|Apache Version||2.0.45 with worker MPM and MOD_SSL|
|Test Hardware||Sun Fire 280R|
2 x 750 MHz UltraSPARC III CPUs w/8 MBs cache each
8 gigabytes RAM
Winchester Systems UltraWide SCSI RAID 5
|Test Operating System||Solaris 9|
After much frustration at the poor out-of-the-box SSL performance I was getting with Apache, verses the iPlanet 6.0 webserver I was also running, I decided to see just how much I could optimize Apache to improve performance. I like Apache a lot more than iPlanet (now called Sun ONE), since there are not lots of slow Java-based GUIs standing in-between me and configuring the application, and in my experience, there have been fewer bugs with Apache. So, after careful tweeking and testing, here are my suggestions for how to get the best possible performance out of Apache SSL on Solaris 9. Most of these suggestions are applicable to other systems as well. I plan on updating this page with more complete information, better benchmarks, and future versions of Apache when I have time.
After great effort, the result was an Apache configuration that is only a little slower than iPlanet, and certainly fine for low and medium scale webservers. For high-volume webservers, it appears as though one could get better performance with the Sun ONE Web Server (formerly iPlanet, formerly Netscape Enterprise), or perhaps substantially better performance with Zeus. Also, an SSL acceleration card, like Suntm] Crypto Accelerator 1000 could help greatly when using any Webserver that is supported by it.
Before I began my testing, I performed a somewhat crude benchmark of the performance of Apache (with the MPM worker module) verses iPlanet 6, running a CGI-heavy test suite on a Sun Fire 280R. My results were
|iPlanet||0.153||19.67||1.5||>200 failed trans|
SSLCipherSuite !ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULLWith just this single change, the performance when repeating the same test above was as follows!
SSLRandomSeed startup file:/dev/urandom 512 SSLRandomSeed connect file:/dev/urandom 512
After all of these changes and additional testing, I created a more stable benchmark, consisting of random accesses by 4 concurrent users to a set of URLs consisting of 1,000 CGI-generated pages plus 1,000 instances of a page that used server-side includes, run for 1 minute using Siege. CPU Max % is approximate, and iPlanet hides much of it's usage through separate Cgistub processes that wasn't included. Test was run from a machine on the same LAN as the server, over a 100 Mbps network, to minimize network latency.
So, overall, for a CGI-intensive webserver (after all, isn't that usually the type on which you would want to run SSL?), I could get Apache to serve up SSL-encrypted Web pages about 15% slower than iPlanet, and handle about 88% of the load that the same server with iPlanet could. Not bad at all for most applications.