
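I'm tracking down a performance problem with SSL requests.
I run 2 web servers on 2 EC2 instances (us-east-2a/us-east-2b) behind an ALB that also does SSL termination. Route53 is responsible for the domain, which has a CNAME pointing to the ALB's CNAME. Everything runs in a private VPC with 2 private subnets, and both subnets have routing tables that allow internet access through a NAT gateway. I'm using a VPN to connect to the balancer/EC2 endpoints.
Connecting directly to the ALB using HTTP (no HTTP-to-HTTPS redirect):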
% ab -n10 -c1 \
-H "Host: service.internal.stg" \
http://service.internal.stg/
This is ApacheBench, Version 2.3 <$Revision: 1843412 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/
Benchmarking service.internal.stg (be patient).....done
Server Software: Skipper
Server Hostname: service.internal.stg
Server Port: 80
Document Path: /
Document Length: 199 bytes
Concurrency Level: 1
Time taken for tests: 5.015 seconds
Complete requests: 10
Failed requests: 1
(Connect: 0, Receive: 0, Length: 1, Exceptions: 0)
Non-2xx responses: 10
Total transferred: 4059 bytes
HTML transferred: 1989 bytes
Requests per second: 1.99 [#/sec] (mean)
Time per request: 501.536 [ms] (mean)
Time per request: 501.536 [ms] (mean, across all concurrent requests)
Transfer rate: 0.79 [Kbytes/sec] received
Connection Times (ms)
min mean[+/-sd] median max
Connect: 203 251 51.0 243 315
Processing: 216 251 43.5 221 309
Waiting: 216 250 43.5 221 309
Total: 420 501 77.9 520 617
Percentage of the requests served within a certain time (ms)
50% 520
66% 536
75% 550
80% 612
90% 617
95% 617
98% 617
99% 617
100% 617 (longest request)
Connecting directly to the ALB using HTTPS:
% ab -n10 -c1 \
-H "Host: service.internal.stg" \
https://service.internal.stg/
This is ApacheBench, Version 2.3 <$Revision: 1843412 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/
Benchmarking service.internal.stg (be patient).....done
Server Software: Skipper
Server Hostname: service.internal.stg
Server Port: 443
SSL/TLS Protocol: TLSv1.2,ECDHE-RSA-AES128-GCM-SHA256,2048,128
Server Temp Key: ECDH P-256 256 bits
TLS Server Name: service.internal.stg
Document Path: /
Document Length: 199 bytes
Concurrency Level: 1
Time taken for tests: 9.822 seconds
Complete requests: 10
Failed requests: 0
Non-2xx responses: 10
Total transferred: 4060 bytes
HTML transferred: 1990 bytes
Requests per second: 1.02 [#/sec] (mean)
Time per request: 982.242 [ms] (mean)
Time per request: 982.242 [ms] (mean, across all concurrent requests)
Transfer rate: 0.40 [Kbytes/sec] received
Connection Times (ms)
min mean[+/-sd] median max
Connect: 633 737 100.4 792 883
Processing: 220 245 31.5 231 303
Waiting: 220 245 31.5 231 303
Total: 858 982 105.1 1039 1114
Percentage of the requests served within a certain time (ms)
50% 1039
66% 1041
75% 1061
80% 1108
90% 1114
95% 1114
98% 1114
99% 1114
100% 1114 (longest request)
The connect time got much longer. However, if I run ab with HTTP keepalive (-k), I get only one slow request (~900ms), but on average I reach ~320ms, which is pretty good.
% ab -n10 -c1 -k \
-H "Host: service.internal.stg" \
https://service.internal.stg/
This is ApacheBench, Version 2.3 <$Revision: 1843412 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/
Benchmarking service.internal.stg (be patient).....done
Server Software: Skipper
Server Hostname: service.internal.stg
Server Port: 443
SSL/TLS Protocol: TLSv1.2,ECDHE-RSA-AES128-GCM-SHA256,2048,128
Server Temp Key: ECDH P-256 256 bits
TLS Server Name: service.internal.stg
Document Path: /
Document Length: 199 bytes
Concurrency Level: 1
Time taken for tests: 3.242 seconds
Complete requests: 10
Failed requests: 1
(Connect: 0, Receive: 0, Length: 1, Exceptions: 0)
Non-2xx responses: 10
Keep-Alive requests: 10
Total transferred: 4109 bytes
HTML transferred: 1989 bytes
Requests per second: 3.08 [#/sec] (mean)
Time per request: 324.238 [ms] (mean)
Time per request: 324.238 [ms] (mean, across all concurrent requests)
Transfer rate: 1.24 [Kbytes/sec] received
Connection Times (ms)
min mean[+/-sd] median max
Connect: 0 92 292.2 0 924
Processing: 217 232 22.7 223 279
Waiting: 217 232 22.6 223 279
Total: 217 324 289.5 224 1146
Percentage of the requests served within a certain time (ms)
50% 224
66% 227
75% 269
80% 279
90% 1146
95% 1146
98% 1146
99% 1146
100% 1146 (longest request)
So I suspect the ALB's SSL termination performance. However, I'm not sure how to handle/work on this.
Additional information:
- Ping from my location to the EC2 instance
% ping 10.1.1.95 -c 10 ~
PING 10.1.1.95 (10.1.1.95): 56 data bytes
64 bytes from 10.1.1.95: icmp_seq=0 ttl=61 time=203.177 ms
64 bytes from 10.1.1.95: icmp_seq=1 ttl=61 time=202.369 ms
64 bytes from 10.1.1.95: icmp_seq=2 ttl=61 time=317.346 ms
64 bytes from 10.1.1.95: icmp_seq=3 ttl=61 time=232.651 ms
64 bytes from 10.1.1.95: icmp_seq=4 ttl=61 time=252.859 ms
64 bytes from 10.1.1.95: icmp_seq=5 ttl=61 time=271.837 ms
64 bytes from 10.1.1.95: icmp_seq=6 ttl=61 time=204.135 ms
64 bytes from 10.1.1.95: icmp_seq=7 ttl=61 time=208.154 ms
64 bytes from 10.1.1.95: icmp_seq=8 ttl=61 time=201.772 ms
64 bytes from 10.1.1.95: icmp_seq=9 ttl=61 time=208.608 ms
--- 10.1.1.95 ping statistics ---
10 packets transmitted, 10 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 201.772/230.291/317.346/37.138 ms
- AB run from an EC2 instance in the same VPC
ubuntu@ip-10-1-11-72:~$ ab -n10 -c1 \
-H "Host: service.internal.stg" \
https://service.internal.stg/
This is ApacheBench, Version 2.3 <$Revision: 1807734 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/
Benchmarking service.internal.stg (be patient).....done
Server Software: Skipper
Server Hostname: service.internal.stg
Server Port: 443
SSL/TLS Protocol: TLSv1.2,ECDHE-RSA-AES128-GCM-SHA256,2048,128
TLS Server Name: service.internal.stg
Document Path: /
Document Length: 199 bytes
Concurrency Level: 1
Time taken for tests: 0.164 seconds
Complete requests: 10
Failed requests: 2
(Connect: 0, Receive: 0, Length: 2, Exceptions: 0)
Non-2xx responses: 10
Total transferred: 4058 bytes
HTML transferred: 1988 bytes
Requests per second: 61.11 [#/sec] (mean)
Time per request: 16.363 [ms] (mean)
Time per request: 16.363 [ms] (mean, across all concurrent requests)
Transfer rate: 24.22 [Kbytes/sec] received
Connection Times (ms)
min mean[+/-sd] median max
Connect: 4 6 2.6 5 11
Processing: 8 11 2.1 11 15
Waiting: 8 11 2.1 11 15
Total: 12 16 4.0 15 24
Percentage of the requests served within a certain time (ms)
50% 15
66% 16
75% 20
80% 21
90% 24
95% 24
98% 24
99% 24
100% 24 (longest request)
- AB run from an EC2 instance in the same VPC, reaching the web server
ubuntu@ip-10-1-11-72:~$ ab -n10 -c1 -k \
> -H "Host: service.internal.stg" \
> http://10.1.1.95:9999/
This is ApacheBench, Version 2.3 <$Revision: 1807734 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/
Benchmarking 10.1.1.95 (be patient).....done
Server Software: Skipper
Server Hostname: 10.1.1.95
Server Port: 9999
Document Path: /
Document Length: 199 bytes
Concurrency Level: 1
Time taken for tests: 0.075 seconds
Complete requests: 10
Failed requests: 0
Non-2xx responses: 10
Keep-Alive requests: 10
Total transferred: 4110 bytes
HTML transferred: 1990 bytes
Requests per second: 133.79 [#/sec] (mean)
Time per request: 7.475 [ms] (mean)
Time per request: 7.475 [ms] (mean, across all concurrent requests)
Transfer rate: 53.70 [Kbytes/sec] received
Connection Times (ms)
min mean[+/-sd] median max
Connect: 0 0 0.1 0 0
Processing: 6 7 1.4 7 11
Waiting: 6 7 1.4 7 11
Total: 6 7 1.4 7 11
Percentage of the requests served within a certain time (ms)
50% 7
66% 8
75% 8
80% 9
90% 11
95% 11
98% 11
99% 11
100% 11 (longest request)
ubuntu@ip-10-1-11-72:~$
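Answer 1
Connection setup requires a few requests from the client to the server; from memory, between 1 and 4 depending on the TLS version.
Your latency to the server is 200-320ms, which varies a lot. The high latency is why SSL session setup is slow from your location, and it also explains why it is much faster when run locally.
Solutions could include:
- Find a server closer to you or your users, or run multiple servers using geolocation.
- Use CloudFront to do TLS termination/offload at the edge. Doing https termination at the edge may not be a great solution, but perhaps CloudFront or a CDN uses a more optimized network that could make this more efficient.
- Force a newer version of TLS, which is more efficient.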
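
The round-trip reasoning in the answer above can be checked against the question's own measurements. The following is an added example, not part of the original question or answer: it parses the ping summary and the ab "Connect:" rows quoted on this page and expresses each connect time as a multiple of the measured RTT. It assumes the ping RTT to the EC2 instance approximates the RTT to the ALB, and that each non-keepalive connection performs a full handshake (1 round trip for TCP, plus 2 for TLS 1.2 or 1 for TLS 1.3).

```python
import re

# Figures copied from the ping and ab output on this page (all in ms).
PING_SUMMARY = "round-trip min/avg/max/stddev = 201.772/230.291/317.346/37.138 ms"
AB_CONNECT_ROWS = {
    "http": "Connect: 203 251 51.0 243 315",
    "https": "Connect: 633 737 100.4 792 883",
    "https_keepalive": "Connect: 0 92 292.2 0 924",
}
# Round trips completed before the first request can be sent: one for the
# TCP handshake plus the full TLS handshake (two in TLS 1.2, one in TLS 1.3).
ROUND_TRIPS = {"http": 1, "tls1.2": 3, "tls1.3": 2}


def ping_avg_ms(summary):
    """Extract the average RTT from a ping 'round-trip' summary line."""
    match = re.search(r"=\s*[\d.]+/([\d.]+)/[\d.]+/[\d.]+\s*ms", summary)
    if match is None:
        raise ValueError("not a ping summary line: %r" % summary)
    return float(match.group(1))


def ab_connect_row(row):
    """Parse an ab 'Connect:' row into min/mean/sd/median/max."""
    label, _, values = row.partition(":")
    fields = values.split()
    if label.strip() != "Connect" or len(fields) != 5:
        raise ValueError("not an ab Connect row: %r" % row)
    return dict(zip(("min", "mean", "sd", "median", "max"), map(float, fields)))


def round_trips_observed(row, rtt_ms):
    """Mean connect time expressed as a multiple of the measured RTT."""
    return round(ab_connect_row(row)["mean"] / rtt_ms, 1)


def predicted_connect_ms(profile, rtt_ms):
    """Expected connect time when latency, not server CPU, dominates."""
    return round(ROUND_TRIPS[profile] * rtt_ms, 1)


if __name__ == "__main__":
    rtt = ping_avg_ms(PING_SUMMARY)
    for name, row in AB_CONNECT_ROWS.items():
        print(name, round_trips_observed(row, rtt), "round trips")
    for profile in ROUND_TRIPS:
        print(profile, predicted_connect_ms(profile, rtt), "ms predicted")
```

The observed multiples (about 1 for HTTP, about 3 for HTTPS) match the TLS 1.2 handshake cost, and the keepalive row shows that cost spread over all ten requests on one connection.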