logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> Apache View previous topic :: View next topic
Reply to topic   Topic: Reducing time to first byte (HTTPS/SSL)
Author
gijs



Joined: 27 Apr 2012
Posts: 189
Location: The Netherlands

PostPosted: Wed 01 May '13 20:04    Post subject: Reducing time to first byte (HTTPS/SSL) Reply with quote

Hello,

I'm trying to improve the performance of my website and noticed that https pages take really long to load:

http://www.webpagetest.org/result/130501_DR_RQE/1/details/

http://www.webpagetest.org/result/130501_X1_RRC/1/details/

It appears this problem is caused by using https, because when I open my site without https it loads pretty quickly.

http://www.webpagetest.org/result/130501_4T_RTA/

From what I can see it appears that the main problem is the time to first byte, so my question is how can I reduce this?

My virtualhost for SSL is set like this:
Quote:
<VirtualHost 46.249.47.12:443>
DocumentRoot "C:\Program Files (x86)\Apache Software Foundation\Apache24\htdocs\site 2"
ServerName www.elitegameservers.net
ServerAlias elitegameservers.net
ErrorLog "logs/xgclan.com-error.log"
CustomLog "logs/xgclan.com-access.log" common
SSLEngine on
SSLProtocol all
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
SSLCertificateFile "PATH.csr"
SSLCertificateKeyFile ""PATH".key"
SSLCACertificateFile ""PATH".pem"
</VirtualHost>


I have replaced the real paths with "PATH" for security reasons.

Btw: If you have any tips on how to reduce the time to first byte in general then those are welcome to

I tried setting up memcache to accomplish this but I didn't notice any changes...

This is my mem cache config:

Quote:
<IfModule mod_mem_cache.c>
CacheEnable mem /
MCacheSize 10000000
MCacheMaxObjectCount 100000
MCacheMinObjectSize 1
MCacheMaxObjectSize 262144
</IfModule>
Wink

Update: Just ran the openssl speed command
See: http://www.elitegameservers.net/log.txt


Last edited by gijs on Wed 01 May '13 22:08; edited 3 times in total
Back to top
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 3092
Location: Hilversum, NL, EU

PostPosted: Wed 01 May '13 21:03    Post subject: Reply with quote

Try the following, maybe it helps. This one includes mitigating the Beast attack. Apache Lounge running this.

Code:
...
...
SSLEngine on
SSLHonorCipherOrder On
SSLProtocol all -SSLv2
SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH
SSLCompression off
...
....
Back to top
gijs



Joined: 27 Apr 2012
Posts: 189
Location: The Netherlands

PostPosted: Wed 01 May '13 21:32    Post subject: Reply with quote

That didn't make it much faster to be honest,

I've included the results of the openssl speed benchmark.
You can find them here: http://www.elitegameservers.net/log.txt

Do you have any other ideas?
Maybe using the fastest ones from that benchmark?
Back to top
gijs



Joined: 27 Apr 2012
Posts: 189
Location: The Netherlands

PostPosted: Thu 18 Jul '13 22:51    Post subject: Reply with quote

I just did this test: https://www.ssllabs.com/ssltest/analyze.html?d=www.elitegameservers.net

And saw that RC4 is now insecure, is there any recommended setting which improves the security?

And is it possible to use Session resumption?
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7371
Location: Germany, Next to Hamburg

PostPosted: Fri 19 Jul '13 17:50    Post subject: Reply with quote

gijs wrote:

And saw that RC4 is now insecure, is there any recommended setting which improves the security?


RC4 is sill the best solution. There is nothing more secure at the moment.

gijs wrote:

And is it possible to use Session resumption?


SSLSessionCache dbm:/path/to/apache/logs/ssl_gcache_data

see http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslsessioncache
Back to top
gijs



Joined: 27 Apr 2012
Posts: 189
Location: The Netherlands

PostPosted: Sat 20 Jul '13 14:04    Post subject: Reply with quote

I'm using: SSLSessionCache dbm:C:\Program Files (x86)\Apache Software Foundation\Apache24\logs\ssl_gcache_data

But I get this error:

Code:
C:\Users\Administrator>"C:\Program Files (x86)\Apache Software Foundation\Apache
24\bin\httpd.exe"
AH00526: Syntax error on line 566 of C:/Program Files (x86)/Apache Software Foun
dation/Apache24/conf/httpd.conf:
SSLSessionCache takes one argument, SSL Session Cache storage ('none', 'nonenotn
ull', 'dbm:/path/to/file')


Btw: The article recommends using: shmcb, is this not supported on Windows?
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7371
Location: Germany, Next to Hamburg

PostPosted: Sat 20 Jul '13 16:50    Post subject: Reply with quote

the share memory caching did not work for others and me, while dbm does.

The issue of your is the white space in the path. Since apache comes from the *nix world, it is often kinda allergic to "gaps" / white space in the path from windows. Try to use quotes (") arround the path or use one without space in it.
Back to top
Jan-E



Joined: 09 Mar 2012
Posts: 1266
Location: Amsterdam, NL, EU

PostPosted: Sat 20 Jul '13 17:48    Post subject: Reply with quote

If the quotes do not work, you'll might also try
C:\Progra~2\Apache~1\Apache24\logs\ssl_gcache_data
(or whatever the 8+3 path is)
Back to top
gijs



Joined: 27 Apr 2012
Posts: 189
Location: The Netherlands

PostPosted: Sat 20 Jul '13 18:25    Post subject: Reply with quote

Jan-E wrote:
If the quotes do not work, you'll might also try
C:\Progra~2\Apache~1\Apache24\logs\ssl_gcache_data
(or whatever the 8+3 path is)


Thank you, the 8+3 path did the trick Smile, I already tried the quotes but they wouldn't work.

James Blond wrote:
the share memory caching did not work for others and me, while dbm does.


Strange, I just enabled it by doing this:
SSLSessionCache shmcb:C:\Progra~2\Apache~1\Apache24\logs\ssl_gcache_data(250000)
And of course enabling the module.

And when I do the tls test: https://www.ssllabs.com/ssltest/analyze.html?d=elitegameservers.net
it says that the session resumption works.
Does that mean it works fine?


Btw: I have 2 new questions.
1. How can I activate HTTP Strict Transport Security
2. Is keepalive enabled on SSL if it works for normal connections?
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7371
Location: Germany, Next to Hamburg

PostPosted: Mon 22 Jul '13 12:25    Post subject: Reply with quote

gijs wrote:



And when I do the tls test: https://www.ssllabs.com/ssltest/analyze.html?d=elitegameservers.net
it says that the session resumption works.
Does that mean it works fine?


the tests shows that it works now.

gijs wrote:

1. How can I activate HTTP Strict Transport Security


Yes you can, but the question is if there need to do so? Sure user login, user data and stuff should be over ssl. But why the rest? it coast CPU time. Also the request takes a bit longer due the encryption.

gijs wrote:

2. Is keepalive enabled on SSL if it works for normal connections?


if you enabled keepalive in generell it works for http and https.
Back to top
gijs



Joined: 27 Apr 2012
Posts: 189
Location: The Netherlands

PostPosted: Mon 22 Jul '13 14:37    Post subject: Reply with quote

Thanks James,

The HTTP Strict Transport Security doesn't allow visitors to bypass the certificate, for example when there is an error.

Most people just click next when there is an error in the certificate(for example when a man in the middle attack happens and they change the SSL certificate)

But I suppose it's not something I really have to worry about :p
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7371
Location: Germany, Next to Hamburg

PostPosted: Mon 22 Jul '13 16:21    Post subject: Reply with quote

I forgot:

in your ssl vhost

Code:

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"


Note that the max-age is provided in seconds. The 31536000 seconds (12 months) in the example.
Back to top


Reply to topic   Topic: Reducing time to first byte (HTTPS/SSL) View previous topic :: View next topic
Post new topic   Forum Index -> Apache