Author |
|
gijs
Joined: 27 Apr 2012 Posts: 189 Location: The Netherlands
|
Posted: Wed 01 May '13 20:04 Post subject: Reducing time to first byte (HTTPS/SSL) |
|
|
Hello,
I'm trying to improve the performance of my website and noticed that https pages take really long to load:
http://www.webpagetest.org/result/130501_DR_RQE/1/details/
http://www.webpagetest.org/result/130501_X1_RRC/1/details/
It appears this problem is caused by using https, because when I open my site without https it loads pretty quickly.
http://www.webpagetest.org/result/130501_4T_RTA/
From what I can see it appears that the main problem is the time to first byte, so my question is how can I reduce this?
My virtualhost for SSL is set like this:
Quote: | <VirtualHost 46.249.47.12:443>
DocumentRoot "C:\Program Files (x86)\Apache Software Foundation\Apache24\htdocs\site 2"
ServerName www.elitegameservers.net
ServerAlias elitegameservers.net
ErrorLog "logs/xgclan.com-error.log"
CustomLog "logs/xgclan.com-access.log" common
SSLEngine on
SSLProtocol all
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
SSLCertificateFile "PATH.csr"
SSLCertificateKeyFile ""PATH".key"
SSLCACertificateFile ""PATH".pem"
</VirtualHost> |
I have replaced the real paths with "PATH" for security reasons.
Btw: If you have any tips on how to reduce the time to first byte in general then those are welcome to
I tried setting up memcache to accomplish this but I didn't notice any changes...
This is my mem cache config:
Quote: | <IfModule mod_mem_cache.c>
CacheEnable mem /
MCacheSize 10000000
MCacheMaxObjectCount 100000
MCacheMinObjectSize 1
MCacheMaxObjectSize 262144
</IfModule> |
Update: Just ran the openssl speed command
See: http://www.elitegameservers.net/log.txt
Last edited by gijs on Wed 01 May '13 22:08; edited 3 times in total |
|
Back to top |
|
Steffen Moderator
Joined: 15 Oct 2005 Posts: 3092 Location: Hilversum, NL, EU
|
Posted: Wed 01 May '13 21:03 Post subject: |
|
|
Try the following, maybe it helps. This one includes mitigating the Beast attack. Apache Lounge running this.
Code: | ...
...
SSLEngine on
SSLHonorCipherOrder On
SSLProtocol all -SSLv2
SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH
SSLCompression off
...
.... |
|
|
Back to top |
|
gijs
Joined: 27 Apr 2012 Posts: 189 Location: The Netherlands
|
Posted: Wed 01 May '13 21:32 Post subject: |
|
|
That didn't make it much faster to be honest,
I've included the results of the openssl speed benchmark.
You can find them here: http://www.elitegameservers.net/log.txt
Do you have any other ideas?
Maybe using the fastest ones from that benchmark? |
|
Back to top |
|
gijs
Joined: 27 Apr 2012 Posts: 189 Location: The Netherlands
|
|
Back to top |
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7371 Location: Germany, Next to Hamburg
|
Posted: Fri 19 Jul '13 17:50 Post subject: |
|
|
gijs wrote: |
And saw that RC4 is now insecure, is there any recommended setting which improves the security?
|
RC4 is sill the best solution. There is nothing more secure at the moment.
gijs wrote: |
And is it possible to use Session resumption? |
SSLSessionCache dbm:/path/to/apache/logs/ssl_gcache_data
see http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslsessioncache |
|
Back to top |
|
gijs
Joined: 27 Apr 2012 Posts: 189 Location: The Netherlands
|
Posted: Sat 20 Jul '13 14:04 Post subject: |
|
|
I'm using: SSLSessionCache dbm:C:\Program Files (x86)\Apache Software Foundation\Apache24\logs\ssl_gcache_data
But I get this error:
Code: | C:\Users\Administrator>"C:\Program Files (x86)\Apache Software Foundation\Apache
24\bin\httpd.exe"
AH00526: Syntax error on line 566 of C:/Program Files (x86)/Apache Software Foun
dation/Apache24/conf/httpd.conf:
SSLSessionCache takes one argument, SSL Session Cache storage ('none', 'nonenotn
ull', 'dbm:/path/to/file')
|
Btw: The article recommends using: shmcb, is this not supported on Windows? |
|
Back to top |
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7371 Location: Germany, Next to Hamburg
|
Posted: Sat 20 Jul '13 16:50 Post subject: |
|
|
the share memory caching did not work for others and me, while dbm does.
The issue of your is the white space in the path. Since apache comes from the *nix world, it is often kinda allergic to "gaps" / white space in the path from windows. Try to use quotes (") arround the path or use one without space in it. |
|
Back to top |
|
Jan-E
Joined: 09 Mar 2012 Posts: 1266 Location: Amsterdam, NL, EU
|
Posted: Sat 20 Jul '13 17:48 Post subject: |
|
|
If the quotes do not work, you'll might also try
C:\Progra~2\Apache~1\Apache24\logs\ssl_gcache_data
(or whatever the 8+3 path is) |
|
Back to top |
|
gijs
Joined: 27 Apr 2012 Posts: 189 Location: The Netherlands
|
Posted: Sat 20 Jul '13 18:25 Post subject: |
|
|
Jan-E wrote: | If the quotes do not work, you'll might also try
C:\Progra~2\Apache~1\Apache24\logs\ssl_gcache_data
(or whatever the 8+3 path is) |
Thank you, the 8+3 path did the trick , I already tried the quotes but they wouldn't work.
James Blond wrote: | the share memory caching did not work for others and me, while dbm does.
|
Strange, I just enabled it by doing this:
SSLSessionCache shmcb:C:\Progra~2\Apache~1\Apache24\logs\ssl_gcache_data(250000)
And of course enabling the module.
And when I do the tls test: https://www.ssllabs.com/ssltest/analyze.html?d=elitegameservers.net
it says that the session resumption works.
Does that mean it works fine?
Btw: I have 2 new questions.
1. How can I activate HTTP Strict Transport Security
2. Is keepalive enabled on SSL if it works for normal connections? |
|
Back to top |
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7371 Location: Germany, Next to Hamburg
|
Posted: Mon 22 Jul '13 12:25 Post subject: |
|
|
the tests shows that it works now.
gijs wrote: |
1. How can I activate HTTP Strict Transport Security
|
Yes you can, but the question is if there need to do so? Sure user login, user data and stuff should be over ssl. But why the rest? it coast CPU time. Also the request takes a bit longer due the encryption.
gijs wrote: |
2. Is keepalive enabled on SSL if it works for normal connections? |
if you enabled keepalive in generell it works for http and https. |
|
Back to top |
|
gijs
Joined: 27 Apr 2012 Posts: 189 Location: The Netherlands
|
Posted: Mon 22 Jul '13 14:37 Post subject: |
|
|
Thanks James,
The HTTP Strict Transport Security doesn't allow visitors to bypass the certificate, for example when there is an error.
Most people just click next when there is an error in the certificate(for example when a man in the middle attack happens and they change the SSL certificate)
But I suppose it's not something I really have to worry about :p |
|
Back to top |
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7371 Location: Germany, Next to Hamburg
|
Posted: Mon 22 Jul '13 16:21 Post subject: |
|
|
I forgot:
in your ssl vhost
Code: |
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
|
Note that the max-age is provided in seconds. The 31536000 seconds (12 months) in the example. |
|
Back to top |
|