
Apache :: HTTPS very slow or not responding

Qmpeltaty, Posted: Fri 17 Jan '14 15:38
Post subject: HTTPS very slow or not responding

I have a problem with slow Apache 2.4.4. It's only related to https, which is in general 5 times slower than the same site via http. I see this difference on the monitoring software, which is measuring response time to http and https every 5 seconds. In some cases I even got timeouts in the browser on https while at the same time the site is opening over http: slowly, but it always opens.

Apache runs on Win2k8 Enterprise, Version 2.4.4 x64 - VC10. The server is connected with a quite poor internet connection as it's located in Africa. Despite the connection quality, http is working properly all the time.

jraute, Posted: Fri 17 Jan '14 18:31

Can you tell us something about your configuration (httpd) and the ssl implementation? For example cipher suites including "dh-keys" with more than 2048 bit take some time. And for windows systems there are some parameters which help to improve performance.

Greets
JR

Qmpeltaty, Posted: Sat 18 Jan '14 17:31

ssl.conf:

Code:
    Listen 192.168.1.65:443 https
    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl .crl
    SSLPassPhraseDialog builtin
    SSLSessionCache "shmcb:C:/Apache24/logs/ssl_scache(512000)"
    SSLSessionCacheTimeout 300
    Mutex default
    DocumentRoot "C:/Apache24/htdocs"
    ServerName mydomain.com
    ServerAlias www.mydomain.com
    ServerAlias another_mydomain.com
    ServerAlias www.another_mydomain.com
    ErrorLog "log/apache/error.log"
    SSLEngine on
    SSLProtocol -ALL +SSLv3 +TLSv1
    SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
    SSLCertificateFile "conf/ssl/server.crt"
    SSLCertificateKeyFile "conf/ssl/server.key"
    SSLCertificateChainFile "conf/ssl/ca_bundle.crt"
    SSLOptions +StdEnvVars
    SSLOptions +StdEnvVars
    BrowserMatch ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0

jraute, Posted: Sat 18 Jan '14 21:10

Ok. How did you measure the difference? Is it a complex web-site? What kind of browser do you use? (If possible pls test with firefox.)

Your ssl.conf looks ok, although I would change the

Code:
    BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0

The newer MSIEs should not have any problems with ssl renegotiation. Therefore I would try:

Code:
    BrowserMatch "MSIE [2-5]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
    BrowserMatch "MSIE [16-9]" ssl-unclean-shutdown

Besides all this I would like to ask if the server has more than one nic installed and if so, how the binding is configured, since you use a dedicated ip for the vhost configuration. Sometimes it's a problem with the binding. Finally check your firewall if the server is placed in a dmz.

Qmpeltaty, Posted: Mon 20 Jan '14 9:48

> jraute wrote: Ok. How did you measure the difference?

I have a monitoring system which is constantly checking the connection both to http and https. I'm getting alert notifications only for https.

> jraute wrote: Is it a complex web-site?

What do you mean by complex web-site?

> jraute wrote: What kind of browser do you use? (If possible pls test with firefox.)

Checked in FF as well - doesn't work either.

> jraute wrote: Your ssl.conf looks ok, although I would change the BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0. The newer MSIEs should not have any problems with ssl renegotiation. Therefore I would try: BrowserMatch "MSIE [2-5]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0 / BrowserMatch "MSIE [16-9]" ssl-unclean-shutdown

Thanks, I will consider this change.

> jraute wrote: Besides all this I would like to ask if the server has more than one nic installed and if so, how the binding is configured, since you use a dedicated ip for the vhost configuration. Sometimes it's a problem with the binding.

This is a virtual machine with one virtual nic. I have multiple private network IPs configured; Apache runs on a certain IP, not shared with any other services.

> jraute wrote: Finally check your firewall if the server is placed in a dmz.

Firewall configuration hasn't been changed for more than a year. I wonder if an https connection is much more "resources-needed" than http, if it requires a more stable internet connection, more server resources etc. - on the server side? As I mentioned, the server is located in Africa, with a quite poor quality connection - I wonder if that could have an impact. On the other hand http works all the time, without any problems.

Steffen (Moderator), Posted: Mon 20 Jan '14 13:07

Are there any indications in the Apache error.log and/or Windows Event viewer?

Do you have in your httpd.conf:

Code:
    AcceptFilter http none
    AcceptFilter https none
    EnableSendfile off
    EnableMMAP off

Qmpeltaty, Posted: Mon 20 Jan '14 14:18

> Steffen wrote: Are there any indications in the Apache error.log and/or Windows Event viewer?

Error log is clear. In event viewer I have found two errors; both of them show up only when Apache is restarted:

Code:
    Faulting application name: httpd.exe, version: 2.4.4.0, time stamp: 0x5127dda0
    Faulting module name: SSLEAY32.dll, version: 1.0.1.5, time stamp: 0x5123e06c
    Exception code: 0xc0000005
    Fault offset: 0x0000000000015e99
    Faulting process id: 0x7360
    Faulting application start time: 0x01cf14633bd64727
    Faulting application path: C:\Apache24\bin\httpd.exe
    Faulting module path: C:\Apache24\bin\SSLEAY32.dll
    Report Id: b159de2a-8056-11e3-91ac-005056934851

Code:
    Faulting application name: httpd.exe, version: 2.4.4.0, time stamp: 0x5127dda0
    Faulting module name: ntdll.dll, version: 6.1.7601.18247, time stamp: 0x521eaf24
    Exception code: 0xc0000374
    Fault offset: 0x00000000000c4102
    Faulting process id: 0x6bac
    Faulting application start time: 0x01cf1462efff97eb
    Faulting application path: C:\Apache24\bin\httpd.exe
    Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
    Report Id: 7b2f4f2f-8056-11e3-91ac-005056934851

> Steffen wrote: Do you have in your httpd.conf: AcceptFilter http none / AcceptFilter https none / EnableSendfile off / EnableMMAP off

Yes. I believe that the first thing I would do is upgrade to the 2.4.7 version.

Steffen (Moderator), Posted: Mon 20 Jan '14 14:34

Yep, upgrade first to 2.4.7, quite some fixes also in the slow/bad connection area.

jraute, Posted: Mon 20 Jan '14 18:29

> Qmpeltaty wrote:
> > jraute wrote: Is it a complex web-site?
> What do you mean by complex web-site?

I thought about webpages with multiple elements, scripts and dynamic content. That can be problematic. Btw, did you implement mod_deflate?

Qmpeltaty, Posted: Tue 21 Jan '14 12:11

> jraute wrote: I thought about webpages with multiple elements, scripts and dynamic content. That can be problematic. Btw, did you implement mod_deflate?

In that meaning - yes, my sites are complex. Most of the content is served by a JBoss application server fronted by this Apache instance I have the problem with, through the mod_jk module. Regarding mod_deflate - it's implemented. Deflate.conf:

Code:
    SetOutputFilter DEFLATE
    SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
    SetEnvIfNoCase Request_URI \.(?:exe|t?gz|zip|bz2|sit|rar)$ no-gzip dont-vary
    SetEnvIfNoCase Request_URI \.pdf$ no-gzip dont-vary
    #AddOutputFilterByType DEFLATE text/css application/javascript
    AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript
    BrowserMatch ^Mozilla/4 gzip-only-text/html
    BrowserMatch ^Mozilla/4\.0[678] no-gzip
    BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html
    DeflateCompressionLevel 9
    DeflateFilterNote Input input_info
    DeflateFilterNote Output output_info
    DeflateFilterNote Ratio ratio_info

jraute, Posted: Tue 21 Jan '14 15:35

Upgrading is surely a good thing. A last idea: have you measured the performance via https to a simple html page on your server? If that speed is nearly the same as with http, then your page-layout/-configuration is the problem. (I remember a guy who analyzed the page speed and started with a site having 12 seconds loading time. After several improvements, mainly in the page-design, the same content loaded in 1.3 seconds.) If it is the same problem even with a simple html page, then you should try to analyse the network traffic and what the tcp packets are doing.

[joke mode on] the nsa needs some time to decrypt the ssl session [joke mode off]

Qmpeltaty, Posted: Wed 22 Jan '14 15:15

> jraute wrote: Upgrading is surely a good thing. A last idea: have you measured the performance via https to a simple html page on your server?

My monitoring system is checking connection time to a simple html page - when https is working slow, http is working fine.

jraute, Posted: Wed 22 Jan '14 22:13

Ok, there is a webpagetest site which analyzes what is going on while loading the page: http://www.webpagetest.org

Maybe it helps you identify the part of the loading process which costs most of the time. (Just click on the waterfall view.) After that it will be a bit easier to find a solution, although I am not sure if there will be a solution.

James Blond (Moderator)

Qmpeltaty, Posted: Fri 24 Jan '14 14:33

Assessment failed: Unable to connect to server

jraute, Posted: Fri 24 Jan '14 15:11

Ok, thanks for coming back and sharing the result. If the assessment fails it means that the handshake didn't work. There can be several reasons for that behaviour: timeout, blocking scripts, firewall, unknown extensions, a wrong order for cipher suites.

Pls check this: http://sourceforge.net/mailarchive/message.php?msg_id=31805015

And maybe the problem can be easily solved by defining a working ssl cipher suite combination.

Greets
JR

Qmpeltaty, Posted: Fri 24 Jan '14 15:27

As I said, this server is located in Africa, where connection quality is quite poor; however http works all the time. Apache has just been upgraded to 2.4.7 and it didn't help.

jraute, Posted: Sat 25 Jan '14 1:21

Some more ideas:
1. Do you have an rdp connection to your server? Then you could test https://127.0.0.1/... and look if that works.
2. If possible, try to test with cipher suites of the "medium" class.
3. Check if the keys and the ca-file are working.

Qmpeltaty, Posted: Mon 27 Jan '14 18:04

> jraute wrote: 1. Do you have an rdp connection to your server? Then you could test https://127.0.0.1/... and look if that works.

I did, it doesn't work locally either.

> jraute wrote: 2. If possible, try to test with cipher suites of the "medium" class.

How should I do this? Should I remove the HIGH ciphers from the ssl.conf?

> jraute wrote: 3. Check if the keys and the ca-file are working.

How to check it?

jraute, Posted: Mon 27 Jan '14 18:56

Ok, back to start with ssl. After the update to 2.4.7 it could be helpful to look at your log-file when apache starts. Is the ssleay-error still there? Maybe we should look at that as well.

For a test you could try to remove the "high" definition for the SSLCipherSuite and comment out the SSLCertificateChainFile. Then you would get a certificate/key-file combination which cannot be verified against a ca-chain, but for testing who cares - sometimes it's good to start as simple as possible. (In this case, in a browser you would have to accept that the key is not signed by a trusted ca and go on ...)

If you are not sure if the certificate is working you can build one by yourself with openssl. (Just ask for a howto, if needed.) For the test, try to start with smaller keys, because keys with more than 1024 bits in combination with some cipher suites can cause delays.

Greets
JR
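jraute's last posts ask whether the key and CA file actually work, suggest trying smaller keys and a reduced cipher list, and Qmpeltaty asks how to check. The shell functions below are an added example, not code from the thread or any poster: they run those checks offline with the openssl command-line tool (assumed installed), against file paths and host names passed as arguments rather than the poster's real files.

```shell
# Added example: offline checks for the files referenced by an ssl.conf like
# the one posted above. Assumes the openssl CLI is on PATH; paths are arguments.

# 1. Does SSLCertificateKeyFile belong to SSLCertificateFile?
#    Both are reduced to their public key (PEM) and compared by digest.
key_matches_cert() {  # usage: key_matches_cert server.key server.crt
  cert_pub=$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$1" -pubout | openssl sha256)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 2. Does SSLCertificateFile chain up to SSLCertificateChainFile?
#    Exit status 0 means openssl verify reported "OK" for the certificate.
chain_verifies() {  # usage: chain_verifies ca_bundle.crt server.crt
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# 3. Key length in bits, for the "try smaller keys" test suggested above.
key_bits() {  # usage: key_bits server.key  -> prints e.g. 2048
  openssl pkey -in "$1" -noout -text |
    sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p' | head -n 1
}

# 4. Expand an SSLCipherSuite string into the ciphers this OpenSSL build would
#    actually offer, one per line (name, protocol, Kx, Au, Enc, Mac), so the
#    effect of dropping HIGH or keeping MEDIUM can be seen before editing.
expand_cipher_suite() {  # usage: expand_cipher_suite 'ALL:!aNULL:...'
  openssl ciphers -v "$1"
}

# 5. Full handshakes per second against a reachable server, optionally limited
#    to a cipher list, so a slow-https/fast-http site can be narrowed down to
#    the TLS handshake itself (needs network; the host is your own server).
handshake_rate() {  # usage: handshake_rate host 443 ['MEDIUM']
  openssl s_time -connect "$1:$2" -new -time 5 ${3:+-cipher "$3"} 2>&1 |
    grep 'connections in'
}
```

Run `expand_cipher_suite` with the exact string from the posted ssl.conf to see what that build of OpenSSL offers for it; a mismatch from `key_matches_cert` or a failure from `chain_verifies` explains a handshake that never completes.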

