Apache SSL Slow

Posted Sun Jan 06 @ 01:44:04 PM PDT 2013

A month ago, I had this crazy scenario:

  1. New HTTPS connections to my web applications would take upwards of 10 seconds, or time out completely
  2. If you could get connected to an application over SSL, all subsequent HTTPS requests would finish quickly
  3. My apache logs, CPU and memory usage were all normal
  4. Non-secure HTTP was fast
  5. Using curl -v, I determined the SERVER HELLO message in the TLS handshake was responsible for the delay
  6. The problem started in the late morning, and continued to the early afternoon, every weekday

Maybe someone more experienced could immediately identify the problem, but I had no idea what was going on. So I did what all desperate and incompetent system admins do: restart. I restarted Apache -- didn't fix it. I restarted the server -- didn't fix it.

After Googling my brains out, I thought maybe I didn't have enough entropy to generate the random numbers required for SSL. I checked my apache config, and found I was using /dev/urandom (which is good because it is non-blocking), and /proc/sys/kernel/random/entropy_avail always had around 150 bytes of entropy. Not the problem.

Then I thought maybe my SSL keys were messed up for some reason. I generated a new key, CSR, and got a new SSL certificate from my CA. After installing it, I restarted apache and...still no relief.

Next I thought the ciphers apache was using for SSL were too slow. So I bumped up the priority on the medium security ciphers, and still no fix.

The Fix

Finally, I learned about the apache2ctl status command. I used that, and determined that I had too many clients connecting to my server (an embarrassingly simple problem). By default, Apache only allows 150 connections to the server. I went into my apache config file, and bumped up the max connections to 256. After reloading apache, that fixed the problem, for a while. So when the problem started happening again, I bumped up MaxClients to 512.

But when I restarted apache, I got this warning:

WARNING: MaxClients of 512 exceeds ServerLimit value of 256 servers, lowering MaxClients to 256. To increase, please see the ServerLimit directive.

So I put this in my apache config file:

ServerLimit 512
MaxClients 512

When I reloaded apache, I didn't get the warning. But the new limit didn't seem to take effect. Ultimately, I had to completely stop the apache service, and then start it back up (for whatever reason, restart doesn't work).
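The check I wish I had run first, as an added example (it is not part of the original post): a small POSIX shell script that reads the machine-readable mod_status output (the same data apache2ctl status shows, fetched with ?auto) together with the prefork section of httpd.conf, and reports how close the busy worker count is to MaxClients. It also flags the MaxClients-above-ServerLimit mismatch that produced the warning above. The status text and the config snippet are constructed samples embedded here so the script runs offline; on a real host you would feed it curl -s 'http://localhost/server-status?auto' and your own config file.

```shell
#!/bin/sh
# Added example, not from the original post: warn when Apache's prefork worker
# pool is nearly exhausted, the condition that stalled new TLS handshakes.

# Constructed sample of mod_status "?auto" output (not captured from a real server).
SAMPLE_STATUS='Total Accesses: 48213
Total kBytes: 912345
Uptime: 5400
ReqPerSec: 8.9
BusyWorkers: 148
IdleWorkers: 2
Scoreboard: WWWWWWWWWWKKKKKKKKKKCCCC..'

# Constructed prefork config snippet (not the post's own file). ServerLimit is
# deliberately absent, so the prefork default of 256 applies.
SAMPLE_CONF='<IfModule mpm_prefork_module>
    StartServers          5
    MinSpareServers       5
    MaxSpareServers      10
    MaxClients          150
    MaxRequestsPerChild   0
</IfModule>'

# worker_usage STATUS_TEXT -> prints "busy idle"
worker_usage() {
    printf '%s\n' "$1" | awk -F': ' '
        $1 == "BusyWorkers" { busy = $2 }
        $1 == "IdleWorkers" { idle = $2 }
        END { printf "%d %d\n", busy, idle }'
}

# conf_limit CONF_TEXT DIRECTIVE DEFAULT -> value of DIRECTIVE; the last
# occurrence wins (as httpd does), DEFAULT is used when it is not set at all.
conf_limit() {
    printf '%s\n' "$1" | awk -v d="$2" -v def="$3" '
        $1 == d { v = $2 }
        END { if (v == "") v = def; print v }'
}

# saturation_pct BUSY MAXCLIENTS -> integer percentage of the pool in use
saturation_pct() {
    echo $(( $1 * 100 / $2 ))
}

# check_saturation STATUS_TEXT CONF_TEXT [THRESHOLD_PCT]
# Returns 0 below the threshold, 1 at or above it (new connections queue or
# time out), 2 when MaxClients exceeds ServerLimit (httpd silently caps it).
check_saturation() {
    status_text=$1; conf_text=$2; threshold=${3:-90}
    busy=$(worker_usage "$status_text" | cut -d' ' -f1)
    max=$(conf_limit "$conf_text" MaxClients 256)
    limit=$(conf_limit "$conf_text" ServerLimit 256)
    if [ "$max" -gt "$limit" ]; then
        echo "CONFIG: MaxClients $max exceeds ServerLimit $limit; httpd caps it at $limit"
        return 2
    fi
    pct=$(saturation_pct "$busy" "$max")
    if [ "$pct" -ge "$threshold" ]; then
        echo "WARN: $busy of $max workers busy (${pct}%); new connections will queue"
        return 1
    fi
    echo "OK: $busy of $max workers busy (${pct}%)"
    return 0
}

# Stand-alone run against the constructed samples.
check_saturation "$SAMPLE_STATUS" "$SAMPLE_CONF"
echo "exit status: $?"
```

Two notes on using it for real. First, the threshold is meant for a cron job or monitoring hook, so the pool is raised (or the slow clients found) before connections start timing out rather than after. Second, the stop/start requirement the post ran into is expected behaviour: ServerLimit fixes the size of the scoreboard shared memory that the parent httpd process allocates when it starts, so a reload or graceful restart, which keeps that parent running, cannot apply a new value, while MaxClients alone can be changed within the existing ServerLimit on a graceful restart.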
