
We have a web service running on WildFly 9. The web service is only available over SSL (HTTPS) and requires client certificates.

If we change the WildFly configuration so that WildFly communicates directly with the client (meaning WildFly handles the HTTPS connections and also checks the client certificates), then in our test case one client can make between 12 and 15 requests per second (including receiving the server's answers).

But if we put an Apache httpd (V2.2 on CentOS 6) proxy in front of WildFly (which then handles the HTTPS/SSL stuff and checks the client certificates), the client can (in the same test case) only make 2 to 5 requests per second.

The config of the httpd proxy is:

```
Listen 58443
NameVirtualHost *:58443

<VirtualHost *:58443>
    # server SSL settings
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder On
    SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS

    # Server Certificate:
    SSLCertificateFile /etc/letsencrypt/live/mydomain.de/cert.pem
    # Server Private Key:
    SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.de/privkey.pem
    # Server Certificate Chain:
    SSLCertificateChainFile /etc/letsencrypt/live/mydomain.de/chain.pem
    Header always set Strict-Transport-Security "max-age=315360000"

    # Client certificate authentication
    # Certificate Authority (CA):
    SSLCACertificateFile /etc/pki/webapp/cacert.pem
    SSLVerifyClient require
    SSLVerifyDepth 2

    # proxy stuff
    <Proxy *>
        AddDefaultCharset Off
        Order Allow,Deny
        Allow from all
    </Proxy>

    # proxy to wildfly instance
    ProxyPass /myappSrv http://localhost:58080/myappSrv min=3 smax=5 ttl=600 iobuffersize=163840
    # ProxyPass /myappSrv http://localhost:58080/myappSrv disablereuse=on
    # ProxyPassReverse /myappSrv http://localhost:58080/myappSrv
</VirtualHost>
```

We have already played around with several httpd configuration values:

  • HostnameLookups is set to off
  • Switching to "worker MPM" and playing around with several settings for that (MinSpareServers, MaxSpareServers, ThreadsPerChild, ...)
  • AllowOverride is set to none
  • We have also played around with the ProxyPass parameters (see also the commented-out ProxyPass lines)

Nothing we did brought any significant improvement. But I cannot believe the performance is so bad when we use an httpd proxy. I am also not sure what the bottleneck is: the httpd proxy? Or the client certificate check of httpd?

  • We are facing the same problem, did you find a solution? Commented Dec 21, 2016 at 15:48
  • Unfortunately not. I think the best way is not to use an Apache proxy in front of the web service. But that's not possible in our case. As a workaround, we have changed our web service in such a way that the clients do not have to call a web service method so often. This works for us, but I know this is not the solution ... Commented Dec 21, 2016 at 15:53

1 Answer


I was having exactly the same issues as described above with Apache HTTPD 2.4 running on CentOS 7. My browser spent around 1 second waiting for the index page. After switching to nginx, the load time dropped below 100 ms and the application suddenly seemed stunningly fast.

Anyway, if you still need to use Apache HTTPD for some reason, it's possible to use nginx as a reverse proxy for it. There are lots of guides out there.
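
The nginx route suggested above, applied to the question's virtual host, as an added example (not from the original question or answer). Port, certificate paths and backend URL are taken from the question's Apache config; the `wildfly_backend` name, the `X-SSL-Client-*` header names, the protocol list and the keepalive and session-cache values are assumptions.

```nginx
# Added example: nginx counterpart of the question's Apache virtual host.
upstream wildfly_backend {
    server 127.0.0.1:58080;   # WildFly must listen on loopback only (see headers below)
    keepalive 5;              # assumed value: idle backend connections kept open for reuse
}

server {
    listen 58443 ssl;

    # Server certificate. nginx has no SSLCertificateChainFile equivalent,
    # so the chain is served from certbot's fullchain.pem (cert.pem + chain.pem).
    ssl_certificate     /etc/letsencrypt/live/mydomain.de/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mydomain.de/privkey.pem;

    # Assumption: stricter than the question's "all -SSLv2 -SSLv3".
    ssl_protocols TLSv1.2 TLSv1.3;

    # Assumed values: lets returning clients resume a TLS session
    # instead of repeating the full handshake.
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 10m;

    add_header Strict-Transport-Security "max-age=315360000" always;

    # Client certificate authentication, same CA file and depth as the Apache config.
    ssl_client_certificate /etc/pki/webapp/cacert.pem;
    ssl_verify_client      on;    # handshake is rejected without a valid client cert
    ssl_verify_depth       2;

    location /myappSrv {
        # No URI part on proxy_pass: the request path is forwarded unchanged,
        # matching the Apache mapping /myappSrv -> /myappSrv.
        proxy_pass http://wildfly_backend;

        # Both lines are required for the upstream keepalive pool to be used.
        proxy_http_version 1.1;
        proxy_set_header   Connection "";

        proxy_set_header Host $host;

        # Hypothetical header names. proxy_set_header replaces any value the
        # client sent, so the backend only ever sees nginx's verification result.
        proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
        proxy_set_header X-SSL-Client-S-DN   $ssl_client_s_dn;
    }
}
```

The identity headers are only trustworthy if WildFly is unreachable except through this proxy; any direct path to port 58080 lets a caller set them freely.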
