Apache httpd ProxyPass with client certificate performance

Tags: apache-2.2, certificate, proxypass

We have here a web service running on Wildfly 9. The web service is only available over SSL (HTTPS) and needs client certificates.

If we change the Wildfly configuration so that Wildfly communicates directly with the client (meaning Wildfly handles the HTTPS connections and also checks the client certificates), in our test case one client can make between 12 and 15 requests per second (including getting the server's answers).

But if we put an Apache httpd (v2.2 on CentOS 6) proxy in front of Wildfly (which then handles the SSL stuff and checks the client certificates), the client can only make 2 to 5 requests per second in the same test case.

The config of the httpd proxy is:

Listen 58443
NameVirtualHost *:58443

<VirtualHost *:58443>
  # server SSL settings
  SSLEngine on
  SSLProtocol all -SSLv2 -SSLv3
  SSLHonorCipherOrder On
  SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS
  #   Server Certificate:
  SSLCertificateFile /etc/letsencrypt/live/mydomain.de/cert.pem
  #   Server Private Key:
  SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.de/privkey.pem
  #   Server Certificate Chain:
  SSLCertificateChainFile /etc/letsencrypt/live/mydomain.de/chain.pem

  Header always set Strict-Transport-Security "max-age=315360000"

  # Client certificate authentication
  #   Certificate Authority (CA):
  SSLCACertificateFile /etc/pki/webapp/cacert.pem
  SSLVerifyClient require
  SSLVerifyDepth  2

  # proxy stuff
  <Proxy *>
    AddDefaultCharset Off
    Order Allow,Deny
    Allow from all
  </Proxy>

  # proxy to wildfly instance
  ProxyPass /myappSrv http://localhost:58080/myappSrv min=3 smax=5 ttl=600 iobuffersize=163840
  # ProxyPass /myappSrv http://localhost:58080/myappSrv disablereuse=on
  #  ProxyPassReverse /myappSrv http://localhost:58080/myappSrv
</VirtualHost>

We have already played around with several httpd configuration values:

  • HostnameLookups is set to off
  • Switching to the "worker MPM" and playing around with several settings for it (MinSpareServers, MaxSpareServers, ThreadsPerChild, …)
  • AllowOverride is set to none
  • We have also played around with the ProxyPass parameters (see also the commented-out ProxyPass lines)

None of this brought any significant improvement. But I cannot believe the performance is that bad when we use an httpd proxy. I am also not sure what the bottleneck is: the httpd proxy? Or the client certificate check of httpd?
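To narrow down whether the cost sits in the per-request TLS handshake with client-certificate verification rather than in the proxying itself, the following Go program is an added example (not part of the question and not httpd code). It mints a throwaway CA, server and client certificate in memory, starts a local TLS server that requires and verifies the client certificate (the role httpd plays with SSLVerifyClient require), and sends the same sequence of requests twice: once opening a fresh connection per request and once over a kept-alive connection, counting how many client-certificate verifications the server performed. The certificate names, the `/myappSrv` path and the request count are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"sync/atomic"
	"time"
)

// issue mints a short-lived ECDSA certificate for cn. With parent == nil the
// certificate is self-signed (our throwaway CA); otherwise parent signs it.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IPAddresses:           []net.IP{net.IPv4(127, 0, 0, 1)}, // httptest listens on 127.0.0.1
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// toTLS packs a parsed certificate and its key into the form tls.Config expects.
func toTLS(cert *x509.Certificate, key *ecdsa.PrivateKey) tls.Certificate {
	return tls.Certificate{Certificate: [][]byte{cert.Raw}, PrivateKey: key, Leaf: cert}
}

// RunLoad sends n sequential requests to a local server that requires and
// verifies a client certificate. It returns how many client-certificate
// verifications the server performed and the wall-clock time taken.
// reuse=false forces a new connection (and so a full mutual-TLS handshake)
// per request; reuse=true keeps one connection open.
func RunLoad(n int, reuse bool) (handshakes int64, elapsed time.Duration, err error) {
	ca, caKey, err := issue("example-ca", true, nil, nil)
	if err != nil {
		return 0, 0, err
	}
	srvCert, srvKey, err := issue("127.0.0.1", false, ca, caKey)
	if err != nil {
		return 0, 0, err
	}
	cliCert, cliKey, err := issue("example-client", false, ca, caKey)
	if err != nil {
		return 0, 0, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(ca)

	var verified int64
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Echo the verified client identity, as a backend would see it after the check.
		fmt.Fprint(w, r.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	srv.TLS = &tls.Config{
		Certificates: []tls.Certificate{toTLS(srvCert, srvKey)},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    pool,
		// Called once per handshake after chain verification: our handshake counter.
		VerifyPeerCertificate: func([][]byte, [][]*x509.Certificate) error {
			atomic.AddInt64(&verified, 1)
			return nil
		},
	}
	srv.StartTLS()
	defer srv.Close()

	client := &http.Client{Transport: &http.Transport{
		TLSClientConfig:   &tls.Config{RootCAs: pool, Certificates: []tls.Certificate{toTLS(cliCert, cliKey)}},
		DisableKeepAlives: !reuse,
	}}
	start := time.Now()
	for i := 0; i < n; i++ {
		resp, err := client.Get(srv.URL + "/myappSrv")
		if err != nil {
			return 0, 0, err
		}
		io.Copy(io.Discard, resp.Body) // drain fully so the connection can be reused
		resp.Body.Close()
		if resp.StatusCode != http.StatusOK {
			return 0, 0, fmt.Errorf("request %d: status %d", i, resp.StatusCode)
		}
	}
	return atomic.LoadInt64(&verified), time.Since(start), nil
}

func main() {
	const n = 50
	for _, reuse := range []bool{false, true} {
		h, d, err := RunLoad(n, reuse)
		if err != nil {
			panic(err)
		}
		fmt.Printf("reuse=%v: %d requests, %d client-cert handshakes, %.1f req/s\n", reuse, n, h, float64(n)/d.Seconds())
	}
}
```

The no-reuse run performs one client-certificate verification per request, the kept-alive run exactly one in total. If the kept-alive run is several times faster on the same machine, the per-request handshake is the dominant cost, and the first things to check on the proxy are whether the test client actually keeps connections open (HTTP keep-alive enabled on both sides) and whether TLS session caching is active in mod_ssl (the SSLSessionCache directive), before tuning the ProxyPass connection pool to the backend, which only affects the plain-HTTP leg.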

Best Answer

I was having exactly the same issues as described above with Apache HTTPD 2.4 running on CentOS 7. My browser spent around 1 second waiting for the index page. After switching to nginx, the load time dropped below 100 ms and the application suddenly seemed stunningly fast.

Anyway, if you still need to use Apache HTTPD for some reason, it's possible to use nginx as a reverse proxy for it. There are lots of guides out there.
