How much of a performance hit for https vs http for apache?
Roughly how much of a performance hit will https take compared to http for the same page? Suppose I can handle 1000 requests/s for abc.php, how much will it decrease by when accessed through https? I know this might be dependent on hardware, config, OS etc etc but I am just looking for a general rule of thumb/estimate.
For a quick&dirty test (i.e. no optimization whatsoever!) I enabled the simple Ubuntu apache2 default website (which just says "It works!") with both http and https (self-signed certificate) on a local Ubuntu 9.04 VM and ran the apache benchmark "ab
" with 10,000 requests (no concurrency). Client and server were on the same machine/VM:
Results for http ("ab -n 10000 http://ubuntu904/index.html
")
- Time taken for tests: 2.664 seconds
- Requests per second: 3753.69 (#/sec)
- Time per request: 0.266ms
Results for https ("ab -n 10000 https://ubuntu904/index.html
"):
- Time taken for tests: 107.673 seconds
- Requests per second: 92.87 (#/sec)
- Time per request: 10.767ms
If you take a closer look (e.g. with tcpdump or wireshark) at the tcp/ip communication of a single request you'll see that the http case requires 10 packets between client and server whereas https requires 16: Latency is much higher with https. (More about the importance of latency here)
Adding keep-alive (ab
option -k
) to the test improves the situation because now all requests share the same connection i.e. the SSL overhead is lower - but https is still measurable slower:
Results for http with keep-alive ("ab -k -n 10000 http://ubuntu904/index.html
")
- Time taken for tests: 1.200 seconds
- Requests per second: 8334.86 (#/sec)
- Time per request: 0.120ms
Results for https with keep-alive ("ab -k -n 10000 https://ubuntu904/index.html
"):
- Time taken for tests: 2.711 seconds
- Requests per second: 3688.12 (#/sec)
- Time per request: 0.271ms
Conclusion:
- In this simple testcase https is much slower than http.
- It's a good idea to enable https support and benchmark your website to see if you want to pay for the https overhead.
- Use wireshark to get an impression of the SSL overhead.
On modern servers, I'd say your bottleneck would be the network and your application, not the encryption. The TLS/SSL in apache will be written in fairly optimised C, so will be dwarfed by your PHP code, especially if you're going to be doing things like database access. Serving static files will probably have a bigger impact, as the encryption will become a bigger part of the whole process. I can't give you any concrete figures, but I'd be surprised if it was more than 5% and probably nearer a couple of percent.