We have here a WebService running on WildFly 9. The web service is only available over SSL (HTTPS) and needs client certificates.
If we change the WildFly configuration so that WildFly communicates directly with the client (meaning WildFly handles the HTTPS connections and also checks the client certificates), in our test case one client can make between 12 and 15 requests per second (incl. getting the server answers).
But if we put an Apache httpd (v2.2 on CentOS 6) proxy in front of WildFly (which then handles the SSL stuff and checks the client certificates), the client can only make 2 to 5 requests per second in the same test case.
The config of the httpd proxy is:
Listen 58443
NameVirtualHost *:58443
<VirtualHost *:58443>
    # server SSL settings
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder On
    SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS
    # Server Certificate:
    SSLCertificateFile /etc/letsencrypt/live/mydomain.de/cert.pem
    # Server Private Key:
    SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.de/privkey.pem
    # Server Certificate Chain:
    SSLCertificateChainFile /etc/letsencrypt/live/mydomain.de/chain.pem
    Header always set Strict-Transport-Security "max-age=315360000"

    # Client certificate authentication
    # Certificate Authority (CA):
    SSLCACertificateFile /etc/pki/webapp/cacert.pem
    SSLVerifyClient require
    SSLVerifyDepth 2

    # proxy stuff
    <Proxy *>
        AddDefaultCharset Off
        Order Allow,Deny
        Allow from all
    </Proxy>

    # proxy to wildfly instance
    ProxyPass /myappSrv http://localhost:58080/myappSrv min=3 smax=5 ttl=600 iobuffersize=163840
    # ProxyPass /myappSrv http://localhost:58080/myappSrv disablereuse=on
    # ProxyPassReverse /myappSrv http://localhost:58080/myappSrv
</VirtualHost>
We have already played around with several httpd configuration values:
- HostnameLookups is set to off
- Switching to the "worker MPM" and playing around with several settings for that (MinSpareServers, MaxSpareServers, ThreadsPerChild, ...)
- AllowOverride is set to none
- Also we have played around with the ProxyPass parameters (see also the commented-out ProxyPass lines)
Nothing we did brought any significant improvement. But I cannot believe the performance is so bad when we use an httpd proxy. I am also not sure what the bottleneck is: the httpd proxy? Or the client certificate check of httpd?
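One way to separate the two suspects named in the question (client certificate handshake vs. the proxy leg to WildFly) is to time mutual-TLS requests with curl against both endpoints and compare where the seconds go. This is an added diagnostic script, not part of the original post; the endpoint URLs, the WildFly direct port and the client certificate path are placeholders.

```sh
#!/bin/sh
# Added diagnostic script (not from the original post). It assumes the two
# endpoint URLs and the client certificate path below; all three are placeholders.
URL_HTTPD="https://mydomain.de:58443/myappSrv"    # through the httpd proxy (port from the post)
URL_WILDFLY="https://mydomain.de:8443/myappSrv"   # WildFly terminating TLS itself (assumed port)
CLIENT_CERT="./client-cert-and-key.pem"           # PEM with client cert + key (placeholder)

# Issue n sequential requests and print curl's timing fields for each:
#   time_appconnect    seconds until the TLS handshake (incl. client cert check) finished
#   time_starttransfer seconds until the first byte of the backend answer arrived
#   time_total         seconds for the whole request
fetch_timings() {
  url=$1; n=$2; i=0
  while [ "$i" -lt "$n" ]; do
    curl -sS -o /dev/null --cert "$CLIENT_CERT" \
      -w '%{time_appconnect} %{time_starttransfer} %{time_total}\n' "$url"
    i=$((i + 1))
  done
}

# Read "appconnect starttransfer total" lines on stdin and print the averages in ms.
# handshake_ms is the TLS/client-cert part; backend_ms (starttransfer - appconnect) is
# the wait on the proxy -> WildFly leg, which is where the ProxyPass pool settings matter.
summarize_timings() {
  awk '{ hs += $1; be += ($2 - $1); tot += $3; n++ }
       END {
         if (n == 0) exit 1
         printf "handshake_ms=%.0f backend_ms=%.0f total_ms=%.0f n=%d\n",
                hs / n * 1000, be / n * 1000, tot / n * 1000, n
       }'
}

# Run the live comparison only when explicitly requested (MTLS_BENCH=1 sh bench.sh),
# so the functions can also be sourced and used offline on saved curl output.
if [ -n "${MTLS_BENCH:-}" ]; then
  printf 'httpd proxy:    '; fetch_timings "$URL_HTTPD" 20 | summarize_timings
  printf 'wildfly direct: '; fetch_timings "$URL_WILDFLY" 20 | summarize_timings
fi
```

If handshake_ms dominates on the httpd side, the cost sits in mod_ssl's client certificate verification per connection; if backend_ms dominates, the proxy leg (connection reuse, pool size) is the place to look.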
I was having exactly the same issues as described above with Apache HTTPD 2.4 running on CentOS 7. My browser spent around 1 second waiting for the index page. After switching to nginx, the load time dropped below 100 ms and the application suddenly seemed stunningly fast.
Anyway, if you still need to use Apache HTTPD for some reason, it's possible to use nginx as a reverse proxy for it. There are lots of guides out there.