Nginx Performance Tuning With KAE When Processing HTTPS Connection Requests

Configure OpenSSL and Nginx to use KAE. Compare Nginx performance in processing HTTPS connection requests when KAE is enabled and disabled.

Create and configure the OpenSSL configuration file for Nginx to use KAE.

Create an openssl.cnf file.
1

vi openssl.cnf

Press i to enter the insert mode, add the following content to openssl.cnf, and save openssl.cnf to the /home directory:

         
              openssl_conf=openssl_def
[openssl_def]
engines=engine_section
[engine_section]
kae=kae_section
[kae_section]
engine_id=kae
dynamic_path=/usr/local/lib/engines-1.1/kae.so
default_algorithms=ALL
init=1

Press Esc, type :wq!, and press Enter to save the file and exit.
Enable KAE.
```
export OPENSSL_CONF=/home/openssl.cnf
```

Modify the Nginx configuration file to prepare for the Nginx performance test. The test compares the Nginx performance in processing HTTPS connection requests when KAE is enabled and disabled.

Open the /usr/local/nginx/conf/nginx.conf file.

         
              vi /usr/local/nginx/conf/nginx.conf

Press i to enter the insert mode, and set ssl_ciphers to AES256-GCM-SHA384 to use the RSA algorithm suite.

         
              ssl_ciphers  AES256-GCM-SHA384;

Press Esc, type :wq!, and press Enter to save the file and exit.

Disable KAE, start the Nginx service, and perform a pressure test.

Perform the following operations on the server:

Cancel the KAE environment variable to use the pure CPU computing power without KAE (soft computing power) by default.

           
                unset OPENSSL_CONF

Start the Nginx service.

           
                taskset -c 16-25 /usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf

Monitor the VF queue consumption.

If no extra virtual device is created, the default number of VF queues is 256. When KAE is not enabled, the VF queue is not consumed and remains the default number 256.

            
                 watch -n 0.2 cat /sys/class/uacce/hisi_*/available_instances

Perform the following operations on the client:

Use the httpress tool to perform a pressure test on the server.

          
               httpress -n 500000 -c 100 -t 100 https://IP:port/index.html

Parameters in the command are described as follows:

-n: number of requests
-t: number of threads
-c: number of concurrent tasks
IP: IP address of the tested server
port: port number of the tested server

Test result before KAE is enabled: The server completes 5,330 requests per second.

Enable KAE, start the Nginx service, and perform a pressure test.

Perform the following operations on the server:

Configure the KAE environment variable to use the computing power empowered by KAE (hard computing power) by default.

           
                export OPENSSL_CONF=/home/openssl.cnf

Start the Nginx service.

           
                taskset -c 16-25 /usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf

Monitor the VF queue consumption. If no extra virtual device is created, the default number of VF queues is 256. When KAE is enabled, the VF queue is consumed and the number is less than 256.

           
                watch -n 0.2 cat /sys/class/uacce/hisi_*/available_instances

Perform the following operations on the client:

Use the httpress tool to perform a pressure test on the server.

          
               httpress -n 500000 -c 100 -t 100 https://IP:port/index.html

Parameters in the command are described as follows:

-n: number of requests
-t: number of threads
-c: number of concurrent tasks
IP: IP address of the tested server
port: port number of the tested server

Test result after KAE is enabled: The server completes 10,700 requests per second.

According to the performance test results in 3 and 4, the performance metrics before and after KAE is enabled are 5,330 rps and 10,700 rps, respectively. The performance is improved by about 100%.

Parent topic: Enabling KAE Encryption and Decryption on a Physical Machine