nginx/perf

edwintorok · edwintorok · commit c71f84643a8e · 2025-06-03T17:44:44.000+01:00
diff --git a/scripts/stunnel-perf/.gitignore b/scripts/stunnel-perf/.gitignore
@@ -0,0 +1 @@
+tmp/
diff --git a/scripts/stunnel-perf/benchmark.sh b/scripts/stunnel-perf/benchmark.sh
@@ -0,0 +1,113 @@
+#!/bin/bash
+# Set a machine into benchmarking mode.
+#
+# For native Linux, and Intel-only for now (AMD has a different way of disabling turbo)
+# 
+# References: https://llvm.org/docs/Benchmarking.html
+
+# This is for Fedora 42, adapt for your own OS
+declare -a packages=(
+  "cpupower" "tuned" "ss" "turbostat" "lscpu" "lspci" "ip" "ethtool" "jq" "nginx" "hitch" "stunnel" "iperf3" "nuttcp" "httperf" "git" "hyperfine" "varnish" "socat" "curl"
+)
+
+# httperf --server $OTHER_IP --port 8080 --num-calls 3000 --num-conns=1 --uri /hello
+
+install_packages()
+{
+  sudo dnf install "${packages[@]}"
+}
+
+stop_services()
+{
+  sudo cp /lib/systemd/system/rescue.target /lib/systemd/system/benchmark.target
+  sudo systemctl add-wants benchmark.target sshd.service
+  sudo systemctl isolate benchmark.target
+  sudo systemctl list-units --state=running
+}
+
+start_services()
+{
+  sudo systemctl isolate multi-user.target
+}
+
+set_cpu()
+{
+  # Prevent frequency-scaling
+  sudo cpupower frequency-set -g performance
+
+  # Prevent entering deep C-states to reduce latency and avoid menu governor bugs (there was one recently)
+  # Although if we completely disable C1 then we are going to hit RAPL power limits immediately,
+  # which results in a 30% perf hit on single-stream iperf
+  # Disable just deeper C states, which avoids the big perf hit (although now we're exposed to menu governor bugs)
+  sudo cpupower idle-set -D 2
+
+  # Disable Turbo Boost for more stable measurements
+  # cpupower set --turbo-boost 0 doesn't work when the driver is intel_pstate instead of cpufreq
+  sudo sh -c 'echo 1 >/sys/devices/system/cpu/intel_pstate/no_turbo'
+
+  # AMD
+  sudo cpupower set -m passive
+  sudo cpupower set --turbo-boost 0
+
+  sudo cpupower -c all set --perf-bias 0
+
+  # Bring system into a consistent state
+  sudo tuned-adm profile network-throughput
+  
+  # we could use tuned-adm verify, but there is a bug where it tries to read non-existent hung_task_timeout_secs
+  # that only fails on network-latency, not network-throughput though
+  sudo tuned-adm verify
+}
+
+describe()
+{
+  # Check all the settings we've changed above
+
+  # List running processes
+  set -x
+  sudo systemctl list-units --state=running
+  LIBPROC_HIDE_KERNEL=1 ps -ejH
+
+  sudo cpupower -c all frequency-info
+  sudo cpupower -c all idle-info
+  sudo cpupower -c all info
+  sudo cat /sys/devices/system/cpu/intel_pstate/no_turbo
+  sudo tuned-adm profile_info
+  sudo ss -neopatium
+
+  lscpu
+  sudo turbostat true
+  sudo lspci -k
+  sudo ip a
+
+  for P in /sys/class/net/*; do
+    IFACE=$(basename "${P}")
+    sudo ethtool "${IFACE}"
+    sudo ethtool -k "${IFACE}"
+  done
+
+  sudo sos report --batch
+
+  set +x
+}
+
+open_ports()
+{
+  # iperf3, nuttcp
+  for P in 5201 5000 5101 9080 9443 9444 9445 9446; do
+    sudo firewall-cmd --add-port "${P}/tcp"
+  done
+}
+
+iperf3_server()
+{
+  iperf3 -s
+}
+
+iperf3_client()
+{
+  # TODO: autodetect IP
+  iperf3 --json --logfile iperf3.json -c  10.70.58.43
+  iperf3 --json --logfile iperf3_2.json -c  10.70.58.43 -P2 
+  iperf3 --json --logfile iperf3_4.json -c  10.70.58.43 -P4
+}
diff --git a/scripts/stunnel-perf/server.sh b/scripts/stunnel-perf/server.sh
@@ -0,0 +1,143 @@
+#!/bin/sh
+set -eu
+
+# Use a single, fixed cipher for consistent tests across different tools
+TLS_CIPHERS=ECDHE-RSA-AES256-GCM-SHA384
+TLS_PROTO=TLSv1.2
+
+# Use non-root ports
+NGINX_PORT=9080
+NGINX_TLS_PORT=9443
+STUNNEL_TLS_PORT=9444
+HITCH_TLS_PORT=9445
+SOCAT_TLS_PORT=9446
+
+REPEAT=${REPEAT-30}
+
+PEM=stunnel.pem
+TESTDIR="${PWD}/tmp"
+RAMDIR=/dev/shm/stunnel-test
+mkdir -p "${RAMDIR}" "${TESTDIR}"
+
+cd "${TESTDIR}"
+
+test -f "${PEM}" || openssl req -new -subj "/C=GB/CN=foo.example.com" -days 10 -x509 -noenc -batch -out "${PEM}" -keyout  "${PEM}" -noenc -batch
+
+cat >stunnel.conf <<EOF
+fips=no
+socket = r:TCP_NODELAY=1
+socket = a:TCP_NODELAY=1
+socket = l:TCP_NODELAY=1
+socket = r:SO_KEEPALIVE=1
+socket = a:SO_KEEPALIVE=1
+
+[test]
+accept = :::${STUNNEL_TLS_PORT}
+cert = ${PEM}
+connect = ${NGINX_PORT}
+ciphers = ${TLS_CIPHERS}
+options = CIPHER_SERVER_PREFERENCE
+sslVersion = ${TLS_PROTO}
+EOF
+
+truncate --size 1GiB "${RAMDIR}/1GiB"
+
+cat >nginx.conf <<EOF
+error_log stderr error;
+pid ${TESTDIR}/nginx.pid;
+daemon on;
+events { }
+http {
+    client_body_temp_path "${TESTDIR}/nginx-client_body";
+    proxy_temp_path "${TESTDIR}/nginx-proxy";
+    fastcgi_temp_path "${TESTDIR}/nginx-fcgi";
+    uwsgi_temp_path ${TESTDIR}/nginx-uwsgi";
+    scgi_temp_path ${TESTDIR}/nginx-scgi";
+    access_log off;
+    tcp_nodelay on;
+    sendfile on;
+    server {
+        gzip off;
+        listen "${NGINX_PORT}" reuseport;
+        listen "${NGINX_TLS_PORT}" reuseport ssl;
+        ssl_certificate "${PEM}";
+        ssl_certificate_key "${PEM}";
+        ssl_protocols "${TLS_PROTO}";
+        ssl_ciphers "${TLS_CIPHERS}";
+        root "${RAMDIR}";
+        location = /hello {
+            default_type text/plain;
+            return 200 "Hello";
+        }
+    }
+}
+EOF
+
+cat >hitch.conf <<EOF
+backend="[127.0.0.1]:${NGINX_PORT}"
+ciphers="${TLS_CIPHERS}"
+daemon=on
+frontend={
+    host="*"
+    port="${HITCH_TLS_PORT}"
+    pem-file="${PEM}"
+    prefer-server-ciphers=on
+    tls-protos=${TLS_PROTO}
+}
+EOF
+
+killall -v -9 stunnel nginx hitch socat || :
+
+# Start servers
+nginx -c "${TESTDIR}/nginx.conf"
+socat -b65536 "OPENSSL-LISTEN:${SOCAT_TLS_PORT},fork,reuseaddr,cert=${PEM},verify=0,cipher=${TLS_CIPHERS},compress=none,reuseport" "TCP4:127.0.0.1:${NGINX_PORT}" &
+stunnel "${TESTDIR}/stunnel.conf"
+hitch --config "${TESTDIR}/hitch.conf"
+
+DEST=${DEST:-127.0.0.1}
+
+# Start clients (they could also use a pipe, for simplicity use a local port)
+for PORT in ${NGINX_TLS_PORT} ${STUNNEL_TLS_PORT} ${HITCH_TLS_PORT} ${SOCAT_TLS_PORT}; do
+    PORT2=$(( "${PORT}" + 10000 ))
+    cat >"stunnel-client-${PORT}.conf" <<EOF
+        client=yes
+        foreground=no
+        socket=r:TCP_NODELAY=1
+        socket=r:SO_KEEPALIVE=1
+        socket=a:SO_KEEPALIVE=1
+        fips=no
+        connect=${DEST}:${PORT}
+        sslVersion=${TLS_PROTO}
+        ciphers=${TLS_CIPHERS}
+        [client-proxy]
+        accept=127.0.0.1:${PORT2}
+EOF
+    stunnel "${TESTDIR}/stunnel-client-${PORT}.conf"
+    PORT3=$(( ${PORT} + 20000 ))
+    socat -b65536 "TCP4-LISTEN:${PORT3},bind=127.0.0.1,reuseport" "OPENSSL:${DEST}:${PORT},cipher=${TLS_CIPHERS},verify=0"&
+done
+
+
+measure()
+{
+    echo
+    echo "curl --> ${1} ${2} ${3}" 
+    for i in $(seq "${REPEAT}"); do
+        curl -k -o /dev/null "${2}/1GiB" --write-out "%{url},%{scheme},%{http_code},%{size_download},%{speed_download},%{time_pretransfer},%{time_total}\n"
+    done
+    echo
+}
+
+measure "nginx" "http://${DEST}:${NGINX_PORT}" ""
+
+NGINX_URL="http://127.0.0.1:${NGINX_PORT}"
+
+measure "nginx-ssl" "https://${DEST}:${NGINX_TLS_PORT}" ""
+
+measure "stunnel" "https://${DEST}:${STUNNEL_TLS_PORT}" "-> nginx ${NGINX_URL}"
+measure "hitch" "https://${DEST}:${HITCH_TLS_PORT}" "-> nginx ${NGINX_URL}"
+measure "socat" "https://${DEST}:${SOCAT_TLS_PORT}" "-> nginx ${NGINX_URL}"
+
+measure "stunnel(client)" "http://127.0.0.1:1${STUNNEL_TLS_PORT}" "-> stunnel https://${DEST}:${STUNNEL_TLS_PORT} -> nginx ${NGINX_URL}"
+measure "stunnel(client)" "http://127.0.0.1:1${HITCH_TLS_PORT}" "-> hitch https://${DEST}:${HITCH_TLS_PORT} -> nginx ${NGINX_URL}"
+measure "stunnel(client)" "http://127.0.0.1:1${SOCAT_TLS_PORT}" "-> socat https://${DEST}:${SOCAT_TLS_PORT} -> nginx ${NGINX_URL}"
