Performance issue with HTTPS / TLS when high concurrency

Hello !

I am doing some benchmarks of my application behind Traefik, and it looks like I have very poor performance regarding concurrency with TLS.

I am doing 128 simultaneous requests to my API and have the following results (time for the whole test):

  • Hitting directly the backend: 0.4s
  • Hitting through traefik in HTTP: 0.5s
  • Hitting through traefik in HTTPS: 4.5s

When doing the test, using HTTPS consumes 180% of the CPU. The server behind it is not a war machine (2 vCores and 8 GB RAM), but still.

Everything is in Docker (traefik and the backend).

I use Traefik v2.4.8.

My TLS Options are:

[tls.options]
  [tls.options.default]
    minVersion = "VersionTLS12"
    curvePreferences = [
      "CurveP521",
      "CurveP384",
    ]
    sniStrict = true

Is there anything I can do to improve this?

Hello @Blusky,

One of the interesting features of Elliptic Curve Cryptography is that the computation time (including the required entropy) is roughly linear in the key size used. This means that using P521 will take roughly double the time that P384 will.

I assume that you are choosing these very strong curves due to the importance of your connections; however, there is a trade-off of performance for security.

A simple test would be to remove the curvePreferences, and allow the system to auto-negotiate a cipher suite. You could also set an AES-256 cipher suite such as TLS_RSA_WITH_AES_256_GCM_SHA384, and see how the system performs. This should give you an idea of how TLS would work under normal situations.

If using auto-negotiated suites performs well, then you will have to decide if the cost of higher crypto is worth it to you.
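As an added example (not code from this thread or from Traefik itself), the Go program below times the server-side ECDHE work on P-256, P-384 and P-521 using the same crypto/elliptic curves Go's TLS stack relies on, and mirrors how a Go TLS server picks the group from its curvePreferences: the first server entry the client also offers. The peer key and the client curve lists are constructed for the demonstration.

```go
package main

import (
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"fmt"
	"time"
)

// ecdheCost times `iterations` server-side ECDHE exchanges on one curve: an
// ephemeral key pair is generated and a shared secret is derived from a peer
// public point (constructed here). This is the per-connection work done for
// every fresh HTTPS handshake, which is why it scales with concurrency.
func ecdheCost(curve elliptic.Curve, iterations int) time.Duration {
	_, peerX, peerY, err := elliptic.GenerateKey(curve, rand.Reader) // constructed peer key
	if err != nil {
		panic(err)
	}
	start := time.Now()
	for i := 0; i < iterations; i++ {
		priv, _, _, err := elliptic.GenerateKey(curve, rand.Reader)
		if err != nil {
			panic(err)
		}
		curve.ScalarMult(peerX, peerY, priv) // the shared-secret point
	}
	return time.Since(start)
}

// negotiatedCurve mirrors a Go TLS server's choice of ECDHE group: the first
// entry of the server's CurvePreferences that the client also supports.
func negotiatedCurve(serverPrefs, clientSupported []tls.CurveID) (tls.CurveID, bool) {
	for _, s := range serverPrefs {
		for _, c := range clientSupported {
			if s == c {
				return s, true
			}
		}
	}
	return 0, false
}

func main() {
	for _, c := range []elliptic.Curve{elliptic.P256(), elliptic.P384(), elliptic.P521()} {
		d := ecdheCost(c, 50)
		fmt.Printf("%-5s %8.3f ms per handshake\n", c.Params().Name, float64(d.Microseconds())/1000/50)
	}
	question := []tls.CurveID{tls.CurveP521, tls.CurveP384}             // the forum config
	client := []tls.CurveID{tls.X25519, tls.CurveP256, tls.CurveP384} // constructed client hello
	g, _ := negotiatedCurve(question, client)
	fmt.Println("client offering X25519/P-256/P-384 negotiates:", g)
}
```

With the question's preferences, a client that does not offer P-521 still lands on P-384, while one that does gets the most expensive curve; leaving CurvePreferences unset lets Go's defaults (X25519 and P-256 first) apply.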