主页 / server / 问题 / 1141176
Accepted
MeSo2
Asked: 2023-08-10 06:05:29 +0800 CST

Windows 上的 Apache 2.4 响应初始第一个请求的速度很慢

  • 772

我开始在我的网站https://www.filmfix.com/en/home/上提供预压缩的 Brotli 文件。他们工作; 但从那时起,Apache 在所有VirtualHost 设置中都出现了响应问题(不仅仅是VirtualHost专门为这些预压缩的静态 HTML 文件提供服务。)

如果我在初始(非常慢)加载后立即单击,它通常会保持响应(或者如果我刚刚重新启动 Apache)——但如果我稍等一下,它就会停止响应。重新连接可能需要 7 秒到 45 秒的时间。有时它甚至会使浏览器超时,等待连​​接。

可能是什么原因造成的;我该如何解决它?

我的https://www.webpagetest.org结果如下所示。 网页测试.org 结果

我确实希望这与我不久前的问题无关:内部网络断开连接

我在stackoverflow.com上发现了一个类似的问题,这给了我更多的想法,但没有任何解决办法。

或者这可能是我自己造成的?我正在处理来自三个不同域名的 18 个异步调用批次,生成 HTML 页面,这些页面被最小化、预压缩并推送到其他服务器。CPU 徘徊在 80% 左右。难道是我超载了Apache?我们正在处理大约 5,000 页。

CPU使用率

来自我的 httpd-default.conf 文件

Timeout 300
KeepAlive On
MaxKeepAliveRequests 1000
KeepAliveTimeout 40

# reqtimeout module is disabled
#<IfModule reqtimeout_module>
#  RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
#</IfModule>

以下是我观察到的不同浏览器症状:

Chrome 计时初始连接/SSL

...以及当连接挂起时我读到的内容:

(无信息)

镀铬计时

Microsoft Edge 瀑布

...以及当连接挂起时我读到的内容:

建立安全连接...

微软边缘

FireFox 计时被阻止

...以及当连接挂起时我读到的内容:

与(我的 static.sub 域名)执行 TLS 握手

或者

从 connect.facebook.net 传输数据

FireFox 计时被阻止

我发现有时阻塞时间与 TLS 设置时间一样长:

TLS 设置时间

我的设置

服务器:Apache/2.4.39 (Win64) OpenSSL/1.1.1c PHP/8.1.10,我有 48GB 可用 RAM,CPU 是 i7-8700 @ 3.20GHz。

我的 DNS TTL 设置为 3 小时,因为我即将将文件重新定位到不同的服务器。

我的 httpd-ssl.conf 文件

SSLSessionCacheTimeout  300
SSLUseStapling Off
HostnameLookups Off
EnableSendfile Off 
EnableMMAP Off

<VirtualHost *:443>
    Protocols h2 h2c http/1.1
    ...
    SSLEngine on
    ...
    SSLHonorCipherOrder on
    SSLProtocol ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 
    SSLCipherSuite ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:ECDH+AES256:DH+AES256:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
</VirtualHost>

我尝试设置<VirtualHost *:443><VirtualHost 0.0.0.0:443>(我仅使用 IPv4),但这没有帮助。

我关闭了防火墙以查看是否与防火墙相关,但事实并非如此。

运行这个

openssl s_client -connect www.filmfix.com:443 -status -servername www.filmfix.com

返回这个

CONNECTED(000001B8)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = *.my_domainname_dot_com
verify return:1
OCSP response: no response sent
---
Certificate chain
 0 s:CN = *.my_domainname_dot_com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
  ...
-----END CERTIFICATE-----
subject=CN = *.my_domainname_dot_com

issuer=C = US, O = Let's Encrypt, CN = R3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 5026 bytes and written 406 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 20 (unable to get local issuer certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 3D6884662...
    Session-ID-ctx:
    Resumption PSK: 5EA6E2B7D...
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 ... 3i.

    Start Time: 1691621025
    Timeout   : 7200 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 9BFE3...
    Session-ID-ctx:
    Resumption PSK: 38FFBF004D...
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - a9 01 cb ...   a2 40   ....)..d...!.4.@

    Start Time: 1691621025
    Timeout   : 7200 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK

httpd -D DUMP_RUN_CFG

C:\64bit\Apache24\bin>httpd -D DUMP_RUN_CFG
ServerRoot: "C:/64bit/Apache24"
Main DocumentRoot: "C:/64bit/htdocs"
Main ErrorLog: "E:/log-files/apache/error_.log"
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="C:/64bit/Apache24/logs/" mechanism=default
PidFile: "C:/64bit/Apache24/logs/httpd.pid"
Define: DUMP_RUN_CFG

任何帮助将非常感激。

谢谢。

ssl

1 个回答

  1. Best Answer

    我正在祈祷。

    我更新了 Apache——从 2.4.39 更新到 2.4.57。

    为此,我必须首先确保 Visual C++ Redistributable 已更新:

    您必须首先安装 Visual C++ Redistributable for Visual Studio 2015-2022 x64。

    下载并安装,如果您还没有这样做,请参阅:

    https://www.apachelounge.com/download/

    运行更新我进行了修复,然后更新了 Apache。

    使用与以前相同的 Apache 配置文件,该网站的外观和行为有点不同,希望我的初始连接速度问题能够自行解决。

    我还添加了默认索引文件

    DirectoryIndex static_html/com___en___home.min.html.br

    如果一切顺利,更新让我可以考虑使用 HTTP/3。ChatGTP 建议:

    截至 2021 年 9 月的最后一次更新,由于缺乏预编译包,与其他一些平台相比,在 Windows 上的 Apache 中启用 HTTP/3 支持需要更多的手动工作。以下是有关如何mod_http3在 Windows 上安装和启用 Apache 模块的一般指南:

    1. 下载所需软件

    2. 下载并构建 libnghttp2

      • Download the latest stable release of libnghttp2 from https://github.com/nghttp2/nghttp2/releases.
      • Extract the downloaded archive to a directory.
      • Open the "Command Prompt for Visual Studio" from the Start menu.
      • Navigate to the directory where you extracted libnghttp2.
      • Run the following commands to build libnghttp2: 
        mkdir build
cd build
cmake -G "NMake Makefiles" ..
nmake
nmake install

    3. Download and Build Apache with HTTP/3 Support:

      • Download the Apache source code from https://httpd.apache.org/download.cgi.
      • Extract the downloaded archive to a directory.
      • Navigate to the srclib directory within the extracted Apache source directory.
      • Clone the quiche repository using Git: 
        git clone --recursive https://github.com/cloudflare/quiche
      • Rename the quiche directory to quic: 
        move quiche quic
      • Navigate to the root directory of the Apache source code.
      • Run the following commands to build Apache with HTTP/3 support: 
        configure --enable-ssl --enable-http2 --with-openssl=path\to\openssl
nmake

    4. Configure and Enable mod_http3:

      • Once Apache is built, navigate to the modules directory within the Apache source directory.
      • Copy the mod_http3 module file (mod_http3.so) to your Apache modules directory.
      • Open your Apache configuration file (httpd.conf) in a text editor.
      • Add the following lines to enable and configure mod_http3: 
        LoadModule http3_module modules/mod_http3.so

# Enable HTTP/3
<IfModule http3_module>
    AddHttp3Protocol h3-23
</IfModule>

    5. Start Apache with HTTP/3 Support:

      • Start Apache by running httpd.exe from the bin directory of the built Apache.
      • You might need to adjust your firewall settings to allow Apache to listen on the required ports.

    请注意,此过程涉及从源代码构建 Apache 及其依赖项,这可能很复杂,并且可能需要熟悉软件开发工具。由于软件和程序可能会随着时间的推移而发生变化,因此我建议参考 Apache 官方文档和任何相关的在线资源,以获取最新的说明和指导。

    • 1

相关问题