views: 457
answers: 4

Our company runs a website which currently supports only http traffic. We plan to support https traffic too as some of the customers who link to our pages want us to support https traffic.

Our website gets moderate amount of traffic, but is expected to increase over time.

So my question is this:

Is it a good idea to make our website https only? (redirect all http traffic to https) Will this bring down the website's performance?

Has anyone done any sort of measurement?

PS: I am a developer who also doubles up as an apache admin.

+2  A: 

Yes, it will impact performance, but it's usually not too bad compared to running all the DB queries that go into the typical dynamically generated page.

Of course the real answer is: don't guess, benchmark it. Try it both ways and see the difference. You can use tools like siege and ab to simulate traffic.

Also, I think you may have more luck with this question over at http://www.serverfault.com/

Eli
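Eli's "don't guess, benchmark it" can be scripted so the two runs are identical apart from the scheme. The script below is an added example, not something from this thread; it assumes ApacheBench (`ab`) is installed with SSL support, that both URLs serve the same page (the example.com URLs are placeholders), and it includes a constructed ab summary to exercise the parser offline.

```shell
#!/bin/sh
# Added example (not from the thread): run ab against the HTTP and HTTPS
# versions of the same page and report the HTTPS overhead on mean request time.
# Assumes `ab` is installed with SSL support; example.com URLs are placeholders.

# Extract the first numeric value of a labelled line from an ab report.
#   $1 = full ab report text, $2 = line label, e.g. "Requests per second"
ab_field() {
    printf '%s\n' "$1" | awk -v label="$2" -F':' '
        BEGIN { prefix = label ":" }
        index($0, prefix) == 1 {
            # the value is the first whitespace-delimited token after the colon
            n = split($2, parts, " ")
            if (n > 0) print parts[1]
            exit
        }'
}

# Percentage by which $2 exceeds $1, one decimal place (10 -> 15 gives 50.0).
overhead_pct() {
    awk -v a="$1" -v b="$2" 'BEGIN { printf "%.1f\n", (b - a) / a * 100 }'
}

# Run ab once and print "mean_ms rps failed" for a URL.
#   $1 = URL, $2 = total requests, $3 = concurrency, $4 = extra ab flags (e.g. -k)
bench() {
    report=$(ab $4 -n "$2" -c "$3" "$1" 2>/dev/null) || return 1
    printf '%s %s %s\n' \
        "$(ab_field "$report" "Time per request")" \
        "$(ab_field "$report" "Requests per second")" \
        "$(ab_field "$report" "Failed requests")"
}

# Benchmark both schemes with identical settings and compare them.
#   $1 = http URL, $2 = https URL, $3 = requests (500), $4 = concurrency (10),
#   $5 = extra ab flags, e.g. "-k" to measure the keep-alive case
compare_http_https() {
    n=${3:-500}; c=${4:-10}; flags=$5
    http=$(bench "$1" "$n" "$c" "$flags") || return 1
    https=$(bench "$2" "$n" "$c" "$flags") || return 1
    http_ms=${http%% *}; https_ms=${https%% *}
    printf 'HTTP : %s   (ms/request, req/s, failed)\n' "$http"
    printf 'HTTPS: %s   (ms/request, req/s, failed)\n' "$https"
    printf 'HTTPS adds %s%% to the mean time per request\n' \
        "$(overhead_pct "$http_ms" "$https_ms")"
}

# Constructed sample of an ab summary (not a real measurement), used to check
# the parser without a server.
SAMPLE_REPORT='Server Software:        Apache/2.2.3
Concurrency Level:      10
Time taken for tests:   4.052 seconds
Complete requests:      500
Failed requests:        0
Requests per second:    123.40 [#/sec] (mean)
Time per request:       81.040 [ms] (mean)
Time per request:       8.104 [ms] (mean, across all concurrent requests)'

# Live run only when two URLs are given, e.g.:
#   sh ab_compare.sh http://www.example.com/page https://www.example.com/page
if [ "$#" -ge 2 ] && command -v ab >/dev/null 2>&1; then
    compare_http_https "$1" "$2" "$3" "$4" "$5"
fi
```

Run it from a host on a realistic network path to the server rather than from the server itself, since (as MarkR notes later in the thread) most of the HTTPS cost is extra round trips in connection setup, which a loopback benchmark hides; running once without and once with `-k` shows how much keep-alives recover.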
A: 

Most webservers, unless severely underpowered, do not even use a fraction of the CPU power for serving up content. Most production servers I've seen are under 10%, even when using some SSL traffic. I think it would be best to see where your current CPU usage is at, and then do some of your own benchmarking to see how much extra CPU usage is used by an SSL request. I would guess it isn't that much.

Kibbee
+1  A: 

Is it a good idea to make our website https only? (redirect all http traffic to https) Will this bring down the website's performance?

I'm not sure if you really mean all HTTP traffic or just page traffic. A lot of sites unnecessarily encrypt images, javascript and a bunch of other content that doesn't need to be hidden. This kind of content comprises most of the data transferred in a request, so if you do feel that HTTPS is taking too much out of the system you can recommend the programmers separate content that needs to be secured from the content that does not.

Spencer Ruport
Web browsers create a massive scary warning if the site contains a mixture of SSL and non-SSL objects; this will generate support calls and make you look bad generally. Moreover, it's a Good Thing for browsers to do this, the page should be entirely encrypted or entirely in-the-clear to avoid user confusion.
MarkR
I dunno, I still see that warning on Hotmail when I sign in. I'm pretty sure users are used to it.
Spencer Ruport
+2  A: 

I wouldn't worry about the load on the server; unless you are serving high volumes of static content, the encryption itself won't create much of a burden, in my experience.

However, using SSL dramatically slows down web sites by creating a lot more latency in connection setup.

An encrypted session requires about* three times as much time to set up as an unencrypted one, and the exact time depends on the latency.

Even on low latency connections, it is noticeable to the end user, but on higher latency (e.g. different continents, especially Australasia where latency to America/Europe is quite high) it makes a dramatic difference and will severely impact the user experience.

There are things you can do to mitigate it, such as ensuring that keep-alives are on (But don't turn them on without understanding exactly what the impact is), minimising the number of requests and maximising the use of browser cache.

Using HTTPS also affects browser behaviour in some cases. Certain optimisations tend to get turned off for security reasons, and some web browsers don't store objects loaded over HTTPS in the disc cache, which means they'll need to get them again in a later session, further impacting the user experience.

* An estimate based on some informal measurement

MarkR
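The mitigations MarkR lists (keep-alives, fewer requests, better use of the browser cache) plus the redirect the question asks about map onto a handful of Apache directives. The configuration below is an added example for an Apache 2.2 setup with mod_ssl, mod_expires and mod_headers loaded; it is not from this thread, and the hostname, certificate paths and cache path are placeholders.

```apache
# Added example (not from the thread). Hostnames and paths are placeholders.
# Server-config context: these cannot go inside a <VirtualHost>.

# Cache TLS sessions so returning clients resume instead of redoing the full
# handshake, which is where most of the HTTPS setup latency comes from.
SSLSessionCache        shmcb:/var/run/apache2/ssl_scache(512000)
SSLSessionCacheTimeout 300

# Keep-alives let one TLS connection carry the page and its assets; a short
# timeout limits how many idle workers they tie up.
KeepAlive            On
MaxKeepAliveRequests 100
KeepAliveTimeout     5

# Plain HTTP: redirect everything to the HTTPS host.
<VirtualHost *:80>
    ServerName www.example.com
    Redirect permanent / https://www.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/example

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key

    # Let browsers keep static assets across sessions. Some browsers only
    # write HTTPS responses to the disc cache when the response is marked
    # Cache-Control: public, so the Expires header alone is not enough.
    <IfModule mod_expires.c>
        <FilesMatch "\.(css|js|png|jpg|gif|ico)$">
            ExpiresActive On
            ExpiresDefault "access plus 1 week"
        </FilesMatch>
    </IfModule>
    <IfModule mod_headers.c>
        <FilesMatch "\.(css|js|png|jpg|gif|ico)$">
            Header set Cache-Control "public, max-age=604800"
        </FilesMatch>
    </IfModule>
</VirtualHost>
```

Keep the `KeepAliveTimeout` short and watch worker usage after enabling it, in line with MarkR's caution about understanding the impact first: with a prefork MPM each idle keep-alive connection holds a whole process. Check `apachectl configtest` before reloading, since `SSLSessionCache` placed inside a vhost is a configuration error.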