diff --git a/bench-scripts/bench_config_apache.sh b/bench-scripts/bench_config_apache.sh
index 60d74174..a1a10e8c 100755
--- a/bench-scripts/bench_config_apache.sh
+++ b/bench-scripts/bench_config_apache.sh
@@ -63,7 +63,6 @@ HOST=${BENCH_HOST:-'127.0.0.1'}
 APACHE_VERSION='2.4.65'
 
 . ./common_util.sh
-. ./bench_config_haproxy.sh
 
 function install_wolfssl_for_apache {
 typeset VERSION=$1
diff --git a/bench-scripts/bench_config_haproxy.sh b/bench-scripts/bench_config_haproxy.sh
index 9a7c70b0..43620ac7 100755
--- a/bench-scripts/bench_config_haproxy.sh
+++ b/bench-scripts/bench_config_haproxy.sh
@@ -10,18 +10,85 @@ set -x +. ./common_util.sh + INSTALL_ROOT=${BENCH_INSTALL_ROOT:-"/tmp/bench.binaries"} RESULT_DIR=${BENCH_RESULTS:-"${INSTALL_ROOT}/results"} WORKSPACE_ROOT=${BENCH_WORKSPACE_ROOT:-"/tmp/bench.workspace"} MAKE_OPTS=${BENCH_MAKE_OPTS} -HAPROXY_NOSSL_PORT='42128' -HAPROXY_C2P_PORT='42132' -HAPROXY_P2S_PORT='42134' -HAPROXY_C2S_PORT='42136' +HAPROXY_BUILD_TARG=${BENCH_HAPROXY_BUILD_TARG:-'linux-glibc'} CERT_SUBJ=${BENCH_CERT_SUBJ:-'/CN=localhost'} CERT_ALT_SUBJ=${BENCH_CERT_ALT_SUBJ:-'subjectAltName=DNS:localhost,IP:127.0.0.1'} HOST=${BENCH_HOST:-'127.0.0.1'} +HTTPTERM_HOST=${BENCH_HTTPTERM_HOST:-${HOST}} +HTTPTERM_PORT=${BENCH_HTTPTERM_PORT:-9999} +PORT_RSA_REUSE=${BENCH_PORT_RSA_REUSE:-10000} +PORT_RSA=${BENCH_PORT_RSA:-10100} +PORT_EC_REUSE=${BENCH_PORT_EC_REUSE:-10200} +PORT_EC=${BENCH_PORT_EC:-10300} HAPROXY_VERSION='v3.2.0' +CERT_SUBJ=${BENCH_CERT_SUBJ:-'/CN=localhost'} +CERT_ALT_SUBJ=${BENCH_CERT_ALT_SUBJ:-'subjectAltName=DNS:localhost,IP:127.0.0.1'} +PROXY_CHAIN=${BENCH_PROXY_CHAIN:-21} +HOST=${BENCH_HOST:-'127.0.0.1'} + +function install_httpterm { + typeset SSL_LIB=$1 + typeset HTTPTERM_REPO="https://github.com/wtarreau/httpterm" + typeset BASENAME='httpterm' + typeset DIRNAME="${BASENAME}" + typeset SSL_CFLAGS='' + typeset SSL_LFLAGS='' + + if [[ -z "${SSL_LIB}" ]] ; then + SSL_LIB="openssl-master" + fi + + cd "${WORKSPACE_ROOT}" || exit 1 + git clone "${HTTPTERM_REPO}" "${DIRNAME}" || exit 1 + cd ${DIRNAME} || exit 1 + make || exit 1 + install httpterm "${INSTALL_ROOT}/${SSL_LIB}/bin/httpterm" || exit 1 +} + +function install_h1load { + typeset SSL_LIB=$1 + typeset H1LOAD_REPO="https://github.com/sashan/h1load" + typeset BASENAME='h1load' + typeset DIRNAME="${BASENAME}" + typeset SSL_CFLAGS='' + typeset SSL_LFLAGS='' + + if [[ -z "${SSL_LIB}" ]] ; then + SSL_LIB="openssl-master" + fi + + echo $SSL_LIB | grep 'wolfssl' > /dev/null + if [[ $? 
-eq 0 ]] ; then + # + # adjust flags for wolfssl + # + SSL_CFLAGS="-I${INSTALL_ROOT}/${SSL_LIB}/include/wolfssl" + SSL_CFLAGS="${SSL_CFLAGS} -I${INSTALL_ROOT}/${SSL_LIB}/include" + SSL_CFLAGS="${SSL_CFLAGS} -include ${INSTALL_ROOT}/${SSL_LIB}/include/wolfssl/options.h" + SSL_LFLAGS="-L ${INSTALL_ROOT}/${SSL_LIB}/lib -lwolfssl -Wl,-rpath=${INSTALL_ROOT}/lib" + else + SSL_CFLAGS="-I${INSTALL_ROOT}/${SSL_LIB}/include" + SSL_LFLAGS="-L ${INSTALL_ROOT}/${SSL_LIB}/lib -lssl -lcrypto" + fi + # + # this fork adds -u option to keep time as uptime + # + cd "${WORKSPACE_ROOT}" || exit 1 + git clone -b float "${H1LOAD_REPO}" "${DIRNAME}" || exit 1 + cd ${DIRNAME} || exit 1 + make SSL_CFLAGS="${SSL_CFLAGS}" SSL_LFLAGS="${SSL_LFLAGS}" || exit 1 + install h1load "${INSTALL_ROOT}/${SSL_LIB}/bin/h1load" || exit 1 + cd scripts + for i in *.sh ; do + install $i "${INSTALL_ROOT}/${SSL_LIB}/bin/$i" || exit 1 + done +} function install_haproxy { typeset SSL_LIB=$1 @@ -29,16 +96,25 @@ function install_haproxy { typeset HAPROXY_REPO="https://github.com/haproxy/haproxy.git" typeset BASENAME='haproxy' typeset DIRNAME="${BASENAME}-${VERSION}" - typeset CERTDIR="${INSTALL_ROOT}/${SSL_LIB}/conf/certs" + typeset USE_LIB='' if [[ -z "${SSL_LIB}" ]] ; then SSL_LIB="openssl-master" fi + case ${SSL_LIB} in + wolf*) + USE_LIB='USE_OPENSSL_WOLFSSL=1' + ;; + *) + USE_LIB='USE_OPENSSL=1' + ;; + esac + if [[ -f "${INSTALL_ROOT}/${SSL_LIB}/sbin/haproxy" ]] ; then echo "haproxy already installed; skipping.." else - cd "${WORKSPACE_ROOT}" + cd "${WORKSPACE_ROOT}" || exit 1 mkdir -p "${DIRNAME}" || exit 1 cd "${DIRNAME}" git clone "${HAPROXY_REPO}" -b ${VERSION} --depth 1 . || exit 1 
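Review bot: In install_h1load the wolfssl link flags set `-Wl,-rpath=${INSTALL_ROOT}/lib`, while the `-L` on the same line and the install prefix use `${INSTALL_ROOT}/${SSL_LIB}/lib`, so the rpath appears to point at a directory that does not hold the library; `SSL_LFLAGS="-L ${INSTALL_ROOT}/${SSL_LIB}/lib -lwolfssl -Wl,-rpath=${INSTALL_ROOT}/${SSL_LIB}/lib"` would make the three agree. Both install_httpterm and install_h1load clone a GitHub repository at whatever its default branch or the `float` branch holds at run time, so two benchmark runs can build different sources; checking out a fixed tag or commit after the clone (e.g. `git checkout <pinned-commit>`, placeholder) would make the binaries reproducible. The `echo $SSL_LIB | grep 'wolfssl' > /dev/null` followed by a test on `$?` can be written as `if [[ "${SSL_LIB}" == *wolfssl* ]] ; then` without a pipeline, and SSL_CFLAGS/SSL_LFLAGS in install_httpterm are declared but never used. `cd ${DIRNAME} || exit 1` leaves DIRNAME unquoted unlike the clone line directly above it.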
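Review bot: In install_haproxy the commit adds `|| exit 1` to `cd "${WORKSPACE_ROOT}"`, but the `cd "${DIRNAME}"` two lines later is still unchecked, so if it fails the `git clone ... --depth 1 .` that follows clones into WORKSPACE_ROOT itself; `cd "${DIRNAME}" || exit 1` closes the gap. A one-line comment above the new `case`, e.g. `# wolfssl builds use haproxy's USE_OPENSSL_WOLFSSL switch instead of USE_OPENSSL`, would tell the next reader why the two branches differ. install_haproxy continues past the end of this hunk.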
@@ -46,8 +122,9 @@ function install_haproxy {
 # haproxy does not have a configure script; only a big makefile
 make clean
 make ${MAKE_OPTS} \
- TARGET=generic \
- USE_OPENSSL=1 \
+ TARGET=${HAPROXY_BUILD_TARG} \
+ ${USE_LIB} \
+ USE_OPENSSL=USE_QUIC \
 SSL_INC="${INSTALL_ROOT}/${SSL_LIB}/include" \
 SSL_LIB="${INSTALL_ROOT}/${SSL_LIB}/lib" || exit 1
 
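Review bot: `USE_OPENSSL=USE_QUIC` on the make line assigns the literal string USE_QUIC to the USE_OPENSSL make variable; as far as I know HAProxy treats any non-empty USE_xxx value as "on", so this turns OpenSSL on a second time and does not enable the QUIC build option, and in the wolfssl branch it sits next to the `USE_OPENSSL_WOLFSSL=1` supplied through `${USE_LIB}`. If QUIC is the intent (the wolfssl build in this diff is configured with `--enable-quic`), the line should read `USE_QUIC=1 \` and the SSL backend should be left to `${USE_LIB}`; if not, the line should be dropped. install_haproxy starts and ends outside this hunk.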
@@ -55,81 +132,197 @@ function install_haproxy { PREFIX="${INSTALL_ROOT}/${SSL_LIB}" || exit 1 fi - mkdir -p ${CERTDIR} - - # now generate the certificates - echo "generating new certificates for haproxy" - OPENSSL_BIN="env LD_LIBRARY_PATH=${INSTALL_ROOT}/${SSL_LIB}/lib ${INSTALL_ROOT}/${SSL_LIB}/bin/openssl" - - # generating the key, cert of ca - $OPENSSL_BIN genpkey -algorithm rsa -pkeyopt rsa_keygen_bits:2048 -out "${CERTDIR}/ca_key.pem" || exit 1 - $OPENSSL_BIN req -new -x509 -days 1 -key "${CERTDIR}/ca_key.pem" -out "${CERTDIR}/ca_cert.pem" -subj "/CN=Root CA" \ - -addext "basicConstraints=critical,CA:true" \ - -addext "keyUsage=critical,keyCertSign,cRLSign" || exit 1 - - # generating the client side - $OPENSSL_BIN genpkey -algorithm rsa -pkeyopt rsa_keygen_bits:2048 -out "${CERTDIR}/client_key.pem" || exit 1 - $OPENSSL_BIN pkey -in "${CERTDIR}/client_key.pem" -pubout -out "${CERTDIR}/client_key_pub.pem" || exit 1 - $OPENSSL_BIN req -new -out "${CERTDIR}/client_csr.pem" -subj "/CN=${HOST}" -key "${CERTDIR}/client_key.pem" \ - -addext "${CERT_ALT_SUBJ}" \ - -addext "keyUsage=critical,digitalSignature" || exit 1 - $OPENSSL_BIN x509 -req -out "${CERTDIR}/client_cert.pem" -CAkey "${CERTDIR}/ca_key.pem" -CA "${CERTDIR}/ca_cert.pem" \ - -days 1 -in "${CERTDIR}/client_csr.pem" -copy_extensions copy -ext "subjectAltName,keyUsage" \ - -extfile <(printf "basicConstraints=critical,CA:false\nsubjectKeyIdentifier=none\n") || exit 1 - - # generating the server side - $OPENSSL_BIN genpkey -algorithm rsa -pkeyopt rsa_keygen_bits:2048 -out "${CERTDIR}/server_key.pem" || exit 1 - $OPENSSL_BIN pkey -in "${CERTDIR}/server_key.pem" -pubout -out "${CERTDIR}/server_key_pub.pem" || exit 1 - $OPENSSL_BIN req -new -out "${CERTDIR}/server_csr.pem" -subj "/CN=${HOST}" -key "${CERTDIR}/server_key.pem" \ - -addext "${CERT_ALT_SUBJ}" \ - -addext "keyUsage=critical,digitalSignature" || exit 1 - $OPENSSL_BIN x509 -req -out "${CERTDIR}/server_cert.pem" -CAkey "${CERTDIR}/ca_key.pem" -CA 
"${CERTDIR}/ca_cert.pem" \ - -days 1 -in "${CERTDIR}/server_csr.pem" -copy_extensions copy -ext "subjectAltName,keyUsage" \ - -extfile <(printf "subjectKeyIdentifier=none\n" - printf "${CERT_ALT_SUBJ}\n" - printf "basicConstraints=critical,CA:false\n" - printf "keyUsage=critical,keyEncipherment\n") || exit 1 - - # HAProxy PEM must be: server cert + server key (+ chain) - cat "${CERTDIR}/server_cert.pem" "${CERTDIR}/server_key.pem" "${CERTDIR}/ca_cert.pem" > "${CERTDIR}/haproxy_server.pem" - - # setting up SSL Termination mode for now - # haproxy modes: encoding from client to haproxy, to server from haproxy, both - # the first needs a non TLS connection to the server - use the HTTP_PORT, otherwise use the HTTPS_PORT - cat < "${INSTALL_ROOT}/${SSL_LIB}/conf/haproxy.cfg" -defaults - timeout server 10s - timeout client 10s - timeout connect 10s - -frontend test_no_ssl - mode http - bind :${HAPROXY_NOSSL_PORT} - default_backend http_test - -frontend test_client2proxy - mode http - bind :${HAPROXY_C2P_PORT} ssl crt ${CERTDIR}/haproxy_server.pem ca-file ${CERTDIR}/ca_cert.pem verify required - default_backend http_test - -frontend test_proxy2server - mode http - bind :${HAPROXY_P2S_PORT} - default_backend https_test - -frontend test_client2server - mode http - bind :${HAPROXY_C2S_PORT} ssl crt ${CERTDIR}/haproxy_server.pem ca-file ${CERTDIR}/ca_cert.pem verify required - default_backend https_test - -backend http_test - mode http - balance random - server s1 ${HOST}:${HTTP_PORT} - -backend https_test - mode http - balance random - server s2 ${HOST}:${HTTPS_PORT} ssl verify required ca-file ${INSTALL_ROOT}/${SSL_LIB}/conf/server.crt + cd ${WORKSPACE_ROOT} +} + +# +# function creates haproxy.conf which ishould be +# identical to configuration used here [1]. 
+# +# The configuration file defines 4 proxy variants: +# ssl-reause with rsa+dh certificate, +# https client connects to port 7020 +# +# no-ssl-reuse, with rsa+dh certificate, +# https client connects to port 7120 +# +# ssl-reuse with ecdsa-256 certificate, +# https client connects to port 7220 +# +# no-ssl-reuse with ecdsa-256 certificate, +# https client connects to port 7320 +# +# [1] https://www.haproxy.com/blog/state-of-ssl-stacks +# search for 'daisy-chain' +# +function config_haproxy { + typeset SSL_LIB=$1 + typeset RSACERTKEY='' + typeset ECCERTKEY='' + typeset HAPROXY_CONF='etc/haproxy.conf' + typeset BASEPORT='' + typeset TOPPORT='' + typeset PORT='' + typeset SSL_REUSE='' + typeset REUSE_LABEL='' + typeset HAPROXY_SERVER='http-request return status 200 content-type "text/plain" string "it works"' + typeset HTTPTERM_SERVER="server next ${HTTPTERM_HOST}:${HTTPTERM_PORT}" + typeset SERVER='' + + if [[ -z "${SSL_LIB}" ]] ; then + SSL_LIB='openssl-=master' + fi + + mkdir -p ${INSTALL_ROOT}/${SSL_LIB}/etc || exit 1 + HAPROXY_CONF=${INSTALL_ROOT}/${SSL_LIB}/${HAPROXY_CONF} + RSACERTKEY=${INSTALL_ROOT}/${SSL_LIB}/etc/dh-rsa-2048.pem + ECCERTKEY=${INSTALL_ROOT}/${SSL_LIB}/etc/ec-dsa-256.pem + +cat < ${HAPROXY_CONF} +global + default-path config + tune.listener.default-shards by-thread + tune.idle-pool.shared off + ssl-default-bind-options ssl-min-ver TLSv1.3 ssl-max-ver TLSv1.3 + ssl-server-verify none + EOF + for i in `seq 2` ; do + if [[ ${i} -eq 1 ]] ; then + SERVER=${HAPROXY_SERVER} + else + SERVER=${HTTPTERM_SERVER} + PORT_RSA_REUSE=$(( ${PORT_RSA_REUSE} + 1000)) + PORT_RSA=$(( ${PORT_RSA} + 1000)) + PORT_EC_REUSE=$(( ${PORT_EC_REUSE} + 1000)) + PORT_EC=$(( ${PORT_EC} + 1000)) + fi + for BASEPORT in ${PORT_RSA_REUSE} ${PORT_RSA} ${PORT_EC_REUSE} ${PORT_EC} ; do + if [[ ${BASEPORT} -eq ${PORT_RSA_REUSE} || ${BASEPORT} -eq ${PORT_RSA} ]] ; then + PROXYCERT=${RSACERTKEY} + else + PROXYCERT=${ECCERTKEY} + fi + if [[ ${BASEPORT} -eq ${PORT_RSA_REUSE} || 
${BASEPORT} -eq ${PORT_EC_REUSE} ]] ; then + SSL_REUSE='' + REUSE_LABEL='ssl-reuse' + else + SSL_REUSE='no-ssl-reuse' + REUSE_LABEL='no-ssl-reuse' + fi +cat <> ${HAPROXY_CONF} +defaults ${REUSE_LABEL} + mode http + http-reuse never + default-server max-reuse 0 ssl ssl-min-ver TLSv1.3 ssl-max-ver TLSv1.3 ${SSL_REUSE} + option httpclose + timeout client 10s + timeout server 10s + timeout connect 10s + +frontend port${BASEPORT} + bind :${BASEPORT} ssl crt ${PROXYCERT} + http-request return status 200 content-type "text/plain" string "it works" + +EOF + BASEPORT=$(( ${BASEPORT} + 1)) + TOPPORT=$(( ${BASEPORT} + ${PROXY_CHAIN} - 1 )) +cat <> ${HAPROXY_CONF} +listen port${BASEPORT} + bind :${BASEPORT} ssl crt ${PROXYCERT} + stats uri /stats + server next ${HOST}:$(( ${BASEPORT} - 1)) + +EOF + + BASEPORT=$(( ${BASEPORT} + 1)) + for PORT in $(seq ${BASEPORT} ${TOPPORT}) ; do +cat <> ${HAPROXY_CONF} +listen port${PORT} + bind :${PORT} ssl crt ${PROXYCERT} + server next ${HOST}:$(( ${PORT} - 1)) + +EOF + done + done + done + gen_certkey ${RSACERTKEY} ${RSACERTKEY}.key + gen_certkey_ec ${ECCERTKEY} ${ECCERTKEY}.key + cd ${WORKSPACE_ROOT} || exit 1 +} + +function setup_tests { + typeset i=0 + cd "${WORKSPACE_ROOT}" + install_openssl master + install_haproxy openssl-master + install_httpterm openssl-master + install_h1load openssl-master + install_siege openssl-master + config_haproxy openssl-master + clean_build + + for i in 3.0 3.1 3.2 3.3 3.4 3.5 3.6 ; do + cd "${WORKSPACE_ROOT}" + install_openssl openssl-$i + install_haproxy openssl-$i + install_httpterm openssl-$i + install_h1load openssl-$i + install_siege openssl-$i + config_haproxy openssl-$i + clean_build + done + + cd "${WORKSPACE_ROOT}" + install_openssl OpenSSL_1_1_1-stable + install_haproxy OpenSSL_1_1_1-stable + install_httpterm OpenSSL_1_1_1-stable + install_h1load OpenSSL_1_1_1-stable + install_siege OpenSSL_1_1_1-stable + config_haproxy OpenSSL_1_1_1-stable + clean_build + + cd "${WORKSPACE_ROOT}" + 
install_wolfssl 5.8.2 '--enable-haproxy --enable-quic' + install_haproxy wolfssl-5.8.2 + install_httpterm wolfssl-5.8.2 + install_h1load wolfssl-5.8.2 + install_siege wolfssl-5.8.2 + config_haproxy wolfssl-5.8.2 + clean_build + + cd "${WORKSPACE_ROOT}" + install_libressl 4.1.0 + install_haproxy libressl-4.1.0 + install_httpterm libressl-4.1.0 + install_h1load libressl-4.1.0 + install_siege libressl-4.1.0 + config_haproxy libressl-4.1.0 + clean_build + + # + # does not build with boring + # + #install_boringssl + #install_haproxy boringssl + #install_httpterm boringssl + #install_h1load boringssl + #config_haproxy boringssl + #cd "${WORKSPACE_ROOT}" + #clean_build + + cd "${WORKSPACE_ROOT}" + install_aws_lc + install_haproxy aws-lc + install_httpterm aws-lc + install_h1load aws-lc + # + # siege does not build for aws-lc due to missing RYPTO_thread_id() + # + #install_siege aws-lc + config_haproxy aws-lc + clean_build aws-lc } + +check_env +setup_tests diff --git a/bench-scripts/bench_run_apache.sh b/bench-scripts/bench_run_apache.sh index dd48dee8..29cda3b5 100755 --- a/bench-scripts/bench_run_apache.sh +++ b/bench-scripts/bench_run_apache.sh @@ -61,7 +61,6 @@ CERT_ALT_SUBJ=${BENCH_CERT_ALT_SUBJ:-'subjectAltName=DNS:localhost,IP:127.0.0.1' TEST_TIME=${BENCH_TEST_TIME:-'5M'} HOST=${BENCH_HOST:-'127.0.0.1'} APACHE_VERSION='2.4.65' -HAPROXY='no' . ./common_util.sh . ./bench_run_haproxy.sh @@ -97,16 +96,12 @@ function enable_mpm { function run_test { typeset SSL_LIB=$1 - typeset HAPROXY=$2 typeset i=0 typeset PORT=${HTTPS_PORT} typeset PROTOCOL="https" if [[ -z "${SSL_LIB}" ]] ; then SSL_LIB='openssl-master' fi - if [[ -z "${HAPROXY}" ]] ; then - HAPROXY='no' - fi typeset RESULTS="${SSL_LIB}".txt if [[ "${SSL_LIB}" = 'nossl' ]] ; then SSL_LIB='openssl-master' 
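Review bot: In config_haproxy the four PORT_* variables are file-scope globals (they are not `typeset` in the function) and the second pass of the `seq 2` loop adds 1000 to each of them, so every later call — setup_tests calls config_haproxy once per SSL library — starts 1000 ports above the previous one, while bench_run_haproxy.sh in this same diff always dials `PORT_RSA_REUSE + PROXY_CHAIN` and friends from the unshifted defaults. Copying the globals into locals at the top of the function (sketched below) keeps every library's config on the same ports. `SERVER` is assigned `${HAPROXY_SERVER}` or `${HTTPTERM_SERVER}` but is never expanded in any heredoc, so the second pass writes the same `http-request return status 200` frontend as the first and nothing in the generated config reaches HTTPTERM_HOST:HTTPTERM_PORT; that looks unintended. The default `SSL_LIB='openssl-=master'` has a stray `=` and should be `SSL_LIB='openssl-master'`, and if the first heredoc's terminator is really written as ` EOF` with leading whitespace (the later ones are at column 0) bash will not recognise it and the heredoc swallows the loop that follows. Finally, `gen_certkey ${RSACERTKEY} ${RSACERTKEY}.key` is called without the new third argument, so the file named dh-rsa-2048.pem holds a 4096-bit key and the RSA results are mislabelled; pass `2048` or rename the file.
```shell
function config_haproxy {
    typeset SSL_LIB=$1
    # … unchanged: remaining typeset declarations …
    # per-call copies: the +1000 shift below must not leak into the next call
    typeset RSA_REUSE=${PORT_RSA_REUSE}
    typeset RSA=${PORT_RSA}
    typeset EC_REUSE=${PORT_EC_REUSE}
    typeset EC=${PORT_EC}
    # … unchanged: SSL_LIB default, mkdir, cert paths, global section heredoc …
    for i in 1 2 ; do
        if [[ ${i} -eq 1 ]] ; then
            SERVER=${HAPROXY_SERVER}
        else
            SERVER=${HTTPTERM_SERVER}
            RSA_REUSE=$(( RSA_REUSE + 1000 ))
            RSA=$(( RSA + 1000 ))
            EC_REUSE=$(( EC_REUSE + 1000 ))
            EC=$(( EC + 1000 ))
        fi
        for BASEPORT in ${RSA_REUSE} ${RSA} ${EC_REUSE} ${EC} ; do
            if [[ ${BASEPORT} -eq ${RSA_REUSE} || ${BASEPORT} -eq ${RSA} ]] ; then
                PROXYCERT=${RSACERTKEY}
            else
                PROXYCERT=${ECCERTKEY}
            fi
            if [[ ${BASEPORT} -eq ${RSA_REUSE} || ${BASEPORT} -eq ${EC_REUSE} ]] ; then
                SSL_REUSE=''
                REUSE_LABEL='ssl-reuse'
            else
                SSL_REUSE='no-ssl-reuse'
                REUSE_LABEL='no-ssl-reuse'
            fi
            # … unchanged: defaults/frontend/listen heredocs …
        done
    done
    # … unchanged: gen_certkey calls and final cd …
}
```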
@@ -114,9 +109,6 @@ function run_test { PORT=${HTTP_PORT} PROTOCOL="http" fi - if [[ "${HAPROXY}" != 'no' ]] ; then - RESULTS="haproxy-${SSL_LIB}-${HAPROXY}.txt" - fi typeset HTDOCS="${INSTALL_ROOT}/${SSL_LIB}"/htdocs typeset SIEGE="${INSTALL_ROOT}"/openssl-master/bin/siege @@ -145,23 +137,9 @@ function run_test { # rm -f siege_urls.txt for i in `ls -1 ${HTDOCS}/*.txt` ; do - if [[ "${HAPROXY}" = "no" ]] ; then - echo "${PROTOCOL}://${HOST}:${PORT}/`basename $i`" >> siege_urls.txt - elif [[ "${HAPROXY}" = "no-ssl" ]] ; then - echo "http://${HOST}:${HAPROXY_NOSSL_PORT}/`basename $i`" >> siege_urls.txt - elif [[ "${HAPROXY}" = "server" ]] ; then - echo "https://${HOST}:${HAPROXY_C2P_PORT}/`basename $i`" >> siege_urls.txt - elif [[ "${HAPROXY}" = "client" ]] ; then - echo "http://${HOST}:${HAPROXY_P2S_PORT}/`basename $i`" >> siege_urls.txt - elif [[ "${HAPROXY}" = "both" ]] ; then - echo "https://${HOST}:${HAPROXY_C2S_PORT}/`basename $i`" >> siege_urls.txt - fi + echo "${PROTOCOL}://${HOST}:${PORT}/`basename $i`" >> siege_urls.txt done - if [[ "${HAPROXY}" = "server" ]] || [[ "${HAPROXY}" = "both" ]] ; then - conf_siege_haproxy_cert $SSL_LIB - fi - # # start apache httpd server # 
@@ -200,44 +178,32 @@ function run_test { ${RESULT_DIR}/httpd-${SSL_LIB}.conf cp ${INSTALL_ROOT}/${SSL_LIB}/conf/extra/httpd-ssl.conf \ ${RESULT_DIR}/httpd-ssl-${SSL_LIB}.conf - - if [[ "${HAPROXY}" = "server" ]] || [[ "${HAPROXY}" = "both" ]] ; then - unconf_siege_haproxy_cert - fi } function run_tests { typeset SAVE_RESULT_DIR="${RESULT_DIR}" - typeset HAPROXY_OPTIONS=('no' 'client' 'server' 'both') - typeset mode="" + typeset MODE="" typeset i="" - for mode in event worker prefork ; do - mkdir -p ${SAVE_RESULT_DIR}/${mode} || exit 1 + for MODE in event worker prefork ; do + mkdir -p ${SAVE_RESULT_DIR}/${MODE} || exit 1 - enable_mpm ${mode} - RESULT_DIR="${SAVE_RESULT_DIR}/${mode}" + enable_mpm ${MODE} + RESULT_DIR="${SAVE_RESULT_DIR}/${MODE}" run_test nossl - run_haproxy - run_test nossl 'no-ssl' - kill_haproxy for i in 3.0 3.1 3.2 3.3 3.4 3.5 3.6 master ; do - enable_mpm ${mode} openssl-${i} - run_haproxy openssl-${i} - for OPTION in ${HAPROXY_OPTIONS[@]} ; do - run_test openssl-${i} ${OPTION} - done - kill_haproxy + enable_mpm ${MODE} openssl-${i} + run_test openssl-${i} ${OPTION} done - enable_mpm ${mode} OpenSSL_1_1_1-stable + enable_mpm ${MODE} OpenSSL_1_1_1-stable run_test OpenSSL_1_1_1-stable - enable_mpm ${mode} libressl-4.1.0 + enable_mpm ${MODE} libressl-4.1.0 run_test libressl-4.1.0 - #enable_mpm ${mode} wolfssl-5.8.2 + #enable_mpm ${MODE} wolfssl-5.8.2 #run_test wolfssl-5.8.2 - enable_mpm ${mode} boringssl + enable_mpm ${MODE} boringssl run_test boringssl - enable_mpm ${mode} aws-lc + enable_mpm ${MODE} aws-lc run_test aws-lc done @@ -247,8 +213,8 @@ function run_tests { check_env run_tests SAVE_RESULT_DIR=${RESULT_DIR} -for mode in event worker prefork ; do - RESULT_DIR=${SAVE_RESULT_DIR}/${mode} +for MODE in event worker prefork ; do + RESULT_DIR=${SAVE_RESULT_DIR}/${MODE} plot_results done RESULT_DIR=${SAVE_RESULT_DIR} diff --git a/bench-scripts/bench_run_haproxy.sh b/bench-scripts/bench_run_haproxy.sh index 940aa58d..8a79cbb2 100755 
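Review bot: In run_tests the inner loop still calls `run_test openssl-${i} ${OPTION}`, but OPTION was only ever set by the HAPROXY_OPTIONS loop this commit removes, so it now expands to an empty second argument (no `set -u` is visible in this file); the line should be `run_test openssl-${i}`. The file also keeps `. ./bench_run_haproxy.sh` (a context line in this file's first hunk), and in this same diff that script defines its own run_test/run_tests and calls `run_tests` at top level, so sourcing it here would, as far as the visible lines show, start the haproxy benchmark before the apache functions are even declared; since no haproxy helper is used here any more, the source line should go too.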
--- a/bench-scripts/bench_run_haproxy.sh +++ b/bench-scripts/bench_run_haproxy.sh @@ -11,15 +11,22 @@ set -x INSTALL_ROOT=${BENCH_INSTALL_ROOT:-"/tmp/bench.binaries"} -WORKSPACE_ROOT=${BENCH_WORKSPACE_ROOT:-"/tmp/bench.workspace"} -HAPROXY_NOSSL_PORT='42128' -HAPROXY_C2P_PORT='42132' -HAPROXY_P2S_PORT='42134' -HAPROXY_C2S_PORT='42136' +RESULT_DIR=${BENCH_RESULTS:-"${INSTALL_ROOT}/results"} +PORT_RSA_REUSE=${BENCH_PORT_RSA_REUSE:-10000} +PORT_RSA=${BENCH_PORT_RSA:-10100} +SIEGE_PORT_RSA=$(( ${PORT_RSA} + 2000 )) +PORT_EC_REUSE=${BENCH_PORT_EC_REUSE:-10200} +PORT_EC=${BENCH_PORT_EC:-10300} +SIEGE_PORT_EC=$(( ${PORT_EC} + 1000 )) +HOST=${BENCH_HOST:-'127.0.0.1'} CERT_SUBJ=${BENCH_CERT_SUBJ:-'/CN=localhost'} CERT_ALT_SUBJ=${BENCH_CERT_ALT_SUBJ:-'subjectAltName=DNS:localhost,IP:127.0.0.1'} HOST=${BENCH_HOST:-'127.0.0.1'} +HTTPTERM_HOST=${BENCH_HTTPTERM_HOST:-${HOST}} +HTTPTERM_PORT=${BENCH_HTTPTERM_PORT:-9999} +PROXY_CHAIN=${BENCH_PROXY_CHAIN:-21} HAPROXY_VERSION='v3.2.0' +TEST_TIME=${BENCH_TEST_TIME:-'10'} # # Starts haproxy based on the configuration that was done beforehand calling 
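Review bot: The siege port derivation is inconsistent: `SIEGE_PORT_RSA=$(( ${PORT_RSA} + 2000 ))` but `SIEGE_PORT_EC=$(( ${PORT_EC} + 1000 ))`, and config_haproxy in this diff places its second set of listeners 1000 above the base ports, so at most one of the two can be aimed at an existing listener; whichever offset is intended should be used for both, with a comment naming which proxy variant siege is meant to hit. `HOST=${BENCH_HOST:-'127.0.0.1'}` is now assigned twice in this block; the second copy can be dropped. The 10000/10100/10200/10300 defaults are duplicated verbatim from bench_config_haproxy.sh, so changing one file silently breaks the other — a comment such as `# must match the PORT_* defaults in bench_config_haproxy.sh` on the first of them would at least flag the coupling.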
@@ -27,50 +34,147 @@ HAPROXY_VERSION='v3.2.0' # function run_haproxy { typeset SSL_LIB=$1 + typeset HAPPIDFILE=$2 if [[ -z "${SSL_LIB}" ]] ; then SSL_LIB="openssl-master" fi typeset OPENSSL_DIR="${INSTALL_ROOT}/${SSL_LIB}" + typeset HAPROXY="${OPENSSL_DIR}"/sbin/haproxy - LD_LIBRARY_PATH="${OPENSSL_DIR}/lib:${LD_LIBRARY_PATH}" "${OPENSSL_DIR}/sbin/haproxy" -f "${OPENSSL_DIR}/conf/haproxy.cfg" -D + LD_LIBRARY_PATH="${OPENSSL_DIR}/lib" "${HAPROXY}" \ + -f "${OPENSSL_DIR}/etc/haproxy.conf" \ + -p ${HAPPIDFILE} \ + -D if [[ $? -ne 0 ]] ; then echo "could not start haproxy" exit 1 fi } -# -# Configures the client (siege) to run with haproxy modes server and both. -# Those modes require the client to have the haproxy certificates. -# -function conf_siege_haproxy_cert { +function run_httpterm { typeset SSL_LIB=$1 + typeset HTTPTERMPIDFILE=$2 if [[ -z "${SSL_LIB}" ]] ; then SSL_LIB="openssl-master" fi typeset OPENSSL_DIR="${INSTALL_ROOT}/${SSL_LIB}" - # siege is currently installed only with openssl-master - typeset SIEGE_CONF="${INSTALL_ROOT}/openssl-master/etc/siegerc" - # configure siege to use haproxy - if [[ ! -f "${SIEGE_CONF}" ]] ; then - echo "Did not found siegerc. Siege should be installed first." - exit 1 - fi - echo "#haproxy" >> "${SIEGE_CONF}" - echo "ssl-cert = ${OPENSSL_DIR}/conf/certs/client_cert.pem" >> "${SIEGE_CONF}" - echo "ssl-key = ${OPENSSL_DIR}/conf/certs/client_key.pem" >> "${SIEGE_CONF}" + typeset HTTPTERM="${OPENSSL_DIR}"/bin/httpterm + + LD_LIBRARY_PATH="${OPENSSL_DIR}/lib" "${HTTPTERM}" \ + -p ${HTTPTERMPIDFILE} \ + -L ${HTTPTERM_HOST}:${HTTPTERM_PORT} \ + -D + if [[ $? -ne 0 ]] ; then + echo "could not start httpterm" + exit 1 + fi } -# -# Clears the haproxy certificates from the siege client config. 
-# -function unconf_siege_haproxy_cert { - typeset SIEGE_CONF="${INSTALL_ROOT}/openssl-master/etc/siegerc" +function kill_daemon { + typeset PIDFILE=$1 + + kill -TERM `cat ${PIDFILE}` + rm -f ${PIDFILE} +} + +function run_test { + typeset SSL_LIB=$1 + typeset THREAD_COUNT=$2 + typeset OPENSSL_DIR=${INSTALL_ROOT}/${SSL_LIB} + typeset H1LOAD=${OPENSSL_DIR}/bin/h1load + typeset SIEGE=${OPENSSL_DIR}/bin/siege + typeset BASE_URL="https://${HOST}:" + typeset RESULT='' + typeset HAPPIDFILE=${OPENSSL_DIR}/haproxy.pid + typeset HTTPTERMPIDFILE=${OPENSSL_DIR}/httpterm.pid + typeset PORT='' + + run_haproxy ${SSL_LIB} ${HAPPIDFILE} + run_httpterm ${SSL_LIB} ${HTTPTERMPIDFILE} + + echo "proxy running for ${SSL_LIB} ${THREAD_COUNT}" + RESULT=${RESULT_DIR}/h1load-dh-rsa-reuse-${THREAD_COUNT}-${SSL_LIB}.out + PORT=$(( ${PORT_RSA_REUSE} + ${PROXY_CHAIN} )) + LD_LIBRARY_PATH=${OPENSSL_DIR}/lib ${H1LOAD} \ + -l \ + -P \ + -d ${TEST_TIME} \ + -c 500 \ + -t ${THREAD_COUNT} \ + -u \ + --tls-reuse \ + ${BASE_URL}${PORT} > ${RESULT} || exit 1 + + RESULT=${RESULT_DIR}/h1load-dh-rsa-noreuse-${THREAD_COUNT}-${SSL_LIB}.out + PORT=$(( ${PORT_RSA} + ${PROXY_CHAIN} )) + LD_LIBRARY_PATH=${OPENSSL_DIR}/lib ${H1LOAD} \ + -l \ + -P \ + -d ${TEST_TIME} \ + -c 500 \ + -t ${THREAD_COUNT} \ + -u \ + ${BASE_URL}${PORT} > ${RESULT} || exit 1 + + if [[ -x ${SIEGE} ]] ; then + RESULT=${RESULT_DIR}/siege-dh-rsa-noreuse-${THREAD_COUNT}-${SSL_LIB}.out + LD_LIBRARY_PATH=${OPENSSL_DIR}/lib ${SIEGE} + -b \ + -c ${THREAD_COUNT} \ + -t ${TEST_TIME}S ${BASE_URL}:${SIEGE_PORT_RSA} 2> ${RESULT} + fi - # clear the siege config - sed -i '/#haproxy/{N;d;}' "${SIEGE_CONF}" || exit 1 + RESULT=${RESULT_DIR}/h1load-ec-dsa-reuse-${THREAD_COUNT}-${SSL_LIB}.out + PORT=$(( ${PORT_EC_REUSE} + ${PROXY_CHAIN} )) + LD_LIBRARY_PATH=${OPENSSL_DIR}/lib ${H1LOAD} \ + -l \ + -P \ + -d ${TEST_TIME} \ + -c 500 \ + -t ${THREAD_COUNT} \ + -u \ + --tls-reuse \ + ${BASE_URL}${PORT} > ${RESULT} || exit 1 + + 
RESULT=${RESULT_DIR}/h1load-ec-dsa-noreuse-${THREAD_COUNT}-${SSL_LIB}.out + PORT=$(( ${PORT_EC} + ${PROXY_CHAIN} )) + LD_LIBRARY_PATH=${OPENSSL_DIR}/lib ${H1LOAD} \ + -l \ + -P \ + -d ${TEST_TIME} \ + -c 500 \ + -t ${THREAD_COUNT} \ + -u \ + ${BASE_URL}${PORT} > ${RESULT} || exit 1 + + if [[ -x ${SIEGE} ]] ; then + RESULT=${RESULT_DIR}/siege-ec-dsa-noreuse-${THREAD_COUNT}-${SSL_LIB}.out + LD_LIBRARY_PATH=${OPENSSL_DIR}/lib ${SIEGE} + -b \ + -c ${THREAD_COUNT} \ + -t ${TEST_TIME}S ${BASE_URL}:${SIEGE_PORT_EC} 2> ${RESULT} + fi + + kill_daemon ${HAPPIDFILE} + kill_daemon ${HTTPTERMPIDFILE} } -function kill_haproxy { - pkill -TERM -f haproxy +function run_tests { + typeset i='' + typeset t='' + + for t in 1 2 4 8 16 32 64 ; do + for i in 3.0 3.1 3.2 3.3 3.4 3.5 3.6 master ; do + run_test openssl-${i} ${t} + done + run_test OpenSSL_1_1_1-stable ${t} + run_test libressl-4.1.0 ${t} + run_test wolfssl-5.8.2 ${t} + run_test aws-lc ${t} + # + # could not get haproxy working with boringssl + # + done } + +run_tests diff --git a/bench-scripts/common_util.sh b/bench-scripts/common_util.sh index 039e7c4c..620c4d36 100644 --- a/bench-scripts/common_util.sh +++ b/bench-scripts/common_util.sh @@ -131,6 +131,7 @@ function install_wolfssl { typeset DIRNAME="wolfssl-${VERSION}" typeset WOLFSSL_WORKSPCE="${WORKSPACE_ROOT}/${DIRNAME}" typeset WOLFSSL_REPO='https://github.com/wolfSSL/wolfssl' + typeset HAPROXY_OPTS=$2 if [[ -z ${VERSION} ]] ; then DIRNAME='wolfssl' @@ -158,8 +159,13 @@ function install_wolfssl { AUTOCONF_VERSION=2.72 AUTOMAKE_VERSION=1.16 ./autogen.sh || exit 1 - ./configure --prefix="${INSTALL_ROOT}/${DIRNAME}" \ - --enable-nginx || exit 1 + if [[ -z ${HAPROXY_OPTS} ]] ; then + ./configure --prefix="${INSTALL_ROOT}/${DIRNAME}" \ + --enable-nginx || exit 1 + else + ./configure --prefix="${INSTALL_ROOT}/${DIRNAME}" \ + ${HAPROXY_OPTS} || exit 1 + fi make ${MAKE_OPTS} || exit 1 make ${MAKE_OPTS} install || exit 1 
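Review bot: Both siege invocations in run_test are broken: `LD_LIBRARY_PATH=${OPENSSL_DIR}/lib ${SIEGE}` has no trailing backslash, so siege runs with no arguments and the shell then tries to execute a command named `-b`, and the URL `${BASE_URL}:${SIEGE_PORT_RSA}` gets a second colon because BASE_URL already ends with one; the lines should read `LD_LIBRARY_PATH=${OPENSSL_DIR}/lib ${SIEGE} \` and `-t ${TEST_TIME}S ${BASE_URL}${SIEGE_PORT_RSA} 2> ${RESULT}` (and the same for the EC block). Every h1load call ends in `|| exit 1`, which leaves the haproxy and httpterm daemons started at the top of the function running after the script dies; registering `trap 'kill_daemon ${HAPPIDFILE}; kill_daemon ${HTTPTERMPIDFILE}' EXIT` right after the two run_* calls, or routing the failures through a small helper that kills them first, would make the cleanup unconditional. kill_daemon runs `kill -TERM \`cat ${PIDFILE}\`` without checking that the pidfile exists, so a missing file becomes a kill usage error that the following `rm -f` then masks; `[[ -r "${PIDFILE}" ]] || return 1` first would make the failure visible. The siege results are captured with `2> ${RESULT}` while stdout goes to the terminal, unlike the h1load captures; if that is deliberate, a comment saying siege prints its report on stderr would save the next reader a check.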
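Review bot: The new second parameter of install_wolfssl is read as `typeset HAPROXY_OPTS=$2`, but it is simply a replacement for the default `--enable-nginx` configure flags and nothing in the function is haproxy-specific; `typeset CONFIGURE_OPTS=$2` with a comment `# optional configure flags; replace --enable-nginx when given` describes what the code does. `${HAPROXY_OPTS}` is expanded unquoted on purpose so the caller's string splits into separate flags, which deserves a `# word-splitting intended` comment so a later quoting pass does not break the wolfssl build. install_wolfssl starts and ends outside this hunk.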
@@ -336,15 +342,39 @@ function gen_certkey {
 typeset SERVERCERT=$1
 typeset SERVERKEY=$2
 typeset OPENSSL="${INSTALL_ROOT}"/openssl-master/bin/openssl
+ typeset RSABITS=$3
+ if [[ -z "${RSABITS}" ]] ; then
+ RSABITS='4096'
+ fi
 
 #
-# generate self-signed cert with key
+# generate self-signed cert with rsa key
 # note this is hack because we always assume
 # openssl-master is installed in INSTALL root
 #
 $(LD_LIBRARY_PATH="${INSTALL_ROOT}/openssl-master/lib" "${OPENSSL}" \
- req -x509 -newkey rsa:4096 -days 180 -noenc -keyout \
+ req -x509 -newkey rsa:${RSABITS} -days 180 -noenc -keyout \
 "${SERVERKEY}" -out "${SERVERCERT}" -subj "${CERT_SUBJ}" \
 -addext "${CERT_ALT_SUBJ}") || exit 1
 }
 
+function gen_certkey_ec {
+ typeset SERVERCERT=$1
+ typeset SERVERKEY=$2
+ typeset OPENSSL="${INSTALL_ROOT}"/openssl-master/bin/openssl
+ typeset PKEYOPT=$3
+
+ if [[ -z "${PKEYOPT}" ]] ; then
+ PKEYOPT='ec_paramgen_curve:prime256v1'
+ fi
+
+ #
+ # generate self-signed cert with ecdsa key
+ # note this is hack because we always assume
+ # openssl-master is installed in INSTALL root
+ #
+ $(LD_LIBRARY_PATH="${INSTALL_ROOT}/openssl-master/lib" "${OPENSSL}" \
+ req -x509 -newkey ec -pkeyopt ${PKEYOPT} -days 180 -noenc -keyout \
+ "${SERVERKEY}" -out "${SERVERCERT}" -subj "${CERT_SUBJ}" \
+ -addext "${CERT_ALT_SUBJ}") || exit 1
+}
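Review bot: gen_certkey_ec copies the existing pattern of running openssl inside `$( ... )` used as a command, which executes whatever openssl prints to stdout as a shell command and only works because `req -x509 ... -out` writes to files and prints nothing, relying on bash's rule that an empty command takes the status of its command substitution. Since this is new code, call the binary directly: `LD_LIBRARY_PATH="${INSTALL_ROOT}/openssl-master/lib" "${OPENSSL}" \` with the same arguments and `|| exit 1` on the last line. Both functions now take an undocumented third positional argument; the header comments should state `# $3: RSA key size in bits (default 4096)` and `# $3: -pkeyopt value for the EC key (default ec_paramgen_curve:prime256v1)`, and `-pkeyopt ${PKEYOPT}` should be quoted as `"${PKEYOPT}"` like the neighbouring arguments.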