You may remember that earlier this fall I found out just how much faster a
2048-bit HTTPS certificate is for the server to handle. Now that I
got one from Let's Encrypt, I decided to redo the performance tests with the new certificate
all set up. Since I ran out of credits on my blitz.io free account, I did the new tests with
loader.io's free tier instead. That's why the graphs are a bit different this time.
Before I go into the HTTPS results, I will bring some context. You might remember that last time I got about 730
requests per second served over HTTPS with a 2048-bit key, and about 1380 requests per second for plain HTTP. Quoting
myself from that time: "So fast… 🚀". Turns out I spoke too soon. By disabling some extraneous console logging,
I was able to more than double the performance. Let's see the latest results.
For reference: The server is an online.net Dedibox XC with an
8-core Intel Atom C2750 processor and 8 GB of DDR3 RAM.
The identity of this website has been verified by Let's Encrypt Authority X1.
That's right! Let's Encrypt, the new free, automated and open certificate authority, has moved to public beta
and their client has improved enough that I was able to request a certificate for this blog! In the end it was criminally easy,
basically a matter of running one command (after fiddling around a bit to find the correct command…):
letsencrypt-auto certonly --webroot -w /path/to/blog -d blog.nytsoi.net
This uses the Let's Encrypt program to automatically validate my domain and request a certificate for it (with the
default value being a 2048-bit one). The way it does the validation is by adding some files to the path I specified and
then making an HTTP request for the domain, checking that the files are accessible. When the domain has been validated,
it requests the certificate and saves it. The cool thing about it is that it creates a directory
/etc/letsencrypt/live/blog.nytsoi.net/ that contains symlinks to the files required for using the certificate, such as
the full chained certificate file and the private key. When I want to renew the certificate, I can run the Let's
Encrypt program with the same arguments again and it will update the symlinks. That means automating it is very easy
(and indeed required since their certificates currently only last for 90 days). The program also contains plugins for
Apache and nginx, but the nginx plugin is very experimental so I settled for the webroot method.
I'm really excited for Let's Encrypt's launch. I hope this will encourage more and more people to adopt HTTPS for their
websites, especially those that deal with user logins or other sensitive data. There's really no reason to not do it
anymore. Encryption for everyone!
** UPDATE: ** I wrote a new post with newer and faster benchmarks.
After the Snowden revelations, I personally started looking more into encrypting my online activities and making sure
sites that ran on my server were (relatively) secure. Eventually I put this blog behind HTTPS as well, not really for
any security benefit, since I'm not talking government secrets and the blog has no admin panel, but rather for learning
about TLS and how to set it up properly. Problem was, it seems I did not read about things properly. This blog post
describes one result of that ignorance.
So I went and ordered myself a new server. My old one was a VPS from
Linode with 1 core, 1 GB of RAM and a 24 GB disk. The new one is a dedicated
server from online.net with 8 cores, 8 GB of RAM and 1 TB of hard disk space.
At the same time it is only slightly more expensive so I jumped at the opportunity. How reliable it actually is will
only be shown with time, but I like living on the bleeding edge. So I thought I would write a blog post about all the
stuff I run into when setting up the new server. Note: This post is meant for reference only, not as a guide. Be sure
look for recommendations from people wiser than myself regarding any security settings.