> The "option httpclose" was on purpose. Also the client could (during a
> attack) simply do the same and achieve the same result. I don't think
> that will help in such cases.

So what you are actually and purposely benchmarking are SSL/TLS
handshakes, because that's the bottleneck you are trying to improve.

First of all the selected cipher is very important, as is the certificate
and the RSA key size.

For optimal performance, you would drop your RSA certificate
and get an ECC cert. If that's not a possibility then use 2048-bit
RSA certificates.


Your ab output suggests that the negotiated cipher is
ECDHE-RSA-AES128-GCM-SHA256 - which is fine for RSA certificates,
but your RSA certificate is 4096 bits long, which is where the performance
penalty comes from - use 2048-bit certificates or better yet use ECC
certificates.

Read: DO NOT USE RSA certificates longer than 2048 bits.


Both nginx [1] and haproxy currently do not support offloading TLS
handshakes to another thread or dedicating a thread to a TLS session.

That's why Apache will scale better currently, because it's threading.



Hope this helps,

Lukas



[1] https://twitter.com/ngx_vbart/status/611956593324916736
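Added example, not part of the original message: with an ECDHE-RSA suite the server performs one RSA private-key operation per full handshake, and this sketch times the two half-size modular exponentiations of that operation at 2048 and 4096 bits to show the slowdown the message describes. The function names are hypothetical and the "primes" are constructed random odd integers, which is enough for timing because the cost depends only on operand size; absolute numbers will be far below what OpenSSL achieves, only the ratio is of interest.

```python
import secrets
import time


def random_odd(bits):
    """Constructed stand-in for an RSA prime or CRT exponent:
    a random odd integer with the top bit set (NOT a real key component)."""
    return secrets.randbits(bits) | (1 << (bits - 1)) | 1


def crt_private_op(c, p, q, dp, dq):
    """The two half-size exponentiations of an RSA-CRT private-key operation.
    The final recombination step is omitted; its cost is negligible."""
    return pow(c % p, dp, p), pow(c % q, dq, q)


def private_ops_per_second(modulus_bits, rounds=20):
    """Time `rounds` CRT private-key operations for a modulus of the given size."""
    half = modulus_bits // 2
    p, q = random_odd(half), random_odd(half)
    dp, dq = random_odd(half), random_odd(half)
    c = secrets.randbits(modulus_bits - 1)
    start = time.perf_counter()
    for _ in range(rounds):
        crt_private_op(c, p, q, dp, dq)
    return rounds / (time.perf_counter() - start)


def slowdown(small_bits=2048, large_bits=4096, rounds=20):
    """How many times fewer private-key operations per second the larger key allows."""
    return (private_ops_per_second(small_bits, rounds)
            / private_ops_per_second(large_bits, rounds))


if __name__ == "__main__":
    for bits in (2048, 4096):
        print(f"RSA-{bits}: {private_ops_per_second(bits):8.1f} private ops/s")
    print(f"4096-bit is about {slowdown():.1f}x slower per handshake signature")
```

On a single-threaded TLS terminator this ratio translates directly into fewer new handshakes per second per core.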

                                          
