Handling of Concurrent BOSH HTTP vs. HTTPS Connections

We have been using Openfire using BOSH over HTTP with our 3000 concurrent users pretty successfully. However, recently we went to HTTPS. In our Load Tests we seem to be hitting a point around 2000 concurrent users when logins are really slow and events are delayed. Has anyone done any Load Testing comparisons of HTTP vs. HTTPS? Is there any tuning that can be done when using HTTPS vs. HTTP connections with BOSH?

For the sake of performance, we use an Apache (httpd) front-end to terminate the SSL connection, then we proxy to Openfire on port 7070 on the localhost interface. This moves the SSL handling out of the Java process (reducing JVM resource contention) and allows it to be further accelerated with specialized hardware.

One potential downside to this approach is the additional memory consumption in the Apache layer for these relatively long-running BOSH connections (up to 60 seconds). However, in our case this was a sensible tradeoff (memory is cheap) and enables other HA capabilities such as hot-failover to a clustered peer via the proxy balancer module.

There have also been a number of performance-related improvements to the BOSH component in the recent nightly builds of Openfire. Which version are you currently testing against? It would be great to know if these recent changes have provided an observable uptick in your load tests.
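
An httpd 2.4 virtual host for the setup described in the reply above, added here as an illustration and not taken from the poster's configuration. The host names, certificate paths, timeout value and the `/http-bind/` path are assumptions; the localhost port 7070 back end, the 60-second BOSH hold time and the balancer hot standby come from the post.

```apache
# Added example with constructed values (not from the thread).
# Needs mod_ssl, mod_proxy, mod_proxy_http, mod_proxy_balancer,
# mod_lbmethod_byrequests and mod_slotmem_shm.
<VirtualHost *:443>
    ServerName chat.example.com

    # TLS terminates here, outside the Openfire JVM.
    SSLEngine on
    SSLCertificateFile    /etc/httpd/tls/chat.example.com.crt
    SSLCertificateKeyFile /etc/httpd/tls/chat.example.com.key
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

    # Reverse proxy only; never act as a forward proxy.
    ProxyRequests Off

    # BOSH requests can be held for up to 60 seconds, so the proxy
    # timeout has to be longer than that (90 is an assumed margin).
    ProxyTimeout 90

    <Proxy "balancer://openfire">
        # Local Openfire BOSH listener, reached over the loopback interface.
        BalancerMember "http://127.0.0.1:7070"
        # Clustered peer as hot standby: used only if the local member fails.
        BalancerMember "http://of-peer.example.internal:7070" status=+H
    </Proxy>

    # Only the BOSH endpoint is exposed through the TLS front end.
    ProxyPass        "/http-bind/" "balancer://openfire/http-bind/"
    ProxyPassReverse "/http-bind/" "balancer://openfire/http-bind/"
</VirtualHost>
```

The hop from httpd to Openfire is plain HTTP, so port 7070 should be reachable only from the proxy hosts, and the link to the standby peer should stay on a trusted network segment.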

Thanks Tom. We are using v3.7.1. Hadn’t thought about trying to put Apache in front to offload the SSH Handling; that is a good idea. We were hoping not to do something this “drastic” this late in the game, but certainly appreciate the idea. How many concurrent connections have you done using this method?

Well, it’s not apples-to-apples as we are doing things a bit differently with our solution (using primarily pubsub capabilities with BOSH), but our load tests indicate that we can easily handle more than 10K concurrent connections. We can also scale up easily using multiple Apache “heads” in front of each Openfire cluster member as needed to handle the SSL load.

Did you try the configuration where you had just 1 OF and 1 Apache server to terminate the SSL connections? If so, how many concurrent connections could you support with that? I’m trying to see what kind of performance gain you had by offloading the SSL handling to the Apache server.