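0. Recommendation
The recommendation comes first: if you do not need to support browsers such as IE10, be sure to use HTTP/2 or HTTP/3. They give a quick gain in latency and QPS without any code changes.
1. Introduction
This test evaluates how modern web protocols (TLS 1.3, HTTP/2, HTTP/3) perform behind an Nginx reverse proxy. Tomcat, the back-end application server, provides the baseline figures; the Nginx configurations add security and protocol optimizations. The test simulates a high-concurrency scenario (100 VUs for 60 seconds) and focuses on request latency, throughput and network efficiency. The data listing and comparative analysis are intended as a basis for deployment decisions.
Test tool
k6
Versions tested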
- k6 v1.5.0 (commit/7961cefa12, go1.25.5, linux/amd64)
- nginx version: nginx/1.26.3
- apache-tomcat-9.0.10
2. Data listing
tomcat
```
█ TOTAL RESULTS

    HTTP
    http_req_duration..............: avg=826.19µs min=24.55µs med=607.7µs max=64.68ms p(90)=1.63ms p(95)=2.01ms
      { expected_response:true }...: avg=826.19µs min=24.55µs med=607.7µs max=64.68ms p(90)=1.63ms p(95)=2.01ms
    http_req_failed................: 0.00% 0 out of 6990228
    http_reqs......................: 6990228 116502.037433/s

    EXECUTION
    iteration_duration.............: avg=850.21µs min=37.74µs med=629.04µs max=68.01ms p(90)=1.66ms p(95)=2.04ms
    iterations.....................: 6990228 116502.037433/s
    vus............................: 100 min=100 max=100
    vus_max........................: 100 min=100 max=100

    NETWORK
    data_received..................: 5.7 GB 95 MB/s
    data_sent......................: 797 MB 13 MB/s

running (1m00.0s), 000/100 VUs, 6990228 complete and 0 interrupted iterations
```
nginx(tls13) + tomcat
```
█ TOTAL RESULTS

    HTTP
    http_req_duration..............: avg=1.88ms min=92.96µs med=1.47ms max=31.19ms p(90)=3.62ms p(95)=4.34ms
      { expected_response:true }...: avg=1.88ms min=92.96µs med=1.47ms max=31.19ms p(90)=3.62ms p(95)=4.34ms
    http_req_failed................: 0.00% 0 out of 3099852
    http_reqs......................: 3099852 51663.425417/s

    EXECUTION
    iteration_duration.............: avg=1.92ms min=109.16µs med=1.5ms max=89.05ms p(90)=3.67ms p(95)=4.39ms
    iterations.....................: 3099852 51663.425417/s
    vus............................: 100 min=100 max=100
    vus_max........................: 100 min=100 max=100

    NETWORK
    data_received..................: 2.7 GB 45 MB/s
    data_sent......................: 411 MB 6.9 MB/s

running (1m00.0s), 000/100 VUs, 3099852 complete and 0 interrupted iterations
```
nginx(tls13+http2) + tomcat
```
█ TOTAL RESULTS

    HTTP
    http_req_duration..............: avg=1.17ms min=52.18µs med=841.78µs max=52.75ms p(90)=2.21ms p(95)=3.21ms
      { expected_response:true }...: avg=1.17ms min=52.18µs med=841.78µs max=52.75ms p(90)=2.21ms p(95)=3.21ms
    http_req_failed................: 0.00% 0 out of 4920599
    http_reqs......................: 4920599 82004.172881/s

    EXECUTION
    iteration_duration.............: avg=1.2ms min=61.25µs med=869.66µs max=75.53ms p(90)=2.26ms p(95)=3.29ms
    iterations.....................: 4920599 82004.172881/s
    vus............................: 100 min=100 max=100
    vus_max........................: 100 min=100 max=100

    NETWORK
    data_received..................: 4.5 GB 75 MB/s
    data_sent......................: 215 MB 3.6 MB/s

running (1m00.0s), 000/100 VUs, 4920599 complete and 0 interrupted iterations
```
nginx(tls13+http3) + tomcat
```
█ TOTAL RESULTS

    HTTP
    http_req_duration..............: avg=1.11ms min=42.58µs med=796.26µs max=41.99ms p(90)=2.1ms p(95)=3.02ms
      { expected_response:true }...: avg=1.11ms min=42.58µs med=796.26µs max=41.99ms p(90)=2.1ms p(95)=3.02ms
    http_req_failed................: 0.00% 0 out of 5184268
    http_reqs......................: 5184268 86402.167089/s

    EXECUTION
    iteration_duration.............: avg=1.14ms min=52.56µs med=825.39µs max=68.9ms p(90)=2.15ms p(95)=3.1ms
    iterations.....................: 5184268 86402.167089/s
    vus............................: 100 min=100 max=100
    vus_max........................: 100 min=100 max=100

    NETWORK
    data_received..................: 5.4 GB 89 MB/s
    data_sent......................: 688 MB 12 MB/s

running (1m00.0s), 000/100 VUs, 5184268 complete and 0 interrupted iterations
default ✓ [======================================] 100 VUs 1m0s
```
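Data listing analysis: key metrics compared
The table below summarizes the core metrics from the test, using the Tomcat figures as the baseline and highlighting the differences between TLS 1.3, HTTP/2 and HTTP/3. All figures come from the test results; the error rate was 0.00% in every run, which indicates good system stability.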
| Configuration | Average latency (http_req_duration) | Throughput (requests/s) | Total requests | Data receive rate | Data send rate |
|---|---|---|---|---|---|
| Tomcat (baseline) | 826.19µs | 116,502.04 | 6,990,228 | 95 MB/s | 13 MB/s |
| Nginx + TLS 1.3 | 1.88ms | 51,663.43 | 3,099,852 | 45 MB/s | 6.9 MB/s |
| Nginx + TLS 1.3 + HTTP/2 | 1.17ms | 82,004.17 | 4,920,599 | 75 MB/s | 3.6 MB/s |
| Nginx + TLS 1.3 + HTTP/3 | 1.11ms | 86,402.17 | 5,184,268 | 89 MB/s | 12 MB/s |
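Key points of the analysis:
- Latency impact: adding TLS 1.3 raises average latency by about 127% (from 826.19µs to 1.88ms), mainly because of encryption handshake overhead. HTTP/2 and HTTP/3, through techniques such as multiplexing, bring latency down to 1.17ms and 1.11ms respectively, a 38-41% improvement over plain TLS 1.3.
- Throughput: the Tomcat baseline has the highest throughput (116,502 req/s). TLS 1.3 cuts throughput by 56%, while HTTP/2 and HTTP/3 recover to 70% and 74% of the baseline respectively, with HTTP/3 slightly ahead.
- Network efficiency: HTTP/2 and HTTP/3 significantly reduce the volume of data sent (HTTP/2 sends only 3.6 MB/s, for example), thanks to header compression and flow control. HTTP/3's data receive rate (89 MB/s) is close to the Tomcat baseline, which reflects its transport optimizations.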
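3. In-depth performance comparison: strengths and weaknesses of TLS 1.3, HTTP/2 and HTTP/3
Based on the test data and the configurations, the performance characteristics of each protocol are:
- TLS 1.3:
  - Strengths: strong security (forward secrecy, for example) and simple configuration (the SSL parameters).
  - Weaknesses: the largest loss in latency and throughput, caused by encryption overhead and processing in the proxy layer. Suited to scenarios with high security requirements and no extreme performance demands.
- HTTP/2:
  - Strengths: multiplexing reduces connection overhead (the http2 optimizations); latency is 38% lower and throughput 59% higher than with TLS 1.3 alone. Widely compatible and easy to deploy.
  - Weaknesses: still based on TCP, so it can suffer from head-of-line blocking; performance falls short of HTTP/3.
- HTTP/3:
  - Strengths: based on the QUIC protocol (`http3 on`); lowest latency (1.11ms), highest throughput (86,402 req/s) and strong resilience to packet loss. Best network efficiency, suited to high-latency environments.
  - Weaknesses: high deployment complexity; requires support in clients and libraries.
Key finding: HTTP/3 beats HTTP/2 on both latency and throughput, while TLS 1.3 is the security foundation but carries a high performance cost. The Tomcat baseline shows that performance is best with no proxy, but without the benefits of the modern protocols.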
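4. Best practices compared: deployment advice and configuration tuning
Based on the configurations, the best practices for each protocol are:
- General best practices:
  - Load-balance across upstream servers (for example an `upstream` block using `least_conn` and `keepalive`).
  - Add security headers (such as `Strict-Transport-Security`) and timeout settings (such as `proxy_read_timeout`).
- TLS 1.3 best practices:
  - Configure SSL session caching (for example `ssl_session_timeout`) to reduce handshake latency.
  - Where it fits: internal networks or compliance requirements, where security takes priority over performance.
- HTTP/2 best practices:
  - Enable `http2 on` and tune buffers (for example `http2_body_preread_size`).
  - Where it fits: public web services that balance security and performance and need compatibility with mainstream browsers.
- HTTP/3 best practices:
  - Configure `http3 on` and `reuseport`, and take advantage of QUIC's 0-RTT connections.
  - Where it fits: high-concurrency mobile applications or global distribution, where the lowest latency is the goal.
Comparison summary: HTTP/3 is the direction of the future, but HTTP/2 is easier to roll out. TLS 1.3 is the security cornerstone and should be combined with HTTP/2 or HTTP/3. The Tomcat baseline is a reminder that internal systems where security is not critical can use Tomcat directly to maximize performance.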
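Two items in the checklist above depend on nginx behaviour that is easy to miss: HTTP/3 is only served on a socket opened with `listen ... quic`, and a `location` that defines its own `add_header` does not inherit the server-level headers such as `Strict-Transport-Security`. The Python check below is an added example, not code from the original article or from nginx; `SAMPLE` is a constructed server block in the style of the appendix configs, and `parse` and `audit` are hypothetical helper names.

```python
import re

# Constructed sample in the style of the appendix server blocks (not the page's exact config).
SAMPLE = r'''
server {
    listen 443 ssl reuseport;
    http3 on;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Content-Type-Options nosniff;
    location / { proxy_pass http://app_backend; }
    location /health { return 200 "healthy\n"; add_header Content-Type text/plain; }
    location /static/ { root /var/www; add_header Cache-Control "public, immutable"; }
}
'''

# Double-quoted strings, structural characters, or bare words.
TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|[{};]|[^\s{};]+')

def parse(tokens):
    """Parse a token iterator into (words, children) nodes; children is None for plain directives."""
    nodes, words = [], []
    for tok in tokens:
        if tok == ';':
            nodes.append((words, None)); words = []
        elif tok == '{':
            nodes.append((words, parse(tokens))); words = []
        elif tok == '}':
            break
        else:
            words.append(tok)
    return nodes

def audit(config_text):
    """Return findings for every top-level server block (comments are stripped naively)."""
    findings = []
    tokens = iter(TOKEN.findall(re.sub(r'(?m)#.*$', '', config_text)))
    for words, body in parse(tokens):
        if words != ['server'] or body is None:
            continue
        plain = [w for w, kids in body if kids is None and w]
        # http3 only takes effect on sockets opened with "listen ... quic" (UDP).
        if ['http3', 'on'] in plain and not any(w[0] == 'listen' and 'quic' in w for w in plain):
            findings.append('http3 on without a "listen ... quic" socket: HTTP/3 is never served')
        # add_header is inherited only by levels that define no add_header of their own.
        inherited = [w[1] for w in plain if w[0] == 'add_header' and len(w) > 1]
        for w, kids in body:
            if kids and w and w[0] == 'location' and inherited \
                    and any(k[:1] == ['add_header'] for k, sub in kids if sub is None):
                findings.append(f'location {w[-1]}: own add_header drops inherited {", ".join(inherited)}')
    return findings

if __name__ == '__main__':
    print('\n'.join(audit(SAMPLE)))
```

The fix for the second finding is to repeat the security headers inside each location that sets a header of its own, or to move them into a shared include.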
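5. Conclusion
The test shows that modern protocols can effectively make up for the performance loss introduced by the security layer:
- Recommended setup: for production, prefer Nginx + TLS 1.3 + HTTP/3, which strikes the best balance between security and performance (latency is 34% above the baseline, but throughput recovers to 74%). Where HTTP/3 support is insufficient, HTTP/2 is a reliable fallback.
- Trade-offs: the Tomcat baseline shows that latency is lowest with no proxy, but public services should not be exposed directly. Tune the deployment to the network conditions (such as the health check in document 4).
- Final advice: protocol upgrades (such as HTTP/3) are key to performance optimization; validate them in a test environment before rolling them out fully. This analysis gives high-concurrency web applications a data-driven basis for decisions.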
6. Appendix
nginx tls13 configuration
```
upstream app_backend {
    least_conn;
    server 127.0.0.1:8080 max_fails=3 fail_timeout=30s;
    keepalive 32;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name demo_tls;
    server_tokens off;

    ssl_certificate cert.pem;
    ssl_certificate_key cert.key;

    ssl_session_timeout 5m;

    ssl_protocols TLSv1.3;
    # cipher list for TLS 1.2 and earlier; it does not select TLS 1.3 suites
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    root /var/www/html;

    index index.html index.htm index.nginx-debian.html;

    server_name _;

    location / {
        limit_except GET POST { deny all; }
        proxy_pass http://app_backend;
        # the Connection header is not cleared here, so nginx sends "Connection: close"
        # upstream and the keepalive pool defined above is not used
        proxy_http_version 1.1;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_connect_timeout 90;
        proxy_send_timeout 90;
        proxy_read_timeout 90;
        proxy_buffers 4 32k;
        proxy_busy_buffers_size 64k;
    }
}
```
nginx tls13+http2 configuration
```
upstream app_backend {
    least_conn;
    server 127.0.0.1:8080 max_fails=3 fail_timeout=30s;
    keepalive 32;
}

server {
    listen 443 ssl reuseport;
    http2 on;

    server_name demo_http2;
    server_tokens off;
    ssl_certificate cert.pem;
    ssl_certificate_key cert.key;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    ssl_protocols TLSv1.3;
    # cipher list for TLS 1.2 and earlier; it does not select TLS 1.3 suites
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    large_client_header_buffers 4 32k;
    http2_body_preread_size 128k;

    # security headers, set at server level
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";

    location / {
        proxy_pass http://app_backend;
        # HTTP/1.1 with an empty Connection header enables upstream keepalive
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_connect_timeout 5s;
        proxy_send_timeout 10s;
        proxy_read_timeout 30s;
        proxy_intercept_errors on;
        error_page 500 502 503 504 /50x.html;
    }

    location /health {
        access_log off;
        return 200 "healthy\n";
        # a location with its own add_header does not inherit the server-level add_header set
        add_header Content-Type text/plain;
    }

    location /static/ {
        root /var/www;
        expires 1y;
        # same here: the server-level security headers are not sent for this location
        add_header Cache-Control "public, immutable";
    }
}
```
nginx tls13+http3 configuration
```
upstream app_backend {
    least_conn;
    server 127.0.0.1:8080 max_fails=3 fail_timeout=30s;
    keepalive 32;
}

server {
    listen 443 ssl reuseport;
    # QUIC (UDP) listener: nginx serves HTTP/3 only on a socket opened with the "quic" parameter
    listen 443 quic reuseport;
    http3 on;

    server_name demo_http3;
    server_tokens off;
    ssl_certificate cert.pem;
    ssl_certificate_key cert.key;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    ssl_protocols TLSv1.3;
    # cipher list for TLS 1.2 and earlier; it does not select TLS 1.3 suites
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    large_client_header_buffers 4 32k;
    http2_body_preread_size 128k;

    # security headers, set at server level
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";

    location / {
        proxy_pass http://app_backend;
        # HTTP/1.1 with an empty Connection header enables upstream keepalive
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_connect_timeout 5s;
        proxy_send_timeout 10s;
        proxy_read_timeout 30s;
        proxy_intercept_errors on;
        error_page 500 502 503 504 /50x.html;
    }

    location /health {
        access_log off;
        return 200 "healthy\n";
        # a location with its own add_header does not inherit the server-level add_header set
        add_header Content-Type text/plain;
    }

    location /static/ {
        root /var/www;
        expires 1y;
        # same here: the server-level security headers are not sent for this location
        add_header Cache-Control "public, immutable";
    }
}
```