Differences

documentation:2.1:performances [2019/05/20 18:45]
xguimard [Cron optimization]
documentation:2.1:performances [2020/05/10 11:43] (current)
maxbes [LDAP performances]
Line 1: Line 1:
 ====== Performances ====== ====== Performances ======
  
-LemonLDAP::​NG is designed ​to be very performant. Indeed, it uses Apache2 threads capabilities. So to increase performances,​ prefer using [[http://httpd.apache.org/docs/2.2/misc/perf-tuning.html#​compiletime|mpm-worker]].+LemonLDAP::​NG is designed ​for high performance,​ both in throughput and response time. Indeed, it can use Apache2 threads capabilities ​**but** since Apache version 2.4, mpm_worker seems to break mod_perl. So to increase performances,​ prefer using Nginx. 
 + 
 +===== Built-in ===== 
 +==== Cache system ==== 
 + 
 +LLNG uses different cache systems to avoid querying to many the databases: 
 + 
 +^                 ​^ ​          ​Lifetime in memory ​            ​^^ ​     Lifetime in Local-Cache (file) ​        ​^^ ​ DB  ^ 
 +^                 ​^ ​         Parameter ​        ​^ ​  ​Default ​   ^        Parameter ​           ^    Default ​    ​^ ​     ^ 
 +^  Configuration ​ |     ''​checkTime'' ​         |  1 second ​   |                     ​| ​ Until "​reload"​ order  |  ✔   | 
 +^     ​Session ​    ​| ​ ''​handlerInternalCache'' ​ |  15 seconds ​ |  ''​default_expires_in''​(*) ​ |   10 minutes ​  ​| ​ ✔   | 
 + 
 +//(*): Manager >> General parameters >> Sessions >> Sessions storage >> Cache module options// 
 + 
 +<​note>​ 
 +Configuration and sessions are first looked up in-memory, then in the cache file, and then in their backing storeThis means that after a configuration reload ​//(using Manager)//, you have to wait for ''​checkTime''​ before you can see your changes, or wait for configuration cache expiration in ''​checkTime''​ is disabled. 
 +</​note>​
  
 ===== Global performance ===== ===== Global performance =====
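Review bot: the added cache note and table intro have typos that should be fixed before this lands: "avoid querying to many the databases" should read "avoid querying the databases too many times", "backing storeThis means" is missing its sentence break, and "or wait for configuration cache expiration in ''checkTime'' is disabled" should be "if ''checkTime'' is disabled". The rewritten first paragraph also softens a factual statement to "mpm_worker seems to break mod_perl" with no version or reference; either state the incompatibility plainly with the affected versions or link the relevant issue, and consider keeping the removed Apache perf-tuning link for readers who still run Apache.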
Line 9: Line 25:
 To bypass this, you can: To bypass this, you can:
   * Use IP in configuration to avoid DNS resolution   * Use IP in configuration to avoid DNS resolution
-  * Install a DNS cache  like nscd, netmask ​or bind+  * Install a DNS cache  like nscd, dnsmasq ​or unbound
  
 ==== Cron optimization (or systemd timers) ==== ==== Cron optimization (or systemd timers) ====
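Review bot: replacing "netmask" (which is not a DNS cache) with dnsmasq, and bind with unbound, is correct; while touching this line, collapse the double space in "DNS cache  like" and consider adding that the local cache should listen on localhost only, so the SSO hosts do not end up running an open resolver.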
Line 16: Line 32:
   * purgeCentralCache:​ only 1 time every 10 minutes for the whole system (or more)   * purgeCentralCache:​ only 1 time every 10 minutes for the whole system (or more)
   * purgeLocalCache:​ ~ 1 time per hour on each server   * purgeLocalCache:​ ~ 1 time per hour on each server
 +
 ===== Handler performance ===== ===== Handler performance =====
  
Line 23: Line 40:
  
 Handlers check rights and calculate headers for each HTTP hit. So to improve performances,​ avoid too complex rules by using macros, groups or local macros. Handlers check rights and calculate headers for each HTTP hit. So to improve performances,​ avoid too complex rules by using macros, groups or local macros.
 +
 ==== Macros and groups ==== ==== Macros and groups ====
  
Line 28: Line 46:
   * macros are used to extend (or rewrite) [[exportedvars|exported variables]]. A macro is stored as attributes: it can contain boolean results or any string   * macros are used to extend (or rewrite) [[exportedvars|exported variables]]. A macro is stored as attributes: it can contain boolean results or any string
   * macros can also be used to import environment variables //(these variables are in CGI format)//. Example: ''​$ENV{HTTP_COOKIE}''​   * macros can also be used to import environment variables //(these variables are in CGI format)//. Example: ''​$ENV{HTTP_COOKIE}''​
-  ​* groups are stored as space-separated strings in the special attribute "​groups":​ it contains the names of groups whose rules were returned true for the current user +  * You can check for group membership of particular user with the ''​inGroup'' ​functionsee examples below. 
-  ​* You can also get groups in ''​$hGroups''​ which is Hash Reference of this form: +  * If you need more advanced processing of the group list (filteringrewriting) you may use ''​$groups'', ​a flat list of all the user's groups, separated by ''​'' ​(default values separator). Or the ''​$hGroups'' ​variable which is a perl hash whose keys are the group names.
-<code perl> +
-$hGroups = { +
-          ​'group3' ​=> { +
-                        '​description'​ => [ +
-                                           'Service 3', +
-                                           '​Service 3 TEST'​ +
-                                         ], +
-                        ​'cn' ​=> [ +
-                                  ​'group3' +
-                                ], +
-                        ​'name' ​=> 'group3' +
-                      }, +
-          ​'admin' ​=> { +
-                       'name' ​=> 'admin'​ +
-                     } +
-        } +
-</​code>​+
  
 Example for macros: Example for macros:
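Review bot: dropping the ''$hGroups'' dump removes the only place this page documented the hash layout (group name as key, with ''name'', ''cn'' and ''description'' entries), yet the unchanged "# Or with hGroups" example further down still relies on it; keep a condensed version of that structure or link to where it is documented. The new bullets also need copy-editing: "membership of particular user" should be "membership of a particular user", "functionsee examples below" is missing a comma and a space, "(filteringrewriting)" is missing its comma, and the separator in "separated by '' '' (default values separator)" is empty in this revision, so the reader cannot tell what the default separator actually is.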
Line 61: Line 62:
 </​code>​ </​code>​
  
-Example for groups:+Defining a group
 <code perl> <code perl>
 # group # group
 admin -> $uid eq '​foo'​ or $uid eq '​bar'​ admin -> $uid eq '​foo'​ or $uid eq '​bar'​
 +</​code>​
  
-# Use a group in rule +Using a group in an access ​rule 
-^/admin -> $groups =~ /\badmin\b/+<​code>​ 
 +# Using the inGroup macro: 
 +^/admin -> inGroup("​timelords"​)
  
 # Or with hGroups # Or with hGroups
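Review bot: the new access-rule example checks ''inGroup("timelords")'' while the group defined just above is ''admin'', so the two snippets no longer illustrate the same group; use ''inGroup("admin")'' (or define ''timelords'') so a reader can follow the flow from definition to rule. The new block also uses a bare ''<code>'' where the rest of the page uses ''<code perl>'', and the "Defining a group" / "Using a group in an access rule" lead-ins drop the trailing colon that "Example for macros:" keeps.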
Line 108: Line 112:
 ==== Apache::​Session performances ==== ==== Apache::​Session performances ====
  
-Lemonldap::​NG handlers use a local cache to store sessions (for 10 minutes). So Apache::​Session module is not a problem for handlers. ​It can be a brake for the portal:+Lemonldap::​NG handlers use a local cache to store sessions (for 10 minutes). So Apache::​Session module is not a problem for handlers. ​But it can be a bottleneck ​for the portal:
   - When you use the multiple sessions restriction parameters, sessions are parsed for each authentication unless you use an [[https://​metacpan.org/​module/​Apache::​Session::​Browseable|Apache::​Session::​Browseable]] module.   - When you use the multiple sessions restriction parameters, sessions are parsed for each authentication unless you use an [[https://​metacpan.org/​module/​Apache::​Session::​Browseable|Apache::​Session::​Browseable]] module.
   - Since MySQL does not have always transaction feature, Apache::​Session::​MySQL has been designed to use MySQL locks. Since MySQL performances are very bad using this, if you want to store sessions in a MySQL database, prefer one of the following   - Since MySQL does not have always transaction feature, Apache::​Session::​MySQL has been designed to use MySQL locks. Since MySQL performances are very bad using this, if you want to store sessions in a MySQL database, prefer one of the following
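Review bot: "But it can be a bottleneck for the portal" is a clear improvement over "brake"; the unchanged second item below still reads "Since MySQL does not have always transaction feature", which should be "Since MySQL does not always provide transactions", and "prefer one of the following" should end with a colon since it introduces the list that follows.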
Line 191: Line 195:
 <note important>​Don'​t forget to create an index on the field used to find users (uid by default)</​note>​ <note important>​Don'​t forget to create an index on the field used to find users (uid by default)</​note>​
  
-<note tip>To avoid having ​group dn stored ​in sessions datas, you can use a macro to rewrite memberOf: +<note tip>To avoid storing the full group DNs in session data, you can use a macro to rewrite ​''​memberOf''​: 
-  * Exported variables + 
-<​code>​ +  ​* In *Exported variables*, export the ''​memberOf''​ LDAP attribute as a ''​ldapGroups''​ session variable 
-ldapgroups -> memberOf+    * key: ''​ldapGroups''​ 
 +    * value: ''​memberOf''​ 
 + 
 +  * Next, add a ''​ldapGroups''​ macro that will overwrite the exported attribute 
 +    * key: ''​ldapGroups''​ 
 +    * value: ​ 
 +<code="​perl"​
 +join(";​ ",​($ldapGroups =~ /​cn=(.*?​),/​g))
 </​code>​ </​code>​
-For now, ldapgroups contains "​cn=admin,​dmdName=groups,​dc=example,​dc=com cn=su,​dmdName=groups,​dc=example,​dc=com"​ 
  
-  * A little macro:+''​ldapGroups''​ should now contain something like ''​admin;​ su''​ just like it would if you had used the regular, slower group resolution mechanism. 
 + 
 +You can use [[extendedfunctions#​listmatch|listMatch($ldapGroups,​ "​some_group"​)]] in your access rules. 
 +</​note>​ 
 + 
 +==== NGINX performances ==== 
 + 
 +To increase launch by web browser, for example to load js, css, or fonts, Gzip compression can be activated. 
 + 
 +Edit file /​etc/​nginx/​mime.types 
 +Check those lines or add :
 <code perl> <code perl>
-ldapgroups -> join(" ",​($ldapgroups =~ /cn=(.*?),/g))+application/vnd.ms-fontobject ​   eot; 
 +application/​x-font-ttf ​          ​ttf;​ 
 +application/​font-woff ​           woff; 
 +font/opentype ​                   ott;
 </​code>​ </​code>​
-Now ldapgroups contains ​"admin su+ 
-</note>+Edit file /​etc/​nginx/​nginx.conf 
 +<code perl> 
 +gzip on; # active la compression Gzip 
 +gzip_disable ​"msie6";  
 +  
 +gzip_vary on; 
 +gzip_proxied any; 
 +gzip_comp_level 6; 
 +gzip_buffers 16 8k; 
 +gzip_http_version 1.1; 
 +gzip_min_length 128; 
 +gzip_types text/plain text/css application/​json application/​javascript application/​x-javascript text/xml application/​xml application/​rss+xml text/​javascript application/​vnd.ms-fontobject application/​x-font-ttf font/​opentype image/jpeg image/png image/​svg+xml image/​x-icon;​ 
 +</code> 
 + 
 +Restart NGINX and watch web-browser console.
  
 ===== Manager performances ===== ===== Manager performances =====
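Review bot: ''<code="perl">'' in the ldapGroups macro step is not a valid DokuWiki code tag (the rest of the page uses ''<code perl>'') and will not render the ''join(...)'' line as intended; fix the tag. In the NGINX section, ''font/opentype ott;'' looks like a typo for ''otf'' (ott is the OpenDocument text template extension), the two nginx blocks are tagged ''<code perl>'' although they hold nginx configuration, and the French comment ''# active la compression Gzip'' should be translated. Two content points as well: ''image/jpeg'' and ''image/png'' in ''gzip_types'' cost CPU for no gain because those formats are already compressed, and a global ''gzip on;'' also compresses the portal's dynamic HTML (text/html is always in the set), which on a TLS-protected SSO portal exposes any response that reflects user-controlled input alongside secrets such as CSRF tokens to BREACH-style compression attacks; since the stated goal is js, css and fonts, scope the gzip directives to the static-asset locations instead. Finally, "To increase launch by web browser" should read something like "To speed up page loading in the browser".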
Line 215: Line 252:
 </​code>​ </​code>​
  
 +==== Enable compactConf parameter ====
 +
 +By enabling compactConf option, all unused configuration parameters are removed. Could be usefull to shrink lemonldap-ng configuration file and save space.
 +
 +Go in Manager, ''​General Parameters''​ » ''​Configuration reload''​ » ''​Compact configuration file
 +''​ and set to ''​On''​.
 ==== Use static HTML files ==== ==== Use static HTML files ====
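Review bot: the compactConf section needs copy-editing and a structural fix: "usefull" should be "useful", "Could be usefull to shrink..." is a sentence fragment ("This can be useful to shrink the lemonldap-ng configuration file and save space"), the ''Compact configuration file'' label is split across two lines so its closing quotes land on a line of their own, and a blank line is missing before "==== Use static HTML files ====". It would also help to define what "unused" means here, so administrators know which parameters the option removes and that nothing they rely on is dropped.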