Basic Authentication causes massive drop in performance


#1

Hi,

Im using HA-Proxy version 1.5.18 on a CentOS 7 . I have activated basic auth for a backend (as shown below), which sadly causes the site to load in about 8.2 seconds, compared to the 1.6 seconds when commenting out the first 2 lines of the backend. When profiling the traffic inside the browser it seems that every single request (about 20 of them) takes much longer to complete for said backend. The userlist which to check against contains 10 users. The haproxy is also used to terminate TLS for this backend.

I couldn’t find similar issues from other users so i would appreciate some input. Thanks

userlist basic-auth-userlist
group nonprod_manager
group prod_manager
user someuser password $5$rounds=535…

backend cpx_prod_mgr_http
acl mgr-auth http_auth(basic-auth-userlist) prod_manager
http-request auth realm IMmanager unless mgr-auth
cookie CPXG prefix
option httpchk get /triboni
server pwildfly01.prod.cpx.local 10.21.2.1:8380 check inter 15000 fastinter 2000 fall 1 rise 1 weight 1
stats enable
stats refresh 20s
stats show-desc CPX Production Backend MGR


#2

The password you are using uses a strong hash. For every single request haproxy needs to calculate that. That’s where your latency comes from.

Use a fast hash or plaintext, that’s the only way to get performant Basic Authentication (in any product).


#3

I have switched to md5 and the loading time has been reduced to about 1.6 seconds. Thanks for the advice, i wasn’t aware that sha256 was this expensive. I assume that the hashing function is used multiple times (hash of a hash) but i couldn’t find any info on this in the manpage for crypt(3) .

Edit: Just noticed the “rounds=535000” parameter in the string above …


#4

Right, its not that sha256 is much more expensive, it’s that your doing it half a million times.