Kunpeng BoostKit for Web Technical White Paper Issue 07 Date 2021-07-28 HUAWEI TECHNOLOGIES CO., LTD.


Copyright © Huawei Technologies Co., Ltd. 2021. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice

The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.

Issue 07 (2021-07-28) Copyright © Huawei Technologies Co., Ltd. i


Contents

1 Overview
1.1 Background
1.2 Challenges
1.3 Solution Overview

2 Architecture

3 Advantages

4 Applications
4.1 SSL Offloading
4.2 Nginx Load Balancing
4.3 Nginx Web Server
4.4 Memcached

5 Networking

6 Typical Configurations

7 Feature List

8 Software Compatibility

9 Process

A Change History


1 Overview

1.1 Background

1.2 Challenges

1.3 Solution Overview

1.1 Background

With the rise of Internet services and explosion of network data, the web bears more and more information and user service data. The web has become the default front-end display for traditional software and intelligent mobile terminals. Web-based apps are increasingly popular, especially for mobile terminals. The web back end of the Internet and software companies requires strong processing capabilities to respond to more and more web requests.

With the rapid development of the Internet, the number of web users and the amount of data carried on the web surge. Therefore, the secure access of network data becomes more and more important. Web data transmission needs to be changed from plaintext transmission to encrypted transmission, that is, from Hypertext Transfer Protocol (HTTP) to Hypertext Transfer Protocol Secure (HTTPS). HTTPS uses the Rivest-Shamir-Adleman (RSA) encryption algorithm by default. When a client accesses the server, the RSA algorithm consumes a large amount of CPU computing power. The more client access requests, the more CPU computing power is required.

Figure 1-1 HTTPS


Figure 1-2 Percentage of web pages loaded over HTTPS in Chrome by platform

As indicated by the Google Transparency Report, the percentage of web pages loaded over HTTPS in Chrome has grown rapidly over the years.

As of May 30, 2020, the statistics of web pages loaded over HTTPS in Chrome by platform are as follows:

● Windows: 88%
● Android: 91%
● Mac: 93%
● Chrome OS: 96%

According to statistics on HTTPS on top websites, 96 of 100 top websites default to HTTPS and 100 sites support HTTPS.

Data source: Google Transparency Report

As a result, data processing devices are required to:

● Process more concurrent service requests.
● Process encrypted web requests promptly.

The websites that use HTTPS include:

● E-commerce platforms and their payment platforms
● High-privacy websites of banking systems, financial institutions, and telecom industry
● Government organizations, universities, healthcare industry, research institutes and websites
● Websites whose traffic is mainly from search engines
● Enterprise communication platforms mainly used for internal office systems


1.2 Challenges

HTTPS is used for secure communication over a computer network. On a computer network, HTTPS uses HTTP for communication and uses Secure Sockets Layer (SSL) or Transport Layer Security (TLS) to encrypt data packets to be transferred. The asymmetric encryption algorithm is much less efficient than the symmetric encryption algorithm. Therefore, the asymmetric encryption algorithm is used only in the SSL/TLS handshake phase of HTTPS rather than in the entire HTTPS interaction process. RSA2048 is the most commonly used asymmetric encryption algorithm in the SSL/TLS handshake phase. It uses the general-purpose CPUs for computing, which has low efficiency. The processing capability of a physical core of an x86 CPU is about 650 times per second. The processing capability of an x86 high-end server is lower than 20,000 times per second. The CPU performance is a bottleneck. Generally, hardware acceleration is widely used in the industry to offload the encryption algorithm to improve the performance of a single device to 80,000 to 100,000 times per second.

Figure 1-3 HTTPS SSL/TLS handshake process


1.3 Solution Overview

Powered by Huawei Kunpeng processors, TaiShan 200 servers provide ultimate computing power and concurrent processing capabilities. In high-concurrency web applications, the multi-core Kunpeng processors and high memory bandwidth can improve web service performance.

Based on TaiShan 200 servers, the Kunpeng BoostKit for Web provides standard software services based on open source software. This solution supports high concurrency, multiple web components, and hardware offloading of the RSA algorithm. It features simple installation and easy O&M, helping you quickly roll out services and reduce O&M costs.

You can download and compile the binary installation package of the web components, deploy web services, and configure software based on the performance tuning guide to achieve the optimal performance of web components.

The Kunpeng BoostKit for Web targets:

● Enterprise websites
● Internet service providers (ISPs)
● Internet application enterprises


2 Architecture

The Kunpeng BoostKit for Web complies with open architecture standards and supports all open source web components. It is suitable for a wide range of scenarios. Figure 2-1 shows the Kunpeng BoostKit for Web software stack. Table 2-1 describes the related components.

Figure 2-1 Kunpeng BoostKit for Web software stack

Table 2-1 Kunpeng BoostKit for Web components

| Component | Description |
|---|---|
| Web load balancing | Supports Nginx, LVS, and HAProxy. |
| Web Server | Supports Tomcat, Nginx, Apache, Lighttpd, JBoss, and TomEE. |
| Web cache | Supports Memcached, Redis, Squid, and Varnish. |
| Other middleware | Supports Dubbo, Spring Cloud, Spring Boot, and Spring Framework. |
| Commercial web suite | Supports TongWeb, Apusic, InforSuite AS, and BES. |
| Development/Runtime environment | Supports OpenJDK, BiSheng JDK, .NET Core, and HHVM. |
| SSL offloading (RSA acceleration) | Offloads RSA2048 computation to the Kunpeng RSA acceleration engine provided by the TaiShan 200 server to release CPU computing power. |
| Hardware platform | Supports TaiShan 200 servers. |

The Kunpeng BoostKit for Web covers web scenarios shown in Figure 2-2.

Figure 2-2 Node architecture in web scenarios

When a client accesses a website over the Internet, the reverse proxy server processes the HTTP/HTTPS request and forwards the request to one or more web servers based on the configured policy. The reverse proxy server functions as a load balancer to implement load balancing of the web servers.

The web servers and application server cooperate with the back-end devices to process the web service requests from the client. The final response is returned to the client through the reverse proxy server.

In actual deployment, you can adjust the components based on the actual access traffic and performance analysis. For example, application servers can be deployed in a cluster to greatly improve the processing capability of web services. Deploying reverse proxy servers or web servers in a cluster can greatly shorten the response time of front-end web requests and improve user experience.


3 Advantages

The Kunpeng BoostKit for Web supports all open source web applications. It is easy to install, deploy, and configure. The multi-core architecture and KAE provided by Huawei Kunpeng 920 processors deliver excellent high-concurrency processing capabilities. This solution provides the following benefits:

Open Ecosystem

The Kunpeng BoostKit for Web supports open source web applications and frameworks developed using languages such as C/C++/C#, Java, Python, Perl, PHP, and Go. In addition, it adapts to commercial web applications such as TongWeb, Apusic, InforSuite AS, and BES. The following open source web applications have been ported, tuned, and opened in the Kunpeng community:

● Web load balancing: Nginx, LVS, and HAProxy
● Web server: Tomcat, Nginx, Apache, Lighttpd, JBoss, and TomEE
● Web cache: Memcached, Redis, Squid, and Varnish

High Performance

● The KAE provided by the Huawei Kunpeng 920 processes the RSA2048 asymmetric encryption and decryption algorithms during HTTPS processing, which were formerly processed by CPUs. The KAE delivers 1x higher HTTPS processing performance than software computing. More CPU resources are released for service processing.
● The multi-core architecture and multi-core scheduling optimization algorithm based on Huawei Kunpeng 920 processors significantly improve the performance of web applications, which feature high concurrency, low latency, and intensive computing.

Ease of Use

The Kunpeng BoostKit for Web provides the following O&M features:

● Easy installation: Porting guides and installation scripts are provided for all web components.
● Simple performance tuning: Performance tuning guides and scripts are provided for all web components to maximize the performance of Kunpeng processors.


Flexible Deployment

The Kunpeng BoostKit for Web supports all installation and deployment modes in the industry. It can be deployed on physical machines, virtual machines (VMs), and containers to meet various service requirements.


4 Applications

4.1 SSL Offloading

4.2 Nginx Load Balancing

4.3 Nginx Web Server

4.4 Memcached

4.1 SSL Offloading

Nginx is used as the unified network access entry, and HTTPS is used for secure transmission.

The KAE provided by the Kunpeng processors of TaiShan 200 servers offloads the processing of SSL/TLS encryption and decryption algorithms in HTTPS transmission scenarios, greatly improving HTTPS processing performance.

This solution accelerates the asymmetric encryption and decryption in the process of SSL/TLS handshakes during HTTPS request processing. As shown in Figure 4-1, Nginx asynchronously invokes the KAE of OpenSSL to implement the acceleration. The RSA2048 algorithm computation during encryption is done in hardware rather than by the CPUs. TaiShan 200 servers (model 2280) support 100,000 OPS, as shown in Table 4-1. The KAE provides the OpenSSL API and custom API, which can be used by Nginx and user-developed software.

Table 4-1 KAE APIs

| Interface | Description | Typical Application |
|---|---|---|
| OpenSSL API | The KAE is integrated into OpenSSL as an engine. | Nginx and user-developed software |
| Custom API | The user-mode library is used to invoke user-developed software. | User-developed software |


Figure 4-1 RSA encryption and decryption performance improved by the KAE

This solution is implemented by the KAE integrated in Huawei Kunpeng processors. It provides high performance and features low power consumption.

4.2 Nginx Load Balancing

Nginx is used as the web reverse proxy or load balancer.

The TaiShan 200 server can function as a web reverse proxy or load balancer. It uses the multi-core capability of the Kunpeng processors to provide higher web request processing and forwarding capabilities.

Generally, reverse proxy and load balancing servers are deployed for large websites. Nginx is the most common and high-performance server.

When functioning as a reverse proxy server, the server receives a request from a client, selects an actual proxied server, forwards the request, and returns a response to the client. In this process, the information transmitted between the following nodes needs to be maintained to ensure that the responses can be returned along the original path: the client and the reverse proxy server, and the reverse proxy server and the actual servers. In this way, only the address of the proxy server is presented to the user, which avoids unnecessary disclosure of all the server addresses.

You can configure upstream to implement load balancing when Nginx is used as a reverse proxy server. When a request is received, a server from the server cluster configured in upstream is selected based on certain policies to process the request.
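The upstream-based load balancing described above, as an added example that is not part of the white paper: the pool name web_backend, the 192.0.2.x backend addresses, www.example.com and the certificate paths are placeholders. Because the actual servers only ever see the proxy's address, the proxy passes the client details on in headers and overwrites any value the client supplied itself.

```nginx
# Added example: Nginx as a TLS-terminating reverse proxy and load balancer.
# Pool name, backend addresses, host name and certificate paths are placeholders.
events {}

http {
    # Do not advertise the Nginx version in responses and error pages.
    server_tokens off;

    upstream web_backend {
        # Selection policy. Without this line Nginx uses weighted round robin;
        # least_conn picks the server with the fewest active connections.
        least_conn;

        # A server is taken out of rotation for fail_timeout after
        # max_fails failed attempts within that same window.
        server 192.0.2.11:8080 weight=2 max_fails=3 fail_timeout=10s;
        server 192.0.2.12:8080 max_fails=3 fail_timeout=10s;
        server 192.0.2.13:8080 backup;   # used only when the others are unavailable
    }

    server {
        listen 443 ssl;
        server_name www.example.com;

        ssl_certificate     /etc/nginx/tls/example.crt;
        ssl_certificate_key /etc/nginx/tls/example.key;
        ssl_protocols       TLSv1.2 TLSv1.3;

        location / {
            proxy_pass http://web_backend;

            # Backends see only the proxy's address, so forward the original
            # client details for logging and access control.
            proxy_set_header Host              $host;
            proxy_set_header X-Real-IP         $remote_addr;
            proxy_set_header X-Forwarded-Proto $scheme;

            # At the edge, overwrite X-Forwarded-For instead of appending to
            # it, so a value sent by the client is never trusted downstream.
            proxy_set_header X-Forwarded-For   $remote_addr;

            # Strip a header that discloses the backend software.
            proxy_hide_header X-Powered-By;

            # On a connection error or timeout, retry with the next server.
            proxy_next_upstream error timeout;
        }
    }
}
```

Running `nginx -t -c` against the file checks the syntax before a reload.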


Figure 4-2 shows the load balancing process. Load balancing allows horizontal expansion of the service processing capability of the entire system.

Figure 4-2 Nginx acting as a web reverse proxy or load balancer

Using the Kunpeng BoostKit for Web in Nginx load balancing scenarios has the following features:

● Linear scalability

TaiShan 200 servers can be deployed as a reverse proxy cluster or load balancing cluster and support linear cluster expansion.

● High performance

Performance tuning can be performed to unleash the advantages of Huawei multi-core Kunpeng processors to provide higher performance.

4.3 Nginx Web Server

Nginx is used as a web server.

Nginx can be deployed as a static resource web server to efficiently process static resource requests and separate dynamic and static resources. Files that are not dynamically generated by the server are static resources. Static resources include but are not limited to the following:

| Category | Type |
|---|---|
| Rendering on the browser | HTML, CSS, JS |
| Image | JPEG, GIF, PNG |
| Audio & video | FLV, MP4, MP3 |
| File | TXT and any downloaded file |

You can use the server block in the configuration file to define virtual servers, use the root directive to specify the root directory for searching for files, and use the location directive to define the matched block. You can also use the index directive to define the index file name (index.html by default), as shown in the following example:

server {
    listen 80;
    server_name localhost;

    # Default location: HTML pages and the index file.
    location / {
        root /home/www/html;
        index index.html index.htm;
    }

    # Image requests, matched by file extension.
    location ~ .*\.(gif|jpg|jpeg|png)$ {
        root /home/www/images/;
    }

    # Audio and video requests, matched by file extension.
    location ~ \.(mp3|mp4)$ {
        root /home/www/media;
    }
}

Table 4-2 describes the parameters in the example.

Table 4-2 Parameters for configuring Nginx as a web server

| Parameter | Description |
|---|---|
| listen 80; | Specifies the port number. |
| server_name localhost; | Specifies the local host. |
| root /home/www/html; | Specifies the access path. |
| index index.html index.htm; | Specifies the HTML file name. |

Nginx is widely used as the web server because of its excellent web request processing performance in high-concurrency scenarios. The TaiShan 200 server supports deployment of Nginx web server on physical machines and VMs. The multi-core advantage of Huawei Kunpeng processor can further improve the processing performance in high concurrency scenarios. It has great performance advantages in HTTP/HTTPS short and persistent connections.


4.4 Memcached

Memcached is used as a web cache server.

Memcached is a free, open-source, high-performance distributed memory object caching system. It is an in-memory key-value store for small chunks of arbitrary data (strings or objects) from results of database calls, API calls, or page rendering. Memcached is used to cache database query results to reduce the number of database accesses, which speeds up dynamic web applications and improves scalability.

Memcached can be deployed on a TaiShan physical server or a VM hosted on a TaiShan server. The multi-core Kunpeng processors and multi-channel memory further improve the Memcached performance.

Memcached keeps its data in memory and has almost no drive I/O access. Therefore, the memory access capability has a great impact on the performance. The Huawei Kunpeng processors support 8-channel DDR4 access to deliver high performance. When large VMs and physical machines are used, the multi-core features of Huawei Kunpeng processors can greatly improve the Memcached performance.


5 Networking

The Kunpeng BoostKit for Web has no special requirements on system networking. You can flexibly configure the networking based on web components and application scenarios.


6 Typical Configurations

TaiShan 200 servers are recommended. The recommended configurations are as follows:

| Item | Typical Configuration | Description |
|---|---|---|
| Server | TaiShan 200 server (model 2280) | - |
| CPU | 2 x Huawei Kunpeng 920 5220 processor | The configuration can be adjusted based on service specifications and requirements. |
| Memory | 12 x 16 GB (DDR4, 2933 MHz) | The configuration can be adjusted based on service specifications and requirements. |
| System drive | 2 x 480 GB SATA SSD | Data drives can be added based on service specifications and requirements. |
| RAID controller card | Avago SAS3508 | RAID controller cards can be configured based on service requirements. |
| NIC | 1 x dual-port GE NIC, 2 x dual-port 10GE NIC | The NIC configuration can be adjusted based on the service specifications and actual requirements. Alternatively, you can purchase 40GE NICs. |

In scenarios that have higher performance requirements, use the following configurations:

| Item | Typical Configuration | Description |
|---|---|---|
| Server | TaiShan 200 server (model 2280) | - |
| CPU | 2 x Huawei Kunpeng 920 5250 processor | The configuration can be adjusted based on service specifications and requirements. |
| Memory | 12 x 32 GB (DDR4, 2933 MHz) | The configuration can be adjusted based on service specifications and requirements. |
| System drive | 2 x 480 GB SATA SSD | Data drives can be added based on service specifications and requirements. |
| RAID controller card | Avago SAS3508 | RAID controller cards can be configured based on service requirements. |
| NIC | 1 x dual-port GE NIC, 2 x dual-port 10GE NIC | The NIC configuration can be adjusted based on the service specifications and actual requirements. Alternatively, you can purchase 40GE NICs. |


7 Feature List

Feature: SSL offloading

Sub-Feature: KAE RSA encryption and decryption

Feature Description: When Nginx is used to process HTTPS requests, enable the SSL module to allow the Kunpeng RSA acceleration engine to accelerate RSA-based asymmetric encryption and decryption during the SSL/TLS handshake process in HTTPS request processing.

Constraint:

● Supported OSs: CentOS 7.6 and openEuler 20.03 LTS SP1.
● Other requirements: Asymmetric encryption algorithm RSA supports synchronous and asynchronous modes and key sizes 1024, 2048, 3072, and 4096.

Support for VMs: Yes

Remarks: KAE RSA encryption and decryption can be used in virtualization scenarios. VMs share the RSA acceleration capability of the physical machine where the VMs are located. However, due to the performance limitation of a single VM, the RSA acceleration capability of the physical machine cannot be fully utilized. The performance improvement result depends on the VM specifications.

For details about how to enable and use the SSL offloading feature, see KAE RSA Encryption and Decryption Feature Guide.


8 Software Compatibility

Visit Compatibility Checker to obtain information about the software supported by the Kunpeng BoostKit for Web.


9 Process

Figure 9-1 Kunpeng BoostKit for Web workflow


A Change History

| Date | Description |
|---|---|
| 2021-07-28 | This issue is the seventh official release. Updated the flowchart. |
| 2021-05-26 | This issue is the sixth official release. Changed the solution name from "HTTPS RSA Acceleration" to "KAE RSA Encryption and Decryption." |
| 2021-03-24 | This issue is the fifth official release. Changed the solution name from "Kunpeng Web Solution" to "Kunpeng BoostKit for Web." |
| 2020-12-29 | This issue is the fourth official release. |
| 2020-09-21 | This issue is the third official release. Changed the solution name from "Kunpeng Web Application Solution" to "Kunpeng Web Solution." |
| 2020-07-02 | This issue is the second official release. |
| 2020-06-10 | This issue is the first official release. |
