一、SSL加速卡介紹
官方文檔: https://01.org/intel-quickassist-technology
官方性能報告:https://01.org/sites/default/files/downloads/intelr-quickassist-technology/intelquickassisttechnologyopensslperformance.pdf
官方加速卡介紹:http://www.intel.com/content/dam/www/public/us/en/documents/product-briefs/quickassist-adapter-8950-brief.pdf
Linux安裝使用文檔:https://01.org/sites/default/files/downloads//337020-003-qatwcontaineranddocker.pdf
二、參考安裝文檔使用SSL加速卡
2.1 安裝QAT軟件
(1)百度搜索加速卡型號,獲取QAT驅動程序(下載請以Intel官方站點為準,不要使用搜索結果中的第三方鏡像)
(2)安裝QAT驅動程序
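# Install the QAT driver under /opt/QAT; later build steps find it through ICP_ROOT.
export ICP_ROOT=/opt/QAT
mkdir -p "$ICP_ROOT" # -p: do not fail when the directory already exists
cd "$ICP_ROOT"
wget https://downloadmirror.intel.com/30178/eng/QAT1.7.L.4.13.0-00009.tar.gz # the official driver package from step (1)
# The archive is configured, built and installed system-wide below, so check it
# against the checksum shown on Intel's download page before unpacking. Replace
# the placeholder, and use the matching *sum tool if Intel publishes another
# algorithm. tar only runs when the check reports OK.
echo "<SHA256_FROM_INTEL_DOWNLOAD_PAGE>  QAT1.7.L.4.13.0-00009.tar.gz" | sha256sum -c - \
  && tar xf QAT1.7.L.4.13.0-00009.tar.gz
./configure
make -j "$(nproc)" # one job per available CPU instead of a fixed 40
make install
service qat_service status
cpa_sample_code runTests=2 # checks that the QAT driver installed correctly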
2.2 安裝openssl
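# Build a private OpenSSL under /usr/local/ssl for the QAT engine and nginx to link against.
git clone https://github.com/openssl/openssl.git
cd openssl/
# The author reports that the newest OpenSSL broke the later qat_engine build
# (presumably QAT_Engine did not support it yet), hence the 1.1.1 series.
# OpenSSL_1_1_1 is that series' first release tag and lacks the security fixes
# shipped in the later 1.1.1 letter releases; the 1.1.1 series is also
# end-of-life upstream. Set OPENSSL_TAG to the newest release tag your
# QAT_Engine version supports; the default keeps the page's original tag.
git checkout "${OPENSSL_TAG:-OpenSSL_1_1_1}"
./config --prefix=/usr/local/ssl -Wl,-rpath,/usr/local/ssl/lib
make -j "$(nproc)" # one job per available CPU instead of a fixed 40
make install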
2.3 安裝QAT_engine
# Build the QAT OpenSSL engine: first the qat_contig_mem kernel module, then the engine itself.
# NOTE(review): the clone builds whatever the default branch holds today; check out
# a release tag (<QAT_ENGINE_RELEASE_TAG>) for a reproducible, reviewable build.
git clone https://github.com/intel/QAT_Engine.git
cd QAT_Engine/qat_contig_mem
make # fails here for the author with: error: dereferencing pointer to incomplete type ‘struct task_struct’; fixed by following http://www.voidcn.com/article/p-pwrzhtun-em.html
vim qat_contig_mem.c
#include <linux/sched.h> # add this line; the author inserted it on the line before the one the error points at
# presumably loads the freshly built kernel module; confirm against the Makefile
make load
make test
……
Hello world! # expected output
……
cd ..
./autogen.sh
# Points the engine build at the driver tree from 2.1 and the OpenSSL prefix from 2.2.
# NOTE(review): the page stops at configure; presumably make / make install follow. Confirm against the QAT_Engine README.
./configure --with-qat_hw-dir=/opt/QAT --with-openssl_install_dir=/usr/local/ssl
2.4 安裝QATzip
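# Build and install QATzip against the QAT driver tree installed in section 2.1.
git clone https://github.com/intel/QATzip.git
cd QATzip/
# ICP_ROOT was exported in 2.1. In a fresh shell it is unset and configure would
# receive an empty path; ${ICP_ROOT:?} stops with a message instead.
./configure --with-ICP_ROOT="${ICP_ROOT:?export ICP_ROOT=/opt/QAT first}"
make clean
make all install
service qat_service restart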
2.5 安裝nginx + qat模塊
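# Configure Intel's async-mode nginx with the QAT and QATzip dynamic modules.
git clone https://github.com/intel/asynch_mode_nginx.git
cd asynch_mode_nginx/
# The configure line reads three variables, but this page only ever exports
# ICP_ROOT. An unset one expands to nothing, giving flags like -I/include and
# -L/lib, so nginx may be built against whatever OpenSSL the system finds rather
# than the one built in 2.2. Stop early instead.
: "${OPENSSL_LIB:?set OPENSSL_LIB to the OpenSSL install prefix from 2.2 (/usr/local/ssl)}"
: "${QZ_ROOT:?set QZ_ROOT to the QATzip source directory cloned in 2.4}"
: "${ICP_ROOT:?set ICP_ROOT to the QAT driver directory from 2.1 (/opt/QAT)}"
# NOTE(review): the page stops at configure; presumably make / make install follow.
./configure \
  --prefix=/usr/local/nginx \
  --conf-path=/etc/nginx/nginx.conf \
  --without-http_rewrite_module \
  --with-http_ssl_module \
  --with-http_stub_status_module \
  --with-http_v2_module \
  --with-stream \
  --with-stream_ssl_module \
  --add-dynamic-module=modules/nginx_qatzip_module \
  --add-dynamic-module=modules/nginx_qat_module/ \
  --with-cc-opt="-DNGX_SECURE_MEM -I$OPENSSL_LIB/include -I$QZ_ROOT/include -I$ICP_ROOT/quickassist/include -I$ICP_ROOT/quickassist/include/dc -Wno-error=deprecated-declarations" \
  --with-ld-opt="-Wl,-rpath=$OPENSSL_LIB/lib -L$OPENSSL_LIB/lib -L$QZ_ROOT/src -lqatzip -lz"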
以上服務都可以參考github或官方加速卡介紹安裝,由於版本原因,后邊可能和我版本不一致等,請參考官網安裝. 包括在./configure make autogen時候都會需要一些依賴包,參考報錯信息百度即可.
2.6 nginx配置
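# Replace the QAT driver's device config with the multi_process_optimized sample shipped in QAT_Engine.
# cp overwrites /etc/dh895xcc_dev0.conf in place, so keep a copy of the current file for rollback first.
[ -f /etc/dh895xcc_dev0.conf ] && cp -p /etc/dh895xcc_dev0.conf /etc/dh895xcc_dev0.conf.bak
cp /root/QAT_Engine/qat/config/dh895xcc/multi_process_optimized/dh895xcc_dev0.conf /etc
service qat_service restart # restart so the driver picks up the new config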
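# nginx configuration file
events {
    worker_connections 102400;
    use epoll;
    accept_mutex off;
}

# Route the listed algorithm classes through the QAT OpenSSL engine.
ssl_engine {
    use_engine qatengine;
    default_algorithms RSA,EC,DH,PKEY_CRYPTO;
    qat_engine {
        qat_offload_mode async;
        qat_notify_mode poll;
        qat_poll_mode heuristic;
        qat_sw_fallback on;
    }
}

http{
    server {
        listen 80;
        listen 443 ssl backlog=65534 reuseport deferred rcvbuf=8m sndbuf=8m asynch; # the key part is adding asynch
        server_name test.example.com;

        # Placeholders for the certificate and private-key paths; keep the key
        # file readable only by the account that starts nginx.
        ssl_certificate 證書.pem;
        ssl_certificate_key 私鑰.key;

        # TLSv1 and TLSv1.1 were dropped from the original list: both are
        # deprecated (RFC 8996). If the nginx and OpenSSL builds support it,
        # TLSv1.3 can be added here.
        ssl_protocols TLSv1.2;

        # RC4 was explicitly enabled in the original list; it is prohibited for
        # TLS (RFC 7465) and is now excluded.
        # NOTE(review): !AESGCM leaves only CBC-mode suites, and AES256-SHA256
        # uses static RSA key exchange (no forward secrecy). This was presumably
        # chosen to match what the QAT engine offloaded; re-check it against the
        # cipher suites your QAT_Engine build accelerates.
        ssl_ciphers ECDHE-RSA-AES256-SHA384:AES256-SHA256:HIGH:!RC4:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!AESGCM;
        ssl_session_cache shared:SSL_WS2:500m;
        ssl_session_timeout 10m;
        ssl_prefer_server_ciphers on;
        #ssl_async on;

        proxy_read_timeout 10;
        proxy_send_timeout 10;
        proxy_connect_timeout 10;

        # NOTE(review): a wildcard origin lets scripts on any site read these
        # responses (without credentials). Together with the state-changing
        # methods and the X-CSRFToken header allowed below, restrict it to the
        # origins that need access unless everything served here is public.
        add_header Access-Control-Allow-Origin *;
        add_header Access-Control-Allow-Methods HEAD,OPTIONS,GET,POST,PUT,DELETE;
        add_header Access-Control-Allow-Headers Content-Type,Server,Date,Content-Length,Cache-Control,Keep-Alive,Connection,X-Requested-With,X-File-Name,Origin,Accept,X-CSRFToken;
        add_header Access-Control-Max-Age 1728000;

        location / {
            expires off;
            proxy_cache off;
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            # NOTE(review): non_idempotent lets nginx resend POST-like requests to
            # another upstream after an error, so one request can be executed twice.
            proxy_next_upstream error non_idempotent;
            proxy_next_upstream_tries 4;
            proxy_next_upstream_timeout 10s;
            # Passes the upstream's Server header through to clients, which
            # discloses the backend software.
            proxy_pass_header server;
            proxy_set_header host $host;
            proxy_redirect off;
            # Appends to whatever X-Forwarded-For the client sent; backends must
            # not trust the earlier entries. x-real-ip carries the peer address
            # nginx saw.
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header x-real-ip $remote_addr;
            proxy_set_header x-scheme $scheme;
            # NOTE(review): no proxy_pass is shown on the page, so as written this
            # location serves files from root and the proxy_* settings have no
            # effect. Presumably the upstream was omitted.
            root /usr/share/nginx/html;
        }
    }
}
# The original listing ended with one more "}" than it opened, which nginx
# rejects as an unexpected "}"; it has been removed.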