Slow first connection from quarkus.io website in freshly opened browser #49
Comments
|
The main problem seems to be TLS setup. Initial connection is slow as well, but less exceptionally so. FirefoxTLS handling takes 700ms!
ChromeCouldn't really reproduce; the first connection is indeed slow, but TLS handling is nowhere near as slow as what I experienced on Firefox.
|
|
I can take a look, but can you give a bit more details ? Clicking on https://search-quarkus-io-dev-search-quarkus-io.apps.ospo-osci.z3b1.p1.openshiftapps.com/?q=orm is quite fast from here (I am in the office in Paris, using firefox), I can try again once I am at home, but I want to verify that I am not testing the wrong link or the wrong way. It could be that the pair of HAproxy got restarted after upgrade and there is some initial cache to fill (not familliar with haproxy but that's a reasonable guess). As you are likely the only user of the dev application, you would have been the 1st one to hit that. We upgrade next on the 21th, so if it slow again, I guess that's just it. |
|
Maybe we wait until we have a production environment set up and have a look then. I wouldn't want to waste your time on a problem that turns out to be specific to this environment or to slow ADSL connections like mine...
The thing is, the problem only occurs on the first connection that involves TLS setup; after that there's some cache or keep-alive that makes it all faster. So if you click, then open the console and reload, you won't see it. I'd recommend using a freshly started browser, opening a blank tab, opening the dev console (F12) and then copy-pasting the URL into the address bar and pressing enter. Alternatively, wait a few minutes between attempts. When on Chrome, you don't necessarily have to reset the browser, you can go to chrome://net-internals#sockets and click "Close idle sockets" between attempts. But I couldn't really reproduce this problem on Chrome, so...
Might be just that, yes. Let's hope so. We had this problem a few days ago, too... would that match your upgrade schedule?
I'm at home with an ADSL connection, so admittedly everything is kind of slow and latency can get ghastly. But as you can see from my comment above, the TLS setup can get much slower than the rest. However, I just tried again, multiple times, and could not get something as slow as in my comment above. TLS handling tops out at ~200ms. Others seem to have experienced this, though. Like @michelle-purcell, though I'm not sure what her connection was exactly. We suspect being connected to company VPN was part of the issue for her, but then that's just a guess (I noticed surge.sh, where the app using the REST API is hosted, wasn't reacheable when on VPN, so that's weird). |
|
We had to raise timeouts because network had high latency even beyond the first connection, so this is no longer really relevant. I'll close, let's reopen if it becomes significant again. |
|
Reopening as I saw mentions of slowness again on #320 , but I don't have the details -- I think most of it was discussed privately between Marko and Guillaume, who would know more?
This led me to the following suggestion:
Which turned out to be stupid:
So from what I gather, the slowness happens:
My questions would be:
@gsmet when you have some time, any info would help. Thanks |
|
So the error was due to the local search being broken (that's what Marko fixed). As for what I get with the first connection, here it is (I typed
|
|
I dunno what the The DNS part + TLS setup is very slow. The DNS part could be due to low TTL. From what I can see search.quarkus.io has a TTL of 1 hour but... the host behind the alias has a TTL of 60 seconds - which could be explained by the dynamic nature of OpenShift hosting. As for the TLS setup, I dunno why it's so slow - if it could be related to the TTL too or if it's something different that makes it slow. I'm wondering if we should host this thing behind CloudFlare or similar - ideally with a ping query every 50s to make sure the DNS stays in cache (but I'm not sure if this can be done). |
|
CloudFlare has a free plan that maybe we should explore. It looks sufficient for us and they tend to be very nice. Now that means putting the entire domain (I tried with a subdomain) behind CloudFlare and handling our DNS there. Or use another domain. |
That's a nice idea, but just to clarify that's for the DNS part only, right? It doesn't get rid of the TLS setup problem, since we need communication between Cloudflare and the app to be secure as well... Unless I misunderstand how it all works.
🤷 fine by me, but then I'm not the one dealing with the domain setup, so I'm hardly the one to convince. |
|
We discussed a bit by mail, and before starting to a maybe painful move of DNS, I would suggest to add a search2.quarkus.io route and hardocde the current IP with a TTL of a few hours instead of a CNAME. This would remove the elb DNS resolution from the equation and allow a test without disrupting anyone. But in the end, I think the biggest problem is that the containers are running on a Openshift cluster in Oregon. |
|
I asked my boss to test from San Francisco, and indeed, that's much better (DNS was 0, I didn't search more, assuming some local DNS cache): So this kinda show that the latency is caused by the cluster being in Oregon. One idea could be to have reverse proxies (like varnish) in DC closer to users (for example, one in Europe). The proxy could keep a pool of persistent connection to the backend, thus saving the DNS resolution time and TLS setup, as it would be done before the 1st request. And since it would be closer to some users, the round trip for initial connection would be faster, saving ~400ms. |
I just gave it a try but I failed to find information on how to configure that on the web; routes targeting IPs directly don't seem a common use case. Should I set up a LoadBalancer service with a FWIW the configuration is there: https://console-openshift-console.apps.ospo-osci.z3b1.p1.openshiftapps.com/k8s/ns/prod-search-quarkus-io/route.openshift.io~v1~Route
Alternatively, considering this seems to affect the first request only... and this may be dumb, but hear me out... we send a dummy request (HEAD?) from the client to the search service in the background, when the quarkus.io page opens. Which should be relatively safe, since https://quarkus.io/guides is pretty much useless without search, so people ending up there will necessarily use the search service. |
Ooooh I just discovered this (yes I'm illiterate in HTML): https://developer.mozilla.org/en-US/docs/Web/HTML/Attributes/rel/preconnect . I'll send a PR to try to use it on quarkus.io. |
I was more thinking on adding a 2nd route in the namespace with the new vhost, and add a new DNS that directly resolve to the IP (a A record instead of a CNAME). I do not think we can directly set a route object that answer to the IP (you would need a ingree object, I think ?). |
Done: quarkusio/quarkusio.github.io#2104
Ok; I'll need someone else to create that DNS record because I don't have control over the DNS. FWIW we also have a staging env where we don't use an external DNS: https://search-quarkus-io-dev-search-quarkus-io.apps.ospo-osci.z3b1.p1.openshiftapps.com/api/guides/search?q=hiber |
I opened #324 to try to reduce the "waiting" time. |
FWIW we made some progress on the waiting part in #324, here's where we're standing right now (same search,
Notes:
|
See also #324 (comment), I suspect some (all?) of the improvement actually results from OpenSearch being redeployed on a node that favors performance (either better hardware, less noise from containers on the same node, or just a node closer to the app). |
It seems that on the very first search in a freshly opened browser, the call to the search endpoint times out... I suspect some cached operation (SSL certificate retrieval?) is way too slow on our current staging environment.
See https://quarkus-website-pr-1825-preview.surge.sh/guides/ , or hit the app directly at https://search-quarkus-io-dev-search-quarkus-io.apps.ospo-osci.z3b1.p1.openshiftapps.com/?q=orm
Also, I just plain can't reach https://quarkus-website-pr-1825-preview.surge.sh/guides/ when I'm on company VPN, so... there's that -_-
The text was updated successfully, but these errors were encountered: