一、SSL加速卡介绍
官方文档: https://01.org/intel-quickassist-technology
官方性能报告:https://01.org/sites/default/files/downloads/intelr-quickassist-technology/intelquickassisttechnologyopensslperformance.pdf
官方加速卡介绍:http://www.intel.com/content/dam/www/public/us/en/documents/product-briefs/quickassist-adapter-8950-brief.pdf
Linux安装使用文档:https://01.org/sites/default/files/downloads//337020-003-qatwcontaineranddocker.pdf
二、参考安装文档使用SSL加速卡
2.1 安装QAT软件
(1)根据加速卡型号(可通过百度搜索确认)获取对应的QAT驱动程序;驱动需要以 root 权限编译安装,安装包应只从 Intel 官方下载页获取,并与官方公布的校验值核对
(2)安装QAT驱动程序
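# Install the Intel QAT driver under /opt/QAT (run as root).
export ICP_ROOT=/opt/QAT
mkdir -p "$ICP_ROOT"
cd "$ICP_ROOT" || exit 1
QAT_TARBALL=QAT1.7.L.4.13.0-00009.tar.gz
# Official driver package identified in step (1).
wget "https://downloadmirror.intel.com/30178/eng/${QAT_TARBALL}"
# This archive is compiled and installed with root privileges, so check it against
# the checksum published with the download before unpacking anything.
# EXPECTED_SHA256 is a placeholder: paste the published value. Until it is filled
# in the check fails and the archive is not extracted.
EXPECTED_SHA256='REPLACE_WITH_PUBLISHED_SHA256'
printf '%s  %s\n' "$EXPECTED_SHA256" "$QAT_TARBALL" | sha256sum -c - \
  && tar xf "$QAT_TARBALL"
./configure
make -j 40
make install
service qat_service status
cpa_sample_code runTests=2  # sample run to confirm the QAT driver installed correctly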
2.2 安装openssl
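git clone https://github.com/openssl/openssl.git
cd openssl/ || exit 1
# The author reports that the newest OpenSSL made the later QAT_Engine build fail
# (presumably QAT_Engine did not support it yet), hence the 1.1.1 line.
# OpenSSL_1_1_1 is the first release of that line; the later 1.1.1 patch tags carry
# the security fixes made after it. List them and build the newest one that the
# QAT_Engine version in use still supports (see its README).
git tag -l 'OpenSSL_1_1_1*'
OPENSSL_TAG=OpenSSL_1_1_1  # the author's choice; replace with a newer tag from the list
git checkout "$OPENSSL_TAG"
# Private prefix with an rpath, so the system OpenSSL is left untouched.
./config --prefix=/usr/local/ssl -Wl,-rpath,/usr/local/ssl/lib
make -j 40
make install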
2.3 安装QAT_engine
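git clone https://github.com/intel/QAT_Engine.git
cd QAT_Engine/qat_contig_mem || exit 1
# For the author this build failed with:
#   error: dereferencing pointer to incomplete type ‘struct task_struct’
# The workaround below is taken from http://www.voidcn.com/article/p-pwrzhtun-em.html
# NOTE(review): that is a third-party page and the edit touches source that includes
# kernel headers; compare with the current upstream QAT_Engine tree before applying it.
make
vim qat_contig_mem.c
#   In the editor add the following line (the author placed it on the line just
#   before the one named in the error):
#       #include <linux/sched.h>
make load   # presumably loads the built module into the running kernel; needs root
make test
# Expected output includes:
#   Hello world!
cd ..
./autogen.sh
./configure --with-qat_hw-dir=/opt/QAT --with-openssl_install_dir=/usr/local/ssl
# The original listing stops at configure. The engine still has to be built and
# installed before nginx can load it with "use_engine qatengine".
make
make install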
2.4 安装QATzip
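git clone https://github.com/intel/QATzip.git
cd QATzip/ || exit 1
# The nginx configure command in section 2.5 reads $QZ_ROOT/include and $QZ_ROOT/src,
# so point QZ_ROOT at this source tree.
export QZ_ROOT="$PWD"
# Abort if ICP_ROOT is missing (e.g. a new shell) rather than configuring against "".
./configure --with-ICP_ROOT="${ICP_ROOT:?ICP_ROOT must point at the QAT driver directory}"
make clean
make all install
service qat_service restart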
2.5 安装nginx + qat模块
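git clone https://github.com/intel/asynch_mode_nginx.git
cd asynch_mode_nginx/ || exit 1
# The configure line expands OPENSSL_LIB, QZ_ROOT and ICP_ROOT. If any of them is
# empty the include/library paths collapse to /include and /lib and the build may
# pick up the system OpenSSL instead of the one built above.
export OPENSSL_LIB=/usr/local/ssl   # the --prefix used for the OpenSSL build
: "${QZ_ROOT:?set QZ_ROOT to the QATzip source directory}"
: "${ICP_ROOT:?set ICP_ROOT to the QAT driver directory}"
./configure \
  --prefix=/usr/local/nginx \
  --conf-path=/etc/nginx/nginx.conf \
  --without-http_rewrite_module \
  --with-http_ssl_module \
  --with-http_stub_status_module \
  --with-http_v2_module \
  --with-stream \
  --with-stream_ssl_module \
  --add-dynamic-module=modules/nginx_qatzip_module \
  --add-dynamic-module=modules/nginx_qat_module/ \
  --with-cc-opt="-DNGX_SECURE_MEM -I$OPENSSL_LIB/include -I$QZ_ROOT/include -I$ICP_ROOT/quickassist/include -I$ICP_ROOT/quickassist/include/dc -Wno-error=deprecated-declarations" \
  --with-ld-opt="-Wl,-rpath=$OPENSSL_LIB/lib -L$OPENSSL_LIB/lib -L$QZ_ROOT/src -lqatzip -lz"
# The original listing stops at configure; build and install the binary and modules.
make
make install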
以上组件都可以参考各自的 GitHub 仓库或官方加速卡文档安装;由于版本更新,后续步骤可能与本文不一致,请以官网为准。执行 ./configure、make、autogen 时会需要一些依赖包,可根据报错信息搜索解决;依赖包请通过发行版的软件仓库安装,不要从搜索结果中的第三方站点下载二进制包。
2.6 nginx配置
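# Replace the QAT driver's existing device configuration with the multi-process
# profile shipped in QAT_Engine. Keep a copy of the current file first so the
# previous settings can be restored if the service does not come back up.
[ -f /etc/dh895xcc_dev0.conf ] && cp -p /etc/dh895xcc_dev0.conf /etc/dh895xcc_dev0.conf.orig
cp /root/QAT_Engine/qat/config/dh895xcc/multi_process_optimized/dh895xcc_dev0.conf /etc
service qat_service restart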
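# nginx configuration file
events {
    worker_connections 102400;
    use epoll;
    accept_mutex off;
}

# QAT engine settings for OpenSSL.
ssl_engine {
    use_engine qatengine;
    default_algorithms RSA,EC,DH,PKEY_CRYPTO;
    qat_engine {
        qat_offload_mode async;
        qat_notify_mode poll;
        qat_poll_mode heuristic;
        qat_sw_fallback on;
    }
}

http {
    server {
        # Port 80 serves the same site without TLS; drop this listener if
        # plaintext access is not required.
        listen 80;
        listen 443 ssl backlog=65534 reuseport deferred rcvbuf=8m sndbuf=8m asynch; # the key part is adding "asynch"
        server_name test.example.com;

        ssl_certificate 证书.pem;
        # Keep the private key readable only by the account that starts nginx.
        ssl_certificate_key 私钥.key;

        # TLSv1 and TLSv1.1 are deprecated (RFC 8996) and were dropped from the
        # original line. Add TLSv1.3 only after confirming that this nginx and
        # QAT_Engine build handles it.
        ssl_protocols TLSv1.2;

        # RC4 was removed from the original list: it is prohibited in TLS (RFC 7465).
        # NOTE(review): "!AESGCM" excludes the AES-GCM AEAD suites, which leaves
        # CBC-mode suites in use, and AES256-SHA256 is a static-RSA key exchange
        # without forward secrecy. Confirm whether this selection was made for
        # accelerator offload before keeping it in production.
        ssl_ciphers ECDHE-RSA-AES256-SHA384:AES256-SHA256:HIGH:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!AESGCM;
        ssl_session_cache shared:SSL_WS2:500m;
        ssl_session_timeout 10m;
        ssl_prefer_server_ciphers on;
        #ssl_async on;

        proxy_read_timeout 10;
        proxy_send_timeout 10;
        proxy_connect_timeout 10;

        # These headers let any origin read responses and send PUT/DELETE
        # cross-origin. Replace "*" with the specific origins that need access
        # if the backend serves anything that is not public.
        add_header Access-Control-Allow-Origin *;
        add_header Access-Control-Allow-Methods HEAD,OPTIONS,GET,POST,PUT,DELETE;
        add_header Access-Control-Allow-Headers Content-Type,Server,Date,Content-Length,Cache-Control,Keep-Alive,Connection,X-Requested-With,X-File-Name,Origin,Accept,X-CSRFToken;
        add_header Access-Control-Max-Age 1728000;

        location / {
            expires off;
            proxy_cache off;
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            # "non_idempotent" allows requests such as POST to be retried on another
            # upstream, so a backend may see the same request more than once.
            proxy_next_upstream error non_idempotent;
            proxy_next_upstream_tries 4;
            proxy_next_upstream_timeout 10s;
            proxy_pass_header server;
            proxy_set_header host $host;
            proxy_redirect off;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header x-real-ip $remote_addr;
            proxy_set_header x-scheme $scheme;
            root /usr/share/nginx/html;
        }
    }
}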