Is Apache good for IPfire gateway? What about Lighttpd?

I noted that my gateway with IPfire has serious performance issue when users in local network download big files over https, like Ubuntu iso image; IPfire is busy with this task, so busy that I cannot access web interface.

I was playing with this issue and I noticed that Apache is web server of IPfire. My experience with low end hardware is that Lighttpd is noticeably faster and requires less resources. There are many discussions on the web on this topic, what is the best web server. Apache is well known, it is default in many distributions, Lighttpd is known that it requires less resources and is really fast when it serves static pages.

performance comparison

Is there any reason why Apache is used by IPfire? Was there any test on performance? Could Lighttpd replace Apache in IPfire gateway? I think that Apache was used by IPcop too but I do not remember I ever noticed performance issue I see with IPfire; my IPfire runs on better hardware then my old IPcop was running…

One bottleneck of IPfire is script getrrdimage.cgi, it can consume a lof of CPU power when large file is downloaded by users…

I just tried to reproduce that effect and was not able to.
I just downloaded an ubuntu iso (5G), and Arch Linux iso (0.8G) and an IPFire iso (0.4G) at the same time.

I was able to continue using the IPFire Web User Interface (WUI) during the whole download process. I saw no additional delay to my browsing through the various menus of IPFire compared to when no downloads were occurring.

My hardware is a Lightning Wire Labs Mini Appliance which is using an APU4d board.

I have IPS and IP Blocking enabled and running on the system. The Web Proxy is enabled but not URL Filter or Update Accelerator.

I think you must have some other issue than Apache itself causing your slowdown.

Are you using URL Filter and/or Update Accelerator.

What happens if you disable the Web Proxy while running the test.


My gateway runs transparent proxy and update accelerator, URL filter is not enabled. The downloaded big file is served over https, like this Ubuntu iso; I download it with wget and I even tried to run two or three instances in the same time. My internet connectivity is VDSL 100/20, in real it is just 60/18… CPU in gateway is AMD G-T44R, it has 4 GB of RAM (RAM is not problem here), network cards are Realtek Gigabit. Old IPcop 1.4.21 was running on VIA C3 700 MHz (PIII like) with 512MB SDRAM and Realtek 100M Ethernet cards; I didn’t have this kind of issue but I was not able to download faster then 40Mbps…

Few screenshots, you can see that getrrdimage.cgi is CPU hungry. I am not sure what is trigger, maybe I have to be logged to the gateway and some web page has to be opened, maybe QoS. The first time I was hit by this issue, QoS was not active, I activated it in hope that it will address this issue with big files.

IPfire is “idle”, just for a reference.

IPfire is “busy” Ubuntu iso is downloaded:

IPfire is really busy (it survived, but load is deadly high). I am not sure why so many getrrdimage.cgi processes were running. Maybe I was connected from two computers, maybe there were several connections from notebook or desktop to IPfire admin interface…

I am running conventional mode proxy, both update accelerator and url filter are not enabled.

Transparent proxy won’t do anything with https files anyway. Try it again with non-transparent mode.

Previously I downloaded the files via the browser. This time I used wget. (Unless you have changed the wget configuration file the default is not to use a proxy).

No problems with the download. Could access the WUI.
top showed no real difference in the cpu % between downloading and idle.

top screen in Idle mode

top screen in Download mode

Here is my fireinfo link

My internet connectivity is Fibre To The House 1000/1000

With my Mini Appliance and with the IPS turned on but with QoS not enabled I end up getting around 200/100.

Are you using the IPS? If yes then maybe try with it disabled. Maybe you have a rule selected that doesn’t like wget traffic.

Those are the only two approaches I can think of at he moment, Disable the Web Proxy/Update Accelerator and disable the IPS and see if either/both help.

My IPS is not enabled. I do not think there is a difference between browser download and wget, I use wget because I can script it (download in a loop). I first notice this issue when I was downloading big files from Gdrive, with web browser.

There is a difference between our systems, my gateway is about 50 EUR (refurbished hardware) and your is about 460 EUR and has about 5 times more processing power and better, modern hardware, better network cards, encryption coprocessor. It is easy to just say, let buy better hardware but this gateway is critical infrastructure, so I would like to have two or better three such systems; one is production, second one is for test and third one is just a backup hardware, so that is an expensive hobby… :wink:

My low end hardware is just better to highlight weak points. One question I have is why RRD graphs are generated dynamically. Why not to generate them just from time to time, like once a minute, and store them as static images those are served by web server. I assume these are generated dynamically because I captured so many getrrdimage.cgi processes two days ago and I capture only 2 of them today. Or maybe a semaphore is needed to control that new process is not started before old process is finished…

Update. I was wrong, I have IPS enabled on red interface, GPL rules are in action …

This was an improvement request that was regularly flagged up in the forum as people found that it took ages to show any effect from changing things.

Yes, that will be a bit limiting. It only has one core with only one thread and was released in 2010.

With only one core then the traffic from all network interfaces will go through that same core, whereas with multiple cores IPFire is able to distribute the network traffic across multiple cores, so your network traffic performance will also have some limitations in speed.

1 Like

For this task apache is not used. squid is the webproxy that may handle the http and https connections if the proxy is enabled, if it is disabled http/s is routed by the linux network stack.

Only the webgui is delivered by apache.


I addressed this issue. I lowered internet connectivity speed… :wink: It will save me some budget. I downgraded from 100/20 to 50/10 (VDSL2).

I disabled QoS on IPfire. Download speed increased from 30 to 35 mbps.

I am surprised that my downlink is only 35mbps. I had this speed with old IPcop and I assumed that I was limited by old hardware. With IPfire I had about 65/20 but after downgrade, I have only 35/10; I expected I will have 50/10. This is still in range of ISP definition of the service but I see that ISP artificially slows down the link, it can be 50/10 (because it was 65/20 few hours ago)… :frowning: