HAProxy version 1.4.18
stunnel 4.44 with X-Forwarded-For patch
Ubuntu 10.04.3 LTS
Web servers running IIS 7 on Windows Server 2008

We have been doing some performance testing. We do a "typical page load"
using curl and a list of 29 URLs (an html file along with associated
scripts, css, images, etc.). We run this 200 times to get a good data
sample and try to smooth out any variances. We run one test pass against
the IIS servers directly and then another pass against HAProxy in front
of the same IIS servers.

We have run this test against a configuration set up in our own private
cloud, hosted in an enterprise-grade facility, and we also ran it against
an HAProxy/IIS configuration set up in Amazon EC2. In both scenarios, we
ran the tests from multiple locations, over multiple ISPs. We also
always ran one test that was local to the servers.

The local test showed a very small (and more than acceptable) overhead
of 7ms for the entire page load (all 29 requests) when going through
HAProxy. However, tests from longer distances over various IPs showed
an overhead that seemed to be proportional to the amount of latency in
the connection. Typical overhead times we are seeing from various
locations (both from enterprise and consumer grade connections) are
around 200-400ms.

When the test is run locally, we see a 7ms increase in page load times.
We expect that is the native overhead of proxying the requests in our
configuration. What doesn't make sense is that the overhead seems to
increase when run over a WAN. Since the 7ms is only added to the end of
the pipe, it seems like it should always be roughly 7ms, even if the
rest of the time is increased by a higher latency connection.

We have run the tests many, many times and have been getting consistent
results. HAProxy is always slower than direct. Not unexpected, but the
proportionality of the overhead to connection latency is unexpected. We
would expect the overhead attributable to HAProxy to be a static number.

Anyone have any thoughts? Is our expectation of static overhead not
warranted (we are not network engineers)? Or could there be some other
factors at play? I've pasted our haproxy.conf below. Thanks in advance
for any thoughts.

NOTE: I only mention stunnel in my config at the top so aspects of the
config below will make sense. However, all tests are via regular HTTP,
no encryption, so stunnel is not a factor at all in these tests.
global
    daemon
    maxconn 16384
    user nobody
    chroot /usr/local/etc/haproxy/
    pidfile /usr/local/etc/haproxy/haproxy.pid
    stats socket /tmp/haproxy

defaults
    mode http
    option redispatch
    timeout connect 5s
    timeout client 50s
    timeout server 50s
    timeout check 5s
    balance roundrobin
    option forwardfor except 127.0.0.1
    errorfile 503 /usr/local/etc/haproxy/503.http

frontend http-in
    bind :80,:8443
    default_backend servers
    acl from_stunnel dst_port eq 8443
    reqadd X-TRC-SSL:\ Yes if from_stunnel
    reqadd X-From-HAProxy:\ Yes

backend servers
    option httpchk HEAD /default.asp HTTP/1.0
    option log-health-checks
    server SMFWEB001 10.129.32.50:80 maxconn 8192 check port 80 inter 2000
    server SMFWEB002 10.129.32.51:80 maxconn 8192 check port 80 inter 2000

listen stats :1936
    mode http
    stats enable
    stats uri /
---
David Prothero
I.T. Director
Pharmacist's Letter / Prescriber's Letter
Natural Medicines Comprehensive Database
Ident-A-Drug / www.therapeuticresearch.com
(209) 472-2240 x231
(209) 472-2249 (fax)