On 28/07/2014 11:54 AM, Apollon Oikonomopoulos wrote:
> Hi Willy,
>
> On 19:28 Fri 25 Jul , Willy Tarreau wrote:
>>
>> Concerning the new features, no promises, but we know that we need to
>> progress in the following areas :
>>
>> - multi-process : better synchronization of stats and health checks,
>>   and find a way to support peers in this mode. I'm still thinking a
>>   lot that due to the arrival of latency monsters that are SSL and
>>   compression, we could benefit from having a thread-based architecture
>>   so that we could migrate tasks to another CPU when they're going to
>>   take a lot of time. The issue I'm seeing with threads is that
>>   currently the code is highly dependent on being alone to modify any
>>   data. Eg: a server state is consistent between entering and leaving
>>   a health check function. We don't want to start adding huge mutexes
>>   everywhere.
>
> How about using shared memory segments for stats, health checks and
> peers?
>
>>
>> If anyone has any comment / question / suggestion, as usual feel free to
>> keep the discussion going on.
>
> Could I also add shared SSL session cache over multiple boxes (like
> stud), to aid SSL scalability behind LVS directors? It has been asked
> for before in the mailing list if I recall correctly.
>

A bit off topic, but sometimes tuning the cipher suite reduces the CPU cost of encryption. Today, I managed to save 5% CPU by moving to an ECDHE cipher suite, see https://db.tt/N9auU9cg.

I just recompiled HAProxy against OpenSSL 1.0.1, where ECDHE is available, and the default cipher changed from DHE to ECDHE, which is a CPU intensive cipher set but still much better than DHE. I have to mention that the server uses Intel, and the OpenSSL Intel AES-NI engine is enabled by default, as OpenSSL 1.0.1 can detect processors that support AES-NI.

Cheers,
Pavlos