On 11/14/2014 11:09 AM, Shawn Heisey wrote:
> I have a co-worker that is concerned with the idea of moving SSL
> termination to haproxy, rather than using LVS to NAT the SSL to back end
> servers directly. It would be handled by one machine, with
> corosync/pacemaker providing responsive failover to a redundant host.

I got a reply off-list:

On 11/14/2014 1:43 PM, Malcolm Turnbull wrote:
> I would say 100 to 200 TPS would be your sensible maximum - 300 would
> kill the box:
> http://blog.loadbalancer.org/ssl-offload-testing/
>
> You can just use apache bench for load testing.

Looking at that URL, a similar CPU to mine, but a little faster, Intel(R) Celeron(R) CPU 440 @ 2.00GHz, shows a termination rate of over 300 per second. My CPU is 1.8 GHz. Another difference is that I have a 2048 bit certificate, the test was 1024 bit.

By sampling our http logs on one of our busier sites, I have concluded that our request rate is very likely below 100 per second, so I suspect that this server will easily handle our traffic, especially if we use http for the back end and make sure keepalive is enabled.

Right now most of our traffic is unencrypted, so if we migrate everything to SSL, we probably will want upgraded load balancer hardware.

Thanks,
Shawn