> Hi all,
>
> haproxy is used for http and https load balancing with TLS termination
> on haproxy side.
>
> I'm using openbsd -stable on this box. I got CPU saturated with
> 250Mbps traffic in/out summary on frontend NICs and 3000 ESTABLISHED
> connections on frontend interface to haproxy.
Remove:

    option http-server-close
    timeout http-keep-alive 1s

and replace them with:

    option http-keep-alive
    option prefer-last-server
    timeout http-keep-alive 10s

This will enable keep-alive mode with a 10 second timeout, which should decrease the CPU load by an order of magnitude. The problem with these SSL/TLS terminating setups is the cost involved in the SSL/TLS handshake (the actual throughput doesn't really matter).

Also, I suggest removing the "no-tls-tickets" option, so that your clients can use both SSL sessions and TLS tickets to resume an SSL/TLS session without starting a full handshake.

Lukas
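The change Lukas describes, laid out as a complete minimal configuration. This is an added illustration and not a config posted in the thread; the section names, backend addresses and the certificate path are placeholders. The original settings are kept as comments next to their replacements so the two can be compared; `option prefer-last-server` sits in the backend section because that is where haproxy accepts it.

```haproxy
# Added example (not from the original thread): the settings Lukas says to
# remove, shown as comments, beside his replacement. Section names, server
# addresses and /etc/haproxy/site.pem are placeholders.
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend fe_web
    bind *:80
    # Before: a 1s idle timeout and server-close mode meant nearly every
    # client request arrived on a fresh connection, and "no-tls-tickets"
    # denied clients one of the two ways to resume a TLS session, so each
    # new connection paid for a full handshake.
    # bind *:443 ssl crt /etc/haproxy/site.pem no-tls-tickets
    # option http-server-close
    # timeout http-keep-alive 1s
    #
    # After: keep the client connection open for 10s between requests and
    # leave TLS tickets enabled, so clients can resume with either session
    # IDs or tickets instead of repeating the full handshake.
    bind *:443 ssl crt /etc/haproxy/site.pem
    option http-keep-alive
    timeout http-keep-alive 10s
    default_backend be_app

backend be_app
    balance roundrobin
    # Reuse the server that handled the previous request on this connection
    # whenever possible, as Lukas recommends.
    option prefer-last-server
    server app1 192.0.2.10:8080 check
    server app2 192.0.2.11:8080 check
```

After editing, `haproxy -c -f /etc/haproxy/haproxy.cfg` checks the file parses before a reload. To confirm that resumption actually happens once `no-tls-tickets` is gone, `openssl s_client -connect host:443 -reconnect` performs one full handshake followed by reconnects that should report "Reused" rather than "New" in their session summary.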