I've been testing ssl with version 1.5.14 and 1.6.3. I noticed that with larger files (1mb) reqs/sec is on average 7% slower and as much as 16% depending on the cipher when using version 1.6.3 compared to 1.5.14. Smaller requests (4k files) are not affected. Haproxy is using the exact same config for each version and is using nginx on localhost to serve the static files. We're getting our stats from running wrk benchmark tool which is running from another server with the same hardware spec which is connected on the same switch. Any ideas what may be causing this?
I have the 'haproxy -vv' output and hardware specs listed below. Also attaching the haproxy/nginx configs being used. Other then that version 1.6.3 seems to be preforming well on smaller requests. Its the larger requests we're worried about as thats the size of the majority of the traffic we want on ssl. -gary == gary:~/scripts$ ./haproxy-1.5.14 -vv HA-Proxy version 1.5.14 2015/07/02 Copyright 2000-2015 Willy Tarreau <wi...@haproxy.org> Build options : TARGET = linux2628 CPU = generic CC = gcc CFLAGS = -O2 -g -fno-strict-aliasing OPTIONS = USE_ZLIB=1 USE_OPENSSL=1 USE_PCRE=1 USE_TFO=1 Default settings : maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200 Encrypted password support via crypt(3): yes Built with zlib version : 1.2.3.4 Compression algorithms supported : identity, deflate, gzip Built with OpenSSL version : OpenSSL 1.0.1 14 Mar 2012 Running on OpenSSL version : OpenSSL 1.0.1 14 Mar 2012 OpenSSL library supports TLS extensions : yes OpenSSL library supports SNI : yes OpenSSL library supports prefer-server-ciphers : yes Built with PCRE version : 8.12 2011-01-15 PCRE library supports JIT : no (USE_PCRE_JIT not set) Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND Available polling systems : epoll : pref=300, test result OK poll : pref=200, test result OK select : pref=150, test result OK Total: 3 (3 usable), will use epoll. == gary:~/scripts$ ./haproxy-1.6.3 -vv HA-Proxy version 1.6.3 2015/12/25 Copyright 2000-2015 Willy Tarreau <wi...@haproxy.org> Build options : TARGET = linux2628 CPU = generic CC = gcc CFLAGS = -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement OPTIONS = USE_ZLIB=1 USE_OPENSSL=1 USE_PCRE=1 USE_TFO=1 Default settings : maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200 Encrypted password support via crypt(3): yes Built with zlib version : 1.2.3.4 Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip") Built with OpenSSL version : OpenSSL 1.0.1 14 Mar 2012 Running on OpenSSL version : OpenSSL 1.0.1 14 Mar 2012 OpenSSL library supports TLS extensions : yes OpenSSL library supports SNI : yes OpenSSL library supports prefer-server-ciphers : yes Built with PCRE version : 8.12 2011-01-15 PCRE library supports JIT : no (USE_PCRE_JIT not set) Built without Lua support Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND Available polling systems : epoll : pref=300, test result OK poll : pref=200, test result OK select : pref=150, test result OK Total: 3 (3 usable), will use epoll. == gary@:~/scripts$ sudo facter processorcount processor0 physicalprocessorcount bond0_speed eth0_speed eth3_speed memorysize lsbdistdescription kernelrelease bond0_speed => 20000 eth0_speed => 10000 eth3_speed => 10000 kernelrelease => 3.2.0-94-generic lsbdistdescription => Ubuntu 12.04.5 LTS memorysize => 31.39 GB physicalprocessorcount => 2 processor0 => Intel(R) Xeon(R) CPU E5-2650L v2 @ 1.70GHz processorcount => 40
nginx.conf
Description: Binary data
haproxyssl.conf
Description: Binary data