Hi Lukas, Pavlos,

Thanks for your response, more info as requested.

1. Attached conf with some obfuscation
2. Haproxy -vv
HA-Proxy version 1.5.4 2014/09/02
Copyright 2000-2014 Willy Tarreau <w...@1wt.eu>


Build options :
  TARGET  = linux2628
  CPU     = generic
  CC      = gcc
  CFLAGS  = -O2 -g -fno-strict-aliasing -DTCP_USER_TIMEOUT=18
  OPTIONS = USE_LINUX_TPROXY=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_PCRE=1


Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200


Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.7
Compression algorithms supported : identity, deflate, gzip
Built with OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
Running on OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.32 2012-11-30
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND


Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

3. uname -a

Linux avl-www10.dc.egnyte.lan 3.10.0-327.10.1.el7.x86_64 #1 SMP Tue Feb 16 17:03:50 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
[sshetty@avl-www10 haproxy_l1_sync]$

4. rfc5077-client seems ok

[✔] Prepare tests.
[✔] Run tests without use of tickets.
[✔] Display result set:
    │          IP address            │ Try │         Cipher        │ Reuse │    SSL Session ID   │      Master key     │ Ticket │ Answer
    │ ───────────────────────────────┼─────┼───────────────────────┼───────┼─────────────────────┼─────────────────────┼────────┼───────────────────
    │ 208.83.105.14                  │   0 │ ECDHE-RSA-AES256-SHA  │   ✘   │ 40A2D3E903C2457551… │ B4A08BB73457356AA2… │   ✘    │ HTTP/1.1 200 OK
    │ 208.83.105.14                  │   1 │ ECDHE-RSA-AES256-SHA  │   ✔   │ 40A2D3E903C2457551… │ B4A08BB73457356AA2… │   ✘    │ HTTP/1.1 200 OK
    │ 208.83.105.14                  │   2 │ ECDHE-RSA-AES256-SHA  │   ✔   │ 40A2D3E903C2457551… │ B4A08BB73457356AA2… │   ✘    │ HTTP/1.1 200 OK
    │ 208.83.105.14                  │   3 │ ECDHE-RSA-AES256-SHA  │   ✔   │ 40A2D3E903C2457551… │ B4A08BB73457356AA2… │   ✘    │ HTTP/1.1 200 OK
    │ 208.83.105.14                  │   4 │ ECDHE-RSA-AES256-SHA  │   ✔   │ 40A2D3E903C2457551… │ B4A08BB73457356AA2… │   ✘    │ HTTP/1.1 200 OK
[✔] Dump results to file.
[✔] Run tests with use of tickets.
[✔] Display result set:
    │          IP address            │ Try │         Cipher        │ Reuse │    SSL Session ID   │      Master key     │ Ticket │ Answer
    │ ───────────────────────────────┼─────┼───────────────────────┼───────┼─────────────────────┼─────────────────────┼────────┼───────────────────
    │ 208.83.105.14                  │   0 │ ECDHE-RSA-AES256-SHA  │   ✘   │ E4559330FD100E69F5… │ 05F768F5574FD27E88… │   ✔    │ HTTP/1.1 200 OK
    │ 208.83.105.14                  │   1 │ ECDHE-RSA-AES256-SHA  │   ✔   │ E4559330FD100E69F5… │ 05F768F5574FD27E88… │   ✔    │ HTTP/1.1 200 OK
    │ 208.83.105.14                  │   2 │ ECDHE-RSA-AES256-SHA  │   ✔   │ E4559330FD100E69F5… │ 05F768F5574FD27E88… │   ✔    │ HTTP/1.1 200 OK
    │ 208.83.105.14                  │   3 │ ECDHE-RSA-AES256-SHA  │   ✔   │ E4559330FD100E69F5… │ 05F768F5574FD27E88… │   ✔    │ HTTP/1.1 200 OK
    │ 208.83.105.14                  │   4 │ ECDHE-RSA-AES256-SHA  │   ✔   │ E4559330FD100E69F5… │ 05F768F5574FD27E88… │   ✔    │ HTTP/1.1 200 OK
[✔] Dump results to file.







On 4/5/16, 12:14 AM, "Lukas Tribus" <lu...@gmx.net> wrote:

>Hi Sachin,
>
>
>(due to email troubles on my side this may look like a new thread, sorry
>about that)
>
>
> > We have quite a few regex and acls in our config, is there a way to profile
> > haproxy and see what could be slowing it down?
>
>You can use strace for syscalls or ltrace for library calls to see if something
>in particular shows up, but perf may be the better tool for this job (I never
>used it though).
>
>
>Like Pavlos said, let's collect some basic information first:
>
>- haproxy -vv output
>- uname -a
>- configuration (replace proprietary information but leave everything else intact)
>- does TLS resumption correctly work? Check with rfc5077-client:
>
>git clone https://github.com/vincentbernat/rfc5077.git
>cd rfc5077
>make rfc5077-client
>
>
>./rfc5077-client <server>
>
>
>
>There's a chance that it is SSL/TLS related.
>
>
>
>Regards,
>
>Lukas
>

Attachment: haproxy.sync.conf
Description: Binary data
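
One way to read the rfc5077-client tables above programmatically, as an added example that is not part of the original emails or of the rfc5077 project. It assumes one result row per line (the layout before mail wrapping) and that try 0 is the initial full handshake; the sample rows and the names `parse_rows` and `resumption_failures` are constructed for illustration.

```python
from collections import namedtuple

Row = namedtuple("Row", "ip attempt cipher reused session_id master_key ticket answer")

# Constructed rows in the tool's column layout (192.0.2.10 is a documentation address).
HEADER = "    │ IP address │ Try │ Cipher │ Reuse │ SSL Session ID │ Master key │ Ticket │ Answer\n"
GOOD = HEADER + """\
    │ 192.0.2.10 │ 0 │ ECDHE-RSA-AES256-SHA │ ✘ │ AA01… │ BB01… │ ✔ │ HTTP/1.1 200 OK
    │ 192.0.2.10 │ 1 │ ECDHE-RSA-AES256-SHA │ ✔ │ AA01… │ BB01… │ ✔ │ HTTP/1.1 200 OK
    │ 192.0.2.10 │ 2 │ ECDHE-RSA-AES256-SHA │ ✔ │ AA01… │ BB01… │ ✔ │ HTTP/1.1 200 OK
"""
# Try 1 falls back to a full handshake (new master key); try 2 resumes the new session.
BAD = HEADER + """\
    │ 192.0.2.10 │ 0 │ ECDHE-RSA-AES256-SHA │ ✘ │ AA01… │ BB01… │ ✔ │ HTTP/1.1 200 OK
    │ 192.0.2.10 │ 1 │ ECDHE-RSA-AES256-SHA │ ✘ │ AA02… │ BB02… │ ✔ │ HTTP/1.1 200 OK
    │ 192.0.2.10 │ 2 │ ECDHE-RSA-AES256-SHA │ ✔ │ AA02… │ BB02… │ ✔ │ HTTP/1.1 200 OK
"""


def parse_rows(text):
    """Parse result rows; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("│").split("│")]
        if len(cells) != 8 or not cells[1].isdigit():
            continue  # header row, separator row, or "[✔] ..." status line
        ip, attempt, cipher, reuse, sid, key, ticket, answer = cells
        rows.append(Row(ip, int(attempt), cipher, reuse == "✔",
                        sid, key, ticket == "✔", answer))
    return rows


def resumption_failures(rows):
    """Return (ip, try, reason) for every try after the first that did not resume."""
    failures, prev = [], {}
    for r in sorted(rows, key=lambda r: (r.ip, r.attempt)):
        last = prev.get(r.ip)
        if last is not None:  # try 0 has nothing to resume, so Reuse ✘ is expected there
            if not r.reused:
                failures.append((r.ip, r.attempt, "full handshake"))
            elif r.master_key != last.master_key:
                failures.append((r.ip, r.attempt, "master key changed"))
        prev[r.ip] = r
    return failures


if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, resumption_failures(parse_rows(sample)) or "resumption OK")
```
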
