Hi Lukas, Pavlos, Thanks for your response, more info as requested.
1. Attached conf with some obfuscation

2. Haproxy -vv

HA-Proxy version 1.5.4 2014/09/02
Copyright 2000-2014 Willy Tarreau <w...@1wt.eu>

Build options :
  TARGET  = linux2628
  CPU     = generic
  CC      = gcc
  CFLAGS  = -O2 -g -fno-strict-aliasing -DTCP_USER_TIMEOUT=18
  OPTIONS = USE_LINUX_TPROXY=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_PCRE=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.7
Compression algorithms supported : identity, deflate, gzip
Built with OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
Running on OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.32 2012-11-30
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

3. uname -a

Linux avl-www10.dc.egnyte.lan 3.10.0-327.10.1.el7.x86_64 #1 SMP Tue Feb 16 17:03:50 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
[sshetty@avl-www10 haproxy_l1_sync]$

4. rfc5077-client seems ok

[✔] Prepare tests.
[✔] Run tests without use of tickets.
[✔] Display result set:
  │ IP address    │ Try │ Cipher               │ Reuse │ SSL Session ID      │ Master key          │ Ticket │ Answer          │
  ────────────────┼─────┼──────────────────────┼───────┼─────────────────────┼─────────────────────┼────────┼──────────────────
  │ 208.83.105.14 │ 0   │ ECDHE-RSA-AES256-SHA │ ✘     │ 40A2D3E903C2457551… │ B4A08BB73457356AA2… │ ✘      │ HTTP/1.1 200 OK
  │ 208.83.105.14 │ 1   │ ECDHE-RSA-AES256-SHA │ ✔     │ 40A2D3E903C2457551… │ B4A08BB73457356AA2… │ ✘      │ HTTP/1.1 200 OK
  │ 208.83.105.14 │ 2   │ ECDHE-RSA-AES256-SHA │ ✔     │ 40A2D3E903C2457551… │ B4A08BB73457356AA2… │ ✘      │ HTTP/1.1 200 OK
  │ 208.83.105.14 │ 3   │ ECDHE-RSA-AES256-SHA │ ✔     │ 40A2D3E903C2457551… │ B4A08BB73457356AA2… │ ✘      │ HTTP/1.1 200 OK
  │ 208.83.105.14 │ 4   │ ECDHE-RSA-AES256-SHA │ ✔     │ 40A2D3E903C2457551… │ B4A08BB73457356AA2… │ ✘      │ HTTP/1.1 200 OK
[✔] Dump results to file.
[✔] Run tests with use of tickets.
[✔] Display result set:
  │ IP address    │ Try │ Cipher               │ Reuse │ SSL Session ID      │ Master key          │ Ticket │ Answer          │
  ────────────────┼─────┼──────────────────────┼───────┼─────────────────────┼─────────────────────┼────────┼──────────────────
  │ 208.83.105.14 │ 0   │ ECDHE-RSA-AES256-SHA │ ✘     │ E4559330FD100E69F5… │ 05F768F5574FD27E88… │ ✔      │ HTTP/1.1 200 OK
  │ 208.83.105.14 │ 1   │ ECDHE-RSA-AES256-SHA │ ✔     │ E4559330FD100E69F5… │ 05F768F5574FD27E88… │ ✔      │ HTTP/1.1 200 OK
  │ 208.83.105.14 │ 2   │ ECDHE-RSA-AES256-SHA │ ✔     │ E4559330FD100E69F5… │ 05F768F5574FD27E88… │ ✔      │ HTTP/1.1 200 OK
  │ 208.83.105.14 │ 3   │ ECDHE-RSA-AES256-SHA │ ✔     │ E4559330FD100E69F5… │ 05F768F5574FD27E88… │ ✔      │ HTTP/1.1 200 OK
  │ 208.83.105.14 │ 4   │ ECDHE-RSA-AES256-SHA │ ✔     │ E4559330FD100E69F5… │ 05F768F5574FD27E88… │ ✔      │ HTTP/1.1 200 OK
[✔] Dump results to file.

On 4/5/16, 12:14 AM, "Lukas Tribus" <lu...@gmx.net> wrote:

>Hi Sachin,
>
>(due to email troubles on my side this may look like a new thread, sorry
>about that)
>
> > We have quite a few regex and acls in our config, is there a way to profile
> > haproxy and see what could be slowing it down?
>
>You can use strace for syscalls or ltrace for library calls to see if something
>in particular shows up, but perf may be the better tool for this job (I never
>used it though).
>
>Like Pavlos said, let's collect some basic information first:
>
>- haproxy -vv output
>- uname -a
>- configuration (replace proprietary information but leave everything
>  else intact)
>- does TLS resumption work correctly? Check with rfc5077-client:
>
>git clone https://github.com/vincentbernat/rfc5077.git
>cd rfc5077
>make rfc5077-client
>
>./rfc5077-client <server>
>
>There's a chance that it is SSL/TLS related.
>
>Regards,
>
>Lukas
>
haproxy.sync.conf
Description: Binary data