netstat?

Thread dumps?

Test without SSL between haproxy and Tomcat.

Monitor Tomcat via non haproxy path (direct curl?)

-Dsun.security.pkcs11.enable-solaris=false

On 22 Jun 2017 9:02 AM, "Igor Cicimov" <ig...@encompasscorporation.com>
wrote:

> Hi Lukas,
>
> On 22 Jun 2017 3:02 am, "Lukas Tribus" <lu...@gmx.net> wrote:
>
> Hello,
>
>
> > Daniel, if using ssl to the backends shouldn't you use http mode?
> > Per your config you are using tcp which is default one. Afaik tcp
> > is for ssl passthrough.
>
> For the record, this is not true. Just because you need TCP mode
> for TLS passthrough, doesn't mean you have to use HTTP mode when
> terminating TLS.
>
> Actually, terminating TLS while using TCP mode is a quite common
> configuration (for example with HTTP/2).
>
>
> Thanks for clarifying this.
>
>
>
>
> >> Try adding:
> >> option httpclose
> >> in the backend and see if that helps.
> >
> > Sorry, replace httpclose with http-server-close
>
> Actually, I would have suggested the opposite: making the whole
> thing less expensive, by going full blown keep-alive with
> http-reuse:
>
> option http-keep-alive
> option prefer-last-server
> timeout http-keep-alive 30s
> http-reuse safe
>
>
> Keep-alive is on by default hence my suggestion to use the opposite. Of
> course keep-alive enabled is always better especially in case of ssl.
>
>
>
>
> > global
> >  ulimit-n 20000
>
> Why specify ulimit? Haproxy will do this for you, you are just
> asking for trouble. I suggest you remove this.
>
>
>
> Maybe something on your backend (conntrack or the application)
> is rate-limiting per IP, or the aggressive client you are facing
> is keep-aliving properly with the backend, while it doesn't when
> using haproxy.
>
>
> I would apply the keep-alive configurations above and I would
> also suggest that you check the CPU load on your backend server
> as connections through haproxy become unresponsive, because that
> CPU can be saturated due to TLS negotiations as well.
>
>
> That's what the haproxy log shows, the response time from the tomcat
> backend is high suggesting something is wrong. Maybe something that you
> mentioned above (which makes sense), some system settings or if we can see
> the tomcat connector settings (and logs possibly) maybe something there is
> causing issues.
>
>
>
> Regards,
> Lukas
>
>
>

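The "direct curl" and "test without SSL between haproxy and Tomcat" checks suggested at the top of this reply can be turned into a small measurement that separates TLS handshake cost from the backend's own response wait. This is an added example, not a script from the thread or from the haproxy project; the two URLs are placeholders for your haproxy frontend and the Tomcat connector reached directly, and the 0.5s / 1.0s thresholds are arbitrary starting points.

```shell
#!/bin/sh
# Added example: time the same request via haproxy and directly against Tomcat,
# then attribute the delay to TLS handshake, backend wait, or neither.
# Assumed: curl is installed; URLs are passed on the command line.
set -u

# curl write-out format: five space-separated fields (times in seconds, then status).
CURL_FMT='%{time_connect} %{time_appconnect} %{time_starttransfer} %{time_total} %{http_code}'

# classify <label> "<connect> <appconnect> <starttransfer> <total> <http_code>"
# Prints: label tls=<handshake cost> wait=<time to first byte after handshake> total=<total> <verdict>
classify() {
    label=$1
    # Split the timing string into positional parameters.
    set -- $2
    awk -v l="$label" -v c="$1" -v a="$2" -v s="$3" -v t="$4" -v h="$5" 'BEGIN {
        # time_appconnect is 0 for plain http, so only count TLS cost when it is set
        tls  = (a > 0) ? a - c : 0
        # backend wait = time to first byte minus the point the connection was usable
        wait = s - ((a > 0) ? a : c)
        verdict = "ok"
        if (tls > 0.5)  verdict = "slow-tls-handshake"
        if (wait > 1.0) verdict = (verdict == "ok") ? "slow-backend" : verdict "+slow-backend"
        if (h !~ /^2/)  verdict = verdict "+http-" h
        printf "%s tls=%.3f wait=%.3f total=%.3f %s\n", l, tls, wait, t, verdict
    }'
}

# probe <label> <url>: one request, body discarded, timings classified.
probe() {
    classify "$1" "$(curl -sS -o /dev/null -w "$CURL_FMT" "$2")"
}

# Usage (placeholder URLs): ./probe.sh https://haproxy.example/ https://tomcat.example:8443/
# Run the direct probe with an http:// URL as well to test the path without SSL.
if [ "$#" -ge 2 ]; then
    probe via-haproxy   "$1"
    probe direct-tomcat "$2"
fi
```

Run both probes in a loop while the problem reproduces: a large tls= value only on the direct path points at the Tomcat connector's TLS setup, while a large wait= on both paths points at the application rather than at haproxy.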