Hi, Thierry.
our case is like this: we put a haproxy as ssl termination. and haproxy got
the https requirement. and then go throught SSL ternimation. and then forward
the request to web (by HTTP), also, get the Http request and encrypt it, and
return HTTPS to client.
thanks
Mike
At 2017-12-19 19:25:09, "Thierry Fournier" <thierry.fourn...@arpalert.org>
wrote:
>Hi,
>
>What kind of job ?
>
>Thierry
>
>> On 19 Dec 2017, at 12:17, hongw...@163.com wrote:
>>
>> Hi,Thierry
>>
>> got it. Thanks!
>>
>> By the way, may I ask the ssl termination is best solution for this kind of
>> job?
>>
>>
>> Many thanks
>>
>> Mike
>>
>>
>>
>> -------- 原始邮件 --------
>> 主题:Re: Haproxy SSl Termination performance issue
>> 发件人:Thierry Fournier
>> 收件人:Mike G
>> 抄送:Haproxy
>>
>>
>> Hi,
>>
>> I gues that 130 is 130 SSL requests per seconds ?
>>
>> SSL is a very heavy processing. The 4096 bits certificates consume more
>> CPU that 2048 (thanks captain obvious). Your capacity processing is
>> capped by your CPU. You must check the CPU of your server during your
>> test. If the CPU consummation is 100%, you reach the limit of your server.
>>
>> If you reach the limit of one CPU (nbproc), you can use more CPU and/or more
>> servers.
>>
>> Thierry
>>
>>
>> > On 19 Dec 2017, at 08:36, Mike G wrote:
>> >
>> > Hi, everyone.
>> >
>> > I just got a problem about the haproxy ssl termination performance issues.
>> > we have a case which want to use SSL Termination. so, we did some testing
>> > before online, I know the virtual machine will not good choice, but it
>> > make feel so supriose the cur link can be more than 130 when I use 4096
>> > key.
>> > here's my configuration about the haproxy:
>> >
>> > haproxy as SSL termination layer before web server.
>> > the haproxy version is 1.8.1
>> > I compile it by myself:
>> > use the parameter:
>> > make TARGET=linux2628 USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1
>> >
>> > also, I use download openssl 1.0.2n from openssl.org, and compile by those
>> > parameters:
>> > ./config -d zlib
>> >
>> > after install openssl and haproxy.
>> > here's my configuration about the haproxy:
>> > global
>> > log 127.0.0.1 local0
>> >
>> > chroot /var/lib/haproxy
>> > pidfile /var/run/haproxy.pid
>> > maxconn 65535
>> > group haproxy
>> > user haproxy
>> > daemon
>> > nbproc 1
>> >
>> > stats socket /var/lib/haproxy/stats
>> > tune.ssl.default-dh-param 2048
>> >
>> > defaults
>> > mode http
>> > log global
>> > option redispatch
>> > option abortonclose
>> > log 127.0.0.1 local0
>> > retries 3
>> > maxconn 65535
>> > timeout connect 10s
>> > timeout client 1m
>> > timeout queue 1m
>> > timeout http-request 30s
>> > timeout server 1m
>> > timeout check 5s
>> >
>> > listen admin_stats
>> > bind 0.0.0.0:20123
>> > maxconn 10
>> > stats refresh 10s
>> > stats uri /web/status
>> > stats auth admin:1
>> > stats hide-version
>> >
>> >
>> > frontend localhost
>> > bind *:80
>> > bind *:443 ssl crt /etc/ssl/web-zhengshu.pem
>> > option httpclose
>> > mode http
>> > default_backend nodes
>> >
>> > backend nodes
>> > mode http
>> > balance roundrobin
>> > option forwardfor
>> > option httpchk GET /check.html
>> > server web01 127.0.0.1:8080 check
>> > http-request set-header X-Forwarded-Port %[dst_port]
>> > http-request add-header X-Forwarded-Proto https if { ssl_fc }
>> >
>> >
>> > note: about the option httpclose, I make it for purpose.
>> >
>> > also, I use vegeta for test.
>> > here's the testing command line:
>> > echo "GET https://10.77.77.215/check.html"; | ./vegeta.vegeta -cpus=8
>> > attack -duration=90s -rate=800 -insecure | tee reports.bin |
>> > ./vegeta.vegeta report
>> >
>> > I found the cpu is get more than 90% usage very soon. but the haproxy
>> > status picture like in attachment.
>> >
>> > the max links is less than 130 around.
>> >
>> > but when I changed the ssl certication file back to 2048, it will be
>> > increase to around 800.
>> >
>> > is there anyone can help me about how to improve the haproxy ssl
>> > termination performance?
>> >
>> >
>> > Many thanks
>> >
>> >
>> > Mike
>> >
>> >
>> >
>> >
>> >
>> >
>> >
>> >
>> >
>> >
>> >
>> >
>> >
