Hi Mihir.

On 07/06/2018 10:27, Mihir Shirali wrote:
Hi Team,

We use haproxy to front TLS for a large number of endpoints; haproxy
processes the TLS session and then forwards the request to the backend
application.

What we have noticed is that if there are a large number of connections
from different clients, the CPU usage goes up significantly. This is
primarily because haproxy is handling a lot of SSL connections. I came
across 2 options above and tested them out.

What do you mean by *large number*?

https://medium.freecodecamp.org/how-we-fine-tuned-haproxy-to-achieve-2-000-000-concurrent-ssl-connections-d017e61a4d27

With maxsslrate, CPU is better controlled, and if I combine this with a
503 response in the frontend I see great results. Is there a
possibility of a connection timeout on the client here if there are a
very large number of requests?

With maxsslconn, CPU is still pegged high, and clients receive a TCP
reset. This is also good, because there is no chance of a TCP timeout on
the client. Clients can retry after a bit, and they are aware that the
connection is closed instead of waiting on a timeout. However, CPU still
seems pegged high. What is the reason for the high CPU on the server here?
Is it because the SSL stack is still hit with this setting?

SSL/TLS handling isn't that easy.

Please can you share some more information, because in the latest
versions of haproxy a lot of optimisations have been introduced, also for TLS.

haproxy -vv

Anonymized haproxy conf.

--
Regards,
Mihir

Best regards
Aleks
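For readers following the two settings discussed in this thread, here is an added example configuration (not posted by either participant, and not taken from the haproxy documentation verbatim) showing where maxsslconn and maxsslrate live and how a frontend can shed overflow with an explicit 503 or an L4 reject. The certificate path, addresses, ports and every numeric limit are placeholders chosen for illustration, not measured values; deny_status on http-request deny needs haproxy 1.8 or newer.

```haproxy
# Added example, not the thread author's configuration.
# All paths, addresses and limits below are illustrative placeholders.
global
    maxconn      20000
    # Hard cap on concurrent TLS connections for this process. A connection
    # above the cap is accepted at TCP level and then closed before any
    # handshake, so the client sees a closed socket rather than a timeout.
    maxsslconn   10000
    # Cap on new TLS sessions per second. Above this rate the listeners stop
    # accepting, so new connections wait in the kernel backlog and a client
    # with a short connect timeout can give up before it is served.
    maxsslrate   500
    # Session cache so returning clients resume instead of doing a full
    # handshake, which is the expensive part for CPU.
    tune.ssl.cachesize 100000
    tune.ssl.lifetime  600

defaults
    mode    http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend fe_tls
    bind *:443 ssl crt /etc/haproxy/certs/site.pem
    # Reject at layer 4, before the TLS handshake, when this frontend is
    # close to its own limit: a refused connection costs no crypto CPU.
    tcp-request connection reject if { fe_conn ge 9000 }
    # After the handshake, shed load with an explicit 503 that the client
    # can act on instead of hanging until its own timeout fires.
    http-request deny deny_status 503 if { fe_sess_rate gt 400 }
    default_backend be_app

backend be_app
    balance roundrobin
    server app1 10.0.0.11:8080 check
    server app2 10.0.0.12:8080 check
```

The two frontend rules answer different costs: the tcp-request connection reject fires before haproxy touches the SSL stack, so it is the cheaper of the two, while the http-request deny only runs once the handshake has already been paid for and is useful for giving clients a clear, retryable answer. Check a candidate file with `haproxy -c -f <file>` before reloading.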
