Hi Alexander,

I have looked at the link. What I am looking for is an answer to the
difference between maxsslconn and maxsslrate. The former does not result in
CPU savings while the latter does. Again the former does result in large
number of tcp connection resets while the latter does not. What I'd like to
know and understand is why that is the case.
I am using nbproc set to 2.

On Thu, Jun 7, 2018 at 2:43 PM, Aleksandar Lazic <al-hapr...@none.at> wrote:

> On 07/06/2018 14:30, Mihir Shirali wrote:
>
>> We have a large number of ip phones connecting to this port. They could
>> be as large as 80k. They request for a file from a custom
>> application. haproxy front ends the tls connection and then forwards
>> the request to the application's http port.
>>
>
> Have you taken a look into the link below for some tunings for the system
> and haproxy.
>
> HA-Proxy version 1.8.8 2018/04/19
>> Copyright 2000-2018 Willy Tarreau <wi...@haproxy.org>
>>
>
> [snipp]
>
> Any chance to update to 1.8.9?
>
> Thanks can you also send the "Anonymized haproxy conf".
> The main questions are do you use thread and or nbprocs?
> This will be answered by the conf
>
> Best regards
> aleks
>
>
> On Thu, Jun 7, 2018 at 2:13 PM, Aleksandar Lazic <al-hapr...@none.at>
>> wrote:
>>
>> Hi Mihir.
>>>
>>> On 07/06/2018 10:27, Mihir Shirali wrote:
>>>
>>> Hi Team,
>>>>
>>>> We use haproxy to front tls for a large number of endpoints, haproxy
>>>> processes the TLS session and then forwards the request to the backend
>>>> application.
>>>>
>>>> What we have noticed is that if there are a large number of connections
>>>> from different clients - the CPU usage goes up significantly. This is
>>>> primarily because haproxy is handling a lot of SSL connections. I came
>>>> across 2 options above and tested them out.
>>>>
>>>>
>>> What do you mean with *large number*?
>>>
>>> https://medium.freecodecamp.org/how-we-fine-tuned-haproxy-to-achieve-2-000-000-concurrent-ssl-connections-d017e61a4d27
>>>
>>>> With maxsslrate - CPU is better controlled and if I combine this with
>>>> 503 response in the front end I see great results. Is there a
>>>> possibility of connection timeout on the client here if there are a
>>>> very large number of requests?
>>>>
>>>> With maxsslconn, CPU is still pegged high - and clients receive a tcp
>>>> reset. This is also good, because there is no chance of tcp time out on
>>>> the client. Clients can retry after a bit and they are aware that the
>>>> connection is closed instead of waiting on timeout. However, CPU still
>>>> seems pegged high. What is the reason for high CPU on the server here -
>>>> Is it because SSL stack is still hit with this setting?
>>>>
>>>>
>>> SSL/TLS handling isn't that easy.
>>>
>>> Please can you share some more information, because in the latest
>>> versions of haproxy a lot of optimisations have been introduced, also for TLS.
>>>
>>> haproxy -vv
>>>
>>> Anonymized haproxy conf.
>>>
>>> --
>>>
>>>> Regards,
>>>> Mihir
>>>>
>>>>
>>> Best regards
>>> Aleks
>>>
>>
>> --
>> Regards,
>> Mihir
>>
>


-- 
Regards,
Mihir
