On Fri, Feb 15, 2019 at 08:35:58PM -0200, Joao Morais wrote:
> This is just theory - and 5 digits start at 10000 =) . The problem is the
> "<keyword> <params> if <acl> <acl> <more-acl>" multiplied by 3000 or so.
> Moving everything to the backend or a map is a really big step forward. I
> suspect my frontend will have about 10 lines instead of 4000.
The most horrible config I've seen had 450000 such lines with their respective ACLs. All internet routes were generated for two interfaces to decide which backend to use! The config took some time to load and was not very fast but still it ran fast. In your case I suspect that one of the ACL keywords is expensive to evaluate. I'd be interested in getting a sample of these lines to have an idea. We might very well have a bug in one of these sample fetch functions, or it could be relying on something expensive.

If you have some time to run some extra tests, it would be nice to rebuild haproxy with "ARCH_FLAGS=-pg", run it again, stop it using kill -USR1 (not ctrl-C), and run "gprof haproxy gmon.out". It will show the number of calls to each function and a rough approximation of the time spent there. We may find a huge number of calls to the culprit and possibly we could improve it.

If it's just that the sample is expensive, there is the option of copying it into a variable and using the variable in the ACL lookups, it will be way cheaper. But of course as Aleks said, using the maps with dynamic backend rules is the right way to proceed in your case.

Willy
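The two cheaper alternatives Willy mentions (caching the sample fetch in a variable, and replacing the per-host ACL rules with a map-driven dynamic use_backend) side by side with the ACL-per-host layout they replace. This is an added example written for this page, not a config from the thread or from the HAProxy project; the backend names, listening ports and the map file path /etc/haproxy/hosts.map are made up, and the map file contents shown in the comment are a constructed sample.

```haproxy
# Added example, not from the original thread. Assumed names: backends
# bk_shop, bk_api and bk_default; map file /etc/haproxy/hosts.map.

# Layout the thread is complaining about: one ACL plus one use_backend line
# per host. Every use_backend rule re-runs the req.hdr(host) fetch and its
# converters until one ACL matches, so cost grows linearly with the rule count
# (imagine 3000 of these instead of two).
frontend fe_http_acl
    bind :8080
    acl host_shop req.hdr(host),lower -m str shop.example.com
    acl host_api  req.hdr(host),lower -m str api.example.com
    use_backend bk_shop if host_shop
    use_backend bk_api  if host_api
    default_backend bk_default

# Same rules, but the sample is fetched once per transaction into a variable
# and the ACLs compare against the variable. Still linear in the number of
# rules, but the (possibly expensive) fetch and converter chain runs once.
frontend fe_http_var
    bind :8081
    http-request set-var(txn.host) req.hdr(host),lower
    acl host_shop var(txn.host) -m str shop.example.com
    acl host_api  var(txn.host) -m str api.example.com
    use_backend bk_shop if host_shop
    use_backend bk_api  if host_api
    default_backend bk_default

# Map-based dynamic backend selection: a single rule that looks the host up in
# a map file and uses the result as the backend name. The lookup is a hash
# lookup regardless of how many hosts the map holds, and the host list lives in
# a file that can be updated at runtime instead of in the config.
# Unknown hosts get bk_default from the map's second argument.
frontend fe_http_map
    bind :80
    use_backend %[req.hdr(host),lower,map_str(/etc/haproxy/hosts.map,bk_default)]

# Constructed sample of /etc/haproxy/hosts.map, one "key value" pair per line:
#   shop.example.com bk_shop
#   api.example.com  bk_api

backend bk_shop
    server s1 127.0.0.1:9001

backend bk_api
    server s1 127.0.0.1:9002

backend bk_default
    server s1 127.0.0.1:9000
```

Validate the file with `haproxy -c -f haproxy.cfg` before reloading. With the map variant, entries can be added, changed or removed without a reload through the runtime API (`show map`, `add map`, `set map`, `del map` on the stats socket), which is the "dynamic backend rules" property the thread refers to; note that the map key is whatever the fetch chain produces, so the `lower` converter has to be applied consistently on both the lookup and the keys stored in the file.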

