Re: Increased CPU usage after upgrading 1.5.15 to 1.5.16
On Fri, Apr 08, 2016 at 03:15:22PM +0200, Janusz Dziemidowicz wrote: > 2016-04-07 17:47 GMT+02:00 Willy Tarreau: > > If someone who can reliably reproduce the issue could check whether 1.6 has > > the same issue, it would help me cut the problem in half. That obviously > > excludes all those running sensitive production of course. > > I can try to test 1.6 next week and see what happens. Wow that could be great if you could, thanks Janusz! Willy
Re: Conditionally include unique-id-header
It is avalaible in the development version (1.7dev). Thierry On Fri, 8 Apr 2016 16:23:44 + Scott Rankinwrote: > Hi Thierry, > > Thanks for the suggestion - but the %[unique-id] variable is empty when I use > the config below. I’m using HAProxy 1.6.4. Did you have to do anything else > to get that to show up? > > > > Thanks! > Scott > > On 4/8/16, 12:04 PM, "Thierry FOURNIER" wrote: > > >Hi, > > > >I ve just submit a sample which returns the content of the unique-id. > >So, you can write: > > > > unique-id-format %{+X}o\ %ci-%cp-%rt-%pid-%Ts%fp > > acl unique_id_missing hdr_cnt(X-Unique-ID) eq 0 > > http-request add-header X-Unique-ID %[unique-id] if unique_id_missing > > > >Thierry > > > > > >On Fri, 8 Apr 2016 15:31:22 + > >Scott Rankin wrote: > > > >> Hi all, > >> > >> I’m trying to replicate functionality from a previous load balancer in > >> HAProxy, and the final sticking point seems to be the unique ID header. I > >> found the unique-id-header and unique-id-format commands, which are great, > >> but what I want to do is only add a unique-id-header if there is not > >> already one present. If there is one present, I do not want to add > >> another one (which is what seems to be happening by default). > >> > >> I’ve tried adding a conditional: > >> > >> acl unique_id_missing hdr_cnt(X-Unique-ID) eq 0 > >> unique-id-format %{+X}o\ %ci-%cp-%rt-%pid-%Ts%fp > >> unique-id-header X-Unique-ID if unique_id_missing > >> > >> But that does not seem to be working. Should it? If not, is there > >> another way to go about this? > >> > >> Thanks! > >> Scott > >> > >> This email message contains information that Motus, LLC considers > >> confidential and/or proprietary, or may later designate as confidential > >> and proprietary. It is intended only for use of the individual or entity > >> named above and should not be forwarded to any other persons or entities > >> without the express consent of Motus, LLC, nor should it be used for any > >> purpose other than in the course of any potential or actual business > >> relationship with Motus, LLC. If the reader of this message is not the > >> intended recipient, or the employee or agent responsible to deliver it to > >> the intended recipient, you are hereby notified that any dissemination, > >> distribution, or copying of this communication is strictly prohibited. If > >> you have received this communication in error, please notify sender > >> immediately and destroy the original message. > >> > >> Internal Revenue Service regulations require that certain types of written > >> advice include a disclaimer. To the extent the preceding message contains > >> advice relating to a Federal tax issue, unless expressly stated otherwise > >> the advice is not intended or written to be used, and it cannot be used by > >> the recipient or any other taxpayer, for the purpose of avoiding Federal > >> tax penalties, and was not written to support the promotion or marketing > >> of any transaction or matter discussed herein. > > > > > >-- > > > This email message contains information that Motus, LLC considers > confidential and/or proprietary, or may later designate as confidential and > proprietary. It is intended only for use of the individual or entity named > above and should not be forwarded to any other persons or entities without > the express consent of Motus, LLC, nor should it be used for any purpose > other than in the course of any potential or actual business relationship > with Motus, LLC. If the reader of this message is not the intended recipient, > or the employee or agent responsible to deliver it to the intended recipient, > you are hereby notified that any dissemination, distribution, or copying of > this communication is strictly prohibited. If you have received this > communication in error, please notify sender immediately and destroy the > original message. > > Internal Revenue Service regulations require that certain types of written > advice include a disclaimer. To the extent the preceding message contains > advice relating to a Federal tax issue, unless expressly stated otherwise the > advice is not intended or written to be used, and it cannot be used by the > recipient or any other taxpayer, for the purpose of avoiding Federal tax > penalties, and was not written to support the promotion or marketing of any > transaction or matter discussed herein. --
Re: [PATCH] CLEANUP: .gitignore cleanup
❦ 8 avril 2016 22:22 +0200, Vincent Bernat: > .gitignore is an odd beast. All the stuff at the beginning is useless > since in the bottom part starts with /.* and /*. Therefore, the top part > is useless. Moreover, the bottom part makes unignore *.o and > friends. Add it back at the bottom. I know we already talked about that in the past, but I remember that the bottom part wasn't here. -- Perilous to all of us are the devices of an art deeper than we ourselves possess. -- Gandalf the Grey [J.R.R. Tolkien, "Lord of the Rings"]
[PATCH] CLEANUP: .gitignore cleanup
From: Vincent Bernat.gitignore is an odd beast. All the stuff at the beginning is useless since in the bottom part starts with /.* and /*. Therefore, the top part is useless. Moreover, the bottom part makes unignore *.o and friends. Add it back at the bottom. --- .gitignore | 49 + 1 file changed, 1 insertion(+), 48 deletions(-) diff --git a/.gitignore b/.gitignore index 0292bcc1b4ce..54c9cdeb3a3b 100644 --- a/.gitignore +++ b/.gitignore @@ -1,51 +1,3 @@ -*.o -*/.svn -*~ -.flxdisk* -.flxpkg -.flxstatus* -.svn -haproxy -src/*.o -*.rej -*.orig -*.log* -*.trace* -haproxy-* -!doc/haproxy-*.txt -!src/*.c -make-* -dlmalloc.c -00*.patch -*.service -*.bak -.nfs* -contrib/base64/base64rev -contrib/halog/halog -contrib/ip6range/ip6range -contrib/iprange/iprange -tests/test_hashes -/*.cfg -/*.conf -/*.diff -/*.patch -/*.c -/*.o -/*.so -/*.txt -/*.TXT -/*.txt.* -/*.prof -/*.gprof -/*.prof.* -/*.gprof.* -/*.tar -/*.tar.gz -/*.tgz -/*.mbox -/*.sh -/bug* -/TAGS # Below we forbid everything and only allow what we know, that's much easier # than blocking about 500 different test files and bug report outputs. /.* @@ -69,3 +21,4 @@ tests/test_hashes !/src !/tests !/debian +*.o -- 2.8.0.rc3
[PATCH 2/2] BUG/MEDIUM: dns: fix alignment issue when building DNS queries
From: Vincent BernatOn some architectures, unaligned access is not authorized. On most architectures, it is just slower. Therefore, we have to use memcpy() when an unaligned access is needed, specifically when writing the qinfo. Also remove the unaligned access when reading answer count when reading the answer. It's likely that this instruction was optimized away by the compiler since it is unneeded. Add a comment to explain why we use 7 as an offset instead of 6. Not an unaligned offset since "resp" is "unsigned char", then promoted to int. --- src/dns.c | 11 +-- 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/src/dns.c b/src/dns.c index 3906742bce36..3b3dfc59e065 100644 --- a/src/dns.c +++ b/src/dns.c @@ -619,8 +619,7 @@ int dns_get_ip_from_response(unsigned char *resp, unsigned char *resp_end, cname = *newip = newip4 = newip6 = NULL; cnamelen = currentip_found = 0; *newip_sin_family = AF_UNSPEC; - ancount = (((struct dns_header *)resp)->ancount); - ancount = *(resp + 7); + ancount = *(resp + 7); /* Assume no more than 256 answers */ /* bypass DNS response header */ reader = resp + sizeof(struct dns_header); @@ -975,7 +974,7 @@ int dns_init_resolvers(void) int dns_build_query(int query_id, int query_type, char *hostname_dn, int hostname_dn_len, char *buf, int bufsize) { struct dns_header *dns; - struct dns_question *qinfo; + struct dns_question qinfo; char *ptr, *bufend; memset(buf, '\0', bufsize); @@ -1021,9 +1020,9 @@ int dns_build_query(int query_id, int query_type, char *hostname_dn, int hostnam return -1; /* set up query info (type and class) */ - qinfo = (struct dns_question *)ptr; - qinfo->qtype = htons(query_type); - qinfo->qclass = htons(DNS_RCLASS_IN); + qinfo.qtype = htons(query_type); + qinfo.qclass = htons(DNS_RCLASS_IN); + memcpy(ptr, , sizeof(qinfo)); ptr += sizeof(struct dns_question); -- 2.8.0.rc3
[PATCH 1/2] BUG/MINOR: dns: fix DNS header definition
From: Vincent BernatConforming to RFC 2535, section 6.1. This is not an important bug as those fields don't seem to be set to something else than 0 and to be checked on answers. --- include/types/dns.h | 14 +++--- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/include/types/dns.h b/include/types/dns.h index 757eaaf28d9a..98adc983bf44 100644 --- a/include/types/dns.h +++ b/include/types/dns.h @@ -63,16 +63,16 @@ /* DNS request or response header structure */ struct dns_header { unsigned short id:16; /* identifier */ - unsigned char rd :1; /* recursion desired 0: no, 1: yes */ - unsigned char tc :1; /* truncation 0:no, 1: yes */ - unsigned char aa :1; /* authoritative answer 0: no, 1: yes */ - unsigned char opcode :4; /* operation code */ unsigned char qr :1; /* query/response 0: query, 1: response */ - unsigned char rcode :4; /* response code */ - unsigned char z :1; /* no used */ + unsigned char opcode :4; /* operation code */ + unsigned char aa :1; /* authoritative answer 0: no, 1: yes */ + unsigned char tc :1; /* truncation 0:no, 1: yes */ + unsigned char rd :1; /* recursion desired 0: no, 1: yes */ + unsigned char ra :1; /* recursion available 0: no, 1: yes */ + unsigned char z :1; /* not used */ unsigned char ad :1; /* authentic data */ unsigned char cd :1; /* checking disabled */ - unsigned char ra :1; /* recursion available 0: no, 1: yes */ + unsigned char rcode :4; /* response code */ unsigned short qdcount :16;/* question count */ unsigned short ancount :16;/* answer count */ unsigned short nscount :16;/* authority count */ -- 2.8.0.rc3
Re: Conditionally include unique-id-header
Hi Thierry, Thanks for the suggestion - but the %[unique-id] variable is empty when I use the config below. I’m using HAProxy 1.6.4. Did you have to do anything else to get that to show up? Thanks! Scott On 4/8/16, 12:04 PM, "Thierry FOURNIER"wrote: >Hi, > >I ve just submit a sample which returns the content of the unique-id. >So, you can write: > > unique-id-format %{+X}o\ %ci-%cp-%rt-%pid-%Ts%fp > acl unique_id_missing hdr_cnt(X-Unique-ID) eq 0 > http-request add-header X-Unique-ID %[unique-id] if unique_id_missing > >Thierry > > >On Fri, 8 Apr 2016 15:31:22 + >Scott Rankin wrote: > >> Hi all, >> >> I’m trying to replicate functionality from a previous load balancer in >> HAProxy, and the final sticking point seems to be the unique ID header. I >> found the unique-id-header and unique-id-format commands, which are great, >> but what I want to do is only add a unique-id-header if there is not already >> one present. If there is one present, I do not want to add another one >> (which is what seems to be happening by default). >> >> I’ve tried adding a conditional: >> >> acl unique_id_missing hdr_cnt(X-Unique-ID) eq 0 >> unique-id-format %{+X}o\ %ci-%cp-%rt-%pid-%Ts%fp >> unique-id-header X-Unique-ID if unique_id_missing >> >> But that does not seem to be working. Should it? If not, is there another >> way to go about this? >> >> Thanks! >> Scott >> >> This email message contains information that Motus, LLC considers >> confidential and/or proprietary, or may later designate as confidential and >> proprietary. It is intended only for use of the individual or entity named >> above and should not be forwarded to any other persons or entities without >> the express consent of Motus, LLC, nor should it be used for any purpose >> other than in the course of any potential or actual business relationship >> with Motus, LLC. If the reader of this message is not the intended >> recipient, or the employee or agent responsible to deliver it to the >> intended recipient, you are hereby notified that any dissemination, >> distribution, or copying of this communication is strictly prohibited. If >> you have received this communication in error, please notify sender >> immediately and destroy the original message. >> >> Internal Revenue Service regulations require that certain types of written >> advice include a disclaimer. To the extent the preceding message contains >> advice relating to a Federal tax issue, unless expressly stated otherwise >> the advice is not intended or written to be used, and it cannot be used by >> the recipient or any other taxpayer, for the purpose of avoiding Federal tax >> penalties, and was not written to support the promotion or marketing of any >> transaction or matter discussed herein. > > >-- > This email message contains information that Motus, LLC considers confidential and/or proprietary, or may later designate as confidential and proprietary. It is intended only for use of the individual or entity named above and should not be forwarded to any other persons or entities without the express consent of Motus, LLC, nor should it be used for any purpose other than in the course of any potential or actual business relationship with Motus, LLC. If the reader of this message is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, please notify sender immediately and destroy the original message. Internal Revenue Service regulations require that certain types of written advice include a disclaimer. To the extent the preceding message contains advice relating to a Federal tax issue, unless expressly stated otherwise the advice is not intended or written to be used, and it cannot be used by the recipient or any other taxpayer, for the purpose of avoiding Federal tax penalties, and was not written to support the promotion or marketing of any transaction or matter discussed herein.
Re: Conditionally include unique-id-header
Hi, I ve just submit a sample which returns the content of the unique-id. So, you can write: unique-id-format %{+X}o\ %ci-%cp-%rt-%pid-%Ts%fp acl unique_id_missing hdr_cnt(X-Unique-ID) eq 0 http-request add-header X-Unique-ID %[unique-id] if unique_id_missing Thierry On Fri, 8 Apr 2016 15:31:22 + Scott Rankinwrote: > Hi all, > > I’m trying to replicate functionality from a previous load balancer in > HAProxy, and the final sticking point seems to be the unique ID header. I > found the unique-id-header and unique-id-format commands, which are great, > but what I want to do is only add a unique-id-header if there is not already > one present. If there is one present, I do not want to add another one > (which is what seems to be happening by default). > > I’ve tried adding a conditional: > > acl unique_id_missing hdr_cnt(X-Unique-ID) eq 0 > unique-id-format %{+X}o\ %ci-%cp-%rt-%pid-%Ts%fp > unique-id-header X-Unique-ID if unique_id_missing > > But that does not seem to be working. Should it? If not, is there another > way to go about this? > > Thanks! > Scott > > This email message contains information that Motus, LLC considers > confidential and/or proprietary, or may later designate as confidential and > proprietary. It is intended only for use of the individual or entity named > above and should not be forwarded to any other persons or entities without > the express consent of Motus, LLC, nor should it be used for any purpose > other than in the course of any potential or actual business relationship > with Motus, LLC. If the reader of this message is not the intended recipient, > or the employee or agent responsible to deliver it to the intended recipient, > you are hereby notified that any dissemination, distribution, or copying of > this communication is strictly prohibited. If you have received this > communication in error, please notify sender immediately and destroy the > original message. > > Internal Revenue Service regulations require that certain types of written > advice include a disclaimer. To the extent the preceding message contains > advice relating to a Federal tax issue, unless expressly stated otherwise the > advice is not intended or written to be used, and it cannot be used by the > recipient or any other taxpayer, for the purpose of avoiding Federal tax > penalties, and was not written to support the promotion or marketing of any > transaction or matter discussed herein. --
Conditionally include unique-id-header
Hi all, I’m trying to replicate functionality from a previous load balancer in HAProxy, and the final sticking point seems to be the unique ID header. I found the unique-id-header and unique-id-format commands, which are great, but what I want to do is only add a unique-id-header if there is not already one present. If there is one present, I do not want to add another one (which is what seems to be happening by default). I’ve tried adding a conditional: acl unique_id_missing hdr_cnt(X-Unique-ID) eq 0 unique-id-format %{+X}o\ %ci-%cp-%rt-%pid-%Ts%fp unique-id-header X-Unique-ID if unique_id_missing But that does not seem to be working. Should it? If not, is there another way to go about this? Thanks! Scott This email message contains information that Motus, LLC considers confidential and/or proprietary, or may later designate as confidential and proprietary. It is intended only for use of the individual or entity named above and should not be forwarded to any other persons or entities without the express consent of Motus, LLC, nor should it be used for any purpose other than in the course of any potential or actual business relationship with Motus, LLC. If the reader of this message is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, please notify sender immediately and destroy the original message. Internal Revenue Service regulations require that certain types of written advice include a disclaimer. To the extent the preceding message contains advice relating to a Federal tax issue, unless expressly stated otherwise the advice is not intended or written to be used, and it cannot be used by the recipient or any other taxpayer, for the purpose of avoiding Federal tax penalties, and was not written to support the promotion or marketing of any transaction or matter discussed herein.
Re: Increased CPU usage after upgrading 1.5.15 to 1.5.16
2016-04-07 17:47 GMT+02:00 Willy Tarreau: > If someone who can reliably reproduce the issue could check whether 1.6 has > the same issue, it would help me cut the problem in half. That obviously > excludes all those running sensitive production of course. I can try to test 1.6 next week and see what happens. -- Janusz Dziemidowicz
LUA: Skip HTTP headers and forward TCP traffic
Hi everybody, I try to connect to an SSH process via proxytunnel. The incoming request carries normal HTTP headers that I have to skip those in order to forward further encrypted SSH traffic to an SSH process. I thought I could tackle this task using Lua and register_action, but since it’s my first time working with Lua and haproxy and I got stuck. I hope someone could help me on this topic. ### Output: Apr 08 10:15:48 HOST docker[4059]: [info] 098/101548 (12) : connect-ssh Apr 08 10:15:48 HOST docker[4059]: [debug] 098/101548 (12) : CONNECT 127.0.0.1:22 HTTP/1.1.. Apr 08 10:15:48 HOST docker[4059]: [debug] 098/101548 (12) : Host: FQDN.. Apr 08 10:15:48 HOST docker[4059]: [debug] 098/101548 (12) : Proxy-Connection: Keep-Alive.. Apr 08 10:15:48 HOST docker[4059]: [debug] 098/101548 (12) : X-Forwarded-Proto: https.. Apr 08 10:15:48 HOST docker[4059]: [debug] 098/101548 (12) : X-Forwarded-For: IP.. Apr 08 10:15:48 HOST docker[4059]: [debug] 098/101548 (12) : .. Apr 08 10:15:53 HOST docker[4059]: [ALERT] 098/101553 (12) : Lua function 'connect-ssh': yield not allowed. ### haproxy.cfg: global lua-load /etc/haproxy/proxytunnel.lua … frontend multiplex-ssh-http bind :80 mode tcp option tcplog tcp-request inspect-delay 5s tcp-request content lua.connect-ssh if METH_CONNECT # Detect SSH connection attempts acl client_attempts_ssh payload(0,7) -m bin 5353482d322e30 use_backend tcp-ssh if client_attempts_ssh default_backend http-nginx backend tcp-ssh mode tcp option tcplog server ssh dockerhost:22 timeout server 2h … ### proxytunnel.lua: function string.starts(haystack, needle) return haystack:sub(1, needle:len()) == needle end core.register_action('connect-ssh', { "tcp-req" }, function(txn) local line = txn.req:getline(); txn:Info("connect-ssh"); if line == nil then txn:Debug("Got nil, skipping..."); return elseif not line:starts("CONNECT 127.0.0.1:22 HTTP/1.1") then txn:Debug("No match, got " .. line .. ", skipping..."); return end repeat -- skip headers txn:Debug(line); line = txn.req:getline(); until line == nil or line == ""; return end); King regards Florian Aßmann
[PATCH 1/4]: BUG/MINOR : server: risk of over reading the pref_net array.
Hi, here a first patch among a small patchset. Kind regards. From 65b5807cfbdebf28f01695fa02a34cd0353d4212 Mon Sep 17 00:00:00 2001 From: David CarlierDate: Fri, 8 Apr 2016 10:26:44 +0100 Subject: [PATCH 1/4] BUG/MINOR: server: risk of over reading the pref_net array. dns_option struct pref_net field is an array of 5. The issue here shows that pref_net_nb can go up to 5 as well which might lead to read outside of this array. --- src/server.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/server.c b/src/server.c index 72799bb..5a2c58a 100644 --- a/src/server.c +++ b/src/server.c @@ -1116,7 +1116,7 @@ int parse_server(const char *file, int linenum, char **args, struct proxy *curpr e = p; while (*p != '\0') { /* If no room avalaible, return error. */ - if (opt->pref_net_nb > SRV_MAX_PREF_NET) { + if (opt->pref_net_nb >= SRV_MAX_PREF_NET) { Alert("parsing [%s:%d]: '%s' exceed %d networks.\n", file, linenum, args[cur_arg], SRV_MAX_PREF_NET); err_code |= ERR_ALERT | ERR_FATAL; -- 2.5.0
[PATCH 4/4]: CLEANUP: proto_uxst: initialize socket before setting.
Hi, This one might not find this way as it might then having a performance hit, I was outweighting the outcome for this patch myself ... We ll see. Regards. From f8713e332f99aee682ef12c7bbbc39766be3d3ff Mon Sep 17 00:00:00 2001 From: David CarlierDate: Fri, 8 Apr 2016 10:44:08 +0100 Subject: [PATCH 4/4] CLEANUP: proto_uxst: initialize socket before setting. Initializes the socket before usage. However, there might be then a slight impact performance hit. --- src/proto_uxst.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/proto_uxst.c b/src/proto_uxst.c index b2a7fe2..3fa9504 100644 --- a/src/proto_uxst.c +++ b/src/proto_uxst.c @@ -131,6 +131,7 @@ static void destroy_uxst_socket(const char *path) if (sock < 0) return; + memset(, 0, sizeof(addr)); addr.sun_family = AF_UNIX; strncpy(addr.sun_path, path, sizeof(addr.sun_path)); addr.sun_path[sizeof(addr.sun_path) - 1] = 0; @@ -191,6 +192,7 @@ static int uxst_bind_listener(struct listener *listener, char *errmsg, int errle if (ext) goto fd_ready; + memset(, 0, sizeof(addr)); if (path[0]) { ret = snprintf(tempname, MAXPATHLEN, "%s.%d.tmp", path, pid); if (ret < 0 || ret >= MAXPATHLEN) { -- 2.5.0
CIDR Notation in ACL -- silent failure
Hi! I noticed that while this ACL matches my source IP of 192.168.42.123: acl src_internal_net src 192.168.42.0/24 this one does _not_: acl src_internal_net src 192.168.42/24 While not strictly part of RFC 4632 (yet), leaving out trailing .0 octets is a very common notation and is probably going to be included in a future RFC update (as per Errata 1577): https://www.rfc-editor.org/errata_search.php?rfc=4632=1577 If there are concerns against this notation, the config parser should at least issue a WARNING or even ERROR about this, because I found it it quite confusing. Especially if ACLs are used for actual access control, this can have nasty consequences. What do you think? Cheers, Daniel -- Daniel Schneller Principal Cloud Engineer CenterDevice GmbH
Re: ssl offloading
wow! Thanks, again Gerd Weitergeleitete Nachricht Von: Pavlos ParissisAn: Andrew Hayworth , Gerd Mueller Kopie: haproxy@formilux.org Betreff: Re: ssl offloading Datum: Sun, 3 Apr 2016 22:37:41 +0200 On 01/04/2016 04:20 μμ, Andrew Hayworth wrote: > > Hi there - > > Have you considered HAProxy in multiprocess mode? You could have a > frontend spread across multiple threads that terminates SSL. We're > experimenting with such a design here. > It has been mentioned before that you can increase capacity[1] by using: - latest Intel CPUs - Openssl 1.0.2g version or higher - enable multiprocess mode - PIN HAProxy to CPU processes - stop irqbalancer and PIN network interrupt queues to CPUs, using Intel 10GbE cards makes this very easy - tune HAProxy and OS - Enable RFC5077 TLS Session Resumption, tricky in distributed setup - Deploy ECC certificates and enable ECC ciphers. I managed to achieve 450K HTTPS/sec with object size 1K using 22 cores out of 24. Disabling HT and use 10cores gave me 370K HTTPS/sec. HT is disabled for now in our systems. I wouldn't offload ssl to hardware as they are like blackbox. You don't know what they do and how vulnerable they are. Cheers, Pavlos [1] number of https/sec while CPU utilization(user+sys level) <=70% why 70%? because you want to have some room to handle attacks, failures on other nodes/DCs, mistakes by devs( a typo somewhere can increase number of requests and cause a DDOS...) signature.asc Description: This is a digitally signed message part