Re: very low requests per second rate with option forceclose (now with details)

2017-08-16 Thread Stefan Sticht
Hi,

please do not bother any further about this. I had an iptables rate limit of 25 
SYN requests per second configured.
Sorry for wasting your time.

Stefan


> On 16 Aug 2017, at 20:35, Stefan Sticht  wrote:
> 
> Hi,
> 
> sorry I missed to tell details: haproxy and webservers are running Ubuntu 
> 16.04.3 LTS
> I am testing HA-Proxy version 1.6.3 2015/12/25 and HA-Proxy version 
> 1.7.8-1ppa1~xenial 2017/07/09
> 
> I also can test the webserver directly bypassing the haproxy completely 
> (apache2.4 on webserver has "KeepAlive Off" configured)
> $ ab -v 1 -c 10 -n 1000 http://10.27.100.45/test/index.html | grep -e Requests -e Complete -e Failed
> Complete requests:  1000
> Failed requests:  0
> Requests per second:  7948.87 [#/sec] (mean)
> 
> Thanks!
> Stefan
> 
>> On 16 Aug 2017, at 17:53, Stefan Sticht wrote:
>> 
>> Hi,
>> 
>> I need help with my haproxy config. I have been asked to disable keepalive 
>> in haproxy.
>> As soon as I use "option forceclose" the requests per second rate measured 
>> with apachebench
>> goes down from like 1000 requests per second to 25 requests per second.
>> 
>> frontend w-test-kon
>> bind *:8000
>> bind *:8001 ssl crt /etc/ssl/private/wildcard.w.pem
>> maxconn 4096000
>> default_backend web1
>> 
>> frontend w-test-koff
>> option forceclose
>> no option http-keep-alive
>> bind *:8002
>> bind *:8003 ssl crt /etc/ssl/private/wildcard.w.pem
>> maxconn 4096000
>> default_backend web1
>> 
>> backend web1
>> mode http
>> balance roundrobin
>> http-reuse always
>> server web1-ip1 192.168.2.11:80 check source 192.168.2.211
>> option httpchk
>> maxconn 4096000
>> http-response set-header Strict-Transport-Security "max-age=1600; includeSubDomains; preload;"
>> 
>> Without forceclose:
>> 
>> $ ab -v 1 -k -c 10 -n 1000 https://w:8001/test/index.html | grep -e Requests -e Complete -e Failed
>> Complete requests:  1000
>> Failed requests:  0
>> Requests per second:  1112.29 [#/sec] (mean)
>> 
>> With forceclose:
>> 
>> $ ab -v 1 -k -c 10 -n 1000 https://w:8003/test/index.html | grep -e Requests -e Complete -e Failed
>> Complete requests:  1000
>> Failed requests:  0
>> Requests per second:  25.86 [#/sec] (mean)
>> 
>> Whatever I configure as soon as I disable keepalive I am down to 24-45 
>> requests per second.
>> 
>> Anyone an idea what I am doing wrong?
>> 
>> Thanks in advance!
>> 
>> Stefan
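An added example, not part of the original thread: the cause Stefan reports above (an iptables limit of 25 SYN packets per second) can be found by scanning `iptables-save` output for SYN rate limits and estimating the request rate they allow when every request opens a new connection. The sample ruleset is constructed, and the burst of 5 (the `limit` module's default) is an assumption, since the thread does not show the actual rule.

```python
import shlex

# Constructed iptables-save excerpt; the thread does not show the real rule.
SAMPLE_RULES = """\
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 5 -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
"""

SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def syn_rate_limits(rules_text):
    """Return (syns_per_second, burst) for every rule that rate-limits TCP SYNs."""
    found = []
    for line in rules_text.splitlines():
        tok = shlex.split(line)
        if "--limit" not in tok:
            continue
        flags = tok.index("--tcp-flags") if "--tcp-flags" in tok else None
        is_syn = "--syn" in tok or (flags is not None and tok[flags + 2] == "SYN")
        if not is_syn:
            continue
        count, unit = tok[tok.index("--limit") + 1].split("/")
        burst = int(tok[tok.index("--limit-burst") + 1]) if "--limit-burst" in tok else 5
        found.append((int(count) / SECONDS[unit[0]], burst))
    return found


def approx_requests_per_second(requests, concurrency, reused, rate, burst):
    """Estimate the request rate a SYN token bucket allows for an ab run."""
    # If connections are reused (keep-alive honoured end to end) only
    # `concurrency` connections are opened; otherwise every request needs a SYN.
    syns = concurrency if reused else requests
    # The bucket admits `burst` SYNs at once, then `rate` per second.
    seconds = max(0, syns - burst) / rate
    return float("inf") if seconds == 0 else requests / seconds


if __name__ == "__main__":
    for rate, burst in syn_rate_limits(SAMPLE_RULES):
        for reused in (True, False):
            rps = approx_requests_per_second(1000, 10, reused, rate, burst)
            print(f"limit {rate:g}/s burst {burst} reused={reused}: ~{rps:.1f} req/s")
```

For 1000 requests without connection reuse the estimate is about 25 requests per second, the same order as the 25.86 measured through the forceclose frontend.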


Re: very low requests per second rate with option forceclose (now with details)

2017-08-16 Thread Holger Just
Hi Stefan

Stefan Sticht wrote:
> I also can test the webserver directly bypassing the haproxy completely
> (apache2.4 on webserver has "KeepAlive Off" configured)
> $ ab -v 1 -c 10 -n 1000 http://10.27.100.45/test/index.html | grep -e Requests -e Complete -e Failed
> Complete requests:  1000
> Failed requests:  0
> Requests per second:  7948.87 [#/sec] (mean)

Here, you are running ab over plain HTTP to your backend server.

>> Without forceclose:
>>
>> $ ab -v 1 -k -c 10 -n 1000 https://w:8001/test/index.html | grep -e Requests -e Complete -e Failed
>> Complete requests:  1000
>> Failed requests:  0
>> Requests per second:  1112.29 [#/sec] (mean)
>>
>> With forceclose:
>>
>> $ ab -v 1 -k -c 10 -n 1000 https://w:8003/test/index.html | grep -e Requests -e Complete -e Failed
>> Complete requests:  1000
>> Failed requests:  0
>> Requests per second:  25.86 [#/sec] (mean)

However, with these tests, you are running over TLS. This makes a huge
difference in performance.

Since the most expensive part of a TLS tunnel is to establish the
connection (which involves slow asymmetric encryption), you are
basically constrained here.

Now, in the real world, most clients will try to re-use existing TLS
sessions using either server-stored TLS sessions or client-stored TLS
tickets, both of which allow them to skip the most expensive part of a
new connection.

Apache bench does not re-use sessions. As such, what you are effectively
benchmarking here is the ability of your server to handle new TLS
handshakes. When disabling keep-alive, ab has to create a completely new
TLS connection for each request while it reuses the existing connections
with keep-alive enabled. This alone can explain the performance
differences you see there.

Now, even with a server without AES-NI support in the CPU, 25 handshakes
per second and core is still pretty low. With a modern CPU, I would
expect about 350 handshakes per second and core.

In any case, you could increase performance by running with a larger
nbproc for your SSL handling (e.g. as many as you have cores or even
hyperthreads) and by using a CPU which has AES-NI support and is thus
able to perform many expensive operations for the asymmetric crypto in
hardware. Getting rid of virtualization layers also helps tremendously.

The biggest performance increase when using HTTPS in the real world
however would probably be to actually enable keep-alive at least between
the client and haproxy.

Regards,
Holger



very low requests per second rate with option forceclose (now with details)

2017-08-16 Thread Stefan Sticht
Hi,

sorry I missed to tell details: haproxy and webservers are running Ubuntu 
16.04.3 LTS
I am testing HA-Proxy version 1.6.3 2015/12/25 and HA-Proxy version 
1.7.8-1ppa1~xenial 2017/07/09

I also can test the webserver directly bypassing the haproxy completely 
(apache2.4 on webserver has "KeepAlive Off" configured)
$ ab -v 1 -c 10 -n 1000 http://10.27.100.45/test/index.html | grep -e Requests -e Complete -e Failed
Complete requests:  1000
Failed requests:  0
Requests per second:  7948.87 [#/sec] (mean)

Thanks!
Stefan

> On 16 Aug 2017, at 17:53, Stefan Sticht  wrote:
> 
> Hi,
> 
> I need help with my haproxy config. I have been asked to disable keepalive in 
> haproxy.
> As soon as I use "option forceclose" the requests per second rate measured 
> with apachebench
> goes down from like 1000 requests per second to 25 requests per second.
> 
> frontend w-test-kon
> bind *:8000
> bind *:8001 ssl crt /etc/ssl/private/wildcard.w.pem
> maxconn 4096000
> default_backend web1
> 
> frontend w-test-koff
> option forceclose
> no option http-keep-alive
> bind *:8002
> bind *:8003 ssl crt /etc/ssl/private/wildcard.w.pem
> maxconn 4096000
> default_backend web1
> 
> backend web1
> mode http
> balance roundrobin
> http-reuse always
> server web1-ip1 192.168.2.11:80 check source 192.168.2.211
> option httpchk
> maxconn 4096000
> http-response set-header Strict-Transport-Security "max-age=1600; includeSubDomains; preload;"
> 
> Without forceclose:
> 
> $ ab -v 1 -k -c 10 -n 1000 https://w:8001/test/index.html | grep -e Requests -e Complete -e Failed
> Complete requests:  1000
> Failed requests:  0
> Requests per second:  1112.29 [#/sec] (mean)
> 
> With forceclose:
> 
> $ ab -v 1 -k -c 10 -n 1000 https://w:8003/test/index.html | grep -e Requests -e Complete -e Failed
> Complete requests:  1000
> Failed requests:  0
> Requests per second:  25.86 [#/sec] (mean)
> 
> Whatever I configure as soon as I disable keepalive I am down to 24-45 
> requests per second.
> 
> Anyone an idea what I am doing wrong?
> 
> Thanks in advance!
> 
> Stefan