Adding the list.

On Thu, May 3, 2012 at 11:09 AM, Bar Ziony <[email protected]> wrote:

> Alexander,
>
> Yes, we're using Linode servers. I chose the 1024 linode. Since it's very
> easy to change that, choose something and test :)
>
> I've reached around 800 req/sec with SSL and ~5000 req/sec with HTTP.
> This is actually very low for haproxy, and is because of the Virtualized
> overhead. This is much more than we need anyway, so it's fine by us.
>
> On Thu, May 3, 2012 at 10:44 AM, Alexander Kamardash <[email protected]> wrote:
>
>> Thank you Bar.
>>
>> Are you planning to use Linode servers ? What are the HW specs of node
>> that you chose? You reached few thousands req\s ? Bottleneck is in CPU,
>> I/O or network ?
>>
>> ----------------------------
>> Alexander Kamardash
>>
>> *From:* Bar Ziony [mailto:[email protected]]
>> *Sent:* Thursday, May 03, 2012 10:16 AM
>> *To:* Alexander Kamardash
>> *Cc:* Vikram Adukia; [email protected]
>> *Subject:* Re: HAProxy and SSL traffic termination
>>
>> Alexander,
>>
>> I just implemented such a setup, with nginx listening on the LB for HTTP
>> requests (port 443), proxying via HTTP to haproxy on the same machine. HTTP
>> requests are coming straight to haproxy and from there to our app servers.
>>
>> There is a 2nd LB that is a replica of the first, and a keepalived daemon
>> keeping a floating IP on one of them. This way you don't have any SPOF.
>>
>> As for performance, I did a small benchmark for our use case, stud was a
>> bit faster than nginx (900 requests/sec vs 800 requests/sec, no keepalive
>> so this is checking SSL performance). Using 64-bit has MUCH better
>> performance in SSL for some reason. More than x2 requests rate.
>>
>> Please note that this setup doesn't scale on the SSL "tier". We are
>> planning on vertically increasing the LB's capacity by more powerful
>> hardware, if it will be needed. If you need full scaling capabilities on
>> the SSL tier, you're better off using some kind of IP load balancer such as
>> LVS in front, forwarding SSL stuff to a SSL farm which is scalable and
>> regular HTTP traffic to haproxy (scalable as well).
>>
>> Don't take my experiments for granted, I'm new to this game. I hope this
>> helps.
>>
>> P.S. Willy - Putting your help and information to use ! ;)
>>
>> Regards,
>> Bar.
>>
>> On Thu, May 3, 2012 at 9:56 AM, Alexander Kamardash <[email protected]> wrote:
>>
>> Hi,
>>
>> I am pretty sure that termination traffic on Pound, Apache or Nginx will
>> do a work. My question is more about performance of such solution. It will
>> be an entrance point and I don't want to create a single point of failure.
>> In case of splitting it to 2 LB layers HAProxy-> SSL termination->backend
>> servers - create additional complexity.
>>
>> ----------------------------
>> Alexander Kamardash
>>
>> *From:* [email protected] [mailto:[email protected]] *On Behalf Of *Vikram Adukia
>> *Sent:* Thursday, May 03, 2012 1:38 AM
>> *To:* Alexander Kamardash
>> *Cc:* [email protected]
>> *Subject:* Re: HAProxy and SSL traffic termination
>>
>> A fairly easy configuration is to have Pound SSL sitting in front of
>> HAProxy. I don't have benchmark numbers, but the configuration is fairly
>> simple:
>>
>> Pound:443 -> Haproxy:80 (or really any tcp port that haproxy is listening
>> on)
>>
>> Here's most of my pound.cfg file:
>>
>> ListenHTTPS
>>     Address 0.0.0.0
>>     Port 443
>>     # Obviously, adjust this to point to wherever your ssl cert is
>>     Cert "/etc/ssl/yourssl.pem"
>> End
>>
>> Service
>>     Backend
>>         # in this configuration, haproxy is sitting on the same server as pound
>>         Address 127.0.0.1
>>         Port 80
>>     End
>> End
>>
>> On Wed, May 2, 2012 at 3:00 PM, Baptiste <[email protected]> wrote:
>>
>> On Wed, May 2, 2012 at 3:46 PM, Alexander Kamardash
>> <[email protected]> wrote:
>> > Hi,
>> >
>> > We want to perform LB, SSL termination and L7 on HAProxy. Could you please
>> > advise the best approach for it? We are interested in max performance and
>> > not complicated configuration.
>> >
>> > If you are already running such configuration, pls share what is the max
>> > connection rate you reach.
>> >
>> > -------------
>> > Alexander
>>
>> Hi,
>>
>> If you can wait a bit, HAProxy will do SSL endpoint for you.
>> Waiting that, either nginx or stud looks to perform quite well.
>>
>> cheers
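
The nginx-in-front-of-haproxy layout described in the thread above, as an added example configuration; it is not from any poster in the thread. The server name, certificate paths and the loopback port 8080 for haproxy's cleartext listener are assumptions.

```nginx
# Added example: TLS terminated by nginx, cleartext HTTP handed to haproxy
# on the same machine. example.com, the /etc/ssl paths and port 8080 are
# placeholders chosen for illustration, not values from the thread.
server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate     /etc/ssl/example.com.crt;
    ssl_certificate_key /etc/ssl/example.com.key;   # keep readable by root only

    # TLSv1.3 needs an nginx/OpenSSL build that supports it; drop it otherwise.
    ssl_protocols TLSv1.2 TLSv1.3;

    # Session reuse spares returning clients a full handshake, which is the
    # cost the no-keepalive benchmark in the thread is measuring.
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 10m;

    location / {
        # haproxy should bind this listener to 127.0.0.1 only, so nothing on
        # the network can reach it directly and forge the headers set below.
        proxy_pass http://127.0.0.1:8080;

        proxy_set_header Host              $host;
        # Overwrite (not append) so client-supplied values are discarded.
        proxy_set_header X-Forwarded-For   $remote_addr;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

With this layout haproxy sees every TLS request as coming from 127.0.0.1, so logging and any ACLs on the client address have to read `X-Forwarded-For` instead of the connection source.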

