haproxy SSL termination... Awesome!!!!!!

I have been in the process of replacing our hardware appliances with a software based solution running in a virtualized environment.

We currently have a project running in semi-beta mode to a closed set of users. Our current load is around 2500 new ssl TPS at 2048 bit ssl certs. We currently have an ssl cache of around 1,000,000. I am not sure how many ssl session reuses a second because our appliances do not capture that info (I am guessing around 4000 because of data in other log files). When we open up our project to the public we expect much more traffic.

Our software solution is using stunnel + haproxy (with accept-proxy) running on 10 virtual machines per host, with 10 CPUs per virtual machine. We actually get better throughput using the VMs rather than the physical server due to software interrupts etc. I have been able to benchmark this solution using full TCP and HTTP requests at 9,500 new ssl TPS at 2048 bit certs with around 70,000 ssl reuses per second. We also get over 6Gbps of throughput. (We will have at least two physical servers for redundancy etc., so double the numbers above.) Our software solution still has a pair of L4 load balancers in front of the ssl terminators for redundancy, and we are using stunnel's shared ssl session cache so that we can avoid sticky TCP sessions from the L4 load balancer.

When I tested the new haproxy SSL implementation I was able to hit closer to 12,000 new TPS (MUCH better performance), but it does not appear that haproxy currently shares the session cache across servers. I do know that it shares it across multi-process on the same box. Is this something that you are planning on implementing? Or is there some other way that I can achieve this?

Thanks for your awesome work!
David T.
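The two frontends the post describes (haproxy terminating TLS natively, and haproxy accepting plaintext from stunnel with the PROXY protocol header via accept-proxy), written out as an haproxy configuration. This is an added example, not the poster's configuration and not taken from the haproxy project; the certificate path, backend addresses, process count and cache size are hypothetical placeholders chosen to match the numbers in the post.

```haproxy
# Added example (not the poster's config). Paths, addresses and sizes are
# hypothetical placeholders.
global
    nbproc 10                       # one worker per vCPU; the SSL session cache is
                                    # shared between these processes through shared memory,
                                    # but only on this host (nbproc was later replaced by threads)
    tune.ssl.cachesize 1000000      # number of sessions the cache can hold
    tune.ssl.lifetime 300           # seconds a cached session stays resumable
    tune.ssl.default-dh-param 2048  # DH parameter size used for DHE key exchange

frontend https_native
    # haproxy terminates TLS itself; certificate chain and private key are
    # concatenated in one PEM file, readable only by the haproxy user
    bind :443 ssl crt /etc/haproxy/certs/example.pem
    default_backend app_pool

frontend https_via_stunnel
    # plaintext from a local stunnel instance that prepends a PROXY protocol
    # header, so the original client address survives the hop
    bind 127.0.0.1:8080 accept-proxy
    default_backend app_pool

backend app_pool
    balance roundrobin
    server app1 10.0.0.11:8080 check
    server app2 10.0.0.12:8080 check
```

The cache configured here is per host: a client whose resumption attempt lands on a different terminator behind the L4 balancer gets a full handshake, which is exactly the stickiness problem the post raises. The two ways around it are the ones the post already names (session stickiness at the L4 layer, or a cache that is shared across machines as stunnel's is); later haproxy releases (1.6 and up) also accept a `tls-ticket-keys` file on the `bind` line so that every terminator can decrypt the same session tickets, at the cost of having to distribute, protect and rotate that key file across all hosts.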

