On Wed, 2012-12-12 at 22:49 +0100, Willy Tarreau wrote:
> Hi Martijn,
> 
> When you say "connecting to the port", you mean in SSL or in TCP?
> It's important because it's not the same. It's possible that you
> have reached a max number of concurrent connections for example
> because some handshakes are taking a lot of CPU time (just guessing).

I am talking about a raw connection, using telnet. The connection does
not get accepted (or it takes a long time), so the problem occurs before
the handshake can even begin.

> This is not much. Do you know if the clients reuse the same SSL session
> IDs or if they constantly renegotiate?

That's a mixed bag. I would guess that on average three requests are
done in the same session, but this is wild speculation.

> It would be interesting to run strace -Tttp $(pidof haproxy) when the
> problem happens. Also, how do you fix the issue? Do you just restart
> the process?

I will set up another test for later today, and will get back to you
with the results.

Fixing the issue is indeed as simple as restarting the haproxy process;
after this everything works fine for another few minutes (depending on
the load, this can be one minute, or up to 30 minutes).

> And what is your OpenSSL version? I'm asking because I've seen that
> 0.9.8 did at least one live access to /dev/urandom after the process
> was chrooted. So it may well be possible that past some connections
> it needs /dev/urandom again! Surely strace will tell us about this.

The OpenSSL version currently in use is 1.0.1.

> Could you also enable logging of SSL version and cipher by appending
> %sslv/%sslc at the end of the log-format line (you have to replace
> option httplog with the format that is described in the doc as the
> equivalent of httplog, I prefer to let you copy-paste it from the
> doc than from the mail).

I have added this to the haproxy config and restarted the haproxy
process; however, I do not see any change in the syslog results. It is
possible I made a mistake, however. Included is an example backend
section from my config file:

backend picservers
        mode http
        option httplog     # log all http requests
        log-format %Ci:%Cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %st\ %B\ %cc\ %cs\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ %{+Q}r\ %sslv/%sslc
        option forwardfor except 145.255.128.0/21
        server ...

> Thanks for your report!
> 
> Willy
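As an added example (not part of this thread, and not HAProxy's own code), here is a small Python parser for the lines that the log-format above produces once %sslv/%sslc is appended; it tallies TLS version and cipher per client IP, which answers Willy's question about how many connections each client opens and which suites they negotiate. The sample lines are constructed, and the regex assumes the field order exactly as in the backend section, with the %hr/%hs capture blocks optional.

```python
import re
from collections import Counter, defaultdict

# Field order follows the httplog-equivalent log-format quoted in the thread,
# with " %sslv/%sslc" appended. Assumption: {%hr} and {%hs} are only present
# when header captures are configured, so both blocks are optional here.
LOG_RE = re.compile(
    r'(?P<client_ip>\S+):(?P<client_port>\d+) +'
    r'\[(?P<accept_date>[^\]]+)\] +'
    r'(?P<frontend>\S+) +(?P<backend>\S+)/(?P<server>\S+) +'
    r'(?P<Tq>-?\d+)/(?P<Tw>-?\d+)/(?P<Tc>-?\d+)/(?P<Tr>-?\d+)/(?P<Tt>\+?\d+) +'
    r'(?P<status>-?\d+) +(?P<bytes>\+?\d+) +'
    r'(?P<cookie_cap>\S+) +(?P<cookie_set>\S+) +(?P<term_state>\S{4}) +'
    r'(?P<actconn>\d+)/(?P<feconn>\d+)/(?P<beconn>\d+)/(?P<srvconn>\d+)/(?P<retries>\+?\d+) +'
    r'(?P<srv_queue>\d+)/(?P<backend_queue>\d+) +'
    r'(?:\{(?P<req_hdrs>[^}]*)\} +)?(?:\{(?P<res_hdrs>[^}]*)\} +)?'
    r'"(?P<request>[^"]*)" +'
    r'(?P<ssl_version>\S+)/(?P<ssl_cipher>\S+)$'
)


def parse_line(line):
    """Return the named fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def tls_summary(lines):
    """Count connections per client IP broken down by (TLS version, cipher),
    plus an overall suite count; unparseable lines are counted, not dropped silently."""
    per_client = defaultdict(Counter)
    per_suite = Counter()
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        suite = (rec["ssl_version"], rec["ssl_cipher"])
        per_client[rec["client_ip"]][suite] += 1
        per_suite[suite] += 1
    return per_client, per_suite, unparsed


# Constructed sample lines in the format above (the third one includes header captures).
SAMPLE = """\
10.0.0.1:51234 [12/Dec/2012:22:49:01.123] https-in picservers/web1 10/0/5/20/35 200 1234 - - ---- 3/3/1/1/0 0/0 "GET /img/a.jpg HTTP/1.1" TLSv1/AES256-SHA
10.0.0.1:51235 [12/Dec/2012:22:49:01.456] https-in picservers/web1 8/0/4/18/30 200 987 - - ---- 4/4/2/1/0 0/0 "GET /img/b.jpg HTTP/1.1" TLSv1/AES256-SHA
10.0.0.2:40001 [12/Dec/2012:22:49:02.001] https-in picservers/web2 12/0/6/25/43 304 0 - - ---- 4/4/2/1/0 0/0 {www.example.org} {} "GET /img/c.jpg HTTP/1.1" SSLv3/RC4-SHA
this line is not in the expected format
"""
```

Clients that show up with many connections but the same suite every time are candidates for checking session reuse, and any SSLv3 or RC4 entries point at clients still negotiating weak suites.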