On Fri, Oct 11, 2013 at 02:43:35AM +0000, steve wrote: > I have been working on trouble shooting Haproxy 1.5 dev 19 with SSL for the > last day or so on Cent OS 6.4 64bit. > > Lastest OpenSSL compiled 1.0.1e, recompiled haproxy with this make -s > TARGET=linux2628 USE_EPOLL=1 USE_OPENSSL=1 ARCH=x86_64 clean all > > SSL cert wild card, plus godaddy intermediate and our key. > > Our current set of issues we are seeing: > *Massive amounts of connection refused when running the test with ssl > *Very High usage of CPU on this 8 core 32 gig box with 100 gig ssd and 1gb > nic > *Maybe 1/4 the amount of traffic we can push though, compaired to a non ssl > test > > We are using Jmeter to load test and blazemeter to do up to 40k jmeter > threads for a full hour.
Are you sure your haproxy settings support these 40k concurrent connections ? > Here is a list of the errors that are spit back after the test is done > Response codes > > response codecountresponse message > 400 29 Bad request This means SSL could pass through but that it's the tester which is sending bad requests. Quite concerning in fact because from this point it's permitted to doubt about everything else... > Non HTTP response code: javax.net.ssl.SSLPeerUnverifiedException > 86069 Non HTTP response message: peer not authenticated Possibly aborted handshakes. > Non HTTP response code: org.apache.http.conn.HttpHostConnectException 27229 > Non HTTP response message: Connection to https://xxxx.com:2222 refused Huh ? did you stop and restart haproxy during the test ? Are you sure the connectivity between the client and haproxy is OK ? A connection refused can only happen when either the server is stopped or when there is one component between the client and the server which explicitly sends RST packets (eg: a firewall), or some ICMP admin prohibited packets (eg: a router). > Non HTTP response code: java.net.SocketException > 88 Non HTTP response message: Connection reset > > 4122 Precondition Failed > Non HTTP response code: org.apache.http.NoHttpResponseException270Non HTTP > response message: The target server failed to respond > > So this is what we are facing and we are not haproxy experts and think we > have taken it to the best of what we understand about haproxy config and > settings. > > special note: we do not have a web site on the backend, its user server for > an upcoming game we are working on so the stack is quite simple from haproxy > -> node.js --> db and back. > > Json data is posted to the user server and returned. OK. Anyway this is like a website and it must work! You need to check haproxy's logs to see if it *receives* the requests that are reported to fail, or if it logs failed handshakes. Since you're reporting a high CPU usage, it is also possible that the client renegociates a new key for each request, which might or might not match what you expect from your target. For example, if each of your clients does only one request and leaves, this is OK. But if you have only 40k concurrent clients which do a number of requests, they will only negociate once at the beginning of their session. Regards, Willy
