Hi all

I'm fairly new to HAProxy so I might have done something amazingly stupid…. 

I have HAProxy 1.5-dev19 (and now dev21) set up to terminate SSL and forward 
requests to 3 nginx/php5-fpm servers that run a heavy PHP application….

I have run a number of benchmarks against HAProxy with and without SSL and see 
the following results:

benchmark commands: 
  ab -c 1 -n 500 "http://example.com/status.php";
  ab -c 1 -n 500 "https://example.com/status.php";

where -c is the concurrency level, and -n the number of requests. /status.php 
is a script that loads the complete PHP stack of the app and returns a tiny 
HTML file (12 bytes) with the status.


HAProxy and the VMs are running on virtual machines in an OpenStack cluster, 
the benchmarks were performed from one of the physical hosts of that cluster:

Latency between benchmark host and HAProxy VM: 
ping example.com
PING st-fl-1.2.3.4.example.com (1.2.34) 56(84) bytes of data.
64 bytes from st-fl-1.2.3.4.example.com (1.2.34: icmp_req=1 ttl=63 time=0.919 ms
64 bytes from st-fl-1.2.3.4.example.com (1.2.34: icmp_req=2 ttl=63 time=0.858 ms
 
I vary concurrency level and get the following mean response times per request:

HTTP: -c 1 -n 500: 54.800 [ms]
SSL: -c 1 -n 500: 64.467

HTTP: -c2 -n 500: 57.696 ms
SSL: -c2 -n 500: 70.699 ms

HTTP: -c4 -n 500: 61.966 ms
SSL: -c4 -n 500: 77.379 ms

HTTP: -c 8 -n 500: 64.711 ms
SSL: -c 8 -n 500: 92.793 ms

HTTP: -c 16 -n 1000: 63.882 ms (doubled the number of requests to account for 
more concurrency)
SSL: -c 16 -n 1000: 118.347 ms

HTTP: -c 32 -n 1000: 74.488 ms
SSL: -c 32 -n 1000: 172.178 ms

HTTP: -c 64 -n 1000: 133.784 ms
SSL: -c 64 -n 1000: 317.118 ms

HTTP: -c 128 -n 2000: 261.037 ms
SSL: -c 128 -n 2000: 528.435 ms

Using a "hello world" php file (<?php echo "Hello World"; ?> ) I see that this 
setup can do around 2500 - 3000 requests / second with HTTP and around 200 
requests / second with SSL

Are these numbers something that is expected? Should HAProxy be able to 
terminate more than 200 SSL requests per second?

Here's the haproxy.conf file:

global
    log         127.0.0.1 local2

    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     4000
    user        root
    group       root
    daemon

    # turn on stats unix socket
    stats socket /var/lib/haproxy/stats level admin

defaults
    mode                    http
    log                     global
    option                  httplog
    option                  dontlognull


    option http-server-close
    option forwardfor       except 127.0.0.0/8
    option                  redispatch
    option                  http-server-close
    retries                 3
    timeout http-request    10s
    timeout queue           1m
    timeout connect         10s
    timeout client          1m
    timeout server          10m
    timeout http-keep-alive 10s
    timeout check           10s
    maxconn                 3000

    errorfile 503 /etc/haproxy/503maintenance.html


frontend stats
    bind 0.0.0.0:8443 ssl crt /etc/haproxy/example.com.crt.pem
    stats                   enable
    stats                   auth xx:xx

frontend internstats
    bind 0.0.0.0:8080
    stats                   enable
    stats                   auth xx:xx



frontend unsecured
    bind 0.0.0.0:80
    default_backend owncloud
    mode http
    option httpclose
    option forwardfor
    # http-request redirect scheme https if !{ ssl_fc }

frontend ssl        # @zabbix_frontend(box-lb1)
    bind 0.0.0.0:443 ssl crt /etc/haproxy/example.com.crt.pem

    default_backend owncloud
    mode http
    option httpclose
    option forwardfor


backend owncloud
    mode http

    balance     roundrobin
    cookie SRVNAME insert
    server box-web1 10.0.20.18:80 cookie box-web1 check fastinter 500ms # @zabbix_server(box-web1)
    server box-web2 10.0.20.37:80 cookie box-web2 check fastinter 500ms # @zabbix_server(box-web2)
    server box-web3 10.0.20.48:80 cookie box-web3 check fastinter 500ms # @zabbix_server(box-web3)


thanks for your help

Jens-Christian

-- 
SWITCH
Jens-Christian Fischer, Peta Solutions
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 15, direct +41 44 268 15 71
[email protected]
http://www.switch.ch

http://www.switch.ch/socialmedia
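
Added example (not part of the original message): this sketch parses the result lines from the post and derives the throughput each run implies and the extra time per request under SSL. It assumes the figures are ab's first "Time per request (mean)" value, for which requests/second equals concurrency divided by mean time; the function names are illustrative.

```python
import re

# Mean ms per request, copied from the post above (HTTP and SSL side by side).
RESULTS = """
HTTP: -c 1 -n 500: 54.800 [ms]     SSL: -c 1 -n 500: 64.467
HTTP: -c2 -n 500: 57.696 ms        SSL: -c2 -n 500: 70.699 ms
HTTP: -c4 -n 500: 61.966 ms        SSL: -c4 -n 500: 77.379 ms
HTTP: -c 8 -n 500: 64.711 ms       SSL: -c 8 -n 500: 92.793 ms
HTTP: -c 16 -n 1000: 63.882 ms     SSL: -c 16 -n 1000: 118.347 ms
HTTP: -c 32 -n 1000: 74.488 ms     SSL: -c 32 -n 1000: 172.178 ms
HTTP: -c 64 -n 1000: 133.784 ms    SSL: -c 64 -n 1000: 317.118 ms
HTTP: -c 128 -n 2000: 261.037 ms   SSL: -c 128 -n 2000: 528.435 ms
"""

# Tolerates the spacing variants used in the post ("-c2", "-c 2", "[ms]", no unit).
ENTRY = re.compile(r"(HTTP|SSL):\s*-c\s*(\d+)\s+-n\s*\d+:\s*([\d.]+)")


def parse(text):
    """Return {concurrency: {"HTTP": ms, "SSL": ms}} from the result lines."""
    table = {}
    for proto, conc, ms in ENTRY.findall(text):
        table.setdefault(int(conc), {})[proto] = float(ms)
    return table


def analyse(table):
    """Per concurrency level: implied req/s for each protocol and the SSL delta."""
    rows = []
    for conc in sorted(table):
        http_ms, ssl_ms = table[conc]["HTTP"], table[conc]["SSL"]
        rows.append({
            "c": conc,
            "http_rps": conc * 1000 / http_ms,   # Assumption: rps = c / mean time
            "ssl_rps": conc * 1000 / ssl_ms,
            "ssl_extra_ms": ssl_ms - http_ms,    # added time per request with SSL
        })
    return rows


if __name__ == "__main__":
    print(f"{'c':>4} {'HTTP req/s':>11} {'SSL req/s':>10} {'SSL extra ms':>13}")
    for r in analyse(parse(RESULTS)):
        print(f"{r['c']:>4} {r['http_rps']:>11.1f} {r['ssl_rps']:>10.1f} "
              f"{r['ssl_extra_ms']:>13.3f}")
```

On these figures the SSL runs imply roughly 186, 202 and 242 requests/second at -c 32, 64 and 128.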
