Hi, I have haproxy 1.5-dev22 working with SSL termination and it seems to be using quite a bit of CPU under a not very high load of SSL connections.

ios_sproxy_fe   session rate max 50    sessions max 805

This lb also balances unencrypted traffic:

ios_proxy_fe    session rate max 720   sessions max 12.8K

Before I enabled SSL termination haproxy used very little CPU to balance the unencrypted traffic and pass the SSL traffic to the backends via tcp.

When I add nbproc 2 it splits the load evenly between 2 cores as expected but that creates difficulties in management via the management socket and stats interface.

I found this thread http://comments.gmane.org/gmane.comp.web.haproxy/9328 which discusses offloading the SSL to 2 processes and passing the unencrypted traffic to other port listeners via send-proxy.

Is this still the recommended way to balance multiple cores with SSL and nbproc?

My config:

global
    stats socket /var/run/haproxy.stat level admin
    pidfile /var/run/haproxy.pid
    log /dev/log local0 notice
    maxconn 71000
    daemon
    nbproc 2
    user haproxy
    group haproxy

defaults
    log global
    log /dev/log local0 notice
    mode http
    retries 2
    option redispatch
    maxconn 68400
    contimeout 5000
    clitimeout 60000
    srvtimeout 60000
    timeout queue 30000

frontend ios_proxy_fe
    bind 10.11.50.15:80
    mode http
    maxconn 72000
    acl bad_guys_ip src -f /etc/haproxy/block_ip.txt
    acl bad_guys_ip hdr_ip(X-Forwarded-For) -f /etc/haproxy/xfwd_block_ip.txt
    block if bad_guys_ip
    acl prodapi_proxy path_beg /api
    acl no_manager path_beg /manager
    block if no_manager
    option http-server-close
    option forwardfor
    use_backend prodapi_proxy_be if prodapi_proxy
    default_backend ios_proxy_be

frontend ios_sproxy_fe
    bind 10.11.50.15:443 ssl crt /etc/haproxy/certs/haproxy.pem
    mode http
    maxconn 72000
    acl bad_guys_ip src -f /etc/haproxy/block_ip.txt
    acl bad_guys_ip hdr_ip(X-Forwarded-For) -f /etc/haproxy/xfwd_block_ip.txt
    block if bad_guys_ip
    option http-server-close
    option forwardfor
    # add "X-Proto: SSL" to requests coming via port 443
    acl is-ssl dst_port 443
    acl prod_api path_beg /api
    reqadd X-Proto:\ SSL if is-ssl
    default_backend ios_proxy_be
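
A sketch of the split the post describes (SSL handled by two dedicated processes, cleartext handed to another listener via send-proxy), written against the addresses in the config above. This is an added example, not the poster's configuration and not copied from the linked thread; nbproc 3, the process numbering, the ssl_offload and clear_fe names, and the loopback port 8443 are assumptions.

```haproxy
global
    nbproc 3                      # assumption: 1 HTTP process + 2 SSL processes

# SSL tier: processes 2 and 3 only decrypt and forward (assumed numbering).
listen ssl_offload
    bind-process 2 3
    bind 10.11.50.15:443 ssl crt /etc/haproxy/certs/haproxy.pem
    mode tcp
    # send-proxy prepends a PROXY protocol header carrying the real client
    # address and the original destination (10.11.50.15:443).
    server clear_fe 127.0.0.1:8443 send-proxy

# HTTP tier: all HTTP rules and backends stay in process 1.
frontend ios_proxy_fe
    bind-process 1
    bind 10.11.50.15:80
    mode http
    # remaining directives as in the original ios_proxy_fe
    default_backend ios_proxy_be

frontend ios_sproxy_fe
    bind-process 1
    # accept-proxy takes src/dst from the PROXY header, so whoever can reach
    # this listener can assert any client address. Keep it on loopback
    # (assumed port) so only the ssl_offload processes can connect to it.
    bind 127.0.0.1:8443 accept-proxy
    mode http
    maxconn 72000
    # src is now the address from the PROXY header, so the block list
    # still matches the real client rather than 127.0.0.1.
    acl bad_guys_ip src -f /etc/haproxy/block_ip.txt
    acl bad_guys_ip hdr_ip(X-Forwarded-For) -f /etc/haproxy/xfwd_block_ip.txt
    block if bad_guys_ip
    option http-server-close
    option forwardfor
    # dst_port also comes from the PROXY header, so it is still 443 here.
    acl is-ssl dst_port 443
    reqadd X-Proto:\ SSL if is-ssl
    default_backend ios_proxy_be
```

The src-based block list only remains trustworthy while the accept-proxy listener is unreachable from outside the host; exposing it on a routable address would let any client choose the source address the ACL evaluates.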