Hi

I have haproxy 1.5-dev22 working with SSL termination and it seems to be
using quite a bit of CPU under a not very high load of SSL connections.

ios_sproxy_fe   session rate max 50  sessions max 805

This LB also balances unencrypted traffic:
ios_proxy_fe session rate max 720  sessions max 12.8K

Before I enabled SSL termination, haproxy used very little CPU to balance
the unencrypted traffic and pass the SSL traffic to the backends via TCP.


When I add nbproc 2 it splits the load evenly between 2 cores as expected,
but that creates difficulties in management via the management socket and
stats interface.

I found this thread http://comments.gmane.org/gmane.comp.web.haproxy/9328
which discusses offloading the SSL to 2 processes and passing the
unencrypted traffic to other port listeners via send-proxy.

Is this still the recommended way to balance multiple cores with SSL and
nbproc?

My config:

global
        stats socket /var/run/haproxy.stat level admin
        pidfile /var/run/haproxy.pid
        log /dev/log local0 notice
        maxconn 71000
        daemon
        nbproc 2
        user haproxy
        group haproxy

defaults
        log global
        log /dev/log local0 notice
        mode http
        retries 2
        option redispatch
        maxconn 68400
        contimeout 5000
        clitimeout 60000
        srvtimeout 60000
        timeout queue 30000

frontend ios_proxy_fe
        bind 10.11.50.15:80
        mode http
        maxconn 72000
        acl bad_guys_ip src -f /etc/haproxy/block_ip.txt
        acl bad_guys_ip hdr_ip(X-Forwarded-For) -f /etc/haproxy/xfwd_block_ip.txt
        block if bad_guys_ip
        acl prodapi_proxy path_beg /api
        acl no_manager path_beg /manager
        block if no_manager
        option http-server-close
        option forwardfor
        use_backend prodapi_proxy_be if prodapi_proxy
        default_backend ios_proxy_be

frontend ios_sproxy_fe
        bind 10.11.50.15:443 ssl crt /etc/haproxy/certs/haproxy.pem
        mode http
        maxconn 72000
        acl bad_guys_ip src -f /etc/haproxy/block_ip.txt
        acl bad_guys_ip hdr_ip(X-Forwarded-For) -f /etc/haproxy/xfwd_block_ip.txt
        block if bad_guys_ip
        option http-server-close
        option forwardfor
        # add "X-Proto: SSL" to requests coming via port 443
        acl is-ssl  dst_port       443
        acl prod_api path_beg   /api
        reqadd      X-Proto:\ SSL  if is-ssl
        default_backend ios_proxy_be

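The layout asked about above (SSL offloaded to dedicated processes, cleartext handed to another listener via send-proxy), sketched as an added example that is not part of the original post or the linked thread. It assumes nbproc 3, the loopback port 8443 and the section name ssl_offload, all chosen for illustration; global and defaults settings not shown stay as in the post.

```haproxy
global
        nbproc 3
        # One admin socket, answered by process 1 only, so socket commands
        # and stats always reach the process that holds the HTTP logic.
        stats socket /var/run/haproxy.stat level admin
        stats bind-process 1

# Processes 2 and 3 only terminate TLS. No ACLs, no routing.
listen ssl_offload
        bind-process 2 3
        mode tcp
        bind 10.11.50.15:443 ssl crt /etc/haproxy/certs/haproxy.pem
        # The PROXY header carries the client's address and the original
        # destination (10.11.50.15:443) over the loopback hop.
        server clear 127.0.0.1:8443 send-proxy

# Process 1 keeps both HTTP frontends with their original rules.
frontend ios_proxy_fe
        bind-process 1
        bind 10.11.50.15:80
        mode http
        acl bad_guys_ip src -f /etc/haproxy/block_ip.txt
        acl bad_guys_ip hdr_ip(X-Forwarded-For) -f /etc/haproxy/xfwd_block_ip.txt
        block if bad_guys_ip
        acl prodapi_proxy path_beg /api
        acl no_manager path_beg /manager
        block if no_manager
        option http-server-close
        option forwardfor
        use_backend prodapi_proxy_be if prodapi_proxy
        default_backend ios_proxy_be

frontend ios_sproxy_fe
        bind-process 1
        # Loopback only: accept-proxy trusts whatever addresses the header
        # claims, so a reachable accept-proxy port lets any sender spoof
        # "src" and walk past the bad_guys_ip blocklist.
        bind 127.0.0.1:8443 accept-proxy
        mode http
        acl bad_guys_ip src -f /etc/haproxy/block_ip.txt
        acl bad_guys_ip hdr_ip(X-Forwarded-For) -f /etc/haproxy/xfwd_block_ip.txt
        block if bad_guys_ip
        option http-server-close
        option forwardfor
        # dst_port still reads 443 here because accept-proxy restores the
        # original destination from the PROXY header.
        acl is-ssl  dst_port       443
        reqadd      X-Proto:\ SSL  if is-ssl
        default_backend ios_proxy_be
```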