On Wed, May 07, 2014 at 10:28:18AM +0200, John-Paul Bader wrote: > Willy Tarreau wrote: > > >It's very interesting, it contains a call to ssl_update_cache(). I didn't > >know you were using SSL, but in multi-process mode we have the shared > >context > >model to share the SSL sessions between processes. > > Yes, sorry. In the initial email on this thread I posted our > configuration which included the SSL setup.
Yes I remember having seen your config, but unfortunately I'm having a hard time remembering all the configs I see during a single day, I'm sorry. > We're using OpenSSL 1.0.1g 7 Apr 2014 to benefit from the AES-NI > acceleration. OK. > >Oh and BTW, I can confirm that ktrace is really poor compared to strace :-) > > haproxy does not include DTrace probes by any chance right? :) No, and I have no idea how this works either. But if you feel like it can provide some value and be done without too much effort, feel free to try :-) > >>So it seems unrelated to kqueue as well. Later I will try to run the > >>test with a fraction of the traffic without nbproc (all the traffic is > >>too much for one process) > > > >That would be great! You can try to build with "USE_PRIVATE_CACHE=1" in > >order to disable session sharing. > > Right now I'm running a test just with disabled nbproc. Next I will try > to recompile with "USE_PRIVATE_CACHE=1" Great. > Do I have to pass that option like this: > > make CFLAGS="-g -O0" USE_PRIVATE_CACHE=1 ? Yes that's the principle. You can look at the makefile, all build options are referenced at the top. > These are our current build options - for completeness: > > haproxy -vv > HA-Proxy version 1.5-dev24-8860dcd 2014/04/26 BTW, be careful, a few bugs introduced in dev23 on ACLs were fixed after dev24. So with this version, "acl foo xxx -i yyy" will not work for example. Balance url_param is broken as well. All of them are fixed in latest snapshot though. > Copyright 2000-2014 Willy Tarreau <[email protected]> > > Build options : > TARGET = freebsd > CPU = generic > CC = cc > CFLAGS = -g -O0 -DFREEBSD_PORTS > OPTIONS = USE_GETADDRINFO=1 USE_ZLIB=1 USE_OPENSSL=1 USE_PCRE=1 > > Default settings : > maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200 > > Encrypted password support via crypt(3): yes > Built with zlib version : 1.2.7 > Compression algorithms supported : identity, deflate, gzip > Built with OpenSSL version : OpenSSL 1.0.1g 7 Apr 2014 > Running on OpenSSL version : OpenSSL 1.0.1g 7 Apr 2014 > OpenSSL library supports TLS extensions : yes > OpenSSL library supports SNI : yes > OpenSSL library supports prefer-server-ciphers : yes > Built with PCRE version : 8.34 2013-12-15 > PCRE library supports JIT : no (USE_PCRE_JIT not set) > Built with transparent proxy support using: IP_BINDANY IPV6_BINDANY > > Available polling systems : > kqueue : pref=300, test result OK > poll : pref=200, test result OK > select : pref=150, test result OK > Total: 3 (3 usable), will use kqueue. OK, nothing unusual here. Thanks for the detailed output, it always helps! Best regards, Willy
