Hi Florian, On Mon, May 19, 2014 at 05:05:15PM +0200, Florian Munz wrote: > Hello, > > we're trying to set up HAProxy 1.5-dev25 to terminate SSL and load > balance to various back-ends. From our benchmarks it seems we need to > run haproxy with nbproc higher than 1 to scale out SSL handshakes. So we > tested the setup described here: > > https://www.mail-archive.com/[email protected]/msg13104.html > > and quickly ran into problems with what looks like source-port > exhaustion between ssl-front and clear-front. We then followed the > approach described by Stack Overflow > (http://brokenhaze.com/blog/2014/03/25/how-stack-exchange-gets-the-most-out-of-haproxy/) > > and configured multiple `server` and `bind` on local IPs.
Ah, not fun, cloudflare error for now. But I see what you're talking about (one "server" per "bind" on the other side). > That seems to work fine for now, but I have a few questions about this > setup: > > * Is the right way to do this in HAProxy? At least it scales better (since you're not limited to 64k connections per destination ip:port anymore). But since version 1.5-dev25, you have unix sockets and abstract namespace sockets which have the benefit of showing a lower latency (2.5 times lower than TCP) and not consuming ports, so they're better suited for local communications. > * Should the ssl-front run in tcp mode or in http mode? In this case, both modes are usable. But I tend to consider that for the sake of simplicity, centralizing all HTTP configuration into a single place (clear-front) and doing only TCP forwarding in the SSL instances is easier to manage. However if at some point you need to pass some SSL-related information to the server, you'll probably have to switch the front side to HTTP. > * Where do I configure `timeout client`, in the ssl-front or clear-front? Both :-) To be more precise, the one in the ssl front will serve for dead clients etc... Hence to ensure that you don't stack up connections. The one in the clear-front is more application specific. In order to avoid such concerns, just declare a defaults section before the two, and put there your usual settings like timeouts and so on. > Here is the current config we're running with (without the backends): > > https://gist.github.com/theflow/3593c5fcc0bfe206c8f4 Ah you already used the defaults section, that's fine. Warning, you have a syntax issue here : timeout client 2m if host_is_api It's not correct. That sets your timeout to 2m, because the rest of the line after the value is simply ignored. Regards, Willy
