I am having some problems with SSL negotiation taking a really long
time. There were 20 seconds between client hello and server hello in
one session observed with a packet capture, 28 seconds in another.
Currently that connection is being handled by a load balancer based on
the LVS-NAT solution in the Linux kernel.
Because I saw something about slow SSL happening with LVS-NAT, and I
cannot use LVS-DR because I'm changing the TCP port number at the load
balancer, I've set up an alternate path to the same servers (running
Mule 3.12 with SSL) that uses haproxy 1.5.3.
What I'd like to do now is log how long the SSL negotiation takes, and
be able to tell whether any slowness in that negotiation is from the
client side, server side, or in haproxy itself. Perhaps I'm blind, but
I didn't see any way to do this in the documentation. If I missed
something, please let me know how to do it. If it's not already
possible, how much pain would it be to add?
Below is my full haproxy config, just in case it might become useful.
I've been asked to direct search requests to a different server than
image requests, which is why there are two backends defined. That's
something the other LB solution cannot do, and I've been wanting to
switch this to haproxy anyway precisely for things like that.
I only redacted the public IP address and the domain name, everything
else below is intact:
=========================================================
global
    log 127.0.0.1 local0
    log 127.0.0.1 local1 notice
    #log loghost local0 info
    maxconn 4096
    daemon
    #debug
    #quiet
    spread-checks 2
    tune.bufsize 65536
    # certificates presented by the backend servers are not verified
    ssl-server-verify none
    tune.ssl.default-dh-param 2048

# A defaults section only applies to proxies declared after it and before
# the next defaults section; nothing is declared between these two, so this
# first one has no effect.
defaults
    mode http
    timeout connect 5s
    timeout client 5s
    timeout server 5s

defaults
    log global
    mode http
    option httplog
    option dontlognull
    option redispatch
    option abortonclose
    # option httpclose
    option http-server-close
    option http-pretend-keepalive
    retries 1
    maxconn 1024
    timeout connect 5s
    timeout client 15s
    timeout server 120s

frontend services-test-ai
    # TLS is terminated here; "ciphers" is a keyword of the bind line
    bind XX.XX.XX.92:443 ssl crt /etc/pki/tls/certs/combined-ca-key-services.test.ai.REDACTED.com.pem ciphers ALL:!ADH:!EXP:!LOW:!RC2:!3DES:!SEED:!RC4:+HIGH:+MEDIUM
    default_backend services-ai-search-backend
    acl search path_beg -i /services/search
    acl request path_beg -i /services/imageRequest
    use_backend services-ai-search-backend if search
    use_backend services-ai-request-backend if request

backend services-ai-search-backend
    timeout check 9990
    option httpchk GET /services/testAlive
    # connections (and health checks) to the servers are re-encrypted
    server fiesta  10.100.2.29:8443 ssl check inter 10s fastinter 3s rise 3 fall 2 weight 100
    server aladdin 10.100.2.84:8443 ssl check inter 10s fastinter 3s rise 3 fall 2 weight 100 backup

backend services-ai-request-backend
    timeout check 9990
    option httpchk GET /services/testAlive
    server fiesta  10.100.2.29:8443 ssl check inter 10s fastinter 3s rise 3 fall 2 weight 100 backup
    server aladdin 10.100.2.84:8443 ssl check inter 10s fastinter 3s rise 3 fall 2 weight 100

# stats page, no authentication, bound on every interface
listen stats 0.0.0.0:8080
    stats uri /
=========================================================
Thanks,
Shawn
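The post asks where the time goes. With "option httplog" haproxy 1.5 already logs five timers per request (Tq/Tw/Tc/Tr/Tt), and on an ssl bind the TLS handshake falls inside Tq, since Tq runs from accept to the end of the request headers (1.8 later added %Th to report the handshake on its own). Splitting those timers is enough to separate "slow before the request was parsed" (client or handshake) from "slow connecting to the backend" (Tc) and "slow backend response" (Tr). The script below is an added example, not part of the original post or of haproxy; the log lines it parses are constructed to look like this frontend's httplog output (the trailing "~" on the frontend name is what haproxy appends for an ssl bind), and the 1000 ms threshold is an arbitrary choice.

```python
"""Split haproxy 1.5 httplog timers to localise slow TLS sessions.

Added example, not from the original post.  SAMPLE_LOG is constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Default "option httplog" layout:
#   client_ip:port [accept_date] frontend backend/server Tq/Tw/Tc/Tr/Tt status bytes ...
# Timers may be -1 when that phase was never reached; Tt may carry a "+" with logasap.
HTTPLOG_RE = re.compile(
    r"(?P<client>\S+):(?P<cport>\d+) \[(?P<accept>[^\]]+)\] "
    r"(?P<frontend>\S+) (?P<backend>\S+)/(?P<server>\S+) "
    r"(?P<Tq>-?\d+)/(?P<Tw>-?\d+)/(?P<Tc>-?\d+)/(?P<Tr>-?\d+)/(?P<Tt>\+?\d+) "
    r"(?P<status>-?\d+) (?P<bytes>\d+) "
)


@dataclass
class Timing:
    client: str
    frontend: str
    backend: str
    server: str
    tq: int   # ms from accept to complete request; on an ssl bind the handshake is inside it
    tw: int   # ms spent waiting in queues
    tc: int   # ms to establish the TCP connection to the server
    tr: int   # ms from request sent to first byte of the server response
    tt: int   # total ms
    status: int

    @property
    def ssl_frontend(self) -> bool:
        # haproxy appends "~" to the frontend name for connections accepted on an ssl bind
        return self.frontend.endswith("~")


def parse_httplog(line: str) -> Optional[Timing]:
    """Return the timers of one httplog line, or None for non-request lines."""
    m = HTTPLOG_RE.search(line)
    if m is None:
        return None
    g = m.groupdict()
    return Timing(
        client=g["client"], frontend=g["frontend"], backend=g["backend"], server=g["server"],
        tq=int(g["Tq"]), tw=int(g["Tw"]), tc=int(g["Tc"]), tr=int(g["Tr"]),
        tt=int(g["Tt"].lstrip("+")), status=int(g["status"]),
    )


def locate_delay(t: Timing, threshold_ms: int = 1000) -> str:
    """Name the first phase that exceeded threshold_ms (negative timers never match)."""
    if t.tq >= threshold_ms:
        # before the request was parsed: TLS handshake (slow client, or haproxy
        # starved of CPU/entropy during the handshake) or a client slow to send headers
        return "client-or-handshake"
    if t.tw >= threshold_ms:
        return "haproxy-queue"
    if t.tc >= threshold_ms:
        return "backend-connect"
    if t.tr >= threshold_ms:
        return "backend-response"
    return "ok"


def summarize(lines: List[str], threshold_ms: int = 1000) -> Dict[str, int]:
    """Count lines per delay location; lines that are not request logs count as 'unparsed'."""
    counts: Counter = Counter()
    for line in lines:
        t = parse_httplog(line)
        if t is None:
            counts["unparsed"] += 1
            continue
        counts[locate_delay(t, threshold_ms)] += 1
    return dict(counts)


# Constructed sample: a 20 s handshake, a normal request, a backend connect
# timeout, and a health-check alert line that is not a request log.
SAMPLE_LOG = [
    'Sep  8 14:03:11 lb1 haproxy[2138]: 203.0.113.45:52310 [08/Sep/2014:14:02:51.102] '
    'services-test-ai~ services-ai-search-backend/fiesta 20012/0/1/43/20056 200 1842 - - ---- '
    '3/3/0/1/0 0/0 "GET /services/search?q=cat HTTP/1.1"',
    'Sep  8 14:03:12 lb1 haproxy[2138]: 203.0.113.45:52311 [08/Sep/2014:14:03:12.007] '
    'services-test-ai~ services-ai-request-backend/aladdin 18/0/2/61/81 200 9912 - - ---- '
    '3/3/0/1/0 0/0 "GET /services/imageRequest?id=7 HTTP/1.1"',
    'Sep  8 14:03:40 lb1 haproxy[2138]: 198.51.100.9:41022 [08/Sep/2014:14:03:12.530] '
    'services-test-ai~ services-ai-search-backend/fiesta 21/0/4998/-1/5022 503 212 - - SC-- '
    '2/2/0/0/1 0/0 "GET /services/search?q=dog HTTP/1.1"',
    'Sep  8 14:03:41 lb1 haproxy[2138]: Server services-ai-search-backend/fiesta is DOWN, '
    'reason: Layer7 timeout, check duration: 9990ms. 1 active and 1 backup servers left.',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        t = parse_httplog(line)
        if t is None:
            continue
        print(f"{t.client:>18} ssl={t.ssl_frontend} Tq={t.tq:>6} Tw={t.tw:>4} "
              f"Tc={t.tc:>5} Tr={t.tr:>5} -> {locate_delay(t)}")
    print(summarize(SAMPLE_LOG))
```

Run it over the real log with `summarize(open("/var/log/haproxy.log").readlines())`. A large Tq on an ssl bind still does not say whether the client or haproxy was slow; that needs the packet capture already in hand (ClientHello to ServerHello gap on the haproxy side) or a second capture at the client, and a large Tc or Tr points at the backend rather than at haproxy.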