On Tue, Sep 9, 2014 at 4:01 PM, <[email protected]> wrote: > Hello, > > I have HAproxy 1.5.4 installed in Debian Wheezy x64. My configuration file > is attached. I want session stickiness so i use appsession attribute but I > have a serious performance issue with ssl. Initially I didn't use nbproc > parameter and haproxy could only serve 50reqs/sec with 100% cpu using only > one core in a 8-core virtual machine. This is very low performance for my > expectations, so I considered using nbproc=8 but then, as I have read, I > can't have correct session stickiness. > Is it expected that haproxy has initially (with 1 process) so low > performance with ssl? > Do I necessarily have to choose between performance and stickiness in my > case, because I can't give up on either. Is there an alternative for > session stickiness in multi-process haproxy? > > Kind regards, > Evie
Hi Evie, how big is your SSL key size??? What type of web application are you load-balancing and what type of clients have access to your application? Can you explain us the reason of the cipher you forced? (ssl-default-bind-ciphers) Also, you're using httpclose mode, maybe using http-keep-alive' would help a bit. can you check if your conntrack table is full? (using dmesg) you can also use log-format and log TLS version, negociated cipher and SSL session ID. If SSL session ID change all the time for a single user, it means you're not resuming SSL session and spend your time computing keys. Baptiste
