On Tue, Sep 9, 2014 at 4:47 PM,  <[email protected]> wrote:
>> On Tue, Sep 9, 2014 at 4:01 PM,  <[email protected]> wrote:
>>> Hello,
>>>
>>> I have HAproxy 1.5.4 installed in Debian Wheezy x64. My configuration file
>>> is attached. I want session stickiness so I use appsession attribute but I
>>> have a serious performance issue with ssl. Initially I didn't use nbproc
>>> parameter and haproxy could only serve 50reqs/sec with 100% cpu using only
>>> one core in a 8-core virtual machine. This is very low performance for my
>>> expectations, so I considered using nbproc=8 but then, as I have read, I
>>> can't have correct session stickiness.
>>> Is it expected that haproxy has initially (with 1 process) so low
>>> performance with ssl?
>>> Do I necessarily have to choose between performance and stickiness in my
>>> case, because I can't give up on either. Is there an alternative for
>>> session stickiness in multi-process haproxy?
>>>
>>> Kind regards,
>>> Evie
>>
>>
>> Hi Evie,
>>
>> how big is your SSL key size???
>
> My key is 2048-bit.
>
>> What type of web application are you load-balancing and what type of
>> clients have access to your application?
>
> Apache2 webservers are used as backends that serve a django-based site
> with user authentication.
>
>> Can you explain to us the reason for the cipher you forced?
>> (ssl-default-bind-ciphers)
>>
>> Also, you're using httpclose mode, maybe using http-keep-alive would
>> help a bit.
>>
> I tested http-keep-alive and a simple cipher such as RC4-SHA suitable for
> my key but saw no difference.
>
>> Can you check if your conntrack table is full? (using dmesg)
>>
>> You can also use log-format and log TLS version, negotiated cipher and
>> SSL session ID.
>> If SSL session ID changes all the time for a single user, it means
>> you're not resuming SSL session and spend your time computing keys.
>>
> How can I check if ssl session id changes? Can I override this with a
> proxy config if it happens?
>
> Thanks
>

Please keep the ML in Cc :)

You can use the log-format directive below, in your frontend, to log
SSL-related information:
 log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ {%sslv/%sslc/%[ssl_fc_sni]/%[ssl_fc_session_id]}\ "%[capture.req.method]\ %[capture.req.hdr(0)]%[capture.req.uri]\ HTTP/1.1"

Then try to anonymize the logs and post some lines as an attachment.

Baptiste
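
Added example (not part of the original message and not HAProxy project code): a Python script that reads lines written with the log-format above and reports, per client IP, how many connections reused an SSL session ID, which is the check Baptiste describes. The sample lines are constructed, and it is an assumption that the session ID appears in the log as a printable token without spaces or slashes.

```python
import re
from collections import defaultdict

# Matches the client address at the start and the {%sslv/%sslc/SNI/session-id}
# block that the log-format above places right before the quoted request.
LINE_RE = re.compile(
    r'^(?P<ip>[0-9a-fA-F.:]+):(?P<port>\d+) \[.*?'
    r'\{(?P<ver>[^/{}\s]+)/(?P<cipher>[^/{}\s]+)/(?P<sni>[^/{}\s]*)/(?P<sid>[^/{}\s]*)\} "'
)

def resumption_report(lines):
    """Return {client_ip: (connections, distinct_session_ids, resumed_fraction)}."""
    per_conn = {}  # (ip, port) -> session id, so keep-alive requests count once
    for line in lines:
        m = LINE_RE.match(line)
        if m and m.group("sid") not in ("", "-"):
            per_conn[(m.group("ip"), m.group("port"))] = m.group("sid")
    by_ip = defaultdict(list)
    for (ip, _port), sid in per_conn.items():
        by_ip[ip].append(sid)
    report = {}
    for ip, sids in by_ip.items():
        distinct = len(set(sids))
        # A new ID means a full handshake; a repeated ID means a resumed session.
        report[ip] = (len(sids), distinct, (len(sids) - distinct) / len(sids))
    return report

# Constructed sample lines (documentation addresses, made-up session IDs).
TEMPLATE = ('{ip}:{port} [09/Sep/2014:16:50:01.123] https~ web/app1 12/0/1/35/48 200 5120 '
            '- - ---- 3/3/1/1/0 0/0 {{www.example.test}} {{}} '
            '{{TLSv1.2/ECDHE-RSA-AES128-GCM-SHA256/www.example.test/{sid}}} '
            '"GET www.example.test/login HTTP/1.1"')
SAMPLE = (
    # Client .10 presents the same session ID on every new connection (resuming).
    [TEMPLATE.format(ip="203.0.113.10", port=51000 + i, sid="A1B2C3") for i in range(4)]
    # A second request on an already-seen connection must not be counted twice.
    + [TEMPLATE.format(ip="203.0.113.10", port=51000, sid="A1B2C3")]
    # Client .20 gets a fresh session ID each time (full handshake per connection).
    + [TEMPLATE.format(ip="203.0.113.20", port=52000 + i, sid="F%03d" % i) for i in range(4)]
)

if __name__ == "__main__":
    for ip, (conns, distinct, resumed) in sorted(resumption_report(SAMPLE).items()):
        print("%s connections=%d distinct_ids=%d resumed=%.0f%%"
              % (ip, conns, distinct, resumed * 100))
```

A client whose resumed fraction stays near zero across many connections is paying for a full key exchange each time.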
