> On Tue, Sep 9, 2014 at 4:47 PM,  <[email protected]> wrote:
>>> On Tue, Sep 9, 2014 at 4:01 PM,  <[email protected]> wrote:
>>>> Hello,
>>>> I have HAproxy 1.5.4 installed in Debian Wheezy x64. My configuration file
>>>> is attached. I want session stickiness so I use appsession attribute but I
>>>> have a serious performance issue with ssl. Initially I didn't use nbproc
>>>> parameter and haproxy could only serve 50reqs/sec with 100% cpu using only
>>>> one core in an 8-core virtual machine. This is very low performance for my
>>>> expectations, so I considered using nbproc=8 but then, as I have read, I
>>>> can't have correct session stickiness.
>>>> Is it expected that haproxy has initially (with 1 process) so low
>>>> performance with ssl?
>>>> Do I necessarily have to choose between performance and stickiness in my
>>>> case, because I can't give up on either. Is there an alternative for
>>>> session stickiness in multi-process haproxy?
>>>> Kind regards,
>>>> Evie
>>> Hi Evie,
>>> how big is your SSL key size???
>> My key is 2048-bit.
>>> What type of web application are you load-balancing and what type of
>>> clients have access to your application?
>> Apache2 webservers are used as backends that serve a django-based site
>> with user authentication.
>>> Can you explain to us the reason of the cipher you forced?
>>> (ssl-default-bind-ciphers)
>>> Also, you're using httpclose mode, maybe using http-keep-alive would
>>> help a bit.
>> I tested http-keep-alive and a simple cipher such as RC4-SHA suitable for
>> my key but saw no difference.
>>> can you check if your conntrack table is full? (using dmesg)
>>> you can also use log-format and log TLS version, negotiated cipher and
>>> SSL session ID.
>>> If SSL session ID changes all the time for a single user, it means
>>> you're not resuming SSL session and spend your time computing keys.
>> How can I check if ssl session id changes? Can I override this with a
>> proxy config if it happens?
>> Thanks
>
> Please keep the ML in Cc :)
>
> You can use the log-format directive below, in your frontend, to log SSL
> related information:
>  log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\
> %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\
> {%sslv/%sslc/%[ssl_fc_sni]/%[ssl_fc_session_id]}\
> "%[capture.req.method]\ %[capture.req.hdr(0)]%[capture.req.uri]\ HTTP/1.1"
>
> then try to anonymize logs and post some lines in attachment.
>
> Baptiste
>

I have included part of the log using two different ciphers. I see some
strange symbols in ssl session id, with both ciphers. More importantly I
noticed that in all urls the ssl_fc_session_id is logged as empty (-) and
is only printed in the log when I hit F5 (the same one is printed after
each refresh). So when I get 50reqs/sec ssl_fc_session_id is logged always
as '-'.

Evie
with cipher RC4-SHA
-------------------
Sep 10 13:52:02 myhost haproxy[16793]: 147.***.***.***:41974 [10/Sep/2014:13:52:02.280] webfarm~ webfarm/webserver-1 5/0/6/4/15 304 155\- - ---- 6/6/4/5/0 0/0 \{TLSv1.2/RC4-SHA/proxy.com/�#027t�F��J$U{��ә�#035�|/�x��������}\"GET -/site_media/css/screen.css\HTTP/1.1"
Sep 10 13:52:02 myhost haproxy[16793]: 147.***.***.***:41975 [10/Sep/2014:13:52:02.280] webfarm~ webfarm/webserver-1 3/0/5/7/15 304 156\- - ---- 6/6/3/4/0 0/0 \{TLSv1.2/RC4-SHA/proxy.com/�#027t�F��J$U{��ә�#035�|/�x��������}\"GET -/site_media/js/jquery-1.7.1.min.js\HTTP/1.1"
Sep 10 13:52:02 myhost haproxy[16793]: 147.***.***.***:41973 [10/Sep/2014:13:52:02.280] webfarm~ webfarm/webserver-1 5/0/5/7/17 304 155\- - ---- 6/6/2/3/0 0/0 \{TLSv1.2/RC4-SHA/proxy.com/�#027t�F��J$U{��ә�#035�|/�x��������}\"GET -/site_media/css/sexybuttons/sexybuttons.css\HTTP/1.1"
Sep 10 13:52:02 myhost haproxy[16793]: 147.***.***.***:41972 [10/Sep/2014:13:52:02.279] webfarm~ webfarm/webserver-1 3/0/5/10/18 304 154\- - ---- 6/6/1/2/0 0/0 \{TLSv1.2/RC4-SHA/proxy.com/�#027t�F��J$U{��ә�#035�|/�x��������}\"GET -/site_media/css/typo.css\HTTP/1.1"
Sep 10 13:52:02 myhost haproxy[16793]: 147.***.***.***:41971 [10/Sep/2014:13:52:02.282] webfarm~ webfarm/webserver-1 4/0/0/12/16 200 974\- - ---- 6/6/0/1/0 0/0 \{TLSv1.2/RC4-SHA/proxy.com/-}\"GET -/site_media/css/results.css\HTTP/1.1"
Sep 10 13:52:02 myhost haproxy[16793]: 147.***.***.***:41970 [10/Sep/2014:13:52:02.295] webfarm~ webfarm/webserver-1 162/0/0/3/165 304 131\- - ---- 6/6/5/6/0 0/0 \{TLSv1.2/RC4-SHA/proxy.com/-}\"GET -/site_media/images/clarinel.png\HTTP/1.1"
Sep 10 13:52:02 myhost haproxy[16793]: 147.***.***.***:41975 [10/Sep/2014:13:52:02.295] webfarm~ webfarm/webserver-1 163/0/0/3/166 200 877\- - ---- 6/6/4/5/0 0/0 \{TLSv1.2/RC4-SHA/proxy.com/�#027t�F��J$U{��ә�#035�|/�x��������}\"GET -/site_media/css/sexybuttons/images/icons/silk/database_yellow.png\HTTP/1.1"
Sep 10 13:52:02 myhost haproxy[16793]: 147.***.***.***:41971 [10/Sep/2014:13:52:02.299] webfarm~ webfarm/webserver-1 158/0/0/6/164 304 131\- - ---- 6/6/4/5/0 0/0 \{TLSv1.2/RC4-SHA/proxy.com/-}\"GET -/site_media/images/home.png\HTTP/1.1"
Sep 10 13:52:02 myhost haproxy[16793]: 147.***.***.***:41972 [10/Sep/2014:13:52:02.297] webfarm~ webfarm/webserver-1 161/0/0/4/166 200 788\- - ---- 6/6/3/4/0 0/0 \{TLSv1.2/RC4-SHA/proxy.com/�#027t�F��J$U{��ә�#035�|/�x��������}\"GET -/site_media/css/sexybuttons/images/icons/silk/text_ab.png\HTTP/1.1"
Sep 10 13:52:02 myhost haproxy[16793]: 147.***.***.***:41974 [10/Sep/2014:13:52:02.295] webfarm~ webfarm/webserver-1 163/0/0/5/172 200 23422\- - ---- 6/6/5/6/0 0/0 \{TLSv1.2/RC4-SHA/proxy.com/�#027t�F��J$U{��ә�#035�|/�x��������}\"GET -/site_media/images/keyvisual-200.png\HTTP/1.1"
Sep 10 13:52:02 myhost haproxy[16793]: 147.***.***.***:41973 [10/Sep/2014:13:52:02.297] webfarm~ webfarm/webserver-1 161/0/0/6/170 200 637\- - ---- 6/6/4/5/0 0/0 \{TLSv1.2/RC4-SHA/proxy.com/�#027t�F��J$U{��ә�#035�|/�x��������}\"GET -/site_media/css/sexybuttons/images/icons/silk/page_white_gear.png\HTTP/1.1"
Sep 10 13:52:02 myhost haproxy[16793]: 147.***.***.***:41970 [10/Sep/2014:13:52:02.461] webfarm~ webfarm/webserver-1 1/0/0/3/6 200 983\- - ---- 6/6/3/4/0 0/0 \{TLSv1.2/RC4-SHA/proxy.com/-}\"GET -/site_media/css/sexybuttons/images/icons/silk/script.png\HTTP/1.1"
Sep 10 13:52:02 myhost haproxy[16793]: 147.***.***.***:41975 [10/Sep/2014:13:52:02.462] webfarm~ webfarm/webserver-1 3/0/0/5/8 200 621\- - ---- 6/6/5/6/0 0/0 \{TLSv1.2/RC4-SHA/proxy.com/�#027t�F��J$U{��ә�#035�|/�x��������}\"GET -/site_media/css/sexybuttons/images/icons/silk/page_white_text_media_type.png\HTTP/1.1"
Sep 10 13:52:02 myhost haproxy[16793]: 147.***.***.***:41972 [10/Sep/2014:13:52:02.464] webfarm~ webfarm/webserver-1 3/0/0/5/8 200 3310\- - ---- 6/6/4/5/0 0/0 \{TLSv1.2/RC4-SHA/proxy.com/�#027t�F��J$U{��ә�#035�|/�x��������}\"GET -/site_media/css/sexybuttons/images/icons/silk/sound_none.png\HTTP/1.1"
Sep 10 13:52:02 myhost haproxy[16793]: 147.***.***.***:41973 [10/Sep/2014:13:52:02.467] webfarm~ webfarm/webserver-1 2/0/0/4/6 200 818\- - ---- 6/6/4/5/0 0/0 \{TLSv1.2/RC4-SHA/proxy.com/�#027t�F��J$U{��ә�#035�|/�x��������}\"GET -/site_media/css/sexybuttons/images/icons/silk/numerical_text.png\HTTP/1.1"
Sep 10 13:52:02 myhost haproxy[16793]: 147.***.***.***:41974 [10/Sep/2014:13:52:02.467] webfarm~ webfarm/webserver-1 3/0/0/4/8 200 443\- - ---- 6/6/4/5/0 0/0 \{TLSv1.2/RC4-SHA/proxy.com/�#027t�F��J$U{��ә�#035�|/�x��������}\"GET -/site_media/css/sexybuttons/images/icons/silk/text_align_left.png\HTTP/1.1"
Sep 10 13:52:02 myhost haproxy[16793]: 147.***.***.***:41970 [10/Sep/2014:13:52:02.467] webfarm~ webfarm/webserver-1 2/0/0/5/8 200 888\- - ---- 6/6/3/4/0 0/0 \{TLSv1.2/RC4-SHA/proxy.com/-}\"GET -/site_media/css/sexybuttons/images/icons/silk/film.png\HTTP/1.1"
Sep 10 13:52:02 myhost haproxy[16793]: 147.***.***.***:41971 [10/Sep/2014:13:52:02.463] webfarm~ webfarm/webserver-1 3/0/0/8/11 200 841\- - ---- 6/6/2/3/0 0/0 \{TLSv1.2/RC4-SHA/proxy.com/-}\"GET -/site_media/css/sexybuttons/images/icons/silk/picture.png\HTTP/1.1"
Sep 10 13:52:02 myhost haproxy[16793]: 147.***.***.***:41975 [10/Sep/2014:13:52:02.471] webfarm~ webfarm/webserver-1 2/0/0/3/6 200 356\- - ---- 6/6/1/2/0 0/0 \{TLSv1.2/RC4-SHA/proxy.com/�#027t�F��J$U{��ә�#035�|/�x��������}\"GET -/site_media/stats/img/download_icon.gif\HTTP/1.1"
Sep 10 13:52:02 myhost haproxy[16793]: 147.***.***.***:41972 [10/Sep/2014:13:52:02.473] webfarm~ webfarm/webserver-1 2/0/0/3/5 200 817\- - ---- 6/6/0/1/0 0/0 \{TLSv1.2/RC4-SHA/proxy.com/�#027t�F��J$U{��ә�#035�|/�x��������}\"GET -/site_media/stats/img/view_icon.gif\HTTP/1.1"
Sep 10 13:52:02 myhost haproxy[16793]: 147.***.***.***:41970 [10/Sep/2014:13:52:02.475] webfarm~ webfarm/webserver-1 139/0/0/3/142 304 131\- - ---- 6/6/5/6/0 0/0 \{TLSv1.2/RC4-SHA/proxy.com/-}\"GET -/site_media/images/button_top_bg2.png\HTTP/1.1"
Sep 10 13:52:02 myhost haproxy[16793]: 147.***.***.***:41975 [10/Sep/2014:13:52:02.477] webfarm~ webfarm/webserver-1 138/0/0/5/143 304 130\- - ---- 6/6/4/5/0 0/0 \{TLSv1.2/RC4-SHA/proxy.com/�#027t�F��J$U{��ә�#035�|/�x��������}\"GET -/site_media/images/bg_search.png\HTTP/1.1"
Sep 10 13:52:02 myhost haproxy[16793]: 147.***.***.***:41974 [10/Sep/2014:13:52:02.475] webfarm~ webfarm/webserver-1 140/0/0/4/144 304 131\- - ---- 6/6/3/4/0 0/0 \{TLSv1.2/RC4-SHA/proxy.com/�#027t�F��J$U{��ә�#035�|/�x��������}\"GET -/site_media/images/button_top_bg.png\HTTP/1.1"
Sep 10 13:52:02 myhost haproxy[16793]: 147.***.***.***:41971 [10/Sep/2014:13:52:02.475] webfarm~ webfarm/webserver-1 139/0/0/5/144 304 132\- - ---- 6/6/2/3/0 0/0 \{TLSv1.2/RC4-SHA/proxy.com/-}\"GET -/site_media/images/handmadepaper.png\HTTP/1.1"
Sep 10 13:52:02 myhost haproxy[16793]: 147.***.***.***:41972 [10/Sep/2014:13:52:02.479] webfarm~ webfarm/webserver-1 136/0/0/6/142 304 130\- - ---- 6/6/1/2/0 0/0 \{TLSv1.2/RC4-SHA/proxy.com/�#027t�F��J$U{��ә�#035�|/�x��������}\"GET -/site_media/images/button_top_gray_bg.png\HTTP/1.1"
Sep 10 13:52:02 myhost haproxy[16793]: 147.***.***.***:41973 [10/Sep/2014:13:52:02.474] webfarm~ webfarm/webserver-1 142/0/0/4/147 200 540\- - ---- 6/6/0/1/0 0/0 \{TLSv1.2/RC4-SHA/proxy.com/�#027t�F��J$U{��ә�#035�|/�x��������}\"GET -/site_media/css/sexybuttons/images/icons/silk/bullet_plus.png\HTTP/1.1"

with cipher: kEECDH+aRSA+AES:kRSA+AES:+AES256:RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL
----------------------------------------------------------------------------------------
Sep 10 13:55:25 myhost haproxy[16872]: 147.***.***.***:42011 [10/Sep/2014:13:55:25.358] webfarm~ webfarm/webserver-1 2/0/0/3/5 304 132\- - ---- 6/6/0/1/0 0/0 \{TLSv1.2/ECDHE-RSA-AES128-GCM-SHA256/proxy.com/#036�+X+�:#025D��#010#024c%#030d`����wt�M�#027O�d�}\"GET -/site_media/images/teaser04.png\HTTP/1.1"
Sep 10 13:55:25 myhost haproxy[16872]: 147.***.***.***:42010 [10/Sep/2014:13:55:25.359] webfarm~ webfarm/webserver-1 138/0/0/4/142 304 130\- - ---- 6/6/5/6/0 0/0 \{TLSv1.2/ECDHE-RSA-AES128-GCM-SHA256/proxy.com/#036�+X+�:#025D��#010#024c%#030d`����wt�M�#027O�d�}\"GET -/site_media/images/button_top_gray_bg.png\HTTP/1.1"
Sep 10 13:55:25 myhost haproxy[16872]: 147.***.***.***:42013 [10/Sep/2014:13:55:25.359] webfarm~ webfarm/webserver-1 138/0/0/3/141 304 130\- - ---- 6/6/4/5/0 0/0 \{TLSv1.2/ECDHE-RSA-AES128-GCM-SHA256/proxy.com/#036�+X+�:#025D��#010#024c%#030d`����wt�M�#027O�d�}\"GET -/site_media/images/bg_search.png\HTTP/1.1"
Sep 10 13:55:25 myhost haproxy[16872]: 147.***.***.***:42012 [10/Sep/2014:13:55:25.359] webfarm~ webfarm/webserver-1 138/0/0/5/143 304 131\- - ---- 6/6/3/4/0 0/0 \{TLSv1.2/ECDHE-RSA-AES128-GCM-SHA256/proxy.com/#036�+X+�:#025D��#010#024c%#030d`����wt�M�#027O�d�}\"GET -/site_media/images/button_top_bg2.png\HTTP/1.1"
Sep 10 13:55:25 myhost haproxy[16872]: 147.***.***.***:42011 [10/Sep/2014:13:55:25.364] webfarm~ webfarm/webserver-1 134/0/0/4/138 304 131\- - ---- 6/6/2/3/0 0/0 \{TLSv1.2/ECDHE-RSA-AES128-GCM-SHA256/proxy.com/#036�+X+�:#025D��#010#024c%#030d`����wt�M�#027O�d�}\"GET -/site_media/images/button_bg.png\HTTP/1.1"
Sep 10 13:55:25 myhost haproxy[16872]: 147.***.***.***:42008 [10/Sep/2014:13:55:25.359] webfarm~ webfarm/webserver-1 138/0/0/5/143 304 131\- - ---- 6/6/1/2/0 0/0 \{TLSv1.2/ECDHE-RSA-AES128-GCM-SHA256/proxy.com/-}\"GET -/site_media/images/button_top_bg.png\HTTP/1.1"
Sep 10 13:55:25 myhost haproxy[16872]: 147.***.***.***:42009 [10/Sep/2014:13:55:25.361] webfarm~ webfarm/webserver-1 136/0/0/6/142 304 132\- - ---- 6/6/1/2/0 0/0 \{TLSv1.2/ECDHE-RSA-AES128-GCM-SHA256/proxy.com/-}\"GET -/site_media/images/handmadepaper.png\HTTP/1.1"
Sep 10 13:55:25 myhost haproxy[16872]: 147.***.***.***:42013 [10/Sep/2014:13:55:25.501] webfarm~ webfarm/webserver-1 1/0/0/3/4 304 130\- - ---- 6/6/0/1/0 0/0 \{TLSv1.2/ECDHE-RSA-AES128-GCM-SHA256/proxy.com/#036�+X+�:#025D��#010#024c%#030d`����wt�M�#027O�d�}\"GET -/site_media/images/trenner02.png\HTTP/1.1"
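
The check discussed in this thread (does one client keep presenting the same SSL session ID across connections, or a new one each time?) can be run over such logs with the sketch below, which is an added example and not part of the original messages. It assumes the session ID is logged as hex (for example with HAProxy's `hex` converter, `%[ssl_fc_session_id,hex]`) so that raw bytes cannot break the `{.../.../.../...}` field; the client addresses and IDs in the sample are constructed.

```python
import re
from collections import defaultdict

# Client ip:port after "haproxy[pid]: ", then the {%sslv/%sslc/%[ssl_fc_sni]/<id>} block.
LINE_RE = re.compile(
    r'haproxy\[\d+\]: (?P<ip>[^:\s]+):(?P<port>\d+) .*?'
    r'\{(?P<ver>[^/]+)/(?P<cipher>[^/]+)/(?P<sni>[^/]*)/(?P<sid>[0-9A-Fa-f]+|-)\}'
)

def summarize(lines):
    """Per client IP: connections seen, connections with no ID, distinct IDs, reuse."""
    conns = defaultdict(dict)  # ip -> {source port (one TCP connection): session id}
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            conns[m['ip']][m['port']] = m['sid'].upper()
    report = {}
    for ip, by_port in conns.items():
        ids = [s for s in by_port.values() if s != '-']
        report[ip] = {
            'connections': len(by_port),
            'no_id': len(by_port) - len(ids),
            'distinct_ids': len(set(ids)),
            # Connections whose ID was already seen on another connection.
            'resumed': len(ids) - len(set(ids)),
        }
    return report

# Constructed sample in the shape of the log-format above (hex IDs are made up).
_T = ('Sep 10 13:52:02 myhost haproxy[16793]: {c} [10/Sep/2014:13:52:02.280] webfarm~ '
      'webfarm/webserver-1 5/0/6/4/15 200 155 - - ---- 6/6/4/5/0 0/0 '
      '{{TLSv1.2/RC4-SHA/proxy.com/{sid}}} "GET /x.css HTTP/1.1"')
SAMPLE = [_T.format(c=c, sid=s) for c, s in [
    ('192.0.2.10:41974', '1B74AF46'),    # same ID on two connections: reuse
    ('192.0.2.10:41975', '1b74af46'),
    ('192.0.2.10:41970', '-'),           # no ID logged
    ('198.51.100.7:50001', 'AA01'),      # new ID on every connection
    ('198.51.100.7:50002', 'BB02'),
    ('198.51.100.7:50003', 'CC03'),
]]

if __name__ == '__main__':
    for ip, stats in summarize(SAMPLE).items():
        print(ip, stats)
```

A client whose `distinct_ids` equals its number of connections with an ID (and `resumed` is 0) is the "changes all the time" case described in the thread.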
