Hello,

I’ve been testing haproxy’s SSL termination to figure out its limit on our hardware: Intel(R) Xeon(R) CPU X5675 @ 3.07GHz (12 cores, 24 with HT), 24Gb RAM, 2Gbit NIC.

The full configuration is in the attachment. Briefly, we have 1 haproxy and 2 backends (nginx); tests were run against a static file (1kb and 5kb). Haproxy listens on 443 in tcp mode (“listen tcp mode”), then the listen section figures out which frontend to use (“use-server <frontend> if <condition>”) and sends data with “send-proxy/accept-proxy” to the frontend, which in turn sends it to the backend. Haproxy is running in multiple-process mode (nbproc 14: 1-10 for SSL termination (listen), 11-14 for HTTP (frontends + backend)). I’ve tried to simplify the configuration by using “use_backend” in the “listen” section, but didn’t notice any difference.

The problem I see is that the total number of connections (stot metric) stops at 200k with HTTPS, but goes over 400k-500k with plain HTTP. Each haproxy process stops at 20k (we’re running 10 processes). Graph attached. I ran a few different tests and every time 200k seems to be the limit.

It’s really bothering me, since I can’t find any explanation for why it would stop at 20k per process, and it doesn’t seem like haproxy is hitting any limit - the logs look okay, with no errors like “out of memory”, “no free ports”, etc. And it doesn’t look like it moves, more like hitting some configuration limit, which I couldn’t figure out.

Is anyone using haproxy for SSL termination? What’s your stot? Is there any possible openssl configuration/compilation option which might cause such behavior?

PS: Please include me in Cc, I’m not subscribed to the list.

haproxy.cfg

