Oops, forgot to include system information:

Ubuntu Precise (12.04)
Linux te-ha001-g4.prod.dal05.fitbit.com 3.5.0-54-generic #81~precise1-Ubuntu SMP Tue Jul 15 04:02:22 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
Haproxy - 1.5.4
libssl - 1.0.1-4ubuntu5.20

On Dec 21, 2014, at 9:53 PM, Sergei Kononov <[email protected]> wrote:

> Hello,
>
> I’ve been testing haproxy’s SSL termination, to figure out its limit on our
> hardware:
> Intel(R) Xeon(R) CPU X5675 @ 3.07GHz (12 cores, 24 with HT)
> 24Gb RAM
> 2Gbit NIC
>
> Full configuration is in the attachment. Briefly, we have 1 haproxy and 2
> backends (nginx); tests were running against a static file (1kb, and 5kb).
> Haproxy listens on 443 in tcp mode (“listen tcp mode”), then listen figures
> out what frontend to use (“use-server <frontend> if <condition>”), and sends
> data with “send-proxy/accept-proxy” to the frontend, which in turn sends it
> to the backend. Haproxy is running in multiple process mode (nbproc 14,
> 1-10 - for SSL termination (listen), 11-14 - for HTTP (front ends +
> backend)). I’ve tried to simplify the configuration by using “use_backend”
> in the “listen” section, but didn’t notice any difference.
>
> The problem I see is that the total number of connections (stot metric)
> stops at 200k with HTTPS, but goes over 400k-500k with plain HTTP. Each
> haproxy process stops at 20k (we’re running 10 processes). Graph attached.
> I ran a few different tests and every time 200k seems to be the limit.
>
> It’s really bothering me, since I can’t find any explanation why it would
> stop at 20k per process, and it doesn’t seem like haproxy is hitting any
> limit - logs look okay, no errors like “out of memory, or no free ports,
> etc”. And it doesn’t look like it moves, more like hitting some
> configuration limit, which I couldn’t figure out.
>
> Is anyone using haproxy for SSL termination? What’s your stot?
> Are there any possible openssl configuration/compilation options which
> might cause such behavior?
>
>
> PS: please include me in Cc, I’m not subscribed to the list.
>
>
> <haproxy.cfg>
>
> <stot_per_listen.png>

