Hey Lukas,
On Dec 22, 2014, at 2:16 AM, Lukas Tribus <[email protected]> wrote:

> Hi Sergei,
>
>> Full configuration is in attachment. Briefly, we have 1 haproxy, and 2
>> backends (nginx), tests were running against a static file (1kb, and 5kb).
>> Haproxy listens on 443 in tcp mode (“listen tcp mode”), then listen
>> figures out what frontend to use (“use-server <frontend> if <condition>”),
>> and sends data with “send-proxy/accept-proxy” to the frontend, which in turn
>> sends it to the backend. Haproxy is running in multiple process mode (nbproc
>> 14, 1-10 - for SSL termination (listen), 11-14 - for HTTP (front ends +
>> backend)). I’ve tried to simplify the configuration by using “use_backend”
>> in the “listen” section, but didn’t notice any difference.
>>
>> The problem I see is that the total number of connections (stot metric) stops
>> at 200k with HTTPS, but goes over 400k-500k with plain HTTP. Each haproxy
>> process stops at 20k (we’re running 10 processes). Graph attached. I ran
>> a few different tests and every time 200k seems to be the limit.
>
> Just a few suggestions to narrow it down:
>
> What about if you run with 5 processes instead of 10? Are you still maxing out
> at 200k sessions (which would increase the per process sessions to 40k) or are
> you maxing out at 100k (maintaining max 20k per process)?

I’ve tried to decrease the number of processes - it caused a decrease in stot as well.

> How are you benchmarking this, are you sure the limit is not on the client
> (benchmark) site?

I thought so, but I’m using about ~10 virtual servers, each is running multiple copies of the testing app (python code). Increasing the number of virtual servers doesn’t lead to an increase in connections, unfortunately.

> Can you provide the output of "haproxy -vv"?

HA-Proxy version 1.5.4 2014/09/02
Copyright 2000-2014 Willy Tarreau <[email protected]>

Build options :
  TARGET  = linux2628
  CPU     = generic
  CC      = gcc
  CFLAGS  = -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2
  OPTIONS = USE_ZLIB=1 USE_OPENSSL=1 USE_PCRE=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.3.4
Compression algorithms supported : identity, deflate, gzip
Built with OpenSSL version : OpenSSL 1.0.1 14 Mar 2012
Running on OpenSSL version : OpenSSL 1.0.1 14 Mar 2012
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.12 2011-01-15
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

> I would suggest to bump both maxconn settings to a larger value for this
> benchmark (maxconn also affects ulimit).
>
> HAProxy 1.5.9 contains some improvements in the ssl code for low memory
> conditions, however, I'm not confident that this will improve your situation.

I’ll give it a try, thanks!

> In any case, if you want to give it a try, you can install latest stable
> binary via apt-get from here [1], if you don't want to build from source.
>
> Regards,
>
> Lukas
>
> [1] http://haproxy.debian.net/
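
The layout described in this thread, with both maxconn settings raised as suggested, written out as an added example: it is not part of either message and is not the attached configuration. Section names, addresses, ports, the certificate path, the SNI condition and the maxconn values are all assumptions.

```haproxy
global
    nbproc 14
    # Per-process connection limit. HAProxy also derives the file
    # descriptor limit (ulimit-n) from this value. Constructed value.
    maxconn 100000

defaults
    mode http
    # Per-proxy limit for every frontend/listen below. When unset, the
    # build default shown by "haproxy -vv" applies (maxconn = 2000).
    maxconn 100000
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Processes 1-10: TLS termination in tcp mode on port 443.
listen ssl_term
    bind-process 1-10
    mode tcp
    bind :443 ssl crt /etc/haproxy/certs/example.pem    # placeholder path
    # Hypothetical condition; the thread only says "<condition>".
    acl is_site_a ssl_fc_sni -i a.example.com
    use-server fe_a if is_site_a
    # send-proxy passes the original client address to the HTTP layer.
    server fe_a 127.0.0.1:8001 send-proxy
    server fe_b 127.0.0.1:8002 send-proxy

# Processes 11-14: HTTP front ends and the nginx backend.
frontend fe_a
    bind-process 11-14
    bind 127.0.0.1:8001 accept-proxy
    default_backend nginx

frontend fe_b
    bind-process 11-14
    bind 127.0.0.1:8002 accept-proxy
    default_backend nginx

backend nginx
    bind-process 11-14
    server web1 192.0.2.11:80    # documentation-range addresses
    server web2 192.0.2.12:80
```

Bind accept-proxy listeners to loopback or another trusted interface only, since any client able to reach them can supply an arbitrary source address in the PROXY header.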

