> Hi all,
>
> haproxy is used for http and https load balancing with TLS termination
> on haproxy side.
>
> I'm using openbsd -stable on this box. I got CPU saturated with
> 250Mbps traffic in/out summary on frontend NICs and 3000 ESTABLISHED
> connections on frontend interface to haproxy.
Remove:
option http-server-close
timeout http-keep-alive 1s
and replace them with:
option http-keep-alive
option prefer-last-server
timeout http-keep-alive 10s
This will enable keep-alive mode with a 10 second timeout, which should
decrease the CPU load by an order of magnitude.
The problem with these SSL/TLS terminating setups is the cost involved
in the SSL/TLS handshake (the actual throughput doesn't really matter).
Also, I suggest removing the "no-tls-tickets" option, so that your clients
can use both SSL sessions and TLS tickets to resume an SSL/TLS session
without starting a full handshake.
Lukas
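The change described in the reply above, written out as a complete haproxy configuration fragment. This is an added example, not Lukas's own text or a configuration from the original thread; the section names, addresses, certificate path and timeouts are assumed placeholders, and the "before" settings are kept as comments beside the corrected ones so the two can be compared.

```haproxy
# Added example (not part of the original reply). Names, addresses,
# the certificate path and the connect/client/server timeouts are assumed.

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s
    # before: every request got its own client connection and the idle
    # window was too short for browsers to reuse it
    #   option http-server-close
    #   timeout http-keep-alive 1s
    # after: keep the client connection open for 10s between requests
    # and keep routing it to the server that already handled it
    option http-keep-alive
    option prefer-last-server
    timeout http-keep-alive 10s

frontend https-in
    # before: no-tls-tickets forced clients without a cached session ID
    # into a full handshake on every new connection
    #   bind :443 ssl crt /etc/haproxy/site.pem no-tls-tickets
    # after: both session-ID and ticket-based resumption are available
    bind :443 ssl crt /etc/haproxy/site.pem
    default_backend web

frontend http-in
    bind :80
    default_backend web

backend web
    server web1 10.0.0.11:80 check
    server web2 10.0.0.12:80 check
```

Note that `option prefer-last-server` is a backend-side setting, so it is placed in `defaults` (where it is inherited) rather than on the frontend. Two things to keep an eye on once resumption is enabled: the session cache and ticket keys are per haproxy instance, so with several instances behind one address a client may still land on a full handshake unless the ticket keys are shared with `tls-ticket-keys`, and shared ticket keys should be rotated, since whoever holds a ticket key can decrypt the sessions it protected.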