On Wed, Apr 22, 2015 at 3:34 PM, Krishna Kumar (Engineering) < krishna...@flipkart.com> wrote:
> Hi Baptists,
>
> Sorry I didn't provide more details earlier.
>
> --------------------------------------------------------------------------------------------------
> 1. root@HAPROXY:~# haproxy -vv
>
> HA-Proxy version 1.5.8 2014/10/31
> Copyright 2000-2014 Willy Tarreau <w...@1wt.eu>
>
> Build options :
>   TARGET = linux2628
>   CPU = generic
>   CC = gcc
>   CFLAGS = -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2
>   OPTIONS = USE_ZLIB=1 USE_OPENSSL=1 USE_PCRE=1
>
> Default settings :
>   maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200
>
> Encrypted password support via crypt(3): yes
> Built with zlib version : 1.2.7
> Compression algorithms supported : identity, deflate, gzip
> Built with OpenSSL version : OpenSSL 1.0.1e 11 Feb 2013
> Running on OpenSSL version : OpenSSL 1.0.1k 8 Jan 2015
> OpenSSL library supports TLS extensions : yes
> OpenSSL library supports SNI : yes
> OpenSSL library supports prefer-server-ciphers : yes
> Built with PCRE version : 8.30 2012-02-04
> PCRE library supports JIT : no (USE_PCRE_JIT not set)
> Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
>
> Available polling systems :
>   epoll : pref=300, test result OK
>   poll : pref=200, test result OK
>   select : pref=150, test result OK
> Total: 3 (3 usable), will use epoll.
>
> --------------------------------------------------------------------------------------------------
> 2. Configuration file:
> global
>     daemon
>     maxconn 60000
>     quiet
>     nbproc 2
>     maxpipes 16384
>     user haproxy
>     group haproxy
>     stats socket /var/run/haproxy.sock mode 600 level admin
>     stats timeout 2m
>
> defaults
>     option dontlognull
>     option forwardfor
>     option http-server-close
>     retries 3
>     option redispatch
>     maxconn 60000
>     option splice-auto
>     option prefer-last-server
>     timeout connect 5000ms
>     timeout client 50000ms
>     timeout server 50000ms
>
> frontend www-http
>     bind *:80
>     reqadd X-Forwarded-Proto:\ http
>     default_backend www-backend
>
> frontend www-https
>     bind *:443 ssl crt /etc/ssl/private/haproxy.pem ciphers AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH
>     rspadd Strict-Transport-Security:\ max-age=31536000
>

Just a note, if you want to use STS you need to put your site on the HSTS list for each browser ie Chrome and Firefox have separate ones etc.

>     reqadd X-Forwarded-Proto:\ https
>     default_backend www-backend
>
> userlist stats-auth
>     group admin users admin
>     user admin insecure-password admin
>     group readonly users user
>     user user insecure-password user
>
> backend www-backend
>     mode http
>     maxconn 60000
>     stats enable
>     stats uri /stats
>     acl AUTH http_auth(stats-auth)
>     acl AUTH_ADMIN http_auth(stats-auth) admin
>     stats http-request auth unless AUTH
>     balance roundrobin
>     option prefer-last-server
>     option forwardfor
>     option splice-auto
>     option splice-request
>     option splice-response
>     compression offload
>     compression algo gzip
>     compression type text/html text/plain text/javascript application/javascript application/xml text/css application/octet-stream
>     server nginx-1 192.168.122.101:80 maxconn 15000 cookie S1 check
>     server nginx-2 192.168.122.102:80 maxconn 15000 cookie S2 check
>     server nginx-3 192.168.122.103:80 maxconn 15000 cookie S3 check
>     server nginx-4 192.168.122.104:80 maxconn 15000 cookie S4 check
>

And where is your cookie and the checks setup?

>
> --------------------------------------------------------------------------------------------------
>
> 3. A 24 processor Ubuntu system starts 2 nginx VM's (KVM, 2 vcpu, 1GB),
> and 1 haproxy VM (KVM, 2 vcpu, 1GB). 'ab' runs on the host and tests with
> either the haproxy VM, or directly to one of the 2 nginx VM's.
>
> Sometimes during the test, I also see many "nf_conntrack: table full,
> dropping packet" messages on the host system.
>
> Thanks.
> - Krishna
>
>
> On Tue, Apr 21, 2015 at 1:29 PM, Krishna Kumar (Engineering) <krishna...@flipkart.com> wrote:
>
>> Hi all,
>>
>> While running the command: :" ab -n 100000 -c 1000 192.168.122.110:80/256 ",
>> the haproxy stats page shows the 4 different backend servers changing status
>> between "Active up, going down", "Active or backup down", "Down", "Backup
>> down, going UP", sometimes all 4 backends are in DOWN state. The result is
>> very poor performance reported by 'ab' as compared to running directly
>> against a single backend.
>>
>> What could be the reason for this continuous state change?
>>
>> root@HAPROXY:~# haproxy -vv
>> HA-Proxy version 1.5.8 2014/10/31
>> Copyright 2000-2014 Willy Tarreau <w...@1wt.eu>
>>
>> Build options :
>>   TARGET = linux2628
>>   CPU = generic
>>   CC = gcc
>>   CFLAGS = -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2
>>   OPTIONS = USE_ZLIB=1 USE_OPENSSL=1 USE_PCRE=1
>>
>> Default settings :
>>   maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200
>>
>> Encrypted password support via crypt(3): yes
>> Built with zlib version : 1.2.7
>> Compression algorithms supported : identity, deflate, gzip
>> Built with OpenSSL version : OpenSSL 1.0.1e 11 Feb 2013
>> Running on OpenSSL version : OpenSSL 1.0.1k 8 Jan 2015
>> OpenSSL library supports TLS extensions : yes
>> OpenSSL library supports SNI : yes
>> OpenSSL library supports prefer-server-ciphers : yes
>> Built with PCRE version : 8.30 2012-02-04
>> PCRE library supports JIT : no (USE_PCRE_JIT not set)
>> Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
>>
>> Available polling systems :
>>   epoll : pref=300, test result OK
>>   poll : pref=200, test result OK
>>   select : pref=150, test result OK
>> Total: 3 (3 usable), will use epoll.
>>
>>
>> Thanks,
>> - Krishna Kumar
>>
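
The two things the reply asks about, the cookie setup and the check setup, can be looked for mechanically. The Python sketch below is an added example, not part of the original thread and not HAProxy code: it flags `server` lines that carry a `cookie` value or `check` while no `cookie` directive or `option httpchk` is in scope. The function names and the trimmed sample are assumptions made for illustration, and other check types (for example `option tcp-check`) are not considered.

```python
# Added example: lint a HAProxy config for the two gaps the reply asks about.
# SAMPLE is trimmed from the configuration quoted in the thread.
SAMPLE = """\
defaults
    option redispatch

backend www-backend
    mode http
    balance roundrobin
    server nginx-1 192.168.122.101:80 maxconn 15000 cookie S1 check
    server nginx-2 192.168.122.102:80 maxconn 15000 cookie S2 check
"""

SECTION_KEYWORDS = {"global", "defaults", "frontend", "backend", "listen", "userlist"}
NO_COOKIE = "server cookie value set, but no 'cookie' directive in scope"
NO_HTTPCHK = "'check' set, but no 'option httpchk' in scope (TCP connect check)"

def parse_sections(text):
    """Split a config into [kind, name, list of tokenised lines] entries."""
    sections = []
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if not tokens:
            continue
        if tokens[0] in SECTION_KEYWORDS:
            sections.append([tokens[0], tokens[1] if len(tokens) > 1 else "", []])
        elif sections:
            sections[-1][2].append(tokens)
    return sections

def lint(text):
    """Return (backend, server, message) findings."""
    sections = parse_sections(text)
    # Simplification: every 'defaults' line is treated as inherited everywhere.
    inherited = [ln for kind, _, lines in sections if kind == "defaults" for ln in lines]
    findings = []
    for kind, name, lines in sections:
        if kind not in ("backend", "listen"):
            continue
        scope = inherited + lines
        has_cookie = any(ln[0] == "cookie" for ln in scope)
        has_httpchk = any(ln[:2] == ["option", "httpchk"] for ln in scope)
        for ln in (l for l in lines if l[0] == "server"):
            params = ln[3:]  # everything after: server <name> <address>
            if "cookie" in params and not has_cookie:
                findings.append((name, ln[1], NO_COOKIE))
            if "check" in params and not has_httpchk:
                findings.append((name, ln[1], NO_HTTPCHK))
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(*finding, sep=": ")
```
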