Hi Baptiste,

Thank you very much for the tips. I have nbproc=8 in my configuration. Made
the following changes:

Added both bind and tune.bufsize change    result -> works.
Removed the tune.bufsize                   result -> works.
Added bind-process for frontend and backend as:
        bind-process 1,2,3,4,5,6,7,8       result -> works.
Removed the bind-process                   result -> fails.

(the bind-process change you suggested worked for 16K and also for 128K,
which was what I was initially testing before going smaller to find that
16K failed and 4K worked)

The performance for SSL is also very much lower compared to regular traffic,
it may be related to configuration settings (about 2x to 3x worse):

128 bytes I/O:
        SSL:        BW: 22168.31 KB/s      RPS: 63408.79
        NO-SSL: BW: 61193.31 KB/s       RPS: 175033.38

64K bytes I/O:
        SSL:        BW: 506393.55 KB/s     RPS: 7884.49 rps
        NO-SSL: BW: 1101296.07 KB/s    RPS: 17147.05 rps

I will send the configuration a little later, as it needs heavy cleaning
up, there are lots of things I want to clean before that.

Thanks,
- Krishna Kumar


On Wed, May 13, 2015 at 3:05 PM, Baptiste <[email protected]> wrote:

> On Wed, May 13, 2015 at 10:07 AM, Krishna Kumar (Engineering)
> <[email protected]> wrote:
> > Hi all,
> >
> > I am having the following problem with SSL + large I/O. Details are:
> >
> > Distribution: Debian 7, Kernel: 3.19.6, ab version: 2.3, haproxy: 1.5.12,
> > nginx: 1.2.1
> >
> > $ ab -k -n 100000 -c 100 http://<IP>:80/128K
> > Works correctly.
> >
> > $ ab -k -n 10000 -c 10 https://<IP>:443/4K
> > Works correctly.
> >
> > $ ab -k -n 10000 -c 10 https://<IP>:443/128K
> > No output, finally the only message is:
> > apr_poll: The timeout specified has expired (70007)
> >
> > $ ab -k -n 10000 -c 10 https://<IP>:443/16K
> > No output, finally the only message is:
> > apr_poll: The timeout specified has expired (70007)
> >
> > Configuration file (SSL parts only):
> > defaults:
> >     nbproc=8
> >     ssl-default-bind-ciphers kEECDH+aRSA+AES:kRSA+AES:+AES256:RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL
> >         ssl-default-bind-options no-sslv3
> >
> > frontend www-https
> >         bind *:443 ssl crt /etc/ssl/private/haproxy.pem
> >         reqadd X-Forwarded-Proto:\ https
> >         default_backend www-backend
> >
> > $ haproxy -vv | egrep -i "ssl|tls"
> >   OPTIONS = USE_ZLIB=1 USE_OPENSSL=1 USE_PCRE=1 USE_TFO=1
> > Built with OpenSSL version : OpenSSL 1.0.1k 8 Jan 2015
> > Running on OpenSSL version : OpenSSL 1.0.1k 8 Jan 2015
> > OpenSSL library supports TLS extensions : yes
> > OpenSSL library supports SNI : yes
> > OpenSSL library supports prefer-server-ciphers : yes
> >
> > I found that setting nbproc=1 works for SSL, but setting it to >1 (2, 4, 8)
> > hangs as above. With nbproc=2, I make slightly more progress than with 8
> > (system has 48 cores though):
> >
> > $ ab -k -n 10000 -c 10 https://<IP>:443/128K
> > apr_poll: The timeout specified has expired (70007)
> > Total of 200 requests completed
> >
> > I tried adding the following to frontend and backend respectively:
> >            To the frontend -> bind-process 1,2
> >            To the backend -> bind-process 3,4,5,6,7,8
> >
> > How can I fix this issue?
> >
> > Thanks,
> > - Krishna Kumar
> >
>
> Hi Krishna,
>
> Well, a frontend and a backend must be on the same HAProxy process.
> Please try again by binding all frontend and backend to the same
> process and let us know if you still have the issue.
>
> Also, could you share with us your whole configuration, since some
> global parameters may have some impact on HAProxy.
>
> That said, it's weird it breaks up at 16K...
> Could you add the following directive in the global section:
> "tune.bufsize 32000" and run again the 16K test and report any issue?
> (it's simply a test and should not be used in any case as a workaround!)
>
> Baptiste
>
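
The frontend/backend process mismatch discussed in this thread can be checked before a configuration is deployed. The following is an added example, not code from the thread or from the HAProxy project: it reports every frontend that routes to a backend which some of the frontend's processes do not run. It assumes `bind-process` values are process numbers, ranges, `all`, `odd` or `even`, accepts the comma-separated form written in the thread as well as space-separated values, and ignores `listen` and `defaults` sections; `parse_procs` and `find_mismatches` are hypothetical names.

```python
import re

SECTIONS = ("global", "defaults", "frontend", "backend", "listen")

def parse_procs(args, nbproc):
    """Expand bind-process arguments into a set of process numbers."""
    procs = set()
    for tok in filter(None, re.split(r"[,\s]+", args)):
        if tok == "all":
            procs |= set(range(1, nbproc + 1))
        elif tok in ("odd", "even"):
            procs |= set(range(1 if tok == "odd" else 2, nbproc + 1, 2))
        elif "-" in tok:
            lo, hi = tok.split("-")
            procs |= set(range(int(lo), int(hi) + 1))
        else:
            procs.add(int(tok))
    return procs

def find_mismatches(config, nbproc):
    """Map (frontend, backend) to the processes that run only the frontend."""
    everyone = set(range(1, nbproc + 1))
    procs, routes, current = {}, [], None
    for line in config.splitlines():
        words = line.split()
        if not words or words[0].startswith("#"):
            continue
        if words[0] in SECTIONS:
            is_proxy = words[0] in ("frontend", "backend") and len(words) > 1
            current = (words[0], words[1]) if is_proxy else None
            if current:
                procs[current] = everyone  # no bind-process: every process
        elif current and words[0] == "bind-process":
            procs[current] = parse_procs(" ".join(words[1:]), nbproc)
        elif current and current[0] == "frontend" and len(words) > 1 \
                and words[0] in ("default_backend", "use_backend"):
            routes.append((current[1], words[1]))
    return {(fe, be): sorted(missing) for fe, be in routes
            if (missing := procs[("frontend", fe)]
                - procs.get(("backend", be), everyone))}

# Constructed sample modelled on the configuration quoted in the thread.
TEMPLATE = """frontend www-https
    bind *:443 ssl crt /etc/ssl/private/haproxy.pem
    bind-process {fe}
    default_backend www-backend
backend www-backend
    bind-process {be}
"""
BROKEN = TEMPLATE.format(fe="1,2", be="3,4,5,6,7,8")
FIXED = TEMPLATE.format(fe="1,2,3,4,5,6,7,8", be="1,2,3,4,5,6,7,8")
```

`find_mismatches(BROKEN, 8)` flags the `www-https` to `www-backend` route for processes 1 and 2, while `find_mismatches(FIXED, 8)` returns an empty result.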
