Thanks Baptiste.
The performance for SSL vs regular is very bad. Could someone help
with that? Following is the configuration, test result and the monitoring
tool results (the last is interesting).
------------- Configuration file -----------------------------
global
daemon
maxconn 60000
quiet
nbproc 6
cpu-map 1 0
cpu-map 2 1
cpu-map 3 2
cpu-map 4 3
cpu-map 5 4
cpu-map 6 5
tune.pipesize 524288
user haproxy
group haproxy
stats socket /var/run/haproxy.sock mode 600 level admin
stats timeout 2m
defaults
mode http
option forwardfor
retries 3
option redispatch
maxconn 60000
option splice-auto
option prefer-last-server
timeout connect 5000ms
timeout client 50000ms
timeout server 50000ms
frontend www-http
bind <HAPROXY>:80
default_backend www-backend
frontend www-https
bind-process 1,2,3,4
bind <HAPROXY>:443 ssl crt /etc/ssl/private/haproxy.pem
default_backend www-backend
backend www-backend
bind-process 1,2,3,4 # Have tested with this removed also, no
difference
mode http
maxconn 60000
stats enable
stats uri /stats
balance roundrobin
option prefer-last-server
option forwardfor
option splice-auto
cookie FKSID prefix indirect nocache
server nginx-1 <NGINX-1>:80 maxconn 20000 check
server nginx-2 <NGINX-2>:80 maxconn 20000 check
-------------- Test results ------------------------------------
Test result without SSL:
Requests per second: 181224.69 [#/sec] (mean)
Transfer rate: 51854.33 [Kbytes/sec] received
Test result with SSL:
SSL/TLS Protocol: TLSv1/SSLv3,ECDHE-RSA-AES256-GCM-SHA384,1024,256
Requests per second: 65313.33 [#/sec] (mean)
Transfer rate: 18688.29 [Kbytes/sec] received
-------------------- Monitoring tools results -------------------
Pidstat/mpstat without SSL:
pidstat shows each haproxy using similar system resources:
Average: 110 4730 19.60 29.20 0.00 48.80 -
haproxy
(and all remaining 5 are similar)
mpstat is similar:
Average: CPU %usr %nice %sys %iowait %irq %soft
%steal %guest %gnice %idle
Average: 0 18.34 0.00 24.12 0.00 0.00 2.26
0.00 0.00 0.00 55.28
Pidstat/mpstat with SSL:
pidstat shows first haproxy (on cpu0) is the only one active, rest are
0% for all fields.
Average: 110 4839 35.64 63.56 0.00 99.20 -
haproxy
mpstat is similar to pidstat:
Average: CPU %usr %nice %sys %iowait %irq %soft
%steal %guest %gnice %idle
Average: all 0.75 0.00 0.82 0.01 0.00 0.52
0.00 0.00 0.00 97.90
Average: 0 35.73 0.00 38.93 0.00 0.00 24.80
0.00 0.00 0.00 0.53
Setting bind-process seems to have the effect of reducing performance to
1/3rd of
original (even for http request, if I add bind-process in the frontend
section of http),
as only the first cpu in bind-process is running. If I remove bind-process,
https of 64
bytes goes up 2.5 times to 140K (lower than http which is 180K). But
ofcourse 64K
doesn't work then.
Thanks again,
- Krishna Kumar
On Wed, May 13, 2015 at 7:05 PM, Baptiste <[email protected]> wrote:
> On Wed, May 13, 2015 at 2:16 PM, Krishna Kumar (Engineering)
> <[email protected]> wrote:
> > Hi Baptiste,
> >
> > Thank you very much for the tips. I have nbproc=8 in my configuration.
> Made
> > the
> > following changes:
> >
> > Added both bind and tune.bufsize change result ->
> > works.
> > Removed the tune.bufsize
> > result -> works.
> > Added bind-process for frontend and backend as:
> > bind-process 1,2,3,4,5,6,7,8
> > result -> works
> > Removed the bind-process
> > result -> fails.
> >
> > (the bind-process change you suggested worked for 16K and also for 128K,
> > which
> > was what I was initially testing before going smaller to find that 16K
> > failed and 4K
> > worked)
> >
> > The performance for SSL is also very much lower compared to regular
> traffic,
> > it may be related to configuration settings (about 2x to 3x worse):
> >
> > 128 bytes I/O:
> > SSL: BW: 22168.31 KB/s RPS: 63408.79
> > NO-SSL: BW: 61193.31 KB/s RPS: 175033.38
> >
> > 64K bytes I/O:
> > SSL: BW: 506393.55 KB/s RPS: 7884.49 rps
> > NO-SSL: BW: 1101296.07 KB/s RPS: 17147.05 rps
> >
> > I will send the configuration a little later, as it needs heavy cleaning
> up,
> > there are
> > lots of things I want to clean before that.
> >
> > Thanks,
> > - Krishna Kumar
> >
>
>
> Ok, so we spotted a bug there :)
> At least, HAProxy should warn you your backend and frontend aren't on
> the same process.
> In my mind, HAProxy silently create a backend to the frontend's
> process, even if it was not supposed to be there. But this behavior
> may have changed recently.
>
> No time to dig further in it, but I'll let Willy know so he can check
> about it.
>
> Simply bear this rule in mind: a frontend and a backend must be on the
> same process.
>
> Baptiste
>
