Hi Willy,
Many thanks for your time and all the suggestions. This looks great.
I imagine we are going to try those and experiment for the next few days. I
guess we'll hold off on the process binding in ssl_termination (2. below)) for
now as we were experimenting on Debian 7 (which has slightly older kernel),
apples-to-apples thing. Or, rather if I could say - we'll keep that for dessert
:)
Will update on the results.
Thanks,
Eduard
2) you didn't specify any process binding in ssl_termination, so the
kernel wakes all processes with incoming connections, and a few of
them take some and the other ones go back to sleep. With a kernel
3.9 or later, you can multiply the "bind" lines and bind each of them
to a different process. The load will be much better distributed :
listen ssl_termination
bind 0.0.0.0:443 process 1 ssl crt /webapps/ssl/haproxy.new.crt ciphers
AES-128-CBC:HIGH:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!AESGCM no-ssl3
bind 0.0.0.0:443 process 2 ssl crt /webapps/ssl/haproxy.new.crt ciphers
AES-128-CBC:HIGH:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!AESGCM no-ssl3
...
