Hi, sorry for the minimal details. I will try to elaborate on the situation.
We are developing a central log repository in the cloud, for which we are using
HAProxy as load balancer and Flume as backend for further processing.
We are expecting HTTPS traffic from multiple known clients, and we also need to
authenticate these clients using their client certificates.
When we used plain HTTP mode, we were able to receive and process around 80
sessions/second at HAProxy. Below is the configuration used.
global
    log 127.0.0.1 local2
    chroot /var/lib/haproxy
    pidfile /var/run/haproxy.pid
    maxconn 10000
    user haproxy
    group haproxy
    daemon
    stats socket /var/lib/haproxy/stats
    tune.bufsize 16384
    tune.maxrewrite 1024

defaults
    mode http
    log global
    option httplog
    option dontlognull
    option http-server-close
    option forwardfor except 127.0.0.0/8
    option redispatch
    retries 3
    timeout http-request 100000s
    timeout queue 1m
    timeout connect 100000s
    timeout client 10m
    timeout server 10m
    timeout http-keep-alive 100000s
    timeout check 100000s
    maxconn 10000

frontend http_request
    bind *:5001
    mode http
    default_backend handle_http_request

backend handle_http_request
    mode http
    balance roundrobin
    server Flume1 10.15.1.31:5005

listen logstats
    bind *:31337
    mode http
    option httpclose
    balance roundrobin
    stats uri /
    stats realm Haproxy\ Statistics
    stats refresh 10s
    stats auth svcloud:svcloud
Later we changed the configuration to accept HTTPS traffic and, with the same
client and the same backend server, the sessions/second dropped to 1. Below is the
configuration used.
global
    log 127.0.0.1 local1 notice
    chroot /var/lib/haproxy
    pidfile /var/run/haproxy.pid
    maxconn 10000
    user haproxy
    group haproxy
    daemon
    stats socket /var/lib/haproxy/stats
    tune.bufsize 16384
    tune.maxrewrite 1024
    tune.ssl.default-dh-param 2048

defaults
    mode http
    log global
    option httplog
    option dontlognull
    option http-server-close
    option forwardfor except 127.0.0.0/8
    option redispatch
    retries 3
    timeout http-request 100000s
    timeout queue 1m
    timeout connect 100000s
    timeout client 10m
    timeout server 10m
    timeout http-keep-alive 100000s
    timeout check 100000s
    maxconn 10000

frontend http_request
    # TLS termination with mandatory client-certificate verification against ca.crt
    bind *:5001 ssl crt ./certs/server.pem ca-file ./certs/ca.crt verify required
    mode http
    default_backend handle_http_request

backend handle_http_request
    mode http
    balance roundrobin
    server Flume1 10.15.1.31:5005

listen logstats
    bind *:31337
    mode http
    option httpclose
    balance roundrobin
    stats uri /
    stats realm Haproxy\ Statistics
    stats refresh 10s
    stats auth svcloud:svcloud
The server (8 cores, 32 GB RAM, CentOS 6.5) and the environment are the same for both
tests. Below are the sysctl parameters added for both tests.
net.core.somaxconn = 32768
net.ipv4.conf.all.send_redirects = 1
net.ipv4.ip_nonlocal_bind = 1
net.ipv4.tcp_abort_on_overflow = 0
net.ipv4.tcp_fin_timeout = 10
net.ipv4.tcp_keepalive_time = 300
net.ipv4.tcp_max_orphans = 262144
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_max_tw_buckets = 262144
net.ipv4.tcp_mem = 200000 280000 300000
net.ipv4.tcp_reordering = 3
net.ipv4.tcp_rmem = 4096 87380 4120928
net.ipv4.tcp_synack_retries = 3
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_syn_retries = 5
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_wmem = 4096 16384 4120928
net.ipv4.netfilter.ip_conntrack_max = 10485760
net.ipv4.netfilter.ip_conntrack_tcp_timeout_fin_wait = 30
net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait = 15
net.netfilter.nf_conntrack_max = 10485760
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 30
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 15
--regards
Hemanth
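Against the configuration and sysctls posted above, these are the checks a security reviewer would run before worrying about throughput. This is an added example and is not part of this thread, of HAProxy, or of the poster's tooling. It assumes HAProxy 1.5-era keywords (the no-sslv3 and crl-file bind options and the global ssl-default-bind-options), the timeout ceilings are this example's own policy rather than HAProxy defaults, and the embedded config is trimmed to the posted lines the rules inspect:

```python
"""Lint the HAProxy config and sysctls from this thread for settings a security reviewer
would question. Added example for this page; not part of the thread, HAProxy, or the poster's
tooling. The timeout ceilings below are this example's own review policy (an assumption)."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "section name message")

# Trimmed to the lines the rules inspect; the values are the ones posted above.
POSTED_CONFIG = """\
global
    tune.ssl.default-dh-param 2048
defaults
    timeout http-request 100000s
    timeout connect 100000s
    timeout http-keep-alive 100000s
    timeout check 100000s
frontend http_request
    bind *:5001 ssl crt ./certs/server.pem ca-file ./certs/ca.crt verify required
listen logstats
    bind *:31337
    stats auth svcloud:svcloud
"""
POSTED_SYSCTL = "net.ipv4.tcp_timestamps = 0\nnet.ipv4.tcp_tw_recycle = 1\n"

SECTIONS = ("global", "defaults", "frontend", "backend", "listen")
UNIT_MS = {"us": 0.001, "ms": 1, "s": 1000, "m": 60_000, "h": 3_600_000, "d": 86_400_000}
TIMEOUT_LIMITS_MS = {          # assumed review ceilings, not HAProxy defaults
    "http-request": 30_000,    # above this, slow-header (slowloris) clients hold slots for hours
    "connect": 10_000,         # a backend silent for 10 s should be given up on and redispatched
    "http-keep-alive": 60_000,
    "check": 30_000,
}

def parse_time_ms(value):
    """HAProxy time syntax: integer with optional us/ms/s/m/h/d suffix, default ms."""
    m = re.fullmatch(r"(\d+)(us|ms|s|m|h|d)?", value)
    if not m:
        raise ValueError(f"bad time value: {value!r}")
    return int(m.group(1)) * UNIT_MS[m.group(2) or "ms"]

def parse_config(text):
    """Split a config into sections: dicts of kind, name and tokenised keyword lines."""
    sections = []
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()      # '#' starts a comment
        if not tokens:
            continue
        if tokens[0] in SECTIONS:
            sections.append({"kind": tokens[0], "name": " ".join(tokens[1:]), "lines": []})
        elif sections:
            sections[-1]["lines"].append(tokens)
    return sections

def lint(sections):
    """Return one Finding per questionable timeout, TLS bind option or exposed stats page."""
    findings = []
    global_ssl = {o for s in sections if s["kind"] == "global" for t in s["lines"]
                  if t[0] == "ssl-default-bind-options" for o in t[1:]}
    for sec in sections:
        where = (sec["kind"], sec["name"])
        stats_auth = any(t[:2] == ["stats", "auth"] for t in sec["lines"])
        for t in sec["lines"]:
            if t[0] == "timeout" and len(t) >= 3 and t[1] in TIMEOUT_LIMITS_MS:
                ms, limit = parse_time_ms(t[2]), TIMEOUT_LIMITS_MS[t[1]]
                if ms > limit:
                    findings.append(Finding(*where, f"timeout {t[1]} {t[2]} is "
                                            f"{ms / limit:.0f}x the {limit // 1000}s ceiling"))
            elif t[0] == "bind" and len(t) >= 2:
                addr, opts = t[1], t[2:]
                if "ssl" in opts and "no-sslv3" not in opts and "no-sslv3" not in global_ssl:
                    findings.append(Finding(*where, f"bind {addr}: ssl without no-sslv3 "
                                            "(set it here or in ssl-default-bind-options)"))
                verify = opts[opts.index("verify") + 1:][:1] if "verify" in opts else []
                if verify == ["required"] and "crl-file" not in opts:
                    findings.append(Finding(*where, f"bind {addr}: client certs verified with "
                                            "no crl-file, so revoked certs still authenticate"))
                host = addr.rsplit(":", 1)[0]
                if stats_auth and "ssl" not in opts and host in ("*", "0.0.0.0", "::"):
                    findings.append(Finding(*where, f"bind {addr}: stats password crosses every "
                                            "interface in clear; bind 127.0.0.1 or add ssl"))
    return findings

def lint_sysctl(text):
    """Flag TIME-WAIT recycling, which rejects SYNs from clients sharing a NAT address."""
    params = dict(tuple(map(str.strip, line.split("=", 1)))
                  for line in text.splitlines() if "=" in line)
    if params.get("net.ipv4.tcp_tw_recycle") != "1":
        return []
    msg = "tcp_tw_recycle=1 drops connections from clients behind NAT (per-host timestamp check)"
    if params.get("net.ipv4.tcp_timestamps") == "0":
        msg += "; inert while tcp_timestamps=0 (recycling keys on timestamps), bites once they return"
    return [Finding("sysctl", "net.ipv4.tcp_tw_recycle", msg)]

if __name__ == "__main__":
    for f in lint(parse_config(POSTED_CONFIG)) + lint_sysctl(POSTED_SYSCTL):
        print(f"[{f.section} {f.name}] {f.message}")
```

Point parse_config at the real haproxy.cfg and adjust TIMEOUT_LIMITS_MS to local policy. None of these findings explains the drop from 80 to 1 session/second, but they are what to settle before measuring handshakes, and the crl-file one matters most on this endpoint: the client certificate is the only thing authenticating a log source, so without revocation checking a leaked client key stays valid until the CA itself is rotated.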
-----Original Message-----
From: Baptiste [mailto:[email protected]]
Sent: Monday, November 30, 2015 7:21 PM
To: Hemanth Abbina <[email protected]>
Cc: [email protected]
Subject: Re: HAProxy: Max. throughput using HTTPs client authentication
On Mon, Nov 30, 2015 at 1:20 PM, Hemanth Abbina <[email protected]>
wrote:
> Hi,
>
> We are validating HAProxy for our environment, as our primary load
> balancer to receive HTTPS traffic; it also needs to verify clients. We
> are testing it on an 8 core, 32 GB CentOS server.
>
> In HTTP mode, we were able to send up to 80 sessions/sec with a
> single HTTP client.
>
> The same setup, when used with HTTPS along with client authentication,
> gives us only 1 session/sec. Is this performance expected, or can
> we do anything to improve it? Below is the SSL configuration
> used.
>
> bind *:443 ssl crt ./certs/server.pem ca-file ./certs/ca.crt
> verify required
>
> --regards
>
> Hemanth
Hi,
Sorry, but the numbers you're reporting don't make any sense!
Please provide full information about your haproxy box, anything which may help
us understand what happens, such as your configuration, sysctls, dmesg
output, logs, etc.
Baptiste