Re: General SSL vs. non-SSL Performance

Sat, 19 Mar 2016 20:52:04 -0700 

On 18.03.2016 11:46, Willy Tarreau wrote:
> Hi Christian,
> 
> On Fri, Mar 18, 2016 at 11:31:57AM +0100, Christian Ruppert wrote:
>> I also just stumbled over this:
>> https://software.intel.com/en-us/articles/accelerating-ssl-load-balancers-with-intel-xeon-v3-processors
>> Might be interesting for others as well. So ECC and multi-threaded/process
>> is the way to go it seems.
> 
> Thanks for this one, I had seen it once and lost it! I'll add it to
> the list of articles on the haproxy page not to lose it anymore!
> 
>>> But note that people who have to deal with heavy SSL traffic actually
>>> deal with this in haproxy by using to levels of processing, one for
>>> HTTP and one for TLS. It means that only TLS traffic can be hurt by
>>> handshakes :
>>>
>>>   listen secure
>>>        bind :443 ssl crt foo.pem process 2-32
>>>     mode tcp
>>>        server clear 127.0.0.1:80
>>>
>>>   frontend clear
>>>        bind :80 process 1
>>>     mode http
>>>        use_backend my_wonderful_server_farm
>>>
>>>   ...
>>>
>>
>> Your example would be better and easier but we need the client IP for ACLs
>> and so forth which wouldn't work in tcp mode and there would be no XFF
>> header. So we're duplicating stuff in the frontend but use one backend.
> 
> You don't need, just use the proxy protocol :
> 
>    listen secure
>         bind :443 ssl crt foo.pem process 2-32
>       mode tcp
>         server clear 127.0.0.1:81 send-proxy-v2
> 
>    frontend clear
>         bind 127.0.0.1:81 accept-proxy process 1
>         bind :80 process 1
>       mode http
>         use_backend my_wonderful_server_farm
> 
> Also, if you have one backend with all frontends bound to many processes,
> then all your backends run on these processes, which makes it harder to
> enforce maxconn limitations or to share stick-tables. That's why it's
> much better to only move SSL out of the regular path. Of course if you
> need to pass extra info, you'll have to enable HTTP in the frontend.

Doesn't this setup use a lot of additional sockets for the
send/accept-proxy communication?
I'm using abstract namespace sockets to handle this kind of forwarding:

    listen secure
         bind :443 ssl crt foo.pem process 2-32
         mode tcp
         server clear abns@fclear send-proxy-v2

    frontend clear
         bind abns@fclear accept-proxy process 1
         bind :80 process 1
         mode http
         use_backend my_wonderful_server_farm

Is there any downside to use abstract namespace sockets like this?

Regards,
  Dennis

Reply via email to