wow! Thanks, again
Gerd

-------- Forwarded message --------
From: Pavlos Parissis <pavlos.paris...@gmail.com>
To: Andrew Hayworth <andrew.haywo...@getbraintree.com>, Gerd Mueller <Gerd.muel...@mikatiming.de>
Cc: haproxy@formilux.org <haproxy@formilux.org>
Subject: Re: ssl offloading
Date: Sun, 3 Apr 2016 22:37:41 +0200

On 01/04/2016 04:20 PM, Andrew Hayworth wrote:
>
> Hi there -
>
> Have you considered HAProxy in multiprocess mode? You could have a
> frontend spread across multiple threads that terminates SSL. We're
> experimenting with such a design here.
>

It has been mentioned before that you can increase capacity[1] by using:

- latest Intel CPUs
- OpenSSL 1.0.2g version or higher
- enable multiprocess mode
- pin HAProxy processes to CPUs
- stop irqbalance and pin network interrupt queues to CPUs; using Intel 10GbE cards makes this very easy
- tune HAProxy and the OS
- enable RFC 5077 TLS session resumption, tricky in a distributed setup
- deploy ECC certificates and enable ECC ciphers

I managed to achieve 450K HTTPS/sec with object size 1K using 22 cores out of 24.
Disabling HT and using 10 cores gave me 370K HTTPS/sec. HT is disabled for now in our systems.

I wouldn't offload SSL to hardware as they are like a black box. You don't know what they do and how vulnerable they are.

Cheers,
Pavlos

[1] number of HTTPS/sec while CPU utilization (user+sys level) <= 70%
    Why 70%? Because you want to have some room to handle attacks, failures on other nodes/DCs, and mistakes by devs (a typo somewhere can increase the number of requests and cause a DDoS...).
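The multiprocess, CPU-pinning, IRQ-pinning and ECC/ticket items in Pavlos's list map onto a handful of HAProxy directives and /proc/irq writes. The script below is an added example, not configuration from Pavlos or from the HAProxy project: it generates the HAProxy 1.6-era global/frontend fragment (nbproc, cpu-map, one bind per process, tls-ticket-keys, an ECDHE-first cipher list) and emits, without running them, the smp_affinity commands that pin a NIC's queue interrupts round-robin over the HAProxy CPUs. The interface name, certificate and key paths, the process count and the /proc/interrupts sample are constructed; the "<iface>-TxRx-<n>" queue naming is the Intel ixgbe convention and is an assumption for other drivers.

```shell
#!/bin/sh
# Added example (not HAProxy project code): HAProxy multiprocess + IRQ pinning
# helpers. Assumes HAProxy 1.6 syntax (nbproc, cpu-map, per-bind "process" and
# "tls-ticket-keys") and a Linux /proc/interrupts layout. All names are constructed.

# Hex bitmask with only bit $1 set, the format /proc/irq/N/smp_affinity expects.
# Shell arithmetic is 64-bit, so CPUs 0..62 are covered; bigger boxes need the
# comma-separated multi-word mask form, which this helper refuses rather than truncates.
cpu_mask() {
    cpu=$1
    [ "$cpu" -ge 0 ] && [ "$cpu" -lt 63 ] || { echo "cpu $cpu out of range" >&2; return 1; }
    printf '%x\n' $((1 << cpu))
}

# Global section: one process per core, each pinned to its own CPU
# (process numbers are 1-based, CPU ids 0-based), plus ECDHE-first ciphers so an
# ECC certificate is actually negotiated, and no SSLv3/TLS1.0.
haproxy_global() {
    nproc=$1
    echo "nbproc $nproc"
    i=1
    while [ "$i" -le "$nproc" ]; do
        echo "cpu-map $i $((i - 1))"
        i=$((i + 1))
    done
    echo "ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384"
    echo "ssl-default-bind-options no-sslv3 no-tlsv10"
}

# TLS-terminating frontend: one bind line per process so each process owns its
# own listening socket (no accept() contention). The RFC 5077 ticket key file
# must be identical on every node behind the same VIP, or resumption only works
# when the client lands on the node that issued the ticket; rotate it on all nodes together.
haproxy_ssl_frontend() {
    nproc=$1; cert=$2; keys=$3
    echo "frontend https-in"
    i=1
    while [ "$i" -le "$nproc" ]; do
        echo "    bind :443 ssl crt $cert tls-ticket-keys $keys process $i"
        i=$((i + 1))
    done
    echo "    default_backend app"
}

# Emit (do not execute) the commands pinning each queue IRQ of $1 to a CPU,
# round-robin over the first $2 CPUs, from /proc/interrupts text passed as $3.
# Stop irqbalance first (systemctl stop irqbalance) or it will rewrite these masks.
irq_pin_cmds() {
    iface=$1; nproc=$2; table=$3
    q=0
    printf '%s\n' "$table" | while read -r irq rest; do
        irq=${irq%:}
        case "$irq" in ''|*[!0-9]*) continue ;; esac   # skip the CPUn header and non-IRQ rows
        last=${rest##* }                               # queue name is the last column
        case "$last" in "${iface}-"*) ;; *) continue ;; esac
        echo "echo $(cpu_mask $((q % nproc))) > /proc/irq/$irq/smp_affinity"
        q=$((q + 1))
    done
}

# Constructed /proc/interrupts excerpt: four eth0 queues and one eth1 queue.
SAMPLE_INTERRUPTS='           CPU0       CPU1       CPU2       CPU3
  33:    1234567          0          0          0   PCI-MSI-edge      eth0-TxRx-0
  34:          0    2345678          0          0   PCI-MSI-edge      eth0-TxRx-1
  35:          0          0    3456789          0   PCI-MSI-edge      eth0-TxRx-2
  36:          0          0          0    4567890   PCI-MSI-edge      eth0-TxRx-3
  37:        101          0          0          0   PCI-MSI-edge      eth1-TxRx-0'

# Usage: sh haproxy-tune.sh demo   (prints the config fragment, then the pin commands)
if [ "${1:-}" = "demo" ]; then
    haproxy_global 4
    haproxy_ssl_frontend 4 /etc/haproxy/site-ecdsa.pem /etc/haproxy/ticket.keys
    irq_pin_cmds eth0 4 "$SAMPLE_INTERRUPTS"
fi
```

Run it in demo mode to eyeball the output, then feed the real table with `irq_pin_cmds eth0 "$NPROC" "$(cat /proc/interrupts)"` and pipe the commands through `sh` as root only once the masks look right. Keeping the RX/TX queue for a CPU on the same CPU as the HAProxy process that owns that socket is what avoids the cross-core cache traffic; if the NIC has more queues than HAProxy processes, the round-robin above shares the extra queues among the pinned cores instead of spilling onto cores HAProxy does not use.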