Hi
We are using HAProxy as a load balancer and also want to use it for SSL
termination, but we are not getting the performance we get with nginx. Please
suggest the best configuration to achieve the same. I have tried all SSL
optimizations on both HAProxy and nginx.
Below are the performance stats.


=========== NGINX PERFORMANCE ====================

httperf --hog --timeout=5 --client=0/1 --server=192.168.57.30 --port=8443
--uri=/index.html --http-version=1.0 --rate=500 --send-buffer=4096
--recv-buffer=16384 --ssl --ssl-no-reuse --num-conns=5000 --num-calls=2
httperf: warning: open file limit > FD_SETSIZE; limiting max. # of open
files to FD_SETSIZE Maximum connect burst length: 19

Total: connections 4666 requests 9332 replies 9332 test-duration 11.675 s

Connection rate: 399.6 conn/s (2.5 ms/conn, <=1022 concurrent connections)
Connection time [ms]: min 111.5 avg 1529.2 max 6579.8 median 1369.5 stddev
1042.4 Connection time [ms]: connect 937.5 Connection length
[replies/conn]: 2.000

Request rate: 799.3 req/s (1.3 ms/req) Request size [B]: 100.0

Reply rate [replies/s]: min 743.1 avg 754.0 max 764.9 stddev 15.4 (2
samples) Reply time [ms]: response 295.9 transfer 0.0 Reply size [B]:
header 238.0 content 612.0 footer 0.0 (total 850.0) Reply status: 1xx=0
2xx=9332 3xx=0 4xx=0 5xx=0

CPU time [s]: user 5.94 system 5.74 (user 50.9% system 49.1% total 100.0%)
Net I/O: 741.5 KB/s (6.1*10^6 bps)

Errors: total 334 client-timo 0 socket-timo 0 connrefused 0 connreset 0
Errors: fd-unavail 334 addrunavail 0 ftab-full 0 other 0

============ NGINX CONFIG ================

# nginx virtual server used for the benchmark above: one cleartext listener,
# one TLS listener, static files from `html`, and /RestModel proxied upstream.
# NOTE(review): the closing `}` of this server block does not appear before the
# next section of the post.
server {

    # 8444 is cleartext HTTP; 8443 is the TLS listener the httperf run targets.
    listen 8444;
    listen 8443 ssl;

    access_log off;
    server_name your_domain.com;
    ssl_certificate /usr/local/nginx/conf/ssl/nginx.crt;
    # Private key: keep it readable only by the account that starts nginx.
    ssl_certificate_key /usr/local/nginx/conf/ssl/nginx.key;

    # Session cache shared between workers. The httperf run uses --ssl-no-reuse,
    # so every connection is a full handshake and this cache is not exercised.
    ssl_session_cache   shared:SSL:500m;
    ssl_session_timeout 10m;
    # NOTE(review): TLSv1 and TLSv1.1 are deprecated (RFC 8996); outside a
    # benchmark, offer TLSv1.2 and newer only.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;

    # NOTE(review): DH+3DES keeps a 64-bit block cipher enabled (Sweet32); drop
    # it outside a benchmark. This list is also shorter than the HAProxy
    # ssl-default-bind-ciphers list further down (no DH+AES or RSA+ entries),
    # so the two runs may not negotiate the same suite.
    ssl_ciphers
ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
    # The upstream named `tomcat` is not defined in this excerpt.
    location /RestModel {
        proxy_pass http://tomcat;
    }
    # The benchmark URI /index.html is served from here as a static file, so
    # the nginx numbers include no proxy hop to a backend.
    location / {
        root   html;
        index  index.html index.htm;
    }

========= HA PROXY PERFORMANCE ==============

httperf --hog --timeout=5 --client=0/1 --server=192.168.57.30 --port=443
--uri=/index.html --http-version=1.0 --rate=500 --send-buffer=4096
--recv-buffer=16384 --ssl --ssl-no-reuse --num-conns=5000 --num-calls=2
httperf: warning: open file limit > FD_SETSIZE; limiting max. # of open
files to FD_SETSIZE Maximum connect burst length: 394

Total: connections 1666 requests 2933 replies 1267 test-duration 16.194 s

Connection rate: 102.9 conn/s (9.7 ms/conn, <=1022 concurrent connections)
Connection time [ms]: min 3097.0 avg 6016.3 max 15045.0 median 4477.5
stddev 3255.4 Connection time [ms]: connect 2828.6 Connection length
[replies/conn]: 1.000

Request rate: 181.1 req/s (5.5 ms/req) Request size [B]: 100.0

Reply rate [replies/s]: min 5.0 avg 77.0 max 126.0 stddev 63.7 (3 samples)
Reply time [ms]: response 3715.0 transfer 5.5 Reply size [B]: header 105.0
content 107.0 footer 0.0 (total 212.0) Reply status: 1xx=0 2xx=0 3xx=0
4xx=0 5xx=1267

CPU time [s]: user 9.67 system 6.53 (user 59.7% system 40.3% total 100.0%)
Net I/O: 33.9 KB/s (0.3*10^6 bps)

Errors: total 5000 client-timo 399 socket-timo 0 connrefused 0 connreset
1267 Errors: fd-unavail 3334 addrunavail 0 ftab-full 0 other 0

=========== HA PROXY CONFIG ==============

# HAProxy configuration used for the benchmark above: global TLS defaults,
# eight pinned processes, one frontend (cleartext :81, TLS :443) and one backend.
# NOTE(review): no `defaults` section (mode, timeouts) is shown in this excerpt.
global
    # Connection ceiling and new-connection rate limit.
    maxconn 20000
    maxconnrate 15000
    # The cipher list is wrapped onto its own line by the mail formatting;
    # in haproxy.cfg the keyword and its value go on one line.
    # NOTE(review): the 3DES entries keep a 64-bit block cipher enabled
    # (Sweet32); drop them outside a benchmark.
    ssl-default-bind-ciphers
ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS

    # Disables SSLv3 and stateless session tickets. TLSv1.0 and TLSv1.1 stay
    # enabled because no-tlsv10 / no-tlsv11 are not set.
    ssl-default-bind-options no-sslv3 no-tls-tickets
    # Session cache size in blocks. The httperf run uses --ssl-no-reuse, so
    # the cache is not exercised by this benchmark.
    tune.ssl.cachesize 40000
    # Size of the DH parameters used for the DH+ suites listed above.
    tune.ssl.default-dh-param 2048
    # NOTE(review): the value below ends in ":!" and looks truncated in the
    # post. The backend server line has no `ssl` keyword, so the server-side
    # TLS defaults are not used by the backend shown here.
    ssl-default-server-ciphers
ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!

    ssl-default-server-options no-sslv3 no-tls-tickets
    # Eight processes, each pinned to one core (process N -> CPU N-1).
    nbproc 8
    cpu-map 1 0
    cpu-map 2 1
    cpu-map 3 2
    cpu-map 4 3
    cpu-map 5 4
    cpu-map 6 5
    cpu-map 7 6
    cpu-map 8 7

    # Sections are not nested in HAProxy; the indentation here is cosmetic.
    frontend myfrontend
        # :81 is cleartext; :443 terminates TLS.
        bind :81
        # The PEM given to `crt` holds the certificate and its private key;
        # keep the file readable only by the account that starts HAProxy.
        # NOTE(review): with --ssl-no-reuse every connection pays a full
        # handshake. The key size of api.test.pem is not shown; compare it
        # with the nginx key and with the rsa sign/s figures at the end of
        # the post.
        bind :443 ssl crt /home/rajesh/haproxy-conf/ssl/api.test.pem
        default_backend mybackend
        bind-process 1 2 3 4 5 6 7 8
    backend mybackend

            option http-keep-alive
            # The server line below has no `check` keyword, so this health
            # check definition is never run.
            option httpchk HEAD / HTTP/1.0
            # NOTE(review): the nginx config above listens on 8444 and 8443,
            # not 8442, and the HAProxy run reports 2xx=0 5xx=1267. Confirm
            # something answers on 127.0.0.1:8442 before comparing numbers;
            # as posted, the run measures an error path, not TLS termination.
            server cdn1 127.0.0.1:8442

}

============== MY SYSTEM==========

8 cores, 8 GB RAM

              sign    verify    sign/s verify/s

rsa 512 bits  0.000157s 0.000013s 6380.2 74831.5
rsa 1024 bits 0.000782s 0.000040s 1278.0 24937.4
rsa 2048 bits 0.004854s 0.000142s 206.0 7065.4
rsa 4096 bits 0.034281s 0.000537s 29.2 1863.5
