Hi,

On Fri, Sep 30, 2016 at 09:09:07AM +0530, Rajesh Mahajan wrote:
> Hi
> We are using haproxy as loadbalancer also want to use it as ssl terminal
> but we are not getting performance as we get through nginx system. Please
> suggest the best configuration to achieve the same. I have tried all ssl
> optimization on both haproxy and nginx.
> Below are performance stats

Your test reports many errors for both products and incorrect test
conditions, so in practice until you can either :
  - demonstrate that these errors are expected
  - solve them

you can't tell anything about "performance" (which seems low for both
products, as both nginx and haproxy are known for being much faster than
this). Look :

> =========== NGINX PERFORMANCE ====================
>
> httperf --hog --timeout=5 --client=0/1 --server=192.168.57.30 --port=8443
> --uri=/index.html --http-version=1.0 --rate=500 --send-buffer=4096
> --recv-buffer=16384 --ssl --ssl-no-reuse --num-conns=5000 --num-calls=2
> httperf: warning: open file limit > FD_SETSIZE; limiting max. # of open
> files to FD_SETSIZE Maximum connect burst length: 19

This warning basically says that it will not be able to handle all
connections in parallel and that you don't know what will happen.

> Total: connections 4666 requests 9332 replies 9332 test-duration 11.675 s
>
> Connection rate: 399.6 conn/s (2.5 ms/conn, <=1022 concurrent connections)

This one is quite low and makes me suspect you're running inside a VM, in
which case your tests probably don't mean anything if other VMs are running
in parallel on the same machine.

> Errors: total 334 client-timo 0 socket-timo 0 connrefused 0 connreset 0
> Errors: fd-unavail 334 addrunavail 0 ftab-full 0 other 0

This one means that httperf produced its own error and had to abort some
connections due to its own configuration, which totally invalidates the
test.

> ========= HA PROXY PERFORMANCE ==============
>
> httperf --hog --timeout=5 --client=0/1 --server=192.168.57.30 --port=443
> --uri=/index.html --http-version=1.0 --rate=500 --send-buffer=4096
> --recv-buffer=16384 --ssl --ssl-no-reuse --num-conns=5000 --num-calls=2
> httperf: warning: open file limit > FD_SETSIZE; limiting max. # of open
> files to FD_SETSIZE Maximum connect burst length: 394

Here same warning again with a larger max conn burst length (why ?)

> Total: connections 1666 requests 2933 replies 1267 test-duration 16.194 s
>
> Connection rate: 102.9 conn/s (9.7 ms/conn, <=1022 concurrent connections)

This performance level becomes ridiculous.

> Errors: total 5000 client-timo 399 socket-timo 0 connrefused 0 connreset
> 1267 Errors: fd-unavail 3334 addrunavail 0 ftab-full 0 other 0

And here you can see that 2/3 of the connections failed due to
configuration issues on httperf itself.

Also a few comments below :

> ssl-default-bind-ciphers
> ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS

Also I seem to remember that ECDH is different from ECDHE and was slowing
down the handshake. You should definitely check Mozilla's generator below
to ensure that your nginx and haproxy configs are optimal :

    https://mozilla.github.io/server-side-tls/ssl-config-generator/

> ============== MY SYSTEM==========
>
> 8 core 8 GM RAM
>
>                   sign    verify    sign/s verify/s
> rsa  512 bits 0.000157s 0.000013s   6380.2  74831.5
> rsa 1024 bits 0.000782s 0.000040s   1278.0  24937.4
> rsa 2048 bits 0.004854s 0.000142s    206.0   7065.4
> rsa 4096 bits 0.034281s 0.000537s     29.2   1863.5

Here it's quite low... Very low... Makes me think of an embedded device,
but the 8 GB RAM invalidates this option, hence I suspect it's a limited
VM. Here's what I have here on my home PC, it's 41 times faster for half
the core count, so surely there's something wrong on your setup (!) :

  - single core :
                    sign    verify    sign/s  verify/s
  rsa  512 bits 0.000034s 0.000002s  29675.7  519937.1
  rsa 1024 bits 0.000072s 0.000004s  13851.6  222222.3
  rsa 2048 bits 0.000466s 0.000014s   2143.9   73890.8
  rsa 4096 bits 0.003133s 0.000048s    319.2   21014.7

  - 4 cores :
  rsa  512 bits 0.000008s 0.000000s 117647.1 2000000.0
  rsa 1024 bits 0.000018s 0.000001s  55555.6  950000.0
  rsa 2048 bits 0.000118s 0.000003s   8491.2  285714.3
  rsa 4096 bits 0.000793s 0.000012s   1261.0   83333.3

Hoping this helps,
Willy
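Added example, not part of the original message: a small Python check that applies the reading above to an httperf summary and rejects any run in which the load generator dropped connections itself (`fd-unavail`, `addrunavail`, `ftab-full`). The function names and `CLEAN_RUN` are constructed for illustration; the figure 5000 is the `--num-conns` value from the quoted commands.

```python
import re

# Summary lines copied from the two httperf runs quoted in the message above.
NGINX_RUN = """\
Total: connections 4666 requests 9332 replies 9332 test-duration 11.675 s
Errors: total 334 client-timo 0 socket-timo 0 connrefused 0 connreset 0
Errors: fd-unavail 334 addrunavail 0 ftab-full 0 other 0
"""
HAPROXY_RUN = """\
Total: connections 1666 requests 2933 replies 1267 test-duration 16.194 s
Errors: total 5000 client-timo 399 socket-timo 0 connrefused 0 connreset 1267
Errors: fd-unavail 3334 addrunavail 0 ftab-full 0 other 0
"""
# Constructed clean run (not from the thread) to show the passing case.
CLEAN_RUN = """\
Total: connections 5000 requests 10000 replies 10000 test-duration 10.002 s
Errors: total 0 client-timo 0 socket-timo 0 connrefused 0 connreset 0
Errors: fd-unavail 0 addrunavail 0 ftab-full 0 other 0
"""

# Counters raised by the load generator itself, not by the server under test.
CLIENT_SIDE = ("fd-unavail", "addrunavail", "ftab-full")

def parse_httperf(text):
    """Collect 'name value' counters from the Total: and Errors: lines."""
    stats = {}
    for line in text.splitlines():
        head, _, rest = line.partition(":")
        if head not in ("Total", "Errors"):
            continue
        for name, value in re.findall(r"([a-z][a-z-]*) (\d+(?:\.\d+)?)", rest):
            key = "errors-total" if (head, name) == ("Errors", "total") else name
            stats[key] = float(value)
    return stats

def client_side_loss(text, requested_conns):
    """Fraction of requested connections that httperf itself failed to open."""
    stats = parse_httperf(text)
    return sum(stats.get(k, 0) for k in CLIENT_SIDE) / requested_conns

def run_is_usable(text, requested_conns):
    """Usable only if httperf really attempted every requested connection."""
    stats = parse_httperf(text)
    return (client_side_loss(text, requested_conns) == 0
            and stats.get("connections", 0) >= requested_conns)

if __name__ == "__main__":
    for label, run in (("nginx", NGINX_RUN), ("haproxy", HAPROXY_RUN), ("clean", CLEAN_RUN)):
        print(label, f"{client_side_loss(run, 5000):.1%}", run_is_usable(run, 5000))
```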

