Thanks a lot. I will look into your suggestion and retry with the correct option.

On Fri, Sep 30, 2016 at 10:46 AM, Willy Tarreau <[email protected]> wrote:

> Hi,
>
> On Fri, Sep 30, 2016 at 09:09:07AM +0530, Rajesh Mahajan wrote:
> > Hi
> > We are using haproxy as loadbalancer also want to use it as ssl terminal
> > but we are not getting performance as we get through nginx system. Please
> > suggest the best configuration to achieve the same. I have tried all ssl
> > optimization on both haproxy and nginx.
> > Below are performance stats
>
> Your test reports many errors for both products and incorrect test
> conditions, so in practice until you can either :
>   - demonstrate that these errors are expected
>   - solve them
>
> you can't tell anything about "performance" (which seems low for both
> products, as both nginx and haproxy are known for being much faster
> than this).
>
> Look :
>
> > =========== NGINX PERFORMANCE ====================
> >
> > httperf --hog --timeout=5 --client=0/1 --server=192.168.57.30 --port=8443
> > --uri=/index.html --http-version=1.0 --rate=500 --send-buffer=4096
> > --recv-buffer=16384 --ssl --ssl-no-reuse --num-conns=5000 --num-calls=2
> > httperf: warning: open file limit > FD_SETSIZE; limiting max. # of open
> > files to FD_SETSIZE
> > Maximum connect burst length: 19
>
> This warning basically says that it will not be able to handle all
> connections in parallel and that you don't know what will happen.
>
> > Total: connections 4666 requests 9332 replies 9332 test-duration 11.675 s
> >
> > Connection rate: 399.6 conn/s (2.5 ms/conn, <=1022 concurrent connections)
>
> This one is quite low and makes me suspect you're running inside a VM,
> in which case your tests probably don't mean anything if other VMs are
> running in parallel on the same machine.
>
> > Errors: total 334 client-timo 0 socket-timo 0 connrefused 0 connreset 0
> > Errors: fd-unavail 334 addrunavail 0 ftab-full 0 other 0
>
> This one means that httperf produced its own error and had to abort some
> connections due to its own configuration, which totally invalidates the
> test.
>
> > ========= HA PROXY PERFORMANCE ==============
> >
> > httperf --hog --timeout=5 --client=0/1 --server=192.168.57.30 --port=443
> > --uri=/index.html --http-version=1.0 --rate=500 --send-buffer=4096
> > --recv-buffer=16384 --ssl --ssl-no-reuse --num-conns=5000 --num-calls=2
> > httperf: warning: open file limit > FD_SETSIZE; limiting max. # of open
> > files to FD_SETSIZE
> > Maximum connect burst length: 394
>
> Here same warning again with a larger max conn burst length (why ?)
>
> > Total: connections 1666 requests 2933 replies 1267 test-duration 16.194 s
> >
> > Connection rate: 102.9 conn/s (9.7 ms/conn, <=1022 concurrent connections)
>
> This performance level becomes ridiculous.
>
> > Errors: total 5000 client-timo 399 socket-timo 0 connrefused 0 connreset 1267
> > Errors: fd-unavail 3334 addrunavail 0 ftab-full 0 other 0
>
> And here you can see that 2/3 of the connections failed due to configuration
> issues on httperf itself.
>
> Also a few comments below :
>
> > ssl-default-bind-ciphers
> > ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
>
> Also I seem to remember that ECDH is different from ECDHE and was slowing
> down the handshake. You should definitely check Mozilla's generator below
> to ensure that your nginx and haproxy configs are optimal :
>
>     https://mozilla.github.io/server-side-tls/ssl-config-generator/
>
> > ============== MY SYSTEM==========
> >
> > 8 core 8 GB RAM
> >
> >                   sign    verify    sign/s verify/s
> >
> > rsa  512 bits 0.000157s 0.000013s   6380.2  74831.5
> > rsa 1024 bits 0.000782s 0.000040s   1278.0  24937.4
> > rsa 2048 bits 0.004854s 0.000142s    206.0   7065.4
> > rsa 4096 bits 0.034281s 0.000537s     29.2   1863.5
>
> Here it's quite low... Very low... Makes me think of an embedded
> device, but the 8 GB RAM invalidates this option, hence I suspect
> it's a limited VM. Here's what I have here on my home PC, it's
> 41 times faster for half the core count, so surely there's
> something wrong on your setup (!) :
>
>   - single core :
>
>                   sign    verify    sign/s verify/s
> rsa  512 bits 0.000034s 0.000002s  29675.7 519937.1
> rsa 1024 bits 0.000072s 0.000004s  13851.6 222222.3
> rsa 2048 bits 0.000466s 0.000014s   2143.9  73890.8
> rsa 4096 bits 0.003133s 0.000048s    319.2  21014.7
>
>   - 4 cores :
>
> rsa  512 bits 0.000008s 0.000000s 117647.1 2000000.0
> rsa 1024 bits 0.000018s 0.000001s  55555.6  950000.0
> rsa 2048 bits 0.000118s 0.000003s   8491.2  285714.3
> rsa 4096 bits 0.000793s 0.000012s   1261.0   83333.3
>
> Hoping this helps,
> Willy
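
The validity check that the reply applies by eye to both httperf runs, written out as an added example that is not part of the original thread or of httperf or haproxy. The function name `assess_httperf` is hypothetical, the sample input is the summary lines quoted above, and `num_conns` is the `--num-conns=5000` value from the quoted command lines.

```python
import re

# Counters that httperf raises about the load generator itself (out of file
# descriptors, out of local ports, system file table full). Grouping them as
# "client side" is this example's assumption, following the reply above.
CLIENT_SIDE = ("fd-unavail", "addrunavail", "ftab-full")

# Sample input: summary lines copied from the two runs quoted in the thread.
NGINX_RUN = """\
httperf: warning: open file limit > FD_SETSIZE; limiting max. # of open files to FD_SETSIZE
Errors: total 334 client-timo 0 socket-timo 0 connrefused 0 connreset 0
Errors: fd-unavail 334 addrunavail 0 ftab-full 0 other 0
"""
HAPROXY_RUN = """\
httperf: warning: open file limit > FD_SETSIZE; limiting max. # of open files to FD_SETSIZE
Errors: total 5000 client-timo 399 socket-timo 0 connrefused 0 connreset 1267
Errors: fd-unavail 3334 addrunavail 0 ftab-full 0 other 0
"""


def assess_httperf(output, num_conns):
    """Decide whether an httperf run measured the server or the client's limits."""
    errors = {}
    for line in output.splitlines():
        if line.startswith("Errors:"):
            # Each Errors line is a flat run of "<counter> <count>" pairs.
            for name, count in re.findall(r"([a-z-]+) (\d+)", line[len("Errors:"):]):
                errors[name] = int(count)
    client_side = sum(errors.get(name, 0) for name in CLIENT_SIDE)
    fd_capped = "FD_SETSIZE" in output
    return {
        "fd_capped": fd_capped,
        "client_side_errors": client_side,
        "client_side_fraction": round(client_side / num_conns, 3),
        "other_errors": errors.get("total", 0) - client_side,
        # Any generator-side failure means the numbers do not describe the server.
        "usable": client_side == 0 and not fd_capped,
    }


if __name__ == "__main__":
    for label, run in (("nginx", NGINX_RUN), ("haproxy", HAPROXY_RUN)):
        print(label, assess_httperf(run, num_conns=5000))
```

Both quoted runs come back as not usable, and the haproxy run shows the two-thirds generator-side failure rate pointed out in the reply.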

