Hi Stefan

Stefan Sticht wrote:
> I also can test the webserver directly bypassing the haproxy completely
> (apache2.4 on webserver has "KeepAlive Off" configured)
> $ ab -v 1 -c 10 -n 1000 http://10.27.100.45/test/index.html | grep -e Requests -e Complete -e Failed
> Complete requests: 1000
> Failed requests: 0
> Requests per second: 7948.87 [#/sec] (mean)

Here, you are running ab over plain HTTP to your backend server.

>> Without forceclose:
>>
>> $ ab -v 1 -k -c 10 -n 1000 https://w:8001/test/index.html | grep -e Requests -e Complete -e Failed
>> Complete requests: 1000
>> Failed requests: 0
>> Requests per second: 1112.29 [#/sec] (mean)
>>
>> With forceclose:
>>
>> $ ab -v 1 -k -c 10 -n 1000 https://w:8003/test/index.html | grep -e Requests -e Complete -e Failed
>> Complete requests: 1000
>> Failed requests: 0
>> Requests per second: 25.86 [#/sec] (mean)

However, with these tests, you are running over TLS. This makes a huge difference in performance. Since the most expensive part of a TLS tunnel is to establish the connection (which involves slow asymmetric encryption), you are basically constrained here.

Now, in the real world, most clients will try to re-use existing TLS sessions using either server-stored TLS sessions or client-stored TLS tickets, both of which allow them to skip the most expensive part of a new connection. Apache bench does not re-use sessions. As such, what you are effectively benchmarking here is the ability of your server to handle new TLS handshakes.

When disabling keep-alive, ab has to create a completely new TLS connection for each request while it reuses the existing connections with keep-alive enabled. This alone can explain the performance differences you see there.

Now, even with a server without AES-NI support in the CPU, 25 handshakes per second and core is still pretty low. With a modern CPU, I would expect about 350 handshakes per second and core.

In any case, you could increase performance by running with a larger nbproc for your SSL handling (e.g. as many as you have cores or even hyperthreads) and by using a CPU which has AES-NI support and is thus able to perform many expensive operations for the asymmetric crypto in hardware. Getting rid of virtualization layers also helps tremendously.

The biggest performance increase when using HTTPS in the real world however would probably be to actually enable keep-alive at least between the client and haproxy.

Regards,
Holger
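
The difference between new and re-used TLS sessions discussed in the mail above can be measured without ab or a network. The following is an added example, not part of the original message: it runs TLS handshakes in memory between a client and a server context and reports full versus resumed handshakes per second on one core. Assumptions: the openssl command is on PATH to create a throwaway self-signed certificate, TLS 1.2 is pinned so the session ticket arrives during the handshake, and all function names are made up for this example.

```python
import os, ssl, subprocess, tempfile, time

def make_contexts():
    """Build a client/server context pair around a throwaway self-signed cert."""
    with tempfile.TemporaryDirectory() as d:
        key, crt = os.path.join(d, "key.pem"), os.path.join(d, "crt.pem")
        subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                        "-keyout", key, "-out", crt, "-days", "1",
                        "-subj", "/CN=localhost", "-addext", "subjectAltName=DNS:localhost"],
                       check=True, capture_output=True)
        sctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        sctx.load_cert_chain(crt, key)
        cctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        cctx.load_verify_locations(crt)   # trust only the constructed test cert
    # Pin TLS 1.2 so the session ticket is delivered inside the handshake itself.
    cctx.maximum_version = ssl.TLSVersion.TLSv1_2
    return cctx, sctx

def handshake(cctx, sctx, session=None):
    """Run one in-memory handshake; return (client session, session_reused)."""
    c_in, c_out, s_in, s_out = (ssl.MemoryBIO() for _ in range(4))
    client = cctx.wrap_bio(c_in, c_out, server_hostname="localhost", session=session)
    server = sctx.wrap_bio(s_in, s_out, server_side=True)
    pending = [client, server]
    while pending:
        for side in list(pending):
            try:
                side.do_handshake()
                pending.remove(side)
            except ssl.SSLWantReadError:
                pass                      # waiting for the peer's next flight
        for src, dst in ((c_out, s_in), (s_out, c_in)):
            data = src.read()             # shuttle handshake records between the BIOs
            if data:
                dst.write(data)
    return client.session, client.session_reused

def handshakes_per_second(cctx, sctx, n=50, session=None):
    """Time n handshakes; every one must be resumed iff a session was offered."""
    start = time.perf_counter()
    for _ in range(n):
        _, reused = handshake(cctx, sctx, session)
        assert reused == (session is not None)
    return n / (time.perf_counter() - start)

if __name__ == "__main__":
    cctx, sctx = make_contexts()
    ticket, _ = handshake(cctx, sctx)     # one full handshake yields a reusable session
    print("full handshakes/s:   ", round(handshakes_per_second(cctx, sctx)))
    print("resumed handshakes/s:", round(handshakes_per_second(cctx, sctx, session=ticket)))
```

The numbers cover only the handshake CPU cost inside one Python process, so they show the ratio between the two cases rather than what haproxy itself would reach.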

