Hi,

I guess that 130 is 130 SSL requests per second?

SSL is very heavy processing. The 4096-bit certificates consume more
CPU than 2048 (thanks captain obvious). Your processing capacity is
capped by your CPU. You must check the CPU of your server during your
test. If the CPU consumption is 100%, you have reached the limit of your server.

If you reach the limit of one CPU (nbproc), you can use more CPUs and/or more
servers.

Thierry


> On 19 Dec 2017, at 08:36, Mike G <hongw...@163.com> wrote:
> 
> Hi, everyone. 
> 
> I just ran into a problem with haproxy SSL termination performance.
> We have a case where we want to use SSL termination, so we did some testing
> before going online. I know a virtual machine is not a good choice, but it makes
> me feel so surprised the cur link can be more than 130 when I use a 4096 key.
> Here's my configuration for haproxy:
> 
> haproxy as SSL termination layer before web server.  
> the haproxy version is 1.8.1
> I compile it by myself:
> use the parameter:
>  make TARGET=linux2628 USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1
> 
> Also, I downloaded openssl 1.0.2n from openssl.org, and compiled it with these
> parameters:
> ./config -d zlib
> 
> After installing openssl and haproxy,
> here's my configuration for haproxy:
> global
>     log 127.0.0.1   local0
> 
>     chroot      /var/lib/haproxy
>     pidfile     /var/run/haproxy.pid
>     maxconn 65535
>     group haproxy
>     user haproxy
>     daemon
>     nbproc 1
> 
>     stats socket /var/lib/haproxy/stats
>     tune.ssl.default-dh-param 2048
> 
> defaults
>     mode                    http
>     log                     global
>     option                  redispatch
>     option                  abortonclose
>     log                     127.0.0.1 local0
>     retries                 3
>     maxconn                 65535
>     timeout connect         10s
>     timeout client          1m
>     timeout queue           1m
>     timeout http-request    30s
>     timeout server          1m
>     timeout check           5s
> 
> listen  admin_stats
>     bind 0.0.0.0:20123
>     maxconn 10
>     stats refresh 10s
>     stats uri /web/status
>     stats auth admin:1
>     stats hide-version
> 
> 
> frontend localhost
>     bind *:80
>     bind *:443 ssl crt /etc/ssl/web-zhengshu.pem
>     option httpclose
>     mode http
>     default_backend nodes
> 
> backend nodes
>     mode http
>     balance roundrobin
>     option forwardfor
>     option httpchk GET /check.html
>     server web01 127.0.0.1:8080 check
>     http-request set-header X-Forwarded-Port %[dst_port]
>     http-request add-header X-Forwarded-Proto https if { ssl_fc }
> 
> 
> Note: about the option httpclose, I set it on purpose.
> 
> Also, I use vegeta for testing.
> Here's the testing command line:
> echo "GET https://10.77.77.215/check.html" | ./vegeta.vegeta -cpus=8 attack -duration=90s -rate=800 -insecure | tee reports.bin | ./vegeta.vegeta report
> 
> I found the CPU gets to more than 90% usage very soon, but the haproxy status
> picture is like the one in the attachment.
> 
> The max links is less than around 130.
> 
> But when I changed the SSL certificate file back to 2048, it increases
> to around 800.
> 
> Is there anyone who can help me with how to improve the haproxy SSL termination
> performance?
> 
> 
> Many thanks
> 
> 
> Mike
> 
> <monitor.png>
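
An added example (not part of the thread, and not HAProxy or OpenSSL code): it times the two half-size modular exponentiations that make up one RSA private-key operation in CRT form, the CPU cost a terminating server pays per full handshake with an RSA certificate, for 2048-bit and 4096-bit keys. Random odd integers stand in for real primes and exponents because the cost depends only on operand size; the absolute figures are CPython's and only the slowdown ratio is meaningful, to be compared with the roughly 800 versus 130 reported in the thread.

```python
import secrets
import time


def _odd_with_bits(bits):
    """Random odd integer with exactly `bits` bits (constructed stand-in for a prime)."""
    return secrets.randbits(bits) | (1 << (bits - 1)) | 1


def make_crt_shaped_key(key_bits):
    """Operands sized like an RSA private key in CRT form: (p, q, dp, dq)."""
    half = key_bits // 2
    return tuple(_odd_with_bits(half) for _ in range(4))


def private_op(key, c):
    """The two half-size modular exponentiations of one RSA-CRT private operation."""
    p, q, dp, dq = key
    return pow(c % p, dp, p), pow(c % q, dq, q)


def seconds_per_op(key_bits, rounds=20, repeats=3):
    """Best-of-`repeats` average wall time of one private operation."""
    key = make_crt_shaped_key(key_bits)
    c = secrets.randbits(key_bits - 1)
    best = float("inf")
    for _ in range(repeats):
        start = time.perf_counter()
        for _ in range(rounds):
            private_op(key, c)
        best = min(best, (time.perf_counter() - start) / rounds)
    return best


def compare(small=2048, large=4096):
    """Per-core operation rates for both key sizes and the slowdown factor."""
    t_small, t_large = seconds_per_op(small), seconds_per_op(large)
    return {"small_ops_per_sec": 1 / t_small,
            "large_ops_per_sec": 1 / t_large,
            "slowdown": t_large / t_small}


if __name__ == "__main__":
    r = compare()
    print(f"2048-bit: {r['small_ops_per_sec']:.0f} private ops/s per core")
    print(f"4096-bit: {r['large_ops_per_sec']:.0f} private ops/s per core")
    print(f"slowdown: {r['slowdown']:.1f}x")
```

For figures from the TLS library itself, `openssl speed rsa2048 rsa4096` reports sign operations per second on the machine it runs on.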

