Hi,

What kind of job?

Thierry

> On 19 Dec 2017, at 12:17, [email protected] wrote:
>
> Hi, Thierry
>
> got it. Thanks!
>
> By the way, may I ask if SSL termination is the best solution for this kind of
> job?
>
> Many thanks
>
> Mike
>
> -------- Original Message --------
> Subject: Re: Haproxy SSl Termination performance issue
> From: Thierry Fournier
> To: Mike G
> Cc: Haproxy
>
> Hi,
>
> I guess that 130 is 130 SSL requests per second?
>
> SSL is a very heavy processing. The 4096-bit certificates consume more
> CPU than 2048 (thanks captain obvious). Your processing capacity is
> capped by your CPU. You must check the CPU of your server during your
> test. If the CPU consumption is 100%, you have reached the limit of your server.
>
> If you reach the limit of one CPU (nbproc), you can use more CPU and/or more
> servers.
>
> Thierry
>
> > On 19 Dec 2017, at 08:36, Mike G wrote:
> >
> > Hi, everyone.
> >
> > I just got a problem about the haproxy ssl termination performance issues.
> > We have a case which wants to use SSL termination, so we did some testing
> > before going online. I know the virtual machine is not a good choice, but it makes
> > me feel so surprised the cur link can be more than 130 when I use 4096 key.
> > Here's my configuration about the haproxy:
> >
> > haproxy as SSL termination layer before web server.
> > the haproxy version is 1.8.1
> > I compiled it myself, using the parameters:
> > make TARGET=linux2628 USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1
> >
> > Also, I downloaded openssl 1.0.2n from openssl.org, and compiled it with these
> > parameters:
> > ./config -d zlib
> >
> > After installing openssl and haproxy,
> > here's my configuration about the haproxy:
> >
> > global
> >     log 127.0.0.1 local0
> >
> >     chroot /var/lib/haproxy
> >     pidfile /var/run/haproxy.pid
> >     maxconn 65535
> >     group haproxy
> >     user haproxy
> >     daemon
> >     nbproc 1
> >
> >     stats socket /var/lib/haproxy/stats
> >     tune.ssl.default-dh-param 2048
> >
> > defaults
> >     mode http
> >     log global
> >     option redispatch
> >     option abortonclose
> >     log 127.0.0.1 local0
> >     retries 3
> >     maxconn 65535
> >     timeout connect 10s
> >     timeout client 1m
> >     timeout queue 1m
> >     timeout http-request 30s
> >     timeout server 1m
> >     timeout check 5s
> >
> > listen admin_stats
> >     bind 0.0.0.0:20123
> >     maxconn 10
> >     stats refresh 10s
> >     stats uri /web/status
> >     stats auth admin:1
> >     stats hide-version
> >
> > frontend localhost
> >     bind *:80
> >     bind *:443 ssl crt /etc/ssl/web-zhengshu.pem
> >     option httpclose
> >     mode http
> >     default_backend nodes
> >
> > backend nodes
> >     mode http
> >     balance roundrobin
> >     option forwardfor
> >     option httpchk GET /check.html
> >     server web01 127.0.0.1:8080 check
> >     http-request set-header X-Forwarded-Port %[dst_port]
> >     http-request add-header X-Forwarded-Proto https if { ssl_fc }
> >
> > Note: about the option httpclose, I set it on purpose.
> >
> > Also, I use vegeta for testing.
> > Here's the testing command line:
> > echo "GET https://10.77.77.215/check.html" | ./vegeta.vegeta -cpus=8 attack -duration=90s -rate=800 -insecure | tee reports.bin | ./vegeta.vegeta report
> >
> > I found the CPU gets to more than 90% usage very soon, but the haproxy
> > status picture is like in the attachment.
> >
> > The max links is less than 130 around.
> >
> > But when I changed the SSL certificate file back to 2048, it
> > increases to around 800.
> >
> > Is there anyone who can help me with how to improve the haproxy ssl
> > termination performance?
> >
> > Many thanks
> >
> > Mike
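As an added illustration (not part of the thread, and not HAProxy or OpenSSL code), the Python sketch below times the modular exponentiation that dominates an RSA private-key operation at 2048 and 4096 bits, which is the per-handshake CPU cost the reply above refers to. The moduli are constructed random integers rather than real keys, and the CRT optimisation used by real TLS libraries is left out, so only the ratio between the two sizes is meaningful, not the absolute timings.

```python
import secrets
import time


def random_odd(bits):
    """Constructed odd integer with the top bit set (stand-in for an RSA modulus)."""
    return secrets.randbits(bits) | (1 << (bits - 1)) | 1


def private_op_seconds(bits, rounds=5):
    """Best-of-`rounds` time for one modexp with a near full-size private exponent."""
    n = random_odd(bits)             # modulus-sized value, not a real key
    d = random_odd(bits - 1)         # exponent about as long as the modulus
    m = secrets.randbits(bits - 1)   # message representative, always below n
    best = float("inf")
    for _ in range(rounds):
        start = time.perf_counter()
        pow(m, d, n)                 # the operation done once per full RSA handshake
        best = min(best, time.perf_counter() - start)
    return best


def handshake_cost_ratio(small=2048, large=4096):
    """How many times more CPU one private-key operation costs at `large` bits."""
    return private_op_seconds(large) / private_op_seconds(small)


def cpu_bound_rate(rate_small, ratio):
    """Expected handshake rate at the larger key size if the CPU is the only limit."""
    return rate_small / ratio


if __name__ == "__main__":
    ratio = handshake_cost_ratio()
    print(f"4096-bit private op costs about {ratio:.1f}x the 2048-bit one")
    # 800 and 130 are the rates reported in the thread for 2048 and 4096 bit keys.
    print(f"thread reports 800 -> 130 per second, a factor of {800 / 130:.1f}")
    print(f"CPU-bound estimate from this machine: {cpu_bound_rate(800, ratio):.0f} per second")
```

If the measured ratio is close to the drop seen in the load test, the frontend is limited by private-key operations on one core rather than by the proxy configuration.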

