Hi Mike,

I do not have examples.

The guidelines for 8 CPUs (considering that your server is dedicated to HAProxy):

7 CPUs dedicated to the SSL and 1 CPU for the HTTP.

Create 1 “listen” section bound to 7 CPUs.
These sections are TCP only (they don’t process HTTP) and decrypt the SSL traffic.
These sections forward the decrypted traffic to a local proxy which processes HTTP.

I hope this quick explanation will help you.

Another way of gaining CPU is to ask about the right usage of 4096-bit keys.
Are they really useful? Are 2048-bit keys not sufficient?

Thierry
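The 7+1 layout described above as a concrete HAProxy 1.8 configuration, added here as an example (it is not from the thread or the HAProxy project). It reuses the certificate path, backend and timeouts from Mike's config; the section names and the abns socket name are assumptions.

```haproxy
global
    daemon
    nbproc 8
    # pin one process per core (process numbers are 1-based, CPU ids 0-based)
    cpu-map 1 0
    cpu-map 2 1
    cpu-map 3 2
    cpu-map 4 3
    cpu-map 5 4
    cpu-map 6 5
    cpu-map 7 6
    cpu-map 8 7
    tune.ssl.default-dh-param 2048

defaults
    log global
    timeout connect 10s
    timeout client 1m
    timeout server 1m

# processes 2-8: TLS only, TCP mode, so no HTTP parsing on these cores
listen tls-offload
    bind-process 2-8
    mode tcp
    bind *:443 ssl crt /etc/ssl/web-zhengshu.pem
    # hand the decrypted stream to the HTTP process over an abstract unix socket
    # (Linux only; "haproxy-http" is an assumed name); PROXY v2 keeps the client address
    server http-proc abns@haproxy-http send-proxy-v2

# process 1: all HTTP work (headers, accounting, rate/connection limits)
frontend http-in
    bind-process 1
    mode http
    bind *:80
    bind abns@haproxy-http accept-proxy
    # accept-proxy restores the original destination, so port 443 here
    # means the request was decrypted by the tls-offload section
    acl via_tls dst_port 443
    http-request set-header X-Forwarded-Proto https if via_tls
    http-request set-header X-Forwarded-Proto http if !via_tls
    default_backend nodes

backend nodes
    bind-process 1
    mode http
    balance roundrobin
    option forwardfor
    option httpchk GET /check.html
    server web01 127.0.0.1:8080 check
```

Stick tables and counters are kept per process in this mode, which is why all HTTP-level accounting and limits belong on process 1.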


> On 19 Dec 2017, at 16:14, [email protected] wrote:
> 
> Hi, Thierry.
> 
> Thanks again.
> 
> One more question about what you were talking about: can I think of it this way: 
> assume we have an 8-core CPU, we use 7 of them for SSL termination and one 
> for HTTP forwarding? If so, is there any document for this solution?
> 
> Thanks a lot
> 
> Mike
> 
> 
> 
> -------- Original message --------
> Subject: Re: Haproxy SSl Termination performance issue
> From: Thierry Fournier 
> To: Mike G 
> Cc: Haproxy 
> 
> 
> Ok, you’re using HAProxy as SSL offloading. HAProxy is one of the
> right solutions for doing this. Your performance problem is not
> due to HAProxy; each component using OpenSSL will reach the same
> limits.
> 
> The classic setup is to configure many processes for the SSL offloading
> (proxy in TCP mode), and only one for the HTTP. This setup works
> fine because it allows many CPUs for the SSL, which requires computing,
> and the HTTP processing is done by only one process which can
> perform accounting and apply limits (rate limit, connection limit,
> ...). 
> 
> Thierry
> 
> 
> > On 19 Dec 2017, at 12:44, Mike G wrote:
> > 
> > 
> > 
> > Hi, Thierry.
> > 
> > Our case is like this: we put HAProxy as SSL termination. HAProxy gets 
> > the HTTPS request, which then goes through SSL termination, and then 
> > forwards 
> > the request to the web server (by HTTP); it also gets the HTTP request and encrypts it, 
> > and returns HTTPS to the client.
> > 
> > 
> > thanks
> > 
> > Mike
> > 
> > 
> > 
> > 
> > 
> > At 2017-12-19 19:25:09, "Thierry Fournier" wrote:
> > >Hi,
> > >
> > >What kind of job ?
> > >
> > >Thierry
> > >
> > >> On 19 Dec 2017, at 12:17, [email protected] wrote:
> > >> 
> > >> Hi, Thierry
> > >> 
> > >> Got it. Thanks!
> > >> 
> > >> By the way, may I ask if SSL termination is the best solution for this kind 
> > >> of job?
> > >> 
> > >> 
> > >> Many thanks
> > >> 
> > >> Mike
> > >> 
> > >> 
> > >> 
> > >> -------- Original message --------
> > >> Subject: Re: Haproxy SSl Termination performance issue
> > >> From: Thierry Fournier 
> > >> To: Mike G 
> > >> Cc: Haproxy 
> > >> 
> > >> 
> > >> Hi,
> > >> 
> > >> I guess that 130 is 130 SSL requests per second?
> > >> 
> > >> SSL is very heavy processing. The 4096-bit certificates consume more
> > >> CPU than 2048 (thanks captain obvious). Your processing capacity is
> > >> capped by your CPU. You must check the CPU of your server during your
> > >> test. If the CPU consumption is 100%, you have reached the limit of your 
> > >> server.
> > >> 
> > >> If you reach the limit of one CPU (nbproc), you can use more CPUs and/or 
> > >> more servers.
> > >> 
> > >> Thierry
> > >> 
> > >> 
> > >> > On 19 Dec 2017, at 08:36, Mike G wrote:
> > >> > 
> > >> > Hi, everyone. 
> > >> > 
> > >> > I just got a problem with the HAProxy SSL termination performance. 
> > >> > We have a case which wants to use SSL termination, so we did some 
> > >> > testing before going online. I know a virtual machine will not be a good 
> > >> > choice, but it makes me feel so surprised that the cur link can be more than 130 
> > >> > when I use a 4096 key.
> > >> > Here's my configuration for HAProxy:
> > >> > 
> > >> > HAProxy as the SSL termination layer before the web server. 
> > >> > The HAProxy version is 1.8.1.
> > >> > I compiled it myself with these parameters:
> > >> > make TARGET=linux2628 USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1
> > >> > 
> > >> > Also, I downloaded OpenSSL 1.0.2n from openssl.org and compiled it with 
> > >> > these parameters:
> > >> > ./config -d zlib
> > >> > 
> > >> > After installing OpenSSL and HAProxy, here's my configuration for HAProxy:
> > >> > global
> > >> >     log 127.0.0.1 local0
> > >> > 
> > >> >     chroot /var/lib/haproxy
> > >> >     pidfile /var/run/haproxy.pid
> > >> >     maxconn 65535
> > >> >     group haproxy
> > >> >     user haproxy
> > >> >     daemon
> > >> >     nbproc 1
> > >> > 
> > >> >     stats socket /var/lib/haproxy/stats
> > >> >     tune.ssl.default-dh-param 2048
> > >> > 
> > >> > defaults
> > >> >     mode http
> > >> >     log global
> > >> >     option redispatch
> > >> >     option abortonclose
> > >> >     log 127.0.0.1 local0
> > >> >     retries 3
> > >> >     maxconn 65535
> > >> >     timeout connect 10s
> > >> >     timeout client 1m
> > >> >     timeout queue 1m
> > >> >     timeout http-request 30s
> > >> >     timeout server 1m
> > >> >     timeout check 5s
> > >> > 
> > >> > listen admin_stats
> > >> >     bind 0.0.0.0:20123
> > >> >     maxconn 10
> > >> >     stats refresh 10s
> > >> >     stats uri /web/status
> > >> >     stats auth admin:1
> > >> >     stats hide-version
> > >> > 
> > >> > frontend localhost
> > >> >     bind *:80
> > >> >     bind *:443 ssl crt /etc/ssl/web-zhengshu.pem
> > >> >     option httpclose
> > >> >     mode http
> > >> >     default_backend nodes
> > >> > 
> > >> > backend nodes
> > >> >     mode http
> > >> >     balance roundrobin
> > >> >     option forwardfor
> > >> >     option httpchk GET /check.html
> > >> >     server web01 127.0.0.1:8080 check
> > >> >     http-request set-header X-Forwarded-Port %[dst_port]
> > >> >     http-request add-header X-Forwarded-Proto https if { ssl_fc }
> > >> > 
> > >> > 
> > >> > Note: about the option httpclose, I set it on purpose.
> > >> > 
> > >> > Also, I use vegeta for testing.
> > >> > Here's the testing command line:
> > >> > echo "GET https://10.77.77.215/check.html" | ./vegeta.vegeta -cpus=8 \
> > >> >   attack -duration=90s -rate=800 -insecure | tee reports.bin | \
> > >> >   ./vegeta.vegeta report
> > >> > 
> > >> > I found the CPU gets more than 90% usage very soon, but the HAProxy 
> > >> > status picture is like the one in the attachment.
> > >> > 
> > >> > The max links is less than around 130.
> > >> > 
> > >> > But when I changed the SSL certificate file back to 2048, it 
> > >> > increased to around 800.
> > >> > 
> > >> > Is there anyone who can help me with how to improve the HAProxy SSL 
> > >> > termination performance?
> > >> > 
> > >> > 
> > >> > Many thanks
> > >> > 
> > >> > 
> > >> > Mike

