Hi Willy,

I ended up adding an actual backend to perform the test (reused my nginx instance I had already), so the connection between haproxy and nginx would be a matter of localhost traffic – and I was indeed able to reach about 18k req/s on a single core with keep-alive.

I can see that reply didn’t reach the mailing list however, since I failed to see that the mailing list doesn’t do an automatic “reply-to: [email protected]” so have to manually add it, so it’s all solved, and I’m happy with the results – on this specific server I was testing from, I did reach about 65k req/s on relatively cheap hardware, so even if I want to scale to 100k+ req/s it should be no problem from what I can see (I know there will be a slightly bigger overhead when doing a lot of clients also because of networking involving more than a single client).

So thanks a lot!

Best Regards,
Lucas Rolff

On 27/12/2017, 19.01, "Willy Tarreau" <[email protected]> wrote:

On Tue, Dec 26, 2017 at 10:28:57AM +0100, Jérôme Magnin wrote:
> 748 looks like what a single core on a VM can achieve in terms of private key
> computation with rsa 2048 certs. You can confirm this by running the following
> command in your vm:
>
> openssl speed rsa2048.
>
> 21000 is too high to be key computation only.

Indeed, clearly one is doing RSA only while the other one does resume.

> > My haproxy config looks like this: https://gist.github.com/lucasRolff/36fc84ac44aad559c1d43ab6f30237c8
>
> This configuration has no backend, so each request will be replied to with a 503
> response containing a connection: close header, which means each request will
> lead to a key computation.

Good catch, indeed the error (even if it's rewritten as a fake 200) will result in the connection being aborted and I guess then the SSL context is not kept in ab in this case.

Lucas, a better solution is to use a redirect, such as :

    redirect location /foo

This will not cost much and will perform a complete HTTP rules evaluation as well.

Some of the numbers we've observed here on a single core/single threaded core i7-4790 :

    1350 TLSv1.2 key computations/s (RSA2048)
    14000 TLSv1.2 connection resumes/s
    180000 req/s over TLSv1.2 (keep-alive)

By using the redirect above instead of the errorfile, you should be able to test all these.

Willy

