Hi Joao.

On 15.02.2019 at 10:21, Joao Morais wrote:
>
> Hi list, I'm tuning some HAProxy instances in front of a large kubernetes cluster. The config has about 500 hostnames (a la apache/nginx virtual hosts), 3 frontends, 1500 backends and 4000 servers. The first frontend is in tcp mode binding :443, inspecting SNI and doing a triage; the second frontend is binding a unix socket with ca-file (TLS authentication); the last frontend is binding another unix socket, doing ssl-offload but without ca-file. This last one has about 80% of the hostnames. There is also an ssl-passthrough config - from the triage frontend straight to a tcp backend.

Please can you tell us which haproxy you use and show us the config, thanks.

haproxy -vv

Regards
Aleks

> I'm observing some latency on moderate loads (200+ rps per instance) - on my tests, the p95 was about 25ms only in the proxy, and the major issue is that I cannot have a throughput above 600 rps. This latency moves easily from 25ms on p95 to 1s or more on p50 with 700+ rps. The problem is of course the big amount of rules in the frontend: haproxy needs to check every single bit of configuration for every single host and every single path. Moving the testing hostname to a dedicated frontend with only its own rules gives me about 5ms of p95 latency and more than 5000 rps.
>
> These are my ideas so far regarding tuning such a configuration:
>
> * Move all possible rules to the backend. Some txn vars should be created in order to be inspected there. This will of course help but there is still a lot of `use_backend if <host-acl> <path-acl>` that cannot be removed, I think, which are being evaluated on every single request regardless of the hostname that I'm really interested in. There are some hostnames without path acl, but there are also hostnames with 10+ different paths and their 10+ `use_backend`.
>
> * Create some more frontends and unix sockets with at most 50 hostnames or so. Pros: after the triage, each frontend will have the `use_backend if` of only another 49 hostnames. Cons: if some client doesn't send the sni extension, the right frontend couldn't be found.
>
> * Perhaps there is a hidden `if <acl> do <some keywords here> done` that I'm missing which would improve performance, since I can help HAProxy to process only the keywords I'm really interested in that request.
>
> * Nbthreads was already tested, I'm using 3 that has the best performance on an 8 cores VM. 4+ threads doesn't scale. Nbprocs will also be used, I'm tuning a per process configuration now.
>
> Is there any other approach I'm missing?
>
> Every single millisecond will help.
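Added example, not part of the thread and not Joao's or Aleks' config: a sketch of the three-frontend layout described above (tcp SNI triage on :443, a TLS-auth socket, a TLS-offload socket and a passthrough backend) with the per-hostname and per-path `use_backend if` chains replaced by map lookups, so the routing cost per request no longer grows with the number of hostnames. Backend names, socket paths, IPs, certificate directory and the map file paths are assumptions for illustration; the map converters (`map_str`, `map_beg`), `base`, `req.ssl_sni` and txn variables are standard HAProxy keywords.

```haproxy
# Added example (not from the thread). Backend names, socket/map/cert paths
# and addresses are assumptions; replace them with your own.

global
    nbthread 3

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# 1) TCP triage on :443: pick the next hop by SNI with one map lookup each
#    instead of one ACL per hostname.
frontend fe_triage
    mode tcp
    bind :443
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    # passthrough.map: "<sni> be_passthrough"   tls_auth.map: "<sni> be_to_tlsauth"
    use_backend be_passthrough if { req.ssl_sni,lower,map_str(/etc/haproxy/passthrough.map) -m found }
    use_backend be_to_tlsauth  if { req.ssl_sni,lower,map_str(/etc/haproxy/tls_auth.map) -m found }
    # Clients without SNI fall through here, so this must be the 80% case.
    default_backend be_to_offload

backend be_to_offload
    mode tcp
    server offload unix@/var/run/haproxy-offload.sock send-proxy-v2

backend be_to_tlsauth
    mode tcp
    server tlsauth unix@/var/run/haproxy-tlsauth.sock send-proxy-v2

backend be_passthrough
    mode tcp
    server app 10.0.0.10:443

# 2) TLS-offload frontend: route on host+path with a single prefix-map lookup.
#    routes.map lines look like:
#        www.example.com/api   be_api
#        www.example.com/      be_web
frontend fe_offload
    bind unix@/var/run/haproxy-offload.sock accept-proxy ssl crt /etc/haproxy/certs/
    # Keep the host around as a txn var so backend-side rules can use it
    # without re-parsing headers.
    http-request set-var(txn.host) req.hdr(host),field(1,:),lower
    # "base" is the Host header concatenated with the request path.
    use_backend %[base,lower,map_beg(/etc/haproxy/routes.map)]
    default_backend be_nomatch

# 3) TLS-auth frontend: same idea, client certificate required.
frontend fe_tlsauth
    bind unix@/var/run/haproxy-tlsauth.sock accept-proxy ssl crt /etc/haproxy/certs/ ca-file /etc/haproxy/clients-ca.pem verify required
    http-request set-var(txn.host) req.hdr(host),field(1,:),lower
    use_backend %[base,lower,map_beg(/etc/haproxy/routes_auth.map)]
    default_backend be_nomatch

backend be_nomatch
    http-request deny deny_status 404

backend be_api
    # Rules placed here only run for requests that were routed here.
    http-request deny if { var(txn.host) -m end .internal.example.com }
    server api1 10.0.1.10:8080 check

backend be_web
    server web1 10.0.1.20:8080 check
```

Two caveats worth keeping in mind with this layout: the SNI-less clients Joao mentions always land in `default_backend`, so the frontend reached without SNI has to be the one that can serve them; and `map_beg` is a prefix match, so entries with overlapping prefixes (for example `/api` and `/api-v2`) need to be checked against the map matching rules of the HAProxy version in use before relying on them.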

