Hi Joao.

On 15.02.2019 at 11:15, Joao Morais wrote:
>
>
>> On 15 Feb 2019, at 07:44, Aleksandar Lazic <[email protected]> wrote:
>>
>> Hi Joao.
>>
>> On 15.02.2019 at 10:21, Joao Morais wrote:
>>>
>>> Hi list, I'm tuning some HAProxy instances in front of a large kubernetes
>>> cluster. The config has about 500 hostnames (a la apache/nginx virtual
>>> hosts), 3 frontends, 1500 backends and 4000 servers. The first frontend is on
>>> tcp mode binding :443, inspecting sni and doing a triage; the second frontend
>>> is binding a unix socket with ca-file (tls authentication); the last frontend
>>> is binding another unix socket, doing ssl-offload but without ca-file. This
>>> last one has about 80% of the hostnames. There is also a ssl-passthrough
>>> config - from the triage frontend straight to a tcp backend.
>>
>> Please can you tell us which haproxy you use and show us the config, thanks.
>
> Hi Aleks, sure. Regarding the config, it has currently about 4k lines only in
> the largest frontend because of the number of hostnames and paths being
> supported. About 98% is acl declarations, http-request, reqrep, redirect
> scheme, use_backend. Most of them I'll move to the backend and this will
> already improve performance. The question is: what about the 2200+
> `use_backend` - is there anything else that could be done?


As I don't know the config, even a snippet could help, let me suggest you try
to use a map for the lookup of the backends.

https://www.haproxy.com/blog/introduction-to-haproxy-maps/

Do you use DNS resolving for the hostnames?

> / # haproxy -vv
> HA-Proxy version 1.8.17 2019/01/08

Even if it's not critical, it would be nice if you can try 1.8.19 or better 1.9.4 ;-)

Regards
Aleks
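
The map lookup suggested in the reply above, sketched as an added example (not configuration from the thread or from either poster). The frontend and backend names, socket path, certificate directory, map file paths and hostnames are all constructed placeholders.

```haproxy
# Before (constructed sample): one acl + use_backend pair per hostname,
# evaluated top to bottom for every request.
#   acl host_app1 hdr(host) -i app1.example.com
#   use_backend be_app1 if host_app1
#   acl host_app2 hdr(host) -i app2.example.com
#   use_backend be_app2 if host_app2
#   ... repeated for every hostname ...

# Map files (constructed content), one "key value" pair per line:
#   /etc/haproxy/maps/paths.map      host + path prefix -> backend
#     app1.example.com/api    be_app1_api
#   /etc/haproxy/maps/hosts.map      exact hostname -> backend
#     app1.example.com        be_app1
#     app2.example.com        be_app2

# After: two lookups replace the whole rule list.
frontend fe_offload
    mode http
    bind unix@/var/run/haproxy/fe_offload.sock ssl crt /etc/haproxy/certs/

    # Host + path routes first. "base" is the Host header concatenated with
    # the path. The "-m found" guard matters: a dynamic use_backend that
    # resolves to a name that is not a configured backend stops rule
    # evaluation and applies default_backend, so without the guard the
    # host-only rule below would never be reached.
    use_backend %[base,map_beg(/etc/haproxy/maps/paths.map)] if { base,map_beg(/etc/haproxy/maps/paths.map) -m found }

    # Host-only routes: strip an optional :port, lower-case, exact match.
    use_backend %[req.hdr(host),field(1,:),lower,map(/etc/haproxy/maps/hosts.map)]

    # Hostnames that are in neither map end up here instead of in some
    # tenant's backend.
    default_backend be_not_found

backend be_not_found
    mode http
    http-request deny

backend be_app1
    mode http
    server s1 10.0.0.11:8080 check

# be_app1_api and be_app2 are defined the same way.
```

Map entries can be changed at runtime over the stats socket with `add map`, `set map` and `del map`, so adding a hostname does not require a reload.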

