RE: General SSL vs. non-SSL Performance

2016-03-19 Thread Lukas Tribus
>> Hm, I haven't tried Apache yet but would that be a huge benefit compared >> to a setup using nbproc> 1? > > I haven't tried it either, but yes, I would assume so. To be more specific: the number of TLS handshakes would probably be similar, especially in a nbproc>1 configuration, but when you

Re: [PATCH] MINOR: DeviceAtlas slight update

2016-03-19 Thread Willy Tarreau
On Wed, Mar 16, 2016 at 10:21:26AM +, David Carlier wrote: > Here a little update of the DeviceAtlas module which use the new wider 64 > bytes ARG# macros introduced recently, plus documentations related changes. Applied, thanks David! Willy

Re: General SSL vs. non-SSL Performance

2016-03-19 Thread Dennis Jacobfeuerborn
On 18.03.2016 11:46, Willy Tarreau wrote: > Hi Christian, > > On Fri, Mar 18, 2016 at 11:31:57AM +0100, Christian Ruppert wrote: >> I also just stumbled over this: >> https://software.intel.com/en-us/articles/accelerating-ssl-load-balancers-with-intel-xeon-v3-processors >> Might be interesting

RE: General SSL vs. non-SSL Performance

2016-03-19 Thread Lukas Tribus
> The "option httpclose" was on purpose. Also the client could (during a > attack) simply do the same and achieve the same result. I don't think > that will help in such cases. So what you are actually and purposely benchmarking are SSL/TLS handshakes, because that's the bottleneck you are trying

Re: Help! HAProxy randomly failing health checks!

2016-03-19 Thread Igor Cicimov
On Thu, Mar 17, 2016 at 10:47 AM, Igor Cicimov < ig...@encompasscorporation.com> wrote: > > > On Thu, Mar 17, 2016 at 5:29 AM, Zachary Punches > wrote: > >> I’m not, these guys aren’t sitting behind an ELB. They sit behind route53 >> routing. If one of the proxy boxes fails

Re: General SSL vs. non-SSL Performance

2016-03-19 Thread Nenad Merdanovic
Hello Pavlos, On 3/17/2016 4:45 PM, Pavlos Parissis wrote: > I am working(not very actively) on a solution which utilizes this. > It will use www.vaultproject.io as central store, a generating engine > and a pull/push mechanism in place. > > But, the current version of HAProxy doesn't support

RE: General SSL vs. non-SSL Performance

2016-03-19 Thread Lukas Tribus
> Some customers may require 4096 bit keys as it seems to be much more > decent than 2048 nowadays. I've not come across any recommendations pointing in that direction, in fact 2048-bit RSA are supposed to be safe for commercial use until 2030. I don't think this is a real requirement from

IDEA: initial-state up/down option for servers

2016-03-19 Thread Chris Warren
Hi, We use haproxy in an auto-scaling environment. On an auto-scaling event, the haproxy configuration is rewritten to list all existing servers for each proxied service. A graceful reload is then performed. The issue is that by default haproxy assumes a server is UP (going down) until the

Re: General SSL vs. non-SSL Performance

2016-03-19 Thread Willy Tarreau
Hi Christian, On Wed, Mar 16, 2016 at 05:25:53PM +0100, Christian Ruppert wrote: > Hi Lukas, > > On 2016-03-16 16:53, Lukas Tribus wrote: > >>The "option httpclose" was on purpose. Also the client could (during a > >>attack) simply do the same and achieve the same result. I don't think > >>that

Re: IDEA: initial-state up/down option for servers

2016-03-19 Thread Chris Warren
On 18 Mar 2016, at 03:03, Igor Cicimov > wrote: On Fri, Mar 18, 2016 at 10:38 AM, Chris Warren > wrote: Hi, We use haproxy in an auto-scaling environment. On an auto-scaling event,

Re: Help! HAProxy randomly failing health checks!

2016-03-19 Thread Igor Cicimov
On Thu, Mar 17, 2016 at 10:55 AM, Zachary Punches wrote: > Thanks for the reply! > > Ok so based on what you saw in my config, does it look like we’re > misconfigured enough to cause this to happen? > > If we were misconfigured, one would assume we would go down all the

Re: Help! HAProxy randomly failing health checks!

2016-03-19 Thread Zachary Punches
I went ahead and added the performance tuning you recommended (changing the maxconn to 1024). Hopefully this adds some stability. As for the port, we’re using 1027 for our SSL traffic vs 443. We are currently getting SSL traffic that isn’t always failing on handshake. As for what is in front of

Re: General SSL vs. non-SSL Performance

2016-03-19 Thread Christian Ruppert
Hi Cyril, On 2016-03-16 16:14, Cyril Bonté wrote: Hi all, replying really quickly from a webmail, sorry for the lack of details [...] I also ran 2 parallel "ab" on two separate machines against a third one. The requests per second were around ~70 r/s per host instead of ~140. So I doubt it's

Re: General SSL vs. non-SSL Performance

2016-03-19 Thread Christian Ruppert
Hi Willy, On 2016-03-17 06:05, Willy Tarreau wrote: Hi Christian, On Wed, Mar 16, 2016 at 05:25:53PM +0100, Christian Ruppert wrote: Hi Lukas, On 2016-03-16 16:53, Lukas Tribus wrote: >>The "option httpclose" was on purpose. Also the client could (during a >>attack) simply do the same and

HAProxy keepalives and max-keep-alive-queue

2016-03-19 Thread CJ Ess
So at long last, I'm getting to use keep-alives with HAProxy! I'm terminating http/ssl/spdy with Nginx and then passing the connections to HAProxy via an upstream pool. I've verified by packet capture that connection reuse between clients, Nginx, and HAProxy is occurring. So I'd like to keep the

Re: IDEA: initial-state up/down option for servers

2016-03-19 Thread Igor Cicimov
On Fri, Mar 18, 2016 at 10:38 AM, Chris Warren wrote: > Hi, > > We use haproxy in an auto-scaling environment. On an auto-scaling event, > the haproxy configuration is rewritten to list all existing servers for > each proxied service. A graceful reload is then performed. > >

Re: [PATCH v2] BUG/MINOR: log: Don't use strftime() which can clobber timezone if chrooted

2016-03-19 Thread Willy Tarreau
On Tue, Mar 15, 2016 at 11:06:55PM +0100, Benoît GARNIER wrote: > From: Benoit GARNIER > Date: Sun, 27 Mar 2016 03:04:16 +0200 > Subject: [PATCH] BUG/MINOR: log: Don't use strftime() which can clobber > timezone if chrooted > > The strftime() function can call

Re: General SSL vs. non-SSL Performance

2016-03-19 Thread Nenad Merdanovic
Hello, On 3/16/2016 6:25 PM, Christian Ruppert wrote: > > Some customers may require 4096 bit keys as it seems to be much more > decent than 2048 nowadays. So you may be limited here. A test with a > 2048 bit Cert gives me around ~770 requests per second, a test with an > 256 bit ECC cert around

http-request capture id frontend/backend not working?

2016-03-19 Thread Daniel Schneller
Hi! I am trying to capture an HTTP Request Header that gets added under certain circumstances in the backend. From the documentation I understand I can use a capture slot for that. This is what I tried in my stripped down config file: ... frontend fe_http bind 192.168.1.3:80 declare

Re: A HAProxy statistics collection program

2016-03-19 Thread Baptiste
On Thu, Mar 17, 2016 at 4:23 PM, Pavlos Parissis wrote: > Hi all, > > I would like to announce a statistics collector program for HAProxy. > > Key features: > - Support of multiprocess mode of HAProxy (nbproc > 1) > - Ability to pull statistics at very low intervals

Re: General SSL vs. non-SSL Performance

2016-03-19 Thread Aleksandar Lazic
Hi. Am 17-03-2016 11:51, schrieb Gary Barrueto: Hi. On Mar 16, 2016 10:06 PM, "Willy Tarreau" < Here I don't know. TLS handshakes are one large part of what made me think that we must go multi-threaded instead of multi-process over the long term, just because I want to be able to pin

Re: General SSL vs. non-SSL Performance

2016-03-19 Thread Christian Ruppert
Hi Aleks, On 2016-03-16 15:57, Aleksandar Lazic wrote: Hi. Am 16-03-2016 15:17, schrieb Christian Ruppert: Hi, this is rather HAProxy unrelated so more a general problem but anyway.. I did some tests with SSL vs. non-SSL performance and I wanted to share my results with you guys but also

Re: General SSL vs. non-SSL Performance

2016-03-19 Thread Christian Ruppert
On 2016-03-18 11:31, Christian Ruppert wrote: Hi Willy, On 2016-03-17 06:05, Willy Tarreau wrote: Hi Christian, On Wed, Mar 16, 2016 at 05:25:53PM +0100, Christian Ruppert wrote: Hi Lukas, On 2016-03-16 16:53, Lukas Tribus wrote: >>The "option httpclose" was on purpose. Also the client

Re: http-request capture id frontend/backend not working?

2016-03-19 Thread Daniel Schneller
Trying to understand this better, I came across commit 3e7d15e744d5f0137dd266efba1f317895a31273 Author: Baptiste Assmann Date: Tue Nov 3 23:31:35 2015 +0100 BUG/MINOR: http rule: http capture 'id' rule points to a non existing id It is possible to create a http

Re: General SSL vs. non-SSL Performance

2016-03-19 Thread Aleksandar Lazic
Hi Nenad Am 17-03-2016 19:27, schrieb Nenad Merdanovic: Hello Aleksandar On 3/17/2016 6:00 PM, Aleksandar Lazic wrote: Okay I'm now lost 8-O please can anyone help me to understand how the flow works. 1st Request client -> ssl handshake -> haproxy server 1 (tls ticket?!) 2nd Request Same

Re: General SSL vs. non-SSL Performance

2016-03-19 Thread Cyril Bonté
Hi all, replying really quickly from a webmail, sorry for the lack of details > [...] > I also ran 2 parallel "ab" on two separate machines against a third > one. > The requests per second were around ~70 r/s per host instead of ~140. > So > I doubt it's a entropy problem. The issue is in your

HAProxy Configuration Best Practices

2016-03-19 Thread Gregg Cranshaw
Hello, I am in the middle of a project where I have to setup a couple of load balancers to allow load balancing traffic to some web app servers and to provide an easy way to swap out some other resources. I have spent a lot of time researching options and I settled on HAProxy with Keepalived

Re: Help! HAProxy randomly failing health checks!

2016-03-19 Thread Igor Cicimov
On Fri, Mar 18, 2016 at 5:39 AM, Zachary Punches wrote: > Here is a quick grab of our log with the SSL errors. This just happened, > if you check the timestamps before and the SSL handshake you can see the > hang > > Mar 17 18:37:16 localhost haproxy[28703]:

The simplest way to reach specific backend

2016-03-19 Thread Guillaume Bourque
Hi all, We have implemented a very simple haproxy 1 web site on 2 apps server. Question: How do you do this, my objective is to have the simplest solution for our QA users. Need: Our QA team wants to reach app1 and app2 to validate each application server. I know we can do a simple haproxy

SOCK-RAW

2016-03-19 Thread admin
This e-mail I got from your website: http://sock-raw.org You write that you are engaged in network security. I'm looking for products to protect computer networks LAN that I could sell in Poland (European Union). I work in marketing and computer science for 17 years in the capital,

Re: General SSL vs. non-SSL Performance

2016-03-19 Thread Pavlos Parissis
On 17/03/2016 12:26 μμ, Nenad Merdanovic wrote: > Hello Gary, > > On 3/17/2016 11:51 AM, Gary Barrueto wrote: >> >> While that would help a single server, how about when dealing with multi >> servers + anycast: Has there been any thoughts about sharing ssl/tls >> session cache between servers?

Re: General SSL vs. non-SSL Performance

2016-03-19 Thread Gary Barrueto
Hi. On Mar 16, 2016 10:06 PM, "Willy Tarreau" < > > Here I don't know. TLS handshakes are one large part of what made me think > that we must go multi-threaded instead of multi-process over the long term, > just because I want to be able to pin some tasks to some CPUs. Ie when TLS > says

Re: Help! HAProxy randomly failing health checks!

2016-03-19 Thread Igor Cicimov
On Thu, Mar 17, 2016 at 12:46 PM, Igor Cicimov < ig...@encompasscorporation.com> wrote: > > > On Thu, Mar 17, 2016 at 11:14 AM, Zachary Punches > wrote: > >> I wanna say average is like 4-6 connections a second? Super minimal >> >> From what I’ve seen in the logs during the

Re: Help! HAProxy randomly failing health checks!

2016-03-19 Thread Igor Cicimov
On Fri, Mar 18, 2016 at 1:38 PM, Igor Cicimov < ig...@encompasscorporation.com> wrote: > > > On Fri, Mar 18, 2016 at 12:04 PM, Zachary Punches > wrote: > >> Yeah port 1027 is used for health checks over SSL. >> >> This HAP forwards requests off to our databases. The

Re: Help! HAProxy randomly failing health checks!

2016-03-19 Thread Zachary Punches
Yeah port 1027 is used for health checks over SSL. This HAP forwards requests off to our databases. The databases have a string in a table that indicates that the HAP instance can move all the way through the entire process before it lights as green. Our health checks in route 53 are setup to

Re: General SSL vs. non-SSL Performance

2016-03-19 Thread Janusz Dziemidowicz
2016-03-17 20:48 GMT+01:00 Aleksandar Lazic : > Hm I'm not sure if understand this right. > I will try to repeat just to check if I have understand it right. > > http://cbonte.github.io/haproxy-dconv/configuration-1.6.html#5.1-tls-ticket-keys > > # > frontend ssl > bind

A HAProxy statistics collection program

2016-03-19 Thread Pavlos Parissis
Hi all, I would like to announce a statistics collector program for HAProxy. Key features: - Support of multiprocess mode of HAProxy (nbproc > 1) - Ability to pull statistics at very low intervals even when there are thousands of servers/backends. It has been already used in production

Re: Help! HAProxy randomly failing health checks!

2016-03-19 Thread Zachary Punches
I’m not, these guys aren’t sitting behind an ELB. They sit behind route53 routing. If one of the proxy boxes fails 3 checks in 30 seconds (with 4 checks done a second) then Route53 changes its routing from the first proxy box to the second On 3/15/16, 9:46 PM, "Baptiste"

Re: General SSL vs. non-SSL Performance

2016-03-19 Thread Christian Ruppert
On 2016-03-17 00:14, Nenad Merdanovic wrote: Hello, On 3/16/2016 6:25 PM, Christian Ruppert wrote: Some customers may require 4096 bit keys as it seems to be much more decent than 2048 nowadays. So you may be limited here. A test with a 2048 bit Cert gives me around ~770 requests per second,

HAProxy -st not killing old processes

2016-03-19 Thread Bowen Ni
Hi, We are using -p option to save the pid of HAProxy. When a new HAProxy is received, we use -st pid option to reload HAProxy. The issue we are having is that -st option sometimes does not kill the old process. An example would be: root 372 1 0 03:22 ?00:00:00 haproxy -p

Re: Help! HAProxy randomly failing health checks!

2016-03-19 Thread Igor Cicimov
On Fri, Mar 18, 2016 at 12:04 PM, Zachary Punches wrote: > Yeah port 1027 is used for health checks over SSL. > > This HAP forwards requests off to our databases. The databases have a > string in a table that indicates that the HAP instance can move all the way > through

Re: case @req.hdr puzzlement

2016-03-19 Thread Jim Freeman
Indeed - I hardcode the frontend_name in the .cfg (instead of using %f), and it works. Thanks much! On Fri, Mar 18, 2016 at 3:30 PM, Cyril Bonté wrote: > Hi Jim, > > Le 18/03/2016 21:52, Jim Freeman a écrit : >> >> I'm trying to add a header only if the last occurrence of

RE: General SSL vs. non-SSL Performance

2016-03-19 Thread Christian Ruppert
On 2016-03-16 17:56, Lukas Tribus wrote: Some customers may require 4096 bit keys as it seems to be much more decent than 2048 nowadays. I've not come across any recommendations pointing in that direction, in fact 2048-bit RSA are supposed to be safe for commercial use until 2030. I don't

Re: Help! HAProxy randomly failing health checks!

2016-03-19 Thread Zachary Punches
I wanna say average is like 4-6 connections a second? Super minimal. From what I’ve seen in the logs during the SSL errors, the log hangs then outputs a bunch of SSL errors all at once. Here is the output from sysctl -p net.ipv4.ip_forward = 0 net.ipv4.conf.default.rp_filter = 1

Re: General SSL vs. non-SSL Performance

2016-03-19 Thread Nenad Merdanovic
Hello Aleksandar On 3/17/2016 6:00 PM, Aleksandar Lazic wrote: > Okay I'm now lost 8-O > > please can anyone help me to understand how the flow works. > > 1st Request > client -> ssl handshake -> haproxy server 1 (tls ticket?!) > > 2nd Request > Same client -> ssl handshake -> haproxy server 2

Re: General SSL vs. non-SSL Performance

2016-03-19 Thread Willy Tarreau
On Fri, Mar 18, 2016 at 03:04:43PM +0100, Dennis Jacobfeuerborn wrote: > > You don't need, just use the proxy protocol : > > > >listen secure > > bind :443 ssl crt foo.pem process 2-32 > > mode tcp > > server clear 127.0.0.1:81 send-proxy-v2 > > > >frontend clear > >

Query

2016-03-19 Thread Fran Tost Mons
Hi there! Do you have any best practices manual for haproxy? Thanks in advance, -- *Francesc Tost Mons*

General SSL vs. non-SSL Performance

2016-03-19 Thread Christian Ruppert
Hi, this is rather HAProxy unrelated so more a general problem but anyway.. I did some tests with SSL vs. non-SSL performance and I wanted to share my results with you guys but also trying to solve the actual problem. So here is what I did: haproxy.cfg: global user haproxy