Re: Followup on openssl 3.0 note seen in another thread

2023-05-29 Thread Shawn Heisey
On 5/29/23 20:38, Willy Tarreau wrote: Have you verified that the CPU is saturated ? The CPU on the machine running the test settles at about 1800 percent for my test program. 12 real cores, hyperthreaded. The CPU on the frontend haproxy process is barely breathing hard. Never saw it get

Re: Followup on openssl 3.0 note seen in another thread

2023-05-29 Thread Willy Tarreau
On Sat, May 27, 2023 at 02:56:39PM -0600, Shawn Heisey wrote: > On 5/27/23 02:59, Willy Tarreau wrote: > > The little difference makes me think you've sent your requests over > > a keep-alive connection, which is fine, but which doesn't stress the > > TLS stack anymore. > > Yup. It was using

Re: Followup on openssl 3.0 note seen in another thread

2023-05-29 Thread Shawn Heisey
On 5/29/23 01:43, Aleksandar Lazic wrote: HAProxies FE => HAProxies BE => Destination Servers Where the Destination Servers are also HAProxies which just return static content or any high-performance, low-latency HTTPS server. With such a setup, can you also test the client mode of the

Re: Followup on openssl 3.0 note seen in another thread

2023-05-29 Thread Shawn Heisey
On 5/29/23 19:52, Shawn Heisey wrote: Interesting idea. So sorry. I was writing up the new reply, and my fingers got confused for a moment, accidentally did Ctrl-Enter which tells Thunderbird to send the message. Will send a new complete reply.

Re: Followup on openssl 3.0 note seen in another thread

2023-05-29 Thread Shawn Heisey
On 5/29/23 01:43, Aleksandar Lazic wrote: HAProxies FE => HAProxies BE => Destination Servers Where the Destination Servers are also HAProxies which just return static content or any high-performance, low-latency HTTPS server. With such a setup, can you also test the client mode of the

Re: Followup on openssl 3.0 note seen in another thread

2023-05-29 Thread Aleksandar Lazic
Hi Shawn. On 2023-05-28 (So.) 05:30, Shawn Heisey wrote: On 5/27/23 18:03, Shawn Heisey wrote: On 5/27/23 14:56, Shawn Heisey wrote: Yup.  It was using keepalive.  I turned keepalive off and repeated the tests. I did the tests again with 200 threads.  The system running the tests has 12

Re: Followup on openssl 3.0 note seen in another thread

2023-05-27 Thread Shawn Heisey
On 5/27/23 18:03, Shawn Heisey wrote: On 5/27/23 14:56, Shawn Heisey wrote: Yup.  It was using keepalive.  I turned keepalive off and repeated the tests. I did the tests again with 200 threads.  The system running the tests has 12 hyperthreaded cores, so this definitely pushes its

Re: Followup on openssl 3.0 note seen in another thread

2023-05-27 Thread Shawn Heisey
On 5/27/23 14:56, Shawn Heisey wrote: Yup.  It was using keepalive.  I turned keepalive off and repeated the tests. I did the tests again with 200 threads. The system running the tests has 12 hyperthreaded cores, so this definitely pushes its capabilities. The system running haproxy has 24

Re: Followup on openssl 3.0 note seen in another thread

2023-05-27 Thread Shawn Heisey
On 5/27/23 02:59, Willy Tarreau wrote: The little difference makes me think you've sent your requests over a keep-alive connection, which is fine, but which doesn't stress the TLS stack anymore. Yup. It was using keepalive. I turned keepalive off and repeated the tests. I'm still not

Re: Followup on openssl 3.0 note seen in another thread

2023-05-27 Thread Willy Tarreau
Hi Shawn, On Fri, May 26, 2023 at 11:17:15PM -0600, Shawn Heisey wrote: > On 5/25/23 09:08, Willy Tarreau wrote: > > The problem definitely is concurrency, so 1000 curl will show nothing > > and will not even match production traffic. You'll need to use a load > > generator that allows you to

Re: Followup on openssl 3.0 note seen in another thread

2023-05-26 Thread Shawn Heisey
On 5/25/23 09:08, Willy Tarreau wrote: The problem definitely is concurrency, so 1000 curl will show nothing and will not even match production traffic. You'll need to use a load generator that allows you to tweak the TLS resume support, like we do with h1load's argument "--tls-reuse". Also I

Re: Followup on openssl 3.0 note seen in another thread

2023-05-25 Thread Илья Шипицин
On Thu, 25 May 2023 at 17:11, Willy Tarreau wrote: > On Thu, May 25, 2023 at 07:33:11AM -0600, Shawn Heisey wrote: > > On 3/11/23 22:52, Willy Tarreau wrote: > > > According to the OpenSSL devs, 3.1 should be "4 times better than 3.0", > > > so it could still remain 5-40 times worse than 1.1.1. I intend

Re: Followup on openssl 3.0 note seen in another thread

2023-05-25 Thread Willy Tarreau
On Thu, May 25, 2023 at 07:33:11AM -0600, Shawn Heisey wrote: > On 3/11/23 22:52, Willy Tarreau wrote: > > According to the OpenSSL devs, 3.1 should be "4 times better than 3.0", > > so it could still remain 5-40 times worse than 1.1.1. I intend to run > > some tests soon on it on a large machine,

Re: Followup on openssl 3.0 note seen in another thread

2023-05-25 Thread Shawn Heisey
On 3/11/23 22:52, Willy Tarreau wrote: According to the OpenSSL devs, 3.1 should be "4 times better than 3.0", so it could still remain 5-40 times worse than 1.1.1. I intend to run some tests soon on it on a large machine, but preparing tests takes a lot of time and my progress got delayed by

Re: Followup on openssl 3.0 note seen in another thread

2023-03-11 Thread Willy Tarreau
Hi Shawn, On Sat, Mar 11, 2023 at 07:10:30PM -0700, Shawn Heisey wrote: > On 12/14/22 07:15, Willy Tarreau wrote: > > On Wed, Dec 14, 2022 at 07:01:59AM -0700, Shawn Heisey wrote: > > > On 12/14/22 06:07, Willy Tarreau wrote: > > > > By the way, are you running with OpenSSL > > > > 3.0 ? That

Re: Followup on openssl 3.0 note seen in another thread

2023-03-11 Thread Shawn Heisey
On 12/14/22 07:15, Willy Tarreau wrote: On Wed, Dec 14, 2022 at 07:01:59AM -0700, Shawn Heisey wrote: On 12/14/22 06:07, Willy Tarreau wrote: By the way, are you running with OpenSSL 3.0 ? That one is absolutely terrible and makes extreme abuse of mutexes and locks, to the point that certain

Re: Followup on openssl 3.0 note seen in another thread

2022-12-16 Thread Willy Tarreau
On Fri, Dec 16, 2022 at 06:58:33AM -0700, Shawn Heisey wrote: > On 12/16/22 01:59, Shawn Heisey wrote: > > On 12/16/22 00:26, Willy Tarreau wrote: > > > Both work for me using firefox (green flash after reload). > > > > It wasn't working when I tested it.  I rebooted for a kernel upgrade and > >

Re: Followup on openssl 3.0 note seen in another thread

2022-12-16 Thread Shawn Heisey
On 12/16/22 01:59, Shawn Heisey wrote: On 12/16/22 00:26, Willy Tarreau wrote: > Both work for me using firefox (green flash after reload). It wasn't working when I tested it.  I rebooted for a kernel upgrade and it still wasn't working. And then a while later I was poking around in my

Re: Followup on openssl 3.0 note seen in another thread

2022-12-16 Thread Shawn Heisey
On 12/16/22 00:26, Willy Tarreau wrote: > Both work for me using firefox (green flash after reload). It wasn't working when I tested it. I rebooted for a kernel upgrade and it still wasn't working. And then a while later I was poking around in my zabbix UI and saw the green lightning bolt.

Re: Followup on openssl 3.0 note seen in another thread

2022-12-16 Thread Shawn Heisey
On 12/16/22 00:01, Willy Tarreau wrote: - if you want to use QUIC, use quictls-1.1.1. Once you have to build something yourself, you definitely don't want to waste your time on the performance-crippled 3.0, and 1.1.1 will change less often than 3.0 so that also means less

Re: Followup on openssl 3.0 note seen in another thread

2022-12-15 Thread Willy Tarreau
On Thu, Dec 15, 2022 at 08:40:59PM -0700, Shawn Heisey wrote: > On 12/15/22 09:47, Shawn Heisey wrote: > > The version of curl with http3 support is not available in any of the > > distro repos for my Ubuntu machines, so I found a docker image with it. > > That works in cases where a browser won't

Re: Followup on openssl 3.0 note seen in another thread

2022-12-15 Thread Willy Tarreau
On Thu, Dec 15, 2022 at 09:47:36AM -0700, Shawn Heisey wrote: > Just got a look at the patch. One line code fixes are awesome. We all love them. Sometimes I even suspect we unconsciously create such bugs to have the pleasure of contemplating these fixes :-) Willy

Re: Followup on openssl 3.0 note seen in another thread

2022-12-15 Thread Willy Tarreau
On Fri, Dec 16, 2022 at 01:44:15AM -0500, John Lauro wrote: > What exactly is needed to reproduce the poor performance issue with openssl > 3? I was able to test 20k req/sec with it using k6 to simulate 16k users > over a wan. The k6 box did have openssl1. Probably could have sustained > more,

Re: Followup on openssl 3.0 note seen in another thread

2022-12-15 Thread Willy Tarreau
On Thu, Dec 15, 2022 at 11:39:16PM -0700, Shawn Heisey wrote: > On 12/15/22 21:49, Willy Tarreau wrote: > > There's currently a great momentum around WolfSSL that was already > > adopted by Apache, Curl, and Ngtcp2 (which is the QUIC stack that > > powers most HTTP/3-compatible agents). Its

Re: Followup on openssl 3.0 note seen in another thread

2022-12-15 Thread John Lauro
What exactly is needed to reproduce the poor performance issue with openssl 3? I was able to test 20k req/sec with it using k6 to simulate 16k users over a wan. The k6 box did have openssl1. Probably could have sustained more, but that's all I need right now. Openssl v1 tested a little faster,

Re: Followup on openssl 3.0 note seen in another thread

2022-12-15 Thread Willy Tarreau
On Fri, Dec 16, 2022 at 07:29:23AM +0100, Vincent Bernat wrote: > On 2022-12-16 05:49, Willy Tarreau wrote: > > There's currently a great momentum around WolfSSL that was already > > adopted by Apache, Curl, and Ngtcp2 (which is the QUIC stack that > > powers most HTTP/3-compatible agents). Its

Re: Followup on openssl 3.0 note seen in another thread

2022-12-15 Thread Shawn Heisey
On 12/15/22 21:49, Willy Tarreau wrote: There's currently a great momentum around WolfSSL that was already adopted by Apache, Curl, and Ngtcp2 (which is the QUIC stack that powers most HTTP/3-compatible agents). Its support on haproxy is making fast progress thanks to the efforts on the two

Re: Followup on openssl 3.0 note seen in another thread

2022-12-15 Thread Vincent Bernat
On 2022-12-16 05:49, Willy Tarreau wrote: There's currently a great momentum around WolfSSL that was already adopted by Apache, Curl, and Ngtcp2 (which is the QUIC stack that powers most HTTP/3-compatible agents). Its support on haproxy is making fast progress thanks to the efforts on the two

Re: Followup on openssl 3.0 note seen in another thread

2022-12-15 Thread Willy Tarreau
On Thu, Dec 15, 2022 at 08:58:29PM -0700, Shawn Heisey wrote: > I'm sure the performance issue has been brought to the attention of the > OpenSSL project ... what did they have to say about the likelihood and > timeline for providing a fix? They're still working on it for 3.1. 3.1-alpha is "less

Re: Followup on openssl 3.0 note seen in another thread

2022-12-15 Thread Shawn Heisey
On 12/15/22 02:19, Willy Tarreau wrote: I guess you'll get them only while the previous version remains maintained (i.e. use a package from the previous LTS distro). But regardless you'll also need to use executables linked with that version and that's where it can become a pain. When I

Re: Followup on openssl 3.0 note seen in another thread

2022-12-15 Thread Shawn Heisey
On 12/15/22 09:47, Shawn Heisey wrote: The version of curl with http3 support is not available in any of the distro repos for my Ubuntu machines, so I found a docker image with it. That works in cases where a browser won't switch, but that's because it never tries TCP, it goes straight to UDP. 

Re: Followup on openssl 3.0 note seen in another thread

2022-12-15 Thread Shawn Heisey
On 12/15/22 00:58, Amaury Denoyelle wrote: I seem to be able to reach your website with H3 currently. Did you revert to an older version ? Regarding this commit, it rejects requests with invalid headers (with uppercase or non-HTTP tokens in the field name). Have you tried with several browsers

Re: Followup on openssl 3.0 note seen in another thread

2022-12-15 Thread Amaury Denoyelle
On Thu, Dec 15, 2022 at 09:20:01AM +0100, Amaury Denoyelle wrote: > On Thu, Dec 15, 2022 at 09:03:18AM +0100, Amaury Denoyelle wrote: > > On Thu, Dec 15, 2022 at 08:58:16AM +0100, Amaury Denoyelle wrote: > > > On Wed, Dec 14, 2022 at 11:20:44PM -0700, Shawn Heisey wrote: > > > > On 12/14/22 21:23,

Re: Followup on openssl 3.0 note seen in another thread

2022-12-15 Thread Willy Tarreau
On Thu, Dec 15, 2022 at 08:56:13AM +0100, Vincent Bernat wrote: > On 2022-12-14 15:15, Willy Tarreau wrote: > > Possibly, yes. It's more efficient in every way from what we can see. > > For users who build themselves (and with QUIC right now you don't have > > a better choice), it should not

Re: Followup on openssl 3.0 note seen in another thread

2022-12-15 Thread Amaury Denoyelle
On Thu, Dec 15, 2022 at 09:03:18AM +0100, Amaury Denoyelle wrote: > On Thu, Dec 15, 2022 at 08:58:16AM +0100, Amaury Denoyelle wrote: > > On Wed, Dec 14, 2022 at 11:20:44PM -0700, Shawn Heisey wrote: > > > On 12/14/22 21:23, Илья Шипицин wrote: > > > > Can you try to bisect? > > > I had made some

Re: Followup on openssl 3.0 note seen in another thread

2022-12-15 Thread Amaury Denoyelle
On Thu, Dec 15, 2022 at 08:58:16AM +0100, Amaury Denoyelle wrote: > On Wed, Dec 14, 2022 at 11:20:44PM -0700, Shawn Heisey wrote: > > On 12/14/22 21:23, Илья Шипицин wrote: > > > Can you try to bisect? > > I had made some incorrect assumptions about what's needed to use > > bisect. With a little

Re: Followup on openssl 3.0 note seen in another thread

2022-12-14 Thread Amaury Denoyelle
On Wed, Dec 14, 2022 at 11:20:44PM -0700, Shawn Heisey wrote: > On 12/14/22 21:23, Илья Шипицин wrote: > > Can you try to bisect? > I had made some incorrect assumptions about what's needed to use > bisect. With a little bit of research I figured it out and it was a > LOT easier than I had

Re: Followup on openssl 3.0 note seen in another thread

2022-12-14 Thread Vincent Bernat
On 2022-12-14 15:15, Willy Tarreau wrote: Possibly, yes. It's more efficient in every way from what we can see. For users who build themselves (and with QUIC right now you don't have a better choice), it should not change anything and will keep robustness. For those relying on the distro's

Re: Followup on openssl 3.0 note seen in another thread

2022-12-14 Thread Shawn Heisey
On 12/14/22 21:23, Илья Шипицин wrote: Can you try to bisect? I had made some incorrect assumptions about what's needed to use bisect. With a little bit of research I figured it out and it was a LOT easier than I had imagined. I suspect that it won't help, browsers tend to remember things

Re: Followup on openssl 3.0 note seen in another thread

2022-12-14 Thread Willy Tarreau
On Thu, Dec 15, 2022 at 10:23:59AM +0600, Илья Шипицин wrote: > Can you try to bisect? > > I suspect that it won't help, browsers tend to remember things in their own > way That's often the problem we've been facing as well during tests. When a browser decides that your QUIC implementation

Re: Followup on openssl 3.0 note seen in another thread

2022-12-14 Thread Илья Шипицин
Can you try to bisect? I suspect that it won't help, browsers tend to remember things in their own way On Thu, Dec 15, 2022, 9:09 AM Shawn Heisey wrote: > On 12/14/22 19:33, Shawn Heisey wrote: > > With quictls 3.0.7 it was working. I will try rebuilding and see > > whether it still does.

Re: Followup on openssl 3.0 note seen in another thread

2022-12-14 Thread Shawn Heisey
On 12/14/22 19:33, Shawn Heisey wrote: With quictls 3.0.7 it was working.  I will try rebuilding and see whether it still does.  There was probably an update to haproxy as well as changing quictls -- my build script pulls the latest from the 2.7 git repo. Rebuilding with quictls 3.0.7 didn't

Re: Followup on openssl 3.0 note seen in another thread

2022-12-14 Thread Shawn Heisey
On 12/14/22 07:15, Willy Tarreau wrote: Should I switch to quictls 1.1.1 instead? Possibly, yes I did this, and now browsers do not switch to http3. A direct request that forces http3 works, but browsers are not switching to it based on the alt-svc header. Tried both firefox and chrome

Re: Followup on openssl 3.0 note seen in another thread

2022-12-14 Thread Shawn Heisey
On 12/14/22 12:06, Shawn Heisey wrote: I built a gitlab CI config to test out changes to my build/install scripts.  I'm having some trouble with that where haproxy is not working right, I'll start a new thread. Turned out that most of those problems were due to docker-related issues. And

Re: Followup on openssl 3.0 note seen in another thread

2022-12-14 Thread Shawn Heisey
On 12/14/22 07:15, Willy Tarreau wrote: Should I switch to quictls 1.1.1 instead? Possibly, yes. It's more efficient in every way from what we can see. For users who build themselves (and with QUIC right now you don't have a better choice), it should not change anything and will keep

Re: Followup on openssl 3.0 note seen in another thread

2022-12-14 Thread Willy Tarreau
On Wed, Dec 14, 2022 at 07:01:59AM -0700, Shawn Heisey wrote: > On 12/14/22 06:07, Willy Tarreau wrote: > > By the way, are you running with OpenSSL > > 3.0 ? That one is absolutely terrible and makes extreme abuse of > > mutexes and locks, to the point that certain workloads were divided > > by

Followup on openssl 3.0 note seen in another thread

2022-12-14 Thread Shawn Heisey
On 12/14/22 06:07, Willy Tarreau wrote: > By the way, are you running with OpenSSL > 3.0 ? That one is absolutely terrible and makes extreme abuse of > mutexes and locks, to the point that certain workloads were divided > by 2-digit numbers between 1.1.1 and 3.0. It took me one day to > figure