Re: General SSL vs. non-SSL Performance

2016-03-18 Thread Pavlos Parissis
On 17/03/2016 04:49 PM, Nenad Merdanovic wrote: > Hello Pavlos, > > On 3/17/2016 4:45 PM, Pavlos Parissis wrote: >> I am working (not very actively) on a solution which utilizes this. >> It will use www.vaultproject.io as central store, a generating engine >> and a pull/push mechanism in place.

Re: HAProxy Configuration Best Practices

2016-03-18 Thread Jeff Palmer
Also, I would consider setting maxconn appropriately to be critical. You want it high enough to handle your peaks/spikes, but not so high as to consume all resources available on the machine. On Thu, Mar 17, 2016 at 9:49 AM, Baptiste wrote: > > > On Thu, Mar 17, 2016 at

Re: Help! HAProxy randomly failing health checks!

2016-03-18 Thread Zachary Punches
Thanks for the reply! Ok so based on what you saw in my config, does it look like we’re misconfigured enough to cause this to happen? If we were misconfigured, one would assume we would go down all the time yeah? From: Igor Cicimov

Re: Help! HAProxy randomly failing health checks!

2016-03-18 Thread Igor Cicimov
On Thu, Mar 17, 2016 at 11:14 AM, Zachary Punches wrote: > I wanna say average is like 4-6 connections a second? Super minimal > > From what I’ve seen in the logs during the SSL errors, the log hangs then > outputs a bunch of SSL errors all at once. > > Here is the output

SSL and SNI keeping it all in HAProxy

2016-03-18 Thread shouldbe q931
I'm trying to get my head around how to get multiple HTTPS sites on one public IP with HAProxy. After reading http://blog.haproxy.com/2012/04/13/enhanced-ssl-load-balancing-with-server-name-indication-sni-tls-extension/ I've got a rough idea of how to do the SNI ACLs. To keep all of the HTTPS

Re: Help! HAProxy randomly failing health checks!

2016-03-18 Thread Igor Cicimov
On Thu, Mar 17, 2016 at 5:29 AM, Zachary Punches wrote: > I’m not, these guys aren’t sitting behind an ELB. They sit behind route53 > routing. If one of the proxy boxes fails 3 checks in 30 seconds (with 4 > checks done a second) then Route53 changes its routing from the

Re: General SSL vs. non-SSL Performance

2016-03-18 Thread Nenad Merdanovic
Hello Gary, On 3/17/2016 11:51 AM, Gary Barrueto wrote: > > While that would help a single server, how about when dealing with multi > servers + anycast: Has there been any thoughts about sharing ssl/tls > session cache between servers? Like how apache can use memcache to store > its cache or

Re: HAProxy Configuration Best Practices

2016-03-18 Thread Baptiste
On Thu, Mar 17, 2016 at 1:17 PM, Gregg Cranshaw wrote: > Hello, > > I am in the middle of a project where I have to setup a couple of load > balancers to allow load balancing traffic to some web app servers and to > provide an easy way to swap out some other resources. I

RE: HAProxy -st not killing old processes

2016-03-18 Thread Lukas Tribus
Hi Bowen, > Hi, > > We are using -p option to save the pid of HAProxy. When a new HAProxy > is received, we use -st pid option to reload HAProxy. > The issue we are having is that -st option sometimes does not kill the > old process. Please upgrade to 1.5.16 or 1.6.4, there have been

Re: Help! HAProxy randomly failing health checks!

2016-03-18 Thread Zachary Punches
Ok! Here is a bunch of info that might better assist with the issue: Each of our clients has an HAProxy install that forwards requests for 80 and 443 to 1025 and 1026 respectively. These requests are forwarded over TCP using proxy protocol to our HAP instances. Our HAP instances then SSL term

case @req.hdr puzzlement

2016-03-18 Thread Jim Freeman
I'm trying to add a header only if the last occurrence of it is not the frontend_name (%f), but the header field name comparison seems to be case sensitive when it should not be? haproxy.cfg listen foo.bar bind :10001 mode http log 127.0.0.1:514 local2 debug info acl XOH_OK

Re: case @req.hdr puzzlement

2016-03-18 Thread Cyril Bonté
Hi Jim, On 18/03/2016 21:52, Jim Freeman wrote: I'm trying to add a header only if the last occurrence of it is not the frontend_name (%f), but the header field name comparison seems to be case sensitive when it should not be? The analysis is not correct. haproxy.cfg listen

RE: General SSL vs. non-SSL Performance

2016-03-18 Thread Christian Ruppert
Hi Lukas, On 2016-03-16 16:53, Lukas Tribus wrote: The "option httpclose" was on purpose. Also the client could (during an attack) simply do the same and achieve the same result. I don't think that will help in such cases. So what you are actually and purposely benchmarking are SSL/TLS

Re: General SSL vs. non-SSL Performance

2016-03-18 Thread Aleksandar Lazic
Hi. On 16-03-2016 15:17, Christian Ruppert wrote: Hi, this is rather HAProxy unrelated so more a general problem but anyway.. I did some tests with SSL vs. non-SSL performance and I wanted to share my results with you guys but also trying to solve the actual problem So here is what I did:

Re: General SSL vs. non-SSL Performance

2016-03-18 Thread Willy Tarreau
Hi Christian, On Fri, Mar 18, 2016 at 11:31:57AM +0100, Christian Ruppert wrote: > I also just stumbled over this: > https://software.intel.com/en-us/articles/accelerating-ssl-load-balancers-with-intel-xeon-v3-processors > Might be interesting for others as well. So ECC and multi-threaded/process