HAProxy SSL performance issue

2015-05-21 Thread Krishna Kumar (Engineering)
Hi all, I am getting a big performance hit with SSL termination for small I/O, and errors when testing with bigger I/O sizes (ab version is 2.3): 1. Non-SSL vs SSL for small I/O (128 bytes): ab -k -n 100 -c 500 http://HAPROXY/128 RPS: 181763.65 vs 133611.69 - 27% drop BW:

[no subject]

2015-05-21 Thread LED Lighting solutions
Dear Sir/Madam, Below LED lights are top 4 selling in Europe. 1, LED High Bay Lights 30W to 200W. 2, LED street light 40W-400W 3, LED Flood light 10W-500W 4, LED tube and led panel light 9W-72W, dimmable is available.

Re: 1.4 - 1.5 migration resulted in degraded performance

2015-05-21 Thread Willy Tarreau
Hi Pawel, On Tue, May 19, 2015 at 02:47:41PM -0700, Pawel Veselov wrote: These settings should theoretically make haproxy behave exactly the same. So think that somehow, 1.5 was creating or keeping a lot more open connections at a time, and depriving the kernel, or its own limits of

Re: HAProxy SSL performance issue

2015-05-21 Thread Willy Tarreau
Hi, On Thu, May 21, 2015 at 11:31:52AM +0530, Krishna Kumar (Engineering) wrote: Hi all, I am getting a big performance hit with SSL termination for small I/O, and errors when testing with bigger I/O sizes (ab version is 2.3): 1. Non-SSL vs SSL for small I/O (128 bytes): ab -k -n

[SPAM] Free registration to get up to 80% off

2015-05-21 Thread BricoPrivé
Title: BricoPrivé To view this message correctly, go to the online version. Private Sales DIY & Gardening: discounts up to -80%! Bricoprive.com is the private sales site dedicated to

Re: 1.4 - 1.5 migration resulted in degraded performance

2015-05-21 Thread Pawel Veselov
Willy, Lucas, thank you so much for analyzing my configs and your help. We did find out what was wrong. Some long time ago we added 'option nolinger' to the defaults section. This was figured by trial and error, and that option, on 1.4, served us well to the point of us forgetting about it.

SSL custom dhparam problem

2015-05-21 Thread Hervé Commowick
Hello, I encounter a problem with dhparam configuration, if I have 2 bind lines, a tune.ssl.default-dh-param 2048, and a custom group dhparam in one of the pem file, ALL bind lines will use 1024, the one with the custom group will work as expected, and the one without will use the default Oakley

Re: SSL custom dhparam problem

2015-05-21 Thread Remi Gacogne
Hi Hervé, On 05/21/2015 10:11 PM, Hervé Commowick wrote: I encounter a problem with dhparam configuration, if I have 2 bind lines, a tune.ssl.default-dh-param 2048, and a custom group dhparam in one of the pem file, ALL bind lines will use 1024, the one with the custom group will work as

Custom SSL DHparams prime

2015-05-21 Thread Christian Ruppert
Hi, from what I've seen in the sources and documentation a default and pre-generated prime will be used as default (unless appended to the certificate). HAProxy uses the related functions provided by OpenSSL itself (get_rfc3526_prime_2048, ...). What I miss here is an option to specify my

Re: Need help with HAProxy configuration mixed content http and https

2015-05-21 Thread Tu Nguyen
Thanks Baptiste, Let me give this a try. On May 21, 2015, at 5:26 AM, Baptiste bed...@gmail.com wrote: It seems your client gets connected using HTTPS on the HTTP port of haproxy. You must make your application aware that SSL offloading is being performed by a device in front of it. Some hints:

Re: SSL custom dhparam problem

2015-05-21 Thread Willy Tarreau
Hi Rémi, On Thu, May 21, 2015 at 11:19:15PM +0200, Remi Gacogne wrote: Hi Hervé, On 05/21/2015 10:11 PM, Hervé Commowick wrote: I encounter a problem with dhparam configuration, if I have 2 bind lines, a tune.ssl.default-dh-param 2048, and a custom group dhparam in one of the pem

Re: Reducing HAProxy System Time

2015-05-21 Thread Willy Tarreau
Hi Robert, On Tue, May 19, 2015 at 04:10:54PM -0700, Robert Brooks wrote: On Mon, May 18, 2015 at 7:58 PM, Willy Tarreau w...@1wt.eu wrote: It's useless at such sizes. A rule of thumb is that splicing will not be used at all for anything that completely fits in a buffer since haproxy

Re: [PATCH] MEDIUM: backend: Allow redispatch on retry intervals

2015-05-21 Thread Willy Tarreau
Hi Joseph, On Thu, May 21, 2015 at 10:50:17AM -0700, Joseph Lynch wrote: Hello Willy, On Sat, May 16, 2015 at 2:05 AM, Willy Tarreau w...@1wt.eu wrote: I moved the order of the comparisons around a little bit to ensure that the redispatch_after variable would be defined (namely if

Re: 1.4 - 1.5 migration resulted in degraded performance

2015-05-21 Thread Willy Tarreau
Hi Pawel, On Thu, May 21, 2015 at 01:04:42PM -0700, Pawel Veselov wrote: Willy, Lucas, thank you so much for analyzing my configs and your help. We did find out what was wrong. Some long time ago we added 'option nolinger' to the defaults section. This was figured by trial and error, and

Re: A few thoughts on Haproxy and weakdh/logjam

2015-05-21 Thread Willy Tarreau
Hi Remi, On Thu, May 21, 2015 at 06:07:34PM +0200, Remi Gacogne wrote: In the default configuration, Haproxy uses a 1024-bit DH key generated from the second Oakley group [2] for Diffie-Hellman Ephemeral (DHE) key exchange. This group is widely used, and is likely to be the first target for

A few thoughts on Haproxy and weakdh/logjam

2015-05-21 Thread Remi Gacogne
Haproxy and weakdh/logjam Hi, Everyone has probably heard about the recently disclosed weakdh/logjam attack [0] already. Here are a few personal thoughts on the impact on Haproxy. The weakdh issue is twofold: - if the HTTPS server is willing to accept a cipher suite using a very weak

Re: Custom SSL DHparams prime

2015-05-21 Thread Christian Ruppert
On 2015-05-21 18:20, Remi Gacogne wrote: Hi, from what I've seen in the sources and documentation a default and pre-generated prime will be used as default (unless appended to the certificate). HAProxy uses the related functions provided by OpenSSL itself (get_rfc3526_prime_2048, ...). What I

Re: Custom SSL DHparams prime

2015-05-21 Thread Remi Gacogne
Hi, from what I've seen in the sources and documentation a default and pre-generated prime will be used as default (unless appended to the certificate). HAProxy uses the related functions provided by OpenSSL itself (get_rfc3526_prime_2048, ...). What I miss here is an option to specify my

Re: Custom SSL DHparams prime

2015-05-21 Thread Remi Gacogne
You can use your own dhparam by appending it to the file specified with the crt command, after your certificate chain and key. Well, I meant globally, as default. global tune.ssl.default-dh-param /path/to/custom/dhparams.pem I don't think it's possible right now, but it should not