1

I have an HAProxy setup on a virtual machine using KVM with 8 cores and 4Gb of memory.
I'm using it as a load balancer with SSL offloading (with verify required).
The server has a load average of 1.7 and is using only about a gigabyte of memory.
The SSL offload takes about 450ms.
My question is why the server is not using the full resources to decrease response time.
What is causing the event loop to stall?
I have enabled multi-process in my config.
Here is the configuration:

global
  nbproc 8
  cpu-map 1 0
  cpu-map 2 1
  cpu-map 3 2
  cpu-map 4 3
  cpu-map 5 4
  cpu-map 6 5
  cpu-map 7 6
  cpu-map 8 7

  log 127.0.0.1 local0
  maxconn 20000
  daemon
  uid 99
  gid 99
  tune.ssl.default-dh-param 2048
  tune.ssl.cachesize 1000000
  tune.bufsize 32768
  stats socket /var/run/haproxy1.sock mode 600 level admin process 1
  stats socket /var/run/haproxy2.sock mode 600 level admin process 2
  stats socket /var/run/haproxy3.sock mode 600 level admin process 3
  stats socket /var/run/haproxy4.sock mode 600 level admin process 4
  stats socket /var/run/haproxy5.sock mode 600 level admin process 5
  stats socket /var/run/haproxy6.sock mode 600 level admin process 6
  stats socket /var/run/haproxy7.sock mode 600 level admin process 7
  stats socket /var/run/haproxy8.sock mode 600 level admin process 8
  stats timeout 2m #Wait up to 2 minutes for input

#listen stats
#  bind :9001
#  mode http
#  stats enable
#  stats hide-version
#  stats realm Haproxy\ Stats
#  stats uri /haproxy_stats
#  stats auth  admin:sfPalang
#  stats admin if TRUE

defaults
  log     global
  mode    http
  maxconn 10000
  # option  httplog
  option  redispatch
  option  dontlognull
  retries                 3
  timeout http-request    10s
  timeout queue           1m
  timeout connect         10s
  timeout client          1m
  timeout server          1m
  timeout http-keep-alive 10s
  timeout check           10s

frontend https_frontend
  bind 0.0.0.0:443 ssl crt PEM_FILE ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:!DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA ca-file /home/arsalan/rootCA.pem verify required process 1-8
  mode http
  option httpclose
  option forwardfor
  reqadd X-Forwarded-Proto:\ https

  SOME BACKEND CONFIGS (http backends with roundrobin config)


moses
  • You need to bind your https_frontend to some specific processes using the bind-process option – c4f4t0r Feb 23 '20 at 11:38
  • I have tried using a single bind process with process 1-8 like the presented config and also using 8 different bind processes like bind 0.0.0.0:443 process 1, 0.0.0.0:443 process 2, ... – moses Feb 23 '20 at 12:04
  • What is the client to server latency? There are two additional RTTs for TLS – Brennen Smith Feb 24 '20 at 18:58
  • I don't think client to server latency is related to SSL offload, but it is about 40ms; plus, it still does not justify HAProxy not using full resources – moses Feb 26 '20 at 11:52

1 Answer

0

Starting from 2.0, you don't have to use nbproc anymore; you can remove all the multi-process related configuration, and HAProxy will instead start by default with as many threads as CPUs available.
This may provide better usage in your case.

Mo3m3n
  • Would I be able to just remove the multiprocess part and use this config in version 2? Or do I need to make other changes? – moses Feb 26 '20 at 12:11
  • Just remove the multi-proc related parts – Mo3m3n Feb 26 '20 at 19:52
  • I did more research and I realized there is a way to get how much of the time the HAProxy event loop is waiting in idle mode. After reading lots of docs I still can't figure out why my event loop is idle about 90 percent of the time and what it is waiting for. Any way to track the HAProxy event loop and see where it waits and what for? Should I run in debug mode? – moses Mar 15 '20 at 02:08
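
The change the answer describes, applied to the question's `global` section and frontend for HAProxy 2.0, as an added example that is not part of the original answer or comments. The single socket path `/var/run/haproxy.sock` is an assumption; the `defaults` section and the backends are unchanged and omitted here.

```haproxy
global
  # Removed: "nbproc 8" and the eight "cpu-map N M" lines.
  # Per the answer, 2.0 starts one process with as many threads as
  # CPUs available, so no explicit process count is set here.

  log 127.0.0.1 local0
  maxconn 20000
  daemon
  uid 99
  gid 99
  tune.ssl.default-dh-param 2048
  tune.ssl.cachesize 1000000
  tune.bufsize 32768

  # One process means one runtime socket, so the eight
  # "stats socket ... process N" lines collapse into one.
  # Socket path is an assumption; mode 600 keeps it owner-only,
  # which matters because "level admin" allows runtime changes.
  stats socket /var/run/haproxy.sock mode 600 level admin
  stats timeout 2m

frontend https_frontend
  # Same certificate, cipher list, CA file and "verify required" as in
  # the question; only the trailing "process 1-8" is dropped.
  bind 0.0.0.0:443 ssl crt PEM_FILE ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:!DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA ca-file /home/arsalan/rootCA.pem verify required
  mode http
  option httpclose
  option forwardfor
  # Kept as in the question. HAProxy 2.1 and later no longer accept
  # "reqadd"; the equivalent there is:
  #   http-request add-header X-Forwarded-Proto https
  reqadd X-Forwarded-Proto:\ https
```

Running `haproxy -c -f` against the edited file checks it for configuration errors before the service is reloaded.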