Hi.
On 16-03-2016 15:17, Christian Ruppert wrote:
> Hi,
>
> this is rather HAProxy unrelated so more a general problem but anyway..
> I did some tests with SSL vs. non-SSL performance and I wanted to share my
> results with you guys but also trying to solve the actual problem
>
> So here is what I did:
[snipp]
> A test without SSL, using "ab":
> # ab -k -n 5000 -c 250 http://127.0.0.1:65410/
[snipp]
> That's much worse than I expected it to be. ~144 requests per second instead of
> 42*k*. That's more than 99% performance drop. The cipher is a moderate but secure
> (for now), I doubt that changing the cipher will help a lot here. nginx and HAProxy
> performance is almost equal so it's not a problem with the server software.
> One could increase nbproc (at least in my case it only increased up to nbproc 4,
> Xeon E3-1281 v3) but that's just a rather minor enhancement. With those ~144 r/s
> you're basically lost when being under attack. How did you guys solve this problem?
> External SSL offloading, using hardware crypto foo, special cipher/settings tuning,
> simply *much* more hardware or not yet at all?
You run both client & server on the same machine.
Maybe you are running out of entropy?
Are you able to run the client on a different machine?
BR Aleks