Hi Aleks,
On 2016-03-16 15:57, Aleksandar Lazic wrote:
> Hi.
>
> On 16-03-2016 15:17, Christian Ruppert wrote:
>> Hi,
>>
>> this is rather HAProxy unrelated so more a general problem but anyway..
>> I did some tests with SSL vs. non-SSL performance and I wanted to share my
>> results with you guys but also trying to solve the actual problem
>>
>> So here is what I did:
>
> [snipp]
>
>> A test without SSL, using "ab":
>> # ab -k -n 5000 -c 250 http://127.0.0.1:65410/
>
> [snipp]
>
>> That's much worse than I expected it to be. ~144 requests per second instead of
>> 42*k*. That's more than a 99% performance drop. The cipher is moderate but secure
>> (for now), I doubt that changing the cipher will help a lot here. nginx and HAProxy
>> performance is almost equal so it's not a problem with the server software.
>> One could increase nbproc (at least in my case it only increased up to nbproc 4,
>> Xeon E3-1281 v3) but that's just a rather minor enhancement. With those ~144 r/s
>> you're basically lost when being under attack. How did you guys solve this problem?
>> External SSL offloading, using hardware crypto foo, special cipher/settings tuning,
>> simply *much* more hardware or not yet at all?
>
> You run both client & server on the same machine
>
> Maybe you are running out of entropy?
> Are you able to run the client on a different machine?
>
> BR Aleks
I also ran 2 parallel "ab" on two separate machines against a third one.
The requests per second were around ~70 r/s per host instead of ~140. So
I doubt it's an entropy problem.
--
Regards,
Christian Ruppert