On 25/11/2014 07:08 μμ, Lukas Tribus wrote: >> Hi, > > Thanks for your reply. We have tried this approach and while > it gives > some benefit, the haproxy process itself > remains cpu-bound, > with no idle time at all - with both pidstat and perf > reporting that > it uses close to 100% > of available cpu while running. I think SSL/TLS > termination is the only use case where HAProxy saturates a CPU core of a > current generation 3,4Ghz+ CPU, which is why scaling SSL/TLS is more > complex, requiring nbproc> 1. Lukas
I am experiencing the same 'expected' behavior, where SSL computation drives HAProxy CPU user level to high numbers. Using SSL tweaks like ECDSA/ECDH algorithms/TLS session id/ticketing helps but it is not the ultimate solution. HAProxy guys had a webinar about HAProxy and SSL few weeks ago, and they mentioned about using multiple processes. They also mentioned about SSL cache being shared between all these processes, which is a very efficient. Cheers, Pavlos
signature.asc
Description: OpenPGP digital signature
