Comments on: HAProxy package has landed!

By: rpg

rpg — Wed, 21 Oct 2009 10:18:00 +0000

haproxy doesn’t install on 1.2.3-RC3 embedded. Any assistance is appreciated.

By: Peter van A

Peter van A — Mon, 19 Oct 2009 14:00:17 +0000

I have the same message as Ask Bjørn Hansen only I am on 1.2.3-RC1

By: Ask Bjørn Hansen

Ask Bjørn Hansen — Sat, 17 Oct 2009 22:47:31 +0000

On 1.2.3-RC3 the install aborts with “Parse error: syntax error, unexpected T_STRING in /usr/local/pkg/haproxy.inc on line 92″.

By: Willy Tarreau

Willy Tarreau — Thu, 15 Oct 2009 20:17:20 +0000

@Oroboros: I don’t think your SSL load can be qualified as “high” as it simply does not affect a single machine. I have customers running 4 quad-proc dual-core machines at 30% CPU at only 6000 SSL connections per second. Do the math: 0.30 * 4*4*2 = 10 cores at 100% CPU. I already don’t have any single machine able to sustain this load alone. A more common quad-core machine would barely surpass 2400 SSL connections per second, or about 600 SSL connections per second per core. A same machine can to 30000 HTTP connections per second on a single core. You have a ratio of 1:50 between HTTP and HTTPS here. So I will endlessly repeat it, doing SSL on a single point is wrong if you’re looking for scalability. Doing it in order to simplify a deployment of small to medium applications however is fine.

By: Oroboros

Oroboros — Thu, 15 Oct 2009 14:22:33 +0000

Also, the HAproxy people say this:

Having SSL in the load balancer itself means that it becomes the bottleneck. When the load balancer’s CPU is saturated, the overall response times will increase and the only solution will be to multiply the load balancer with another load balancer in front of them.

We have a very high volume site running on pound with SSL offload, and I barely see the CPU being touched. On a quad core I am running about 5% peak on one core (and suspect that pound lacks true SMP capabilities as other cores appear much more idle).

Client claims their peak usage rate is 1 million visitors a day. Not sure what percentage are doing SSL though. That is only needed in the check-out process, and is likely very small relative to overall load.

With this architecture, the client makes an HTTPS request to the front-end which fulfills it with a plain HTTP request on the back end. In that way, each back-end can service more requests since they don’t have SSL overhead.

I’d like to do arp load-sharing on the front end, but I don’t think that is possible with an application proxy since client-specific values are held in pound’s memory and there is no simple way to share that.

By: Oroboros

Oroboros — Thu, 15 Oct 2009 14:01:57 +0000

@TBF: I need SSL offloading (per client’s specifications). HAProxy appears capable of doing simple tcp relaying to the SSL port, but not actual offloading. The Sept 24th update says “Developments to support keep-alive have already started, and if time permits, SSL integration will be attempted. ”

So it looks hopeful that will be added someday, and if I ever get a real SSL load-balancer with sticky http -> https transitions in pfsense, I’m committed to moving back to that architecture for this project.

By: Aldo

Aldo — Thu, 15 Oct 2009 07:49:56 +0000

I used to install pfSense and and some OpenBSD machines to have haproxy run on it.
Having a singole machine cn speed up deployment a lot.
I’m going to try to see how this all matches up with HA and failover capabilities.
Great!

By: TBF

TBF — Thu, 15 Oct 2009 03:57:01 +0000

I have used haproxy for years. It’s awesome. I’m not sure what your issue with SSL is. I pass SSL through it without any issues whatsoever. This is a huge value add to pfsense in my book!

By: Chris Buechler

Chris Buechler — Wed, 14 Oct 2009 23:41:29 +0000

JPM: not sure which URL you’re talking about, every URL in the post and comments loads fine for me.

By: JPM

JPM — Wed, 14 Oct 2009 23:39:13 +0000

@ Scott Ullrich — the URL you list results in a:

503 Service Unavailable
No server is available to handle this request.