Hi,
I am searching for help with understanding of qtime KPI nature for
haproxy, and possible optimization of my installation in this perspective.
We are using *haproxy 1.5.14* in TCP mode as a L4 load-balancer for HTTPS
endpoints for multiple domain hostnames. We are also using SNI inspection
in order to select proper backend for the request.
And I've noticed that backend *qtime* stat vaue is pretty high (200-300ms),
which disturbs me a lot. *qcur* (current queue lengh) is zero at the same
time. Are we basically slowing down all our requests by 200ms-300ms at
haproxy side? (not sure if I understood this value of qtime properly) Is it
related with SNI inspection? If yes - I am definitely searching the way to
optimize it.
All the installation - haproxy frontend as well as HTTPS backends are
living in AWS Cloud at the moment, and instance sizes are pretty big (c3,
c4), so we don't see any resource limitation.
Example of the config below. Any feedback appreciated.
==
global
log 127.0.0.1 local2
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
maxconn 40000
ulimit-n 100000
user haproxy
group haproxy
daemon
stats socket /var/lib/haproxy/stats
defaults
mode http
log global
option httplog
option dontlognull
option http-server-close
retries 3
timeout http-request 1s
timeout queue 1m
timeout connect 3s
timeout client 1m
timeout server 30s
timeout http-keep-alive 2s
timeout check 3s
maxconn 40000
frontend https-in *:443
mode tcp
option tcplog
option socket-stats
* tcp-request inspect-delay 5s
tcp-request content accept if { req_ssl_hello_type 1 }
use_backend foo-ssl if { req_ssl_sni -m beg foo }
use_backend bar-ssl if { req_ssl_sni -m beg bar }*
backend foo-ssl *:443
balance leastconn
mode tcp
option ssl-hello-chk
server foo1 x.x.x.x:443 maxconn 10000 check
server foo2 x.x.x.x:443 maxconn 10000 check
backend bar-ssl *:443
balance leastconn
mode tcp
option ssl-hello-chk
server bar1 x.x.x.x:443 maxconn 10000 check
server bar2 x.x.x.x:443 maxconn 10000 check
==
--
BR,
Pavlo Zhuk
+38093 2412222
I am searching for help with understanding of qtime KPI nature for
haproxy, and possible optimization of my installation in this perspective.
We are using *haproxy 1.5.14* in TCP mode as a L4 load-balancer for HTTPS
endpoints for multiple domain hostnames. We are also using SNI inspection
in order to select proper backend for the request.
And I've noticed that backend *qtime* stat vaue is pretty high (200-300ms),
which disturbs me a lot. *qcur* (current queue lengh) is zero at the same
time. Are we basically slowing down all our requests by 200ms-300ms at
haproxy side? (not sure if I understood this value of qtime properly) Is it
related with SNI inspection? If yes - I am definitely searching the way to
optimize it.
All the installation - haproxy frontend as well as HTTPS backends are
living in AWS Cloud at the moment, and instance sizes are pretty big (c3,
c4), so we don't see any resource limitation.
Example of the config below. Any feedback appreciated.
==
global
log 127.0.0.1 local2
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
maxconn 40000
ulimit-n 100000
user haproxy
group haproxy
daemon
stats socket /var/lib/haproxy/stats
defaults
mode http
log global
option httplog
option dontlognull
option http-server-close
retries 3
timeout http-request 1s
timeout queue 1m
timeout connect 3s
timeout client 1m
timeout server 30s
timeout http-keep-alive 2s
timeout check 3s
maxconn 40000
frontend https-in *:443
mode tcp
option tcplog
option socket-stats
* tcp-request inspect-delay 5s
tcp-request content accept if { req_ssl_hello_type 1 }
use_backend foo-ssl if { req_ssl_sni -m beg foo }
use_backend bar-ssl if { req_ssl_sni -m beg bar }*
backend foo-ssl *:443
balance leastconn
mode tcp
option ssl-hello-chk
server foo1 x.x.x.x:443 maxconn 10000 check
server foo2 x.x.x.x:443 maxconn 10000 check
backend bar-ssl *:443
balance leastconn
mode tcp
option ssl-hello-chk
server bar1 x.x.x.x:443 maxconn 10000 check
server bar2 x.x.x.x:443 maxconn 10000 check
==
--
BR,
Pavlo Zhuk
+38093 2412222