Speeding up HAProxy SSL with multiple CPU processes.

This is a guide on how to speed up SSL on HAProxy. In this post, I will show you how to dedicate specific CPU processes to HTTP and HTTPS traffic: one HAProxy process for plain HTTP traffic and three processes for HTTPS / SSL traffic.

Why?

The answer is pretty simple. Plain HTTP routing is less expensive than SSL. HTTPS requires SSL handshakes and a lot of other CPU-intensive operations. By doing this, we give HTTP its own space and we give SSL more cores to work with.

Figure out how many CPU cores you have.

First, you will need to figure out how many CPU cores your system has. A good rule of thumb is to create one HAProxy process for each core on your system. By default, HAProxy only uses one core, so we will need to change that.

If you do not know how many CPU cores your system has, then you can run the following Linux command:

In my case, the above command returned “Cores = 4”, so I will create four HAProxy processes.

Setting up the HAProxy multi-process model with nbproc.

The nbproc parameter allows us to tell HAProxy how many processes it should use. In the configuration example below, I created four separate processes and then mapped them to a specific CPU set:

Note that the nbproc parameter should be placed in the global section of your haproxy.cfg file.

What does the cpu-map directive do?

The cpu-map directive binds a process to a specific CPU set. From what I’ve read on the subject, using nbproc without the cpu-map directive is not as effective. This is because the default behavior of the Linux kernel is for processes to inherit CPU affinity from the parent. Essentially, this means that without the cpu-map directive, each HAProxy process would run on the same CPU. So instead of having four processes running on four cores, we would end up with four processes running on one CPU core.

That is not what we want to do here.

Binding processes to ports.

Now that we have four processes, we can bind them to specific ports. On a regular HAProxy setup, you might have something like this in your listen section:

In the configuration above, HAProxy is listening on the IPv4 and IPv6 versions of port 80 and port 443.

What we want to do is dedicate one process to port 80 and three processes to port 443. To do this, we can use the process option like so:

If you have separate frontend sections for HTTP and HTTPS, then you could do something like this:

In the configuration above, we did the exact same thing in a different way.
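The settings described in the sections above, collected into one haproxy.cfg as an added example (it is not the original post's configuration). The section name, certificate path and backend address are placeholders, the host is assumed to have four cores, and nbproc only exists in HAProxy versions before 2.5.

```haproxy
# Added example: hypothetical haproxy.cfg for a 4-core host (HAProxy < 2.5).
global
    # Start four processes instead of the default single process.
    nbproc 4
    # cpu-map <process number> <cpu number>: pin each process to its own
    # core so the four processes do not end up sharing one CPU.
    cpu-map 1 0
    cpu-map 2 1
    cpu-map 3 2
    cpu-map 4 3

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

listen web
    # Process 1: plain HTTP on IPv4 and IPv6.
    # v6only keeps the IPv6 socket from also claiming the IPv4 port.
    bind *:80 process 1
    bind :::80 v6only process 1

    # Processes 2, 3 and 4: HTTPS. One bind line per process gives each
    # process its own listening socket, so the TLS handshakes are spread
    # over three cores.
    # /etc/haproxy/certs/site.pem is a placeholder certificate path.
    bind *:443 ssl crt /etc/haproxy/certs/site.pem process 2
    bind *:443 ssl crt /etc/haproxy/certs/site.pem process 3
    bind *:443 ssl crt /etc/haproxy/certs/site.pem process 4
    bind :::443 v6only ssl crt /etc/haproxy/certs/site.pem process 2
    bind :::443 v6only ssl crt /etc/haproxy/certs/site.pem process 3
    bind :::443 v6only ssl crt /etc/haproxy/certs/site.pem process 4

    # Placeholder backend server (documentation address range).
    server app1 192.0.2.10:8080 check
```

Running `haproxy -c -f` against the file checks the syntax before a reload. With this layout there are eight listening sockets in total: two for port 80 and six for port 443.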

Confirming.

Once you are happy with your changes and HAProxy has been reloaded, you can confirm that your changes have taken effect by running the following command:

When I ran the command above, I saw the following results:

If you look at the PIDs, you can see that four separate HAProxy processes exist and that three of them are listening on port 443 (if you are wondering why there are eight lines above, it’s because we are supporting IPv4 and IPv6 on each port).
