Content Cache Charm

Merge ~hloeung/content-cache-charm:haproxy-config into content-cache-charm:master

  1. Git
  2. lp:~hloeung/content-cache-charm
  3. haproxy-config
  4. Merge into master
Proposed by Haw Loeung
Status: Merged
Approved by: Haw Loeung
Approved revision: f0812ea9c54e8daa955583e60c299477c0984d69
Merged at revision: a1fcac903113718953671597d4a1a46b8a3848fb
Proposed branch: ~hloeung/content-cache-charm:haproxy-config
Merge into: content-cache-charm:master
Diff against target: 76 lines (+32/-0)
4 files modified
templates/haproxy_cfg.tmpl (+8/-0)
tests/unit/files/content_cache_rendered_haproxy_test_output.txt (+8/-0)
tests/unit/files/content_cache_rendered_haproxy_test_output_auto_maxconns.txt (+8/-0)
tests/unit/files/haproxy_config_rendered_test_output.txt (+8/-0)
Reviewer Review Type Date Requested Status
Joel Sing (community) +1 Approve
Canonical IS Reviewers Pending
Canonical IS Reviewers Pending
Review via email: mp+380460@code.launchpad.net

This proposal supersedes a proposal from 2020-03-09.

Commit message

Increase HAProxy SSL/TLS session cache

Default cache size is 20k. We want to improve user experience by
reducing TTFB. Obviously this applies to vistors revisiting sites.

Rather than hardcode high values here, let's just dynamically
calculate this using global_max_connections (which is a combination of
num. of cores and num. of configured sites). Each entry requires ~200
bytes so on a host iwth say 32 CPUs, 10 sites configured, each with
the default 2000 maxconns, it will only consume around 122 Mbytes,
which is not much!

To post a comment you must log in.
Revision history for this message
🤖 Canonical IS Merge Bot (canonical-is-mergebot) wrote : Posted in a previous version of this proposal

This merge proposal is being monitored by mergebot. Change the status to Approved to merge.

Revision history for this message
🤖 Canonical IS Merge Bot (canonical-is-mergebot) wrote : Posted in a previous version of this proposal

Unable to determine commit message from repository - please click "Set commit message" and enter the commit message manually.

Revision history for this message
🤖 Canonical IS Merge Bot (canonical-is-mergebot) wrote :

This merge proposal is being monitored by mergebot. Change the status to Approved to merge.

Revision history for this message
Joel Sing (jsing) wrote :

LGTM, see comments inline.

Also, as discussed, it would be preferable to use session tickets which removes the need for state to be stored on the servers and allows session resumption across all frontends if they share keys. The challenge is ensuring frequent rotation and preferably not persisting ticket keys to disk.

review: Approve (+1)
Revision history for this message
Haw Loeung (hloeung) wrote :

Filed LP:1866746 to look into and implement session tickets.

Revision history for this message
🤖 Canonical IS Merge Bot (canonical-is-mergebot) wrote :

Change successfully merged at revision a1fcac903113718953671597d4a1a46b8a3848fb

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1diff --git a/templates/haproxy_cfg.tmpl b/templates/haproxy_cfg.tmpl
2index aee0e16..f2665dc 100644
3--- a/templates/haproxy_cfg.tmpl
4+++ b/templates/haproxy_cfg.tmpl
5@@ -24,6 +24,14 @@ global
6 # We'll eventually disable DHE (LP#1825321), but for now, bump DH params
7 tune.ssl.default-dh-param 2048
8
9+ # Increase the SSL/TLS session cache from the default 20k. But
10+ # rather than hardcode values, let's just dynamically calculate it
11+ # and using global_max_connections. Each entry requires ~200 bytes
12+ # so on a host with say 32 CPUs, 10 sites, each with 2000 max
13+ # conns will only consume around 122 Mbytes (32 * 10 * 2000 *
14+ # 200), which is not much.
15+ tune.ssl.cachesize {{global_max_connections}}
16+
17 defaults
18 log global
19 maxconn {{max_connections}}
20diff --git a/tests/unit/files/content_cache_rendered_haproxy_test_output.txt b/tests/unit/files/content_cache_rendered_haproxy_test_output.txt
21index 73063ab..6b78db5 100644
22--- a/tests/unit/files/content_cache_rendered_haproxy_test_output.txt
23+++ b/tests/unit/files/content_cache_rendered_haproxy_test_output.txt
24@@ -24,6 +24,14 @@ global
25 # We'll eventually disable DHE (LP#1825321), but for now, bump DH params
26 tune.ssl.default-dh-param 2048
27
28+ # Increase the SSL/TLS session cache from the default 20k. But
29+ # rather than hardcode values, let's just dynamically calculate it
30+ # and using global_max_connections. Each entry requires ~200 bytes
31+ # so on a host with say 32 CPUs, 10 sites, each with 2000 max
32+ # conns will only consume around 122 Mbytes (32 * 10 * 2000 *
33+ # 200), which is not much.
34+ tune.ssl.cachesize 106496
35+
36 defaults
37 log global
38 maxconn 8192
39diff --git a/tests/unit/files/content_cache_rendered_haproxy_test_output_auto_maxconns.txt b/tests/unit/files/content_cache_rendered_haproxy_test_output_auto_maxconns.txt
40index cad0ce4..51ef6a4 100644
41--- a/tests/unit/files/content_cache_rendered_haproxy_test_output_auto_maxconns.txt
42+++ b/tests/unit/files/content_cache_rendered_haproxy_test_output_auto_maxconns.txt
43@@ -24,6 +24,14 @@ global
44 # We'll eventually disable DHE (LP#1825321), but for now, bump DH params
45 tune.ssl.default-dh-param 2048
46
47+ # Increase the SSL/TLS session cache from the default 20k. But
48+ # rather than hardcode values, let's just dynamically calculate it
49+ # and using global_max_connections. Each entry requires ~200 bytes
50+ # so on a host with say 32 CPUs, 10 sites, each with 2000 max
51+ # conns will only consume around 122 Mbytes (32 * 10 * 2000 *
52+ # 200), which is not much.
53+ tune.ssl.cachesize 104000
54+
55 defaults
56 log global
57 maxconn 8000
58diff --git a/tests/unit/files/haproxy_config_rendered_test_output.txt b/tests/unit/files/haproxy_config_rendered_test_output.txt
59index e1b10d9..341f796 100644
60--- a/tests/unit/files/haproxy_config_rendered_test_output.txt
61+++ b/tests/unit/files/haproxy_config_rendered_test_output.txt
62@@ -24,6 +24,14 @@ global
63 # We'll eventually disable DHE (LP#1825321), but for now, bump DH params
64 tune.ssl.default-dh-param 2048
65
66+ # Increase the SSL/TLS session cache from the default 20k. But
67+ # rather than hardcode values, let's just dynamically calculate it
68+ # and using global_max_connections. Each entry requires ~200 bytes
69+ # so on a host with say 32 CPUs, 10 sites, each with 2000 max
70+ # conns will only consume around 122 Mbytes (32 * 10 * 2000 *
71+ # 200), which is not much.
72+ tune.ssl.cachesize 15000
73+
74 defaults
75 log global
76 maxconn 5000

Subscribers

People subscribed via source and target branches