@makarai wrote:
Hey All,
Firstly, I'd like to say that I am quite new to HAProxy and would like to display what I have set up so you guys know what my infrastructure looks like.
My overall system looks like the following and is set up to function at 1Gbit full duplex (no jumbo frames within the network, MTU 1500, MSS 1460):
```
WAN -- PFSENSE (DNS Resolver and HAProxy) -- SWITCH __ Webserver 1 -- Many Services on different Ports
                                                    \__ Webserver 2 -- Many Services on different Ports
                                                    \__ PC and Wifi things
```
Or in IP-related terms:
```
W.A.N.IP -- PFSENSE (192.168.0.1) -- SWITCH __ Webserver 1 (192.168.0.19) -- Many Services on different Ports
                                            \__ Webserver 2 (192.168.0.21) -- Many Services on different Ports
                                            \__ PC (192.168.0.172)
```
On my Webserver 1 under port 2020 I have set up an HTML5 speedtest, namely (https://github.com/adolfintel/speedtest), which works fairly nicely, i.e., if I visit 192.168.0.19:2020 I will be greeted with my speed test interface, and if I execute it, I'll get upload and download rates close to the maximum of 1Gbit; it's in the LAN, so that's great! When I visit my W.A.N.IP:2021, which is forwarded to 192.168.0.19:2020, the same applies.
However, now the HAProxy part comes in. I also have a domain, speedtest.example.wtf, and a valid SSL certificate which is offloaded with HAProxy, so when I visit https://speedtest.example.wtf I'll be greeted with my speedtest interface. However, when I execute the speedtest I'll get download rates close to and constant at 500Mbit (the webserver's upload speed) and upload rates of 1000Mbit (the server's download speed).
Now to my questions:
It is weird to me that my download rates are limited as soon as HAProxy is in between. Are there some stupid things I forgot to set up? Does SSL offloading influence this at all?
My PFSENSE:
```
Intel(R) Core(TM) i5-5250U CPU @ 1.60GHz
Current: 1400 MHz, Max: 1601 MHz
4 Gig Ram
4 CPUs: 1 package(s) x 2 core(s) x 2 hardware threads
State table size 0.4% (1640/396000)
MBUF Usage 4% (10386/246072)
```
Here is my Ha.cfg:
```
# Automaticaly generated, dont edit manually.
# Generated on: 2017-11-30 17:34
global
    maxconn 10000
    stats socket /tmp/haproxy.socket level admin
    gid 80
    nbproc 1
    chroot /tmp/haproxy_chroot
    daemon
    tune.ssl.default-dh-param 2048
    server-state-file /tmp/haproxy_server_state
    tune.ssl.maxrecord 1370
    ssl-default-bind-options no-sslv3 no-tls-tickets
    ssl-default-bind-ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

listen HAProxyLocalStats
    bind 127.0.0.1:2200 name localstats
    mode http
    stats enable
    stats admin if TRUE
    stats uri /haproxy/haproxy_stats.php?haproxystats=1
    timeout client 5000
    timeout connect 5000
    timeout server 5000

frontend frontend1_http
    bind 192.168.0.15:80 name 192.168.0.15:80
    mode http
    log global
    option http-keep-alive
    option forwardfor
    acl https ssl_fc
    http-request set-header X-Forwarded-Proto http if !https
    http-request set-header X-Forwarded-Proto https if https
    timeout client 30000
    acl acl-https hdr_beg(host) -i chat
    acl acl-https hdr_beg(host) -i ombi
    acl acl-https hdr_beg(host) -i mb
    acl acl-https hdr_beg(host) -i rss
    acl acl-https hdr_beg(host) -i latex
    acl acl-https hdr_beg(host) -i blog
    acl acl-https hdr_beg(host) -i plex
    acl acl-https hdr_beg(host) -i jd
    acl acl-https hdr_beg(host) -i home
    acl acl-https hdr_beg(host) -i fab
    acl acl-https hdr_beg(host) -i pf
    acl acl-https hdr_beg(host) -i hydra
    http-request redirect scheme https if acl-https

frontend frontend2_sni
    bind 192.168.0.15:443 name 192.168.0.15:443
    mode tcp
    log global
    timeout client 30000
    tcp-request inspect-delay 5s
    acl cloud_sni req.ssl_sni -m beg -i cloud
    tcp-request content accept if { req.ssl_hello_type 1 }
    use_backend backend_cloud_https_ipvANY if cloud_sni
    default_backend backend_offloading_https_ipvANY

frontend frontend3_offloading
    bind 127.0.0.1:1443 name 127.0.0.1:1443 ssl crt /var/etc/haproxy/frontend3_offloading.pem
    bind /tmp/haproxy_chroot/frontend3_offloading.socket name unixsocket uid 80 accept-proxy ssl crt /var/etc/haproxy/frontend3_offloading.pem
    mode http
    log global
    option http-keep-alive
    option forwardfor
    acl https ssl_fc
    http-request set-header X-Forwarded-Proto http if !https
    http-request set-header X-Forwarded-Proto https if https
    timeout client 30000
    # rspidel ^Server:.*$
    rspidel ^X-Powered-By:.*$
    rspidel ^X-AspNet-Version:.*$
    http-response set-header Strict-Transport-Security max-age=31536000;\ includeSubdomains;\ preload
    #http-response set-header X-Frame-Options SAMEDOMAIN
    http-response set-header X-Content-Type-Options nosniff
    acl chatACL hdr_beg(host) -i chat
    acl ombiACL hdr_beg(host) -i ombi
    acl latexACL hdr_beg(host) -i latex
    acl rssACL hdr_beg(host) -i rss
    acl mbACL hdr_beg(host) -i mb
    acl embyACL hdr_beg(host) -i emby
    acl plexACL hdr_beg(host) -i plex
    acl jdACL hdr_beg(host) -i jd
    acl homeACL hdr_beg(host) -i home
    acl fabACL hdr_beg(host) -i fab
    acl pfACL hdr_beg(host) -i pf
    acl hydraACL hdr_beg(host) -i hydra
    acl aclcrt_frontend3_offloading hdr_reg(host) -i ^([^\.]*)\.example\.de(:([0-9]){1,5})?$
    acl aclcrt_frontend3_offloading hdr_reg(host) -i ^example\.de(:([0-9]){1,5})?$
    use_backend backend-chat_http_ipv4 if chatACL aclcrt_frontend3_offloading
    use_backend backend-ombi_http_ipv4 if ombiACL aclcrt_frontend3_offloading
    use_backend backend-latex_http_ipv4 if latexACL aclcrt_frontend3_offloading
    use_backend backend-rss_http_ipv4 if rssACL aclcrt_frontend3_offloading
    use_backend backend-emby_http_ipv4 if embyACL aclcrt_frontend3_offloading
    use_backend backend-plex_http_ipv4 if plexACL aclcrt_frontend3_offloading
    use_backend backend-jd_http_ipv4 if jdACL aclcrt_frontend3_offloading
    use_backend backend-emby_http_ipv4 if mbACL aclcrt_frontend3_offloading
    use_backend backend-home_http_ipv4 if homeACL aclcrt_frontend3_offloading
    use_backend backend-fabian-blog_http_ipv4 if fabACL aclcrt_frontend3_offloading
    use_backend backend-pf_http_ipv4 if pfACL aclcrt_frontend3_offloading
    use_backend backend-hydra_http_ipv4 if hydraACL aclcrt_frontend3_offloading
    use_backend backend-kai-blog_http_ipv4 if aclcrt_frontend3_offloading

backend backend_cloud_https_ipvANY
    mode tcp
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    server cloud 192.168.0.21:2443 check-ssl verify none

backend backend_offloading_https_ipvANY
    mode tcp
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    server backend-to-frontend /frontend3_offloading.socket send-proxy-v2-ssl-cn check inter 1000

backend backend-chat_http_ipv4
    mode http
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    server chat 192.168.0.21:3000 check inter 1000

backend backend-ombi_http_ipv4
    mode http
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    server ombi 192.168.0.19:3579 check inter 1000

backend backend-latex_http_ipv4
    mode http
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    server latex 192.168.0.21:5000 check inter 1000

backend backend-rss_http_ipv4
    mode http
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    server rss 192.168.0.21:2280 check inter 1000

backend backend-emby_http_ipv4
    mode http
    log global
    rspadd Strict-Transport-Security:\ max-age=31536000;
    errorfile 503 /var/etc/haproxy/errorfile_backend-emby_http_ipv4_503_customerror
    timeout connect 30000
    timeout server 30000
    retries 3
    source ipv4@ usesrc clientip
    # add some security related headers
    # rspadd Content-Security-Policy:\ default-src\ https:\ data:\ 'unsafe-inline'\ 'unsafe-eval'
    rspadd X-Frame-Options:\ SAMEORIGIN
    rspadd X-Content-Type-Options:\ nosniff
    rspadd X-Xss-Protection:\ 1;\ mode=block
    server emby_warden 192.168.0.102:8096 check inter 1000

backend backend-plex_http_ipv4
    mode http
    log global
    rspadd Strict-Transport-Security:\ max-age=31536000;
    timeout connect 30000
    timeout server 30000
    retries 3
    server emby_warden 192.168.0.102:8096 check inter 1000
    server emby_wardenssl 192.168.0.102:8920 ssl check inter 1000 verify none

backend backend-jd_http_ipv4
    mode http
    log global
    rspadd Strict-Transport-Security:\ max-age=31536000;
    errorfile 503 /var/etc/haproxy/errorfile_backend-jd_http_ipv4_503_customerror
    timeout connect 30000
    timeout server 30000
    retries 3
    source ipv4@ usesrc clientip
    server jd 192.168.0.19:2020 check inter 1000

backend backend-home_http_ipv4
    mode http
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    server homepi 192.168.0.191:8123 check inter 1000

backend backend-fabian-blog_http_ipv4
    mode http
    log global
    rspadd Strict-Transport-Security:\ max-age=31536000;
    timeout connect 30000
    timeout server 30000
    retries 3
    server chat 192.168.0.21:2370 check inter 1000

backend backend-pf_http_ipv4
    mode http
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    server pf-rancherqnap 192.168.0.19:9001 check inter 1000

backend backend-hydra_http_ipv4
    mode http
    log global
    rspadd Strict-Transport-Security:\ max-age=31536000;
    timeout connect 30000
    timeout server 30000
    retries 3
    server hydra 192.168.0.19:6050 check inter 1000

backend backend-kai-blog_http_ipv4
    mode http
    log global
    rspadd Strict-Transport-Security:\ max-age=31536000;
    timeout connect 30000
    timeout server 30000
    retries 3
    server chat 192.168.0.21:2369 check inter 1000
```
Thanks Guys! Cheers
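As an added example (not part of the post above and not pfSense or HAProxy code), a small audit script that parses a pfSense-generated haproxy.cfg in the layout posted above into sections and reports two things a reviewer checks first on an offloading setup: backend server lines that speak TLS to the origin with `verify none`, and HTTP-mode frontends that do not set a Strict-Transport-Security header. The embedded configuration is a constructed excerpt modelled on the posted one.

```python
import re
# Constructed excerpt modelled on the posted pfSense-generated haproxy.cfg (not the
# poster's full file); section names, addresses and directives mirror the post.
SAMPLE_CFG = r"""
frontend frontend3_offloading
    bind 127.0.0.1:1443 name 127.0.0.1:1443 ssl crt /var/etc/haproxy/frontend3_offloading.pem
    mode http
    http-response set-header Strict-Transport-Security max-age=31536000;\ includeSubdomains;\ preload
backend backend-jd_http_ipv4
    mode http
    server jd 192.168.0.19:2020 check inter 1000
backend backend_cloud_https_ipvANY
    mode tcp
    server cloud 192.168.0.21:2443 check-ssl verify none
backend backend-plex_http_ipv4
    mode http
    server emby_wardenssl 192.168.0.102:8920 ssl check inter 1000 verify none
"""
SECTION_RE = re.compile(r"^(global|defaults|listen|frontend|backend)(?:\s+(\S+))?$")

def parse_sections(text):
    """Group the tokenised directives of a haproxy.cfg under (section_type, name) keys."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no directive
        m = SECTION_RE.match(line)
        if m:
            current = (m.group(1), m.group(2) or "")
            sections[current] = []
        elif current is not None:
            sections[current].append(line.split())
    return sections

def audit(text):
    """Two settings a reviewer checks first on an offloading setup like the posted one."""
    out = {"unverified_tls_servers": [], "http_frontends_without_hsts": []}
    for (kind, name), dirs in parse_sections(text).items():
        if kind == "backend":
            for d in dirs:
                # 'ssl'/'check-ssl' on a server line means TLS to the origin; 'verify none' skips cert validation there
                tls = d[0] == "server" and ("ssl" in d or "check-ssl" in d)
                if tls and "verify" in d and d[d.index("verify") + 1] == "none":
                    out["unverified_tls_servers"].append(f"{name}/{d[1]}")
        elif kind == "frontend" and ["mode", "http"] in dirs:
            # the HTTP-mode frontend that terminates TLS is where HSTS has to be set
            if not any(d[:2] == ["http-response", "set-header"] and "Strict-Transport-Security" in d for d in dirs):
                out["http_frontends_without_hsts"].append(name)
    return out
```

Run `audit(open("/var/etc/haproxy/haproxy.cfg").read())` on the real file to get the same report for the full configuration.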