Skip to content
Closed
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
33 changes: 33 additions & 0 deletions bench-scripts/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -57,6 +57,33 @@ Apart from adjusting paths in nginx.conf the script also sets
option `work_process` to auto. Nginx server configuration is
saved along the results for each test.

## HA-proxy

The HA-proxy configuration for tests is based on State of SSL stacks [8]
paper published by HA-proxy project. The test uses chain of 10 hA-proxy
instances by default. You may use `BENCH_PROXY_CHAIN` env. variable to
change that. The test collects results for 1, 2, 4, ..., 32, 64 threads.
It uses h1load [9] and siege [6]. Both HA-proxy and h1load client are
linked with target SSL library for testing. The h1load client runs with
options as follows:

# h1load \
-c 1280 \ # 1280 concurrent connections
-n 40000 \ # 40000 requests per connection
-r 1 \ # 1 request per connection
-P \ # gather percentile data (currently not processsed)
-t 64 \ # number of threads
https://127.0.0.1:xxxx

The h1load client fetches a static content provided by HA-proxy. The benchmark
uses the h1load test duration to compare SSL libraries. The longer duration the
worse result.

The siege client does not build with aws-lc library. To workaround that,
all siege tests connect to HA-proxy via, which then establishes SSL connection
towards httpterm [10] server. To collect performance data The siege client
executes requests which fetch 1k of data from httpterm server.

## Build requirements

Requirements for ubuntu are the following:
Expand Down Expand Up @@ -145,3 +172,9 @@ should be named as `bench_run_xtool.sh`
[6]: https://www.joedog.org/siege-home/

[7]: https://www.joedog.org/siege-manual/

[8]: https://www.haproxy.com/blog/state-of-ssl-stacks

[9]: https://github.com/wtarreau/h1load

[10]: https://github.com/wtarreau/httpterm
96 changes: 57 additions & 39 deletions bench-scripts/bench_config_haproxy.sh
Original file line number Diff line number Diff line change
Expand Up @@ -144,15 +144,14 @@ global
ssl-server-verify none

EOF

}

function emit_frontend {
typeset HAPROXY_CONF=$1
typeset REUSE_LABEL=$2
typeset BASEPORT=$3
typeset PROXYCERT=$4
typeset SSL_REUSE=$5
typeset HAPROXY_CONF=$1
typeset REUSE_LABEL=$2
typeset BASEPORT=$3
typeset PROXYCERT=$4
typeset SSL_REUSE=$5


cat <<EOF >> ${HAPROXY_CONF}
Expand All @@ -172,12 +171,16 @@ frontend port${BASEPORT}
EOF
}

#
# http connection to httpterm server. The server
# does not support https
#
function emit_httpterm {
typeset HAPROXY_CONF=$1
typeset REUSE_LABEL=$2
typeset BASEPORT=$3
typeset PROXYCERT=$4
typeset SSL_REUSE=$5
typeset HAPROXY_CONF=$1
typeset REUSE_LABEL=$2
typeset BASEPORT=$3
typeset PROXYCERT=$4
typeset SSL_REUSE=$5

cat <<EOF >> ${HAPROXY_CONF}
defaults ${REUSE_LABEL}
Expand All @@ -199,24 +202,32 @@ backend httpterm${BASEPORT}
EOF
}

#
# make runtime stats available on URL below.
# https://127.0.0.1:{$PORT_RSA_REUSE, $PORT_RSA}, $PORT_EC_REUSE, $PORT_EC}/stats
# see link here to find more information on this:
# https://www.haproxy.com/documentation/haproxy-configuration-tutorials/alerts-and-monitoring/statistics/
#
function emit_stats {
typeset HAPROXY_CONF=$1
typeset BASEPORT=$2
typeset PROXYCERT=$3
typeset HAPROXY_CONF=$1
typeset BASEPORT=$2
typeset PROXYCERT=$3

cat <<EOF >> ${HAPROXY_CONF}
listen port${BASEPORT}
bind ${HOST}:${BASEPORT} ssl crt ${PROXYCERT}
stats enable
stats refresh 5s
stats uri /stats
server next ${HOST}:$(( ${BASEPORT} - 1))

EOF
}

function emit_https_port {
typeset HAPROXY_CONF=$1
typeset PORT=$2
typeset PROXYCERT=$3
typeset HAPROXY_CONF=$1
typeset PORT=$2
typeset PROXYCERT=$3
cat <<EOF >> ${HAPROXY_CONF}
listen port${PORT}
bind ${HOST}:${PORT} ssl crt ${PROXYCERT}
Expand All @@ -225,10 +236,15 @@ listen port${PORT}
EOF
}

#
# the http port is used by siege client.
# proxy accepts http connections and then
# connects with https towards proxy-chain
#
function emit_http_port {
typeset HAPROXY_CONF=$1
typeset HTTP_PORT=$2
typeset PORT=$3
typeset HAPROXY_CONF=$1
typeset HTTP_PORT=$2
typeset PORT=$3

cat <<EOF >> ${HAPROXY_CONF}
listen port${HTTP_PORT}
Expand Down Expand Up @@ -273,6 +289,7 @@ function config_haproxy {
typeset BASEPORT_RSA=''
typeset BASEPORT_EC_REUSE=''
typeset BASEPORT_EC=''
typeset EMIT_STATS=0

if [[ -z "${SSL_LIB}" ]] ; then
SSL_LIB='openssl-=master'
Expand Down Expand Up @@ -321,23 +338,24 @@ function config_haproxy {
emit_httpterm ${HAPROXY_CONF} ${REUSE_LABEL} ${BASEPORT} ${PROXYCERT} ${SSL_REUSE}
fi

TOPPORT=$(( ${BASEPORT} + ${PROXY_CHAIN} ))
BASEPORT=$(( ${BASEPORT} + 1))
TOPPORT=$(( ${BASEPORT} + ${PROXY_CHAIN} - 1 ))
emit_stats ${HAPROXY_CONF} ${BASEPORT} ${PROXYCERT}

BASEPORT=$(( ${BASEPORT} + 1))
EMIT_STATS=1
for PORT in $(seq ${BASEPORT} ${TOPPORT}) ; do
emit_https_port ${HAPROXY_CONF} ${PORT} ${PROXYCERT}
if [[ ${EMIT_STATS} -eq 1 ]] ; then

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

indent is off

emit_stats ${HAPROXY_CONF} ${BASEPORT} ${PROXYCERT}
EMIT_STATS=0
else
emit_https_port ${HAPROXY_CONF} ${PORT} ${PROXYCERT}
fi
done

PORT=$(( ${TOPPORT} + 1 ))
#
# tests use siege client without https support.
# so here we create http to https proxy. The proxy
# is created for no-reuse tests only.
#
if [[ ${REUSE_LABEL} = 'no-ssl-reuse' ]] ; then
PORT=$(( ${TOPPORT} + 1 ))
HTTP_PORT=$(( ${PORT} + 1))
emit_http_port ${HAPROXY_CONF} ${HTTP_PORT} ${PORT}
fi
Expand Down Expand Up @@ -380,21 +398,21 @@ function setup_tests {
clean_build

cd "${WORKSPACE_ROOT}"
install_wolfssl 5.8.2 '--enable-haproxy --enable-quic'
install_haproxy wolfssl-5.8.2
install_httpterm wolfssl-5.8.2
install_h1load wolfssl-5.8.2
install_siege wolfssl-5.8.2
config_haproxy wolfssl-5.8.2
install_wolfssl ${HAPROXY_WOLF_VERSION} '--enable-haproxy --enable-quic'
install_haproxy wolfssl-${HAPROXY_WOLF_VERSION}
install_httpterm wolfssl-${HAPROXY_WOLF_VERSION}
install_h1load wolfssl-${HAPROXY_WOLF_VERSION}
install_siege wolfssl-${HAPROXY_WOLF_VERSION}
config_haproxy wolfssl-${HAPROXY_WOLF_VERSION}
clean_build

cd "${WORKSPACE_ROOT}"
install_libressl 4.1.0
install_haproxy libressl-4.1.0
install_httpterm libressl-4.1.0
install_h1load libressl-4.1.0
install_siege libressl-4.1.0
config_haproxy libressl-4.1.0
install_libressl ${HAPROXY_LIBRE_VERSION}
install_haproxy libressl-${HAPROXY_LIBRE_VERSION}
install_httpterm libressl-${HAPROXY_LIBRE_VERSION}
install_h1load libressl-${HAPROXY_LIBRE_VERSION}
install_siege libressl-${HAPROXY_LIBRE_VERSION}
config_haproxy libressl-${HAPROXY_LIBRE_VERSION}
clean_build

#
Expand Down
Loading