I've setup a simple haproxy instance on a clean install of Debian 10 Buster. I've added some simple necessary config to enable the passthrough to the IP address in question (which has been redacted in the below config).
The config file:
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
stats timeout 30s
user haproxy
group haproxy
daemon
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# Default ciphers to use on SSL-enabled listening sockets.
# For more information, see ciphers(1SSL). This list is from:
# https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
# An alternative list with additional directives can be obtained from
# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
ssl-default-bind-options no-sslv3
defaults
log global
mode http
option httplog
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
frontend myfrontend
bind *:80
mode tcp
default_backend mybackendhttp
frontend myfrontendhttps
bind *:443
mode tcp
use_backend mybackendhttps
backend mybackendhttp
mode tcp
option ssl-hello-chk
server server1 ***********:80
backend mybackendhttps
mode tcp
option ssl-hello-chk
server server1 ************:443
The changes I did (if I do a diff with the original file) (redacted ip):
+
+
+frontend myfrontend
+ bind *:80
+ mode tcp
+ default_backend mybackendhttp
+
+frontend myfrontendhttps
+ bind *:443
+ mode tcp
+ use_backend mybackendhttps
+
+backend mybackendhttp
+ mode tcp
+ option ssl-hello-chk
+ server server1 ***********:80
+
+backend mybackendhttps
+ mode tcp
+ option ssl-hello-chk
+ server server1 **********:443
Everything works correctly, but for some reason the network performance is incredibly slow when doing a browser request from my PC, curl request via command line or mobile, I'm getting about 200-300kb/s when usually I'd be getting around 10x that.
If I try the same request via curl on a VPS I get a much higher speed (5000kb/s).
The haproxy is running on a GCP compute instance VM so I doubt it'd be a network bandwidth issue, but I can try setup a simple static http service and see how that compares.
What might be the cause of the issue? How could I diagnose this? Would enabling logs on haproxy provide better insight into this issue?
I have come across the following question which also seems to describe similar behavior:
HAProxy SSL Responses Very Slow
the OpenSSL library needs to have the hostname properly set in /etc/hosts
However it's not clear to me what "properly set" means.
