I have a question about HAproxy SSL performance with large downloads:

Using a NAT port forward to an internal HTTPS nginx server, I get full wire speed (i.e. 45 MByte/s) from the outside, but using HAproxy following this tutorial, I am limited to download speeds of ~4-5 MByte/s.

I have tried to use HTTP instead of HTTPS for the backend server connection to no avail.

I suspected that the SSL termination would lead to an interrupt of the streaming flow in that each packet must be acknowledged over the whole chain before the next one can get requested, so I have somewhat optimized my throughput by a factor of 2 via this tuning:

Code:
    tune.h2.max-frame-size 4048576
    tune.pipesize 4048576
    tune.h2.initial-window-size 1048576
    tune.h2.be.initial-window-size 1048576
    tune.h2.fe.initial-window-size 1048576

But it seems that the HTTPS termination within HAproxy itself is the culprit. I found some other source that suggests there might be a problem with only some ISPs showing that behaviour when SSL traffic is terminated by HAproxy.

Does everybody else see this or may my ISP really be the culprit?
That's strange... Do you have OPNsense version 24.1.6 installed?
I also use direct peering, no tunnels or anything. FWIW, the issue does not happen when I access the port from inside, i.e. without any delays. So it is not a general bottleneck. I see it happen only when I access the service from outside, with different counterparts.
- OpenSSL: version 3.1 is now supported. It's less slow than 3.0 but still significantly slower than 1.1.1, but might be usable for most users with a low enough traffic.