Set HAProxy Diffie-Hellman key size to 2048 #685
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
HA-Proxy version on RasPi Buster is
HA-Proxy version 1.8.19-1+rpi1 2019/03/14
Running a test of the config file
sudo haproxy -c -f /etc/haproxy/haproxy.cfg
Generates the warning
```
[WARNING] 291/152612 (2843) : Setting tune.ssl.default-dh-param to 1024 by default,
if your workload permits it you should set it to at least 2048.
Please set a value >= 1024 to make this warning disappear.
```
Documentation for this feature states that higher values might increase server load.
Higher values increase CPU load and may not be supported by some clients (IE:Java 7).
Tested with values both at 1024 and 2048
Assuming that the use-case for OctoPrint is usually one user at a time,
tested on a RasPi 3B with `ab -n 20 -c 1 ...` and also tested by firefox browser
by refreshing the home page at about 1 request per second.
Load tests showed no measureable difference in user load (uptime)
between a value of 1024 and the recommend value 2048.
Tests using `ab` showed no measurable difference in response time or failure rate
between 1024 and 2048 (2048 was actually faster, but might have been due to caching).
Adding `tune.ssl.default-hd-param 2048` to haproxy.cfg file gets rid of
warning message and does not measurably impact performance
|
I would set the commit message to 'Set HAProxy Diffie-Hellman key size to 2048.' |
guysoft
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Testing the haproxy.cfg file using the version of haproxy installed by OctoPi generates a warning.
HA-Proxy version on RasPi Buster is
HA-Proxy version 1.8.19-1+rpi1 2019/03/14
To test the config file by haproxy use the '-c' (check) flag as
sudo haproxy -c -f /etc/haproxy/haproxy.cfgwhich generates the warning
HA-Proxy Documentation for tune.ssl.default-dh-param feature states
Higher values increase CPU load and may not be supported by some clients (IE:Java 7).This only affects SSL traffic. Non-encrypted traffic is unaffected.
Adding
tune.ssl.default-hd-param XXXXto haproxy.cfg file gets rid of haproxywarning message where XXXX can be any positive integer.
Tested with values both at 1024 (default) and 2048 (recommended)
Tested on a RasPi 3B with
ab -n 20 -c 1 ...and also tested by firefox browserby refreshing the home page at about 1 request per second. (e.g. a few people
impatiently reloading the OctoPrint pages repeatedly).
Load tests showed no measurable difference in user load (uptime)
between a value of 1024 and the recommend value 2048.
Tests using
abshowed no measurable difference in response time or failure ratebetween 1024 and 2048 (2048 was actually faster, but might have been due to caching).
HA-Proxy recommended value of 2048 does not measurably impact
performance vs the default of 1024.