> 2) you didn't specify any process binding in ssl_termination, so the
> kernel wakes all processes with incoming connections, and a few of
> them take some and the other ones go back to sleep. With a kernel
> 3.9 or later, you can multiply the "bind" lines and bind each of them
> to a different process. The load will be much better distributed:
>
> listen ssl_termination
>   bind 0.0.0.0:443 process 1 ssl crt /webapps/ssl/haproxy.new.crt ciphers AES-128-CBC:HIGH:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!AESGCM no-ssl3
>   bind 0.0.0.0:443 process 2 ssl crt /webapps/ssl/haproxy.new.crt ciphers AES-128-CBC:HIGH:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!AESGCM no-ssl3
>   ...

According to the docs, the process parameter supports lists and ranges, so
wouldn't it be better to use this syntax to avoid all the duplication
of parameters:

listen ssl_termination
  bind 0.0.0.0:443 process 1-X ssl crt /webapps/ssl/haproxy.new.crt ciphers AES-128-CBC:HIGH:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!AESGCM no-ssl3

Regards,
Dennis