Merge "Optimize HAProxy SSL cache size"

octavia/common/jinja/haproxy/combined_listeners/jinja_cfg.py

@@ -187,6 +187,9 @@ class JinjaTemplater(object):
             constants.INSECURE_FORK)
         enable_prometheus = prometheus_listener and feature_compatibility.get(
             lib_consts.PROTOCOL_PROMETHEUS, False)
+        term_https_listener = any(
+            lsnr.protocol == lib_consts.PROTOCOL_TERMINATED_HTTPS for lsnr in
+            listeners)
 
         jinja_dict = {
             'loadbalancer': loadbalancer,
@@ -209,6 +212,25 @@ class JinjaTemplater(object):
         except (KeyError, TypeError):
             pass
 
+        if term_https_listener:
+            try:
+                mem = amp_details["memory"]
+                # Account for 32 KB per established connection for each
+                # pair of HAProxy network sockets. Use 1024 as fallback
+                # because that is what ulimit -n typically returns.
+                max_conn_mem_kb = 32 * loadbalancer.get(
+                    "global_connection_limit", 1024)
+                # Use half of the remaining memory for SSL caches
+                ssl_cache_mem_kb = (mem["free"] + mem["buffers"] +
+                                    mem["cached"] - max_conn_mem_kb) // 2
+                # A cache block uses about 200 bytes of data.
+                # The HAProxy default of ssl_cache (20000) would take up
+                # 4000 KB. We don't want to go below that.
+                if ssl_cache_mem_kb > 4000:
+                    jinja_dict["ssl_cache"] = ssl_cache_mem_kb * 5
+            except (KeyError, TypeError):
+                pass
+
         return self._get_template().render(
             jinja_dict, constants=constants, lib_consts=lib_consts)
 

octavia/common/jinja/haproxy/combined_listeners/templates/base.j2

@@ -26,6 +26,9 @@ global
     {% if loadbalancer.global_connection_limit is defined %}
     maxconn {{ loadbalancer.global_connection_limit }}
     {% endif %}
+    {% if ssl_cache is defined %}
+    tune.ssl.cachesize {{ ssl_cache }}
+    {% endif %}
     {%- if cpu_count is defined and cpu_count > 1 %}
     nbthread {{ cpu_count - 1 }}
     cpu-map auto:1/1-{{ cpu_count - 1 }} 1-{{ cpu_count - 1 }}

releasenotes/notes/tweak-ssl-cachesize-6893851feed43975.yaml

@@ -0,0 +1,9 @@
+---
+other:
+  - |
+    When a HTTPS termination listener gets configured, Octavia will tweak the
+    HAProxy `tune.ssl.cachesize` setting to use about half of the available
+    memory (free + buffers + cached) on the amphora minus the memory needed
+    for network sockets based on the global max connections setting.
+    This allows to make better reuse of existing SSL sessions and
+    helps to lower the number of computationally expensive SSL handshakes.