HAProxy SSL 连接

我们正在使用HA-Proxy version 1.5.11 2015/01/31，从昨天开始我们注意到通过 https 对我们服务的所有请求都非常慢。从 Chrome 开发者控制台，我们可以看到以下时间：

Initial Connection 7.59s
SSL 6.42s

我们测试了套接字统计数据

# ss -s
Total: 2080 (kernel 2088)
TCP: 2674 (estab 2141, closed 433, orphaned 84, synrecv 0, timewait 433/0), ports 0

因此，可能远低于 65k 个端口。

以下是我们的 haproxy.cfg

# Global configuration
global
  log 127.0.0.1 local0 notice
  maxconn 50000
  stats socket /tmp/proxystats level admin
  tune.ssl.default-dh-param 2048
  #user deploy
  #group deploy
  #daemon
  tune.bufsize 32768

# Default configuration
defaults
  log global
  mode http
  option httplog
  option dontlognull
  stats enable
  stats uri /proxystats
  stats auth username:pass
  stats realm Haproxy\ Statistics
  stats refresh 5s
  timeout connect 120000
  timeout client 120000
  timeout server 120000
  option redispatch
  option forwardfor
  option http-server-close
  errorfile 500 /etc/haproxy/errors/503.http
  errorfile 502 /etc/haproxy/errors/503.http
  errorfile 503 /etc/haproxy/errors/503.http

# HTTP frontend configuration
frontend http
  mode http
  bind *:80
  #redirect scheme https if !{ ssl_fc }
  redirect prefix https://myservice.com code 301 if { hdr(host) -i myservice.com }
  acl www       hdr(host) -i www.myservice.com
  acl api       hdr(host) -i api.myservice.com
  acl browser   hdr(host) -i br-rx.myservice.com
  use_backend api_server if www
  use_backend api_server if api
  use_backend browser_receiver if browser


# HTTPs frontend configuration
frontend https
  mode http
  bind *:443 ssl crt <our .com pem> crt <second domain pem> crt <third domain pem>
  redirect prefix https://www.myservice.com code 301 if { hdr(host) -i myservice.com }
  use_backend api_server if { ssl_fc_sni www.myservice.com }
  use_backend api_server if { ssl_fc_sni api.myservice.com }
  use_backend browser_receiver if { ssl_fc_sni br-rx.myservice.com }

系统内的CPU和Memory正常。CPU 9.3%, MEM: 335MB

我们还可以在哪里开始寻找？