mirror of
https://github.com/haproxy/haproxy.git
synced 2026-03-23 02:43:39 -04:00
5d0f5f8168
This introduces 3 new settings: tune.h2.be.max-frames-at-once and tune.h2.fe.max-frames-at-once, which limit the number of frames that will be processed at once for backend and frontend side respectively, and tune.h2.fe.max-rst-at-once which limits the number of RST_STREAM frames processed at once on the frontend. We can now yield when reading too many frames at once, which allows to limit the latency caused by processing too many frames in large buffers. However if we stop due to the RST budget being depleted, it's most likely the sign of a protocol abuse, so we make the tasklet go to BULK since the goal is to punish it. By limiting the number of RST per loop to 1, the SSL response time drops from 95ms to 1.6ms during an H2 RST flood attack, and the maximum SSL connection rate drops from 35.5k to 28.0k instead of 11.8k. A moderate SSL load that shows 1ms response time and 23kcps increases to 2ms with 15kcps versus 95ms and 800cps before. The average loop time goes down from 270-280us to 160us, while still doubling the attack absorption rate with the same CPU capacity. This patch may usefully be backported to 3.3 and 3.2. Note that to be effective, this relies on the following patches: MEDIUM: sched: do not run a same task multiple times in series MINOR: sched: do not requeue a tasklet into the current queue MINOR: sched: do not punish self-waking tasklets anymore MEDIUM: sched: do not punish self-waking tasklets if TASK_WOKEN_ANY MEDIUM: sched: change scheduler budgets to lower TL_BULK |
||
|---|---|---|
| .. | ||
| design-thoughts | ||
| internals | ||
| lua-api | ||
| 51Degrees-device-detection.txt | ||
| acl.fig | ||
| coding-style.txt | ||
| configuration.txt | ||
| cookie-options.txt | ||
| DeviceAtlas-device-detection.txt | ||
| gpl.txt | ||
| haproxy.1 | ||
| HAProxyCommunityEdition_60px.png | ||
| haterm.txt | ||
| intro.txt | ||
| lgpl.txt | ||
| linux-syn-cookies.txt | ||
| lua.txt | ||
| management.txt | ||
| netscaler-client-ip-insertion-protocol.txt | ||
| network-namespaces.txt | ||
| peers-v2.0.txt | ||
| peers.txt | ||
| proxy-protocol.txt | ||
| queuing.fig | ||
| regression-testing.txt | ||
| seamless_reload.txt | ||
| SOCKS4.protocol.txt | ||
| SPOE.txt | ||
| WURFL-device-detection.txt | ||
