Re: Fwd: Re: [tcpm] FW: Call for Adoption: TCP Tuning for HTTP
Willy Tarreau <w@1wt.eu> Mon, 07 March 2016 07:01 UTC
Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F26071B354F for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Sun, 6 Mar 2016 23:01:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.903
X-Spam-Level:
X-Spam-Status: No, score=-6.903 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2Kx7RuPiFx5Q for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Sun, 6 Mar 2016 23:01:21 -0800 (PST)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F27491B354D for <httpbisa-archive-bis2Juki@lists.ietf.org>; Sun, 6 Mar 2016 23:01:20 -0800 (PST)
Received: from lists by frink.w3.org with local (Exim 4.80) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1acp5G-0006Co-5J for ietf-http-wg-dist@listhub.w3.org; Mon, 07 Mar 2016 06:56:02 +0000
Resent-Date: Mon, 07 Mar 2016 06:56:02 +0000
Resent-Message-Id: <E1acp5G-0006Co-5J@frink.w3.org>
Received: from lisa.w3.org ([128.30.52.41]) by frink.w3.org with esmtps (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <w@1wt.eu>) id 1acp59-0006By-3V for ietf-http-wg@listhub.w3.org; Mon, 07 Mar 2016 06:55:55 +0000
Received: from wtarreau.pck.nerim.net ([62.212.114.60] helo=1wt.eu) by lisa.w3.org with esmtp (Exim 4.80) (envelope-from <w@1wt.eu>) id 1acp57-0004mx-DC for ietf-http-wg@w3.org; Mon, 07 Mar 2016 06:55:54 +0000
Received: (from willy@localhost) by mail.home.local (8.14.4/8.14.4/Submit) id u276tRIY011206; Mon, 7 Mar 2016 07:55:27 +0100
Date: Mon, 07 Mar 2016 07:55:27 +0100
From: Willy Tarreau <w@1wt.eu>
To: Kari Hurtta <hurtta-ietf@elmme-mailer.org>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <20160307065527.GA11185@1wt.eu>
References: <20160305062609.E5D46209A@welho-filter1.welho.com> <20160305072653.GA31072@1wt.eu>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <201603050831.u258VCO2015766@shell.siilo.fmi.fi>
User-Agent: Mutt/1.4.2.3i
Received-SPF: pass client-ip=62.212.114.60; envelope-from=w@1wt.eu; helo=1wt.eu
X-W3C-Hub-Spam-Status: No, score=-7.0
X-W3C-Hub-Spam-Report: AWL=0.926, BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, W3C_AA=-1, W3C_IRA=-1, W3C_IRR=-3, W3C_WL=-1
X-W3C-Scan-Sig: lisa.w3.org 1acp57-0004mx-DC bee8d73ddcc5379e455ab6584087c32f
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Fwd: Re: [tcpm] FW: Call for Adoption: TCP Tuning for HTTP
Archived-At: <http://www.w3.org/mid/20160307065527.GA11185@1wt.eu>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/31208
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
[ I thought you also forwarded my response to the list but it seems not, so here it comes again, please keep the list CCed in future conversations, that's useful for everyone ] On Sat, Mar 05, 2016 at 08:26:53AM +0100, Willy Tarreau wrote: > Hello Kari, > > On Sat, Mar 05, 2016 at 08:26:27AM +0200, Kari Hurtta wrote: > > > > ( not posted to list ) > > > > https://lists.w3.org/Archives/Public/ietf-http-wg/2016JanMar/0330.html > > > > > What 17-year old wheels ? The only one I know about consists in patching > > > kernels to force shorter timewaits in order not to block outgoing > > > connections when the rate approaches 1000/s. Until we have 32 bits for > > > the source port, these are the only two options. At some point one must > > > not wonder why more and more the transport is migrating to userland :-/ > > > > > > Not actually, if talk is about reverse-proxy which sits front > > of web server pool. > > > > These two are not ONLY options. > > > > One possiblity: (which certain devices uses) > > > > * Do not "nat" connection from reverse proxy to webserver to > > proxy's local address. Instead use same source address on that > > connection than what was on http -request which reverse > > proxy reserved from client. > > > > In that may there equal number (or bigger number) of available > > (source address, source port, target address, target port) > > tupples than what was on client which sent request to > > reverse proxy (*). > > Yes but this is limited to very few deployment scenarios, where > the reverse proxy can be installed in cut-through between all > the clients and the servers. This type of deployment is very > rare nowadays because applications look more like a set of > components which all interact together and which have to pass > through the LB as well to reach another server on the same LAN, > possibly coming back to the same machine. > > This is not usable in cloud environments (flat networks), with > CDNs (remote proxies) nor in all environments where the proxies > are more application servers than infrastructure components and > which do not run with root priviledges. > > > Web servers neeed to be default route (for connections > > received to that interface which sits on network between > > reverse proxy and webserver) to poit to reverse proxy. > > Yep definitely. Also there's another issue which comes with > doing this, it's that you have to have as short a TIME_WAIT > timeout as your shorter client's, otherwise some clients will > not get the reverse-proxy to forward their connection to the > server as it will act as sort of a "time-wait amplifier", > keeping these states longer than the client. > > > Reverse proxy need to able open TCP connection whit > > any source address (not just local address). > > > > Actually from this there is variations: > > > > # reuse connection from proxy to web server for several > > http request. On that situation web server does not > > see original source address address of client (but > > instead of some unrelated client -- this have some > > affects to access control) > > This is a no-go in most environments, especially when it comes > to logging or DoS/brute-force protection. Also many proxy to > server connection cannot safely be shared between incoming > clients because normally you should only send an idempotent > request over pre-existing connections if it's the first one > of this connection, since the proxy is not allowed to replay > non-idempotent ones and the client will not replay the first > one on failure. And some protocols do not allow connections > to be shared. For example, SSL advertises the SNI or presents > the client's cert during the handshake. That connection sort > of becomes "private" at this point. > > > # "Nat" source address, but use pool of source addresses > > instead. If you use say 500 different source address, > > then you quite many available (source address, > > source port, target address, target port), so you can > > handle to 500 * 1000 connections per second from > > reverse proxy to webserver. > > That's what is done in environments which need more than 64k > connections per server, but you'll agree that it's an aberration > to consume a lot of internet addresses that remain unused most > of the time just to work around a timing issue! > > > You can guess what reverse proxy product uses these > > kind solutions. Perhaps there is also others. > > Oh yes I know quite well what type of proxy supports this, as I > have implemented this type of transparent proxying into haproxy. > However I note that while it was an absolute requirement about > 5 years ago for various deployment situations, nowadays we don't > see any more demand for this nor situations where it can still > be deployed since networks are less hierarchical and flatter > with some DMZ. The *only* remaining case is SMTP/IMAP, and even > some SMTP servers have implemented haproxy's proxy protocol to > get rid of the shortcomings of transparent proxying. > > > So it is not that you have only two options. > > Absolutely, your points should also be noted in the doc, it's > too bad you didn't post to the list :-) > > Regards, > Willy >
- Call for Adoption: TCP Tuning for HTTP Mark Nottingham
- Re: Call for Adoption: TCP Tuning for HTTP Willy Tarreau
- Re: Call for Adoption: TCP Tuning for HTTP Tim Wicinski
- Re: Call for Adoption: TCP Tuning for HTTP Cory Benfield
- Re: Call for Adoption: TCP Tuning for HTTP Thomas Mangin
- Re: Fwd: Re: [tcpm] FW: Call for Adoption: TCP Tu… Willy Tarreau
- Re: Call for Adoption: TCP Tuning for HTTP Scharf, Michael (Nokia - DE)
- Fwd: Re: [tcpm] FW: Call for Adoption: TCP Tuning… Joe Touch
- Re: Fwd: Re: [tcpm] FW: Call for Adoption: TCP Tu… Joe Touch
- Re: Fwd: Re: [tcpm] FW: Call for Adoption: TCP Tu… Willy Tarreau
- Re: Fwd: Re: [tcpm] FW: Call for Adoption: TCP Tu… Joe Touch
- Re: Fwd: Re: [tcpm] FW: Call for Adoption: TCP Tu… Willy Tarreau
- Re: Fwd: Re: [tcpm] FW: Call for Adoption: TCP Tu… Joe Touch
- Re: Fwd: Re: [tcpm] FW: Call for Adoption: TCP Tu… Joe Touch
- Re: Fwd: Re: [tcpm] FW: Call for Adoption: TCP Tu… Patrick McManus
- Re: Fwd: Re: [tcpm] FW: Call for Adoption: TCP Tu… Willy Tarreau
- Re: Fwd: Re: [tcpm] FW: Call for Adoption: TCP Tu… Willy Tarreau
- Re: Fwd: Re: [tcpm] FW: Call for Adoption: TCP Tu… Joe Touch
- Re: Fwd: Re: [tcpm] FW: Call for Adoption: TCP Tu… Willy Tarreau
- Re: Fwd: Re: [tcpm] FW: Call for Adoption: TCP Tu… Joe Touch
- Re: Fwd: Re: [tcpm] FW: Call for Adoption: TCP Tu… Patrick McManus
- Re: Fwd: Re: [tcpm] FW: Call for Adoption: TCP Tu… Willy Tarreau
- Re: [tcpm] Call for Adoption: TCP Tuning for HTTP Mark Nottingham
- Re: [tcpm] Call for Adoption: TCP Tuning for HTTP Tim Wicinski
- Re: [tcpm] Call for Adoption: TCP Tuning for HTTP Willy Tarreau
- [Reposted to list] Re: Fwd: Re: [tcpm] FW: Call f… Kari Hurtta
- Re: [tcpm] Call for Adoption: TCP Tuning for HTTP Ben Niven-Jenkins
- Re: Fwd: Re: [tcpm] FW: Call for Adoption: TCP Tu… Yoshifumi Nishida
- Re: [tcpm] Call for Adoption: TCP Tuning for HTTP Willy Tarreau
- Re: Fwd: Re: [tcpm] FW: Call for Adoption: TCP Tu… Willy Tarreau
- Re: Fwd: Re: [tcpm] FW: Call for Adoption: TCP Tu… Yoshifumi Nishida
- RE: Call for Adoption: TCP Tuning for HTTP Salvatore Loreto
- RE: Call for Adoption: TCP Tuning for HTTP Daniel Stenberg
- Re: Call for Adoption: TCP Tuning for HTTP Leif Hedstrom
- Re: Call for Adoption: TCP Tuning for HTTP Amos Jeffries
- Re: Fwd: Re: [tcpm] FW: Call for Adoption: TCP Tu… Willy Tarreau
- Re: Call for Adoption: TCP Tuning for HTTP Leif Hedstrom
- Re: Call for Adoption: TCP Tuning for HTTP Joe Touch
- Re: Call for Adoption: TCP Tuning for HTTP Matthew Kerwin
- RE: Call for Adoption: TCP Tuning for HTTP Daniel Stenberg
- RE: Call for Adoption: TCP Tuning for HTTP Daniel Stenberg