Hi

On Thu, 2010-02-25 at 15:35 -0800, David Birdsong wrote:
> On Thu, Feb 25, 2010 at 12:48 AM, Willy Tarreau <w...@1wt.eu> wrote:
> > Hi David,
> >
> > On Wed, Feb 24, 2010 at 06:06:26PM -0800, David Birdsong wrote:
> >> I'm autogenerating haproxy configs on some of our front ends and
> >> appending a growing set of IP addresses that we'll ban. Does this
> >> scale well in haproxy? Can I expect performance to drop as the list
> >> grows and grows or is this implemented in a way that scales pretty
> >> horizontally?
> >
> > Yes the performance will drop but not *that* much, because IP ACLs
> > check is quite fast. Just put as many IPs per line as you can.
> >
> > I have plans to load IP ranges from a file and to perform dichotomic
> > search on them (which will be even faster than tree search due to
> > lower memory footprint). It would make it possible to load millions
> > of IP addresses without a noticeable performance degradation. It's
> > just not there yet.
> >
> > I also plan to add ACL matches for stickiness tables. That will allow
> > us to check using ACLs if an address was already added to a table. We
> > first have to relax the conditions in which an address can be inserted.
> >
> > How many IP addresses do you intend to load, and how many requests
> > per second do you estimate ?
> right now there are 20 or so, but this i've automated their addition
> to the config file and was wondering if this was something i could
> forget about -clearly not.
>
> we had a bad referrer list that nobody paid attention to and it grew
> to like 4k. our home grown lighttpd module was killing lighttpd's
> performance comparing all requests against a 4,000 referrer list.
>
> these are uploads(posts) so rate is quite low. less than 100/sec.

You might try to use iptables + ipset instead. Though according to the
manual there is a 65535 IP limit per set. Also no need to restart haproxy
for adding new IPs.

-- 
Mariusz Gronczewski (XANi) <xani...@gmail.com>
GnuPG: 0xEA8ACE64
http://devrandom.pl
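The dichotomic (binary) search over IP ranges mentioned in the quoted text, sketched in Python as an added illustration; it is not HAProxy code and not from anyone in this thread. The ban list is constructed sample data, and the names build_ranges and is_banned are hypothetical.

```python
import bisect
import ipaddress

# Constructed sample ban list (documentation address space), one entry per line,
# in the style of a file that an automated job keeps appending to.
BAN_LIST = """\
# bans
192.0.2.10
192.0.2.10
198.51.100.0/24
198.51.100.128/25
203.0.113.64/26
"""


def build_ranges(text):
    """Parse IPv4 addresses/CIDRs into sorted, non-overlapping integer ranges."""
    nets = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            # strict=False accepts entries with host bits set, e.g. 192.0.2.10/24
            nets.append(ipaddress.IPv4Network(entry, strict=False))
    # collapse_addresses drops duplicates and networks covered by a larger one
    merged = sorted(ipaddress.collapse_addresses(nets))
    starts = [int(n.network_address) for n in merged]
    ends = [int(n.broadcast_address) for n in merged]
    return starts, ends


def is_banned(addr, starts, ends):
    """Binary search: last range starting at or before addr, then check its end."""
    ip = int(ipaddress.IPv4Address(addr))
    i = bisect.bisect_right(starts, ip) - 1
    return i >= 0 and ip <= ends[i]


STARTS, ENDS = build_ranges(BAN_LIST)

if __name__ == "__main__":
    for probe in ("192.0.2.10", "198.51.100.200", "203.0.113.128", "10.0.0.1"):
        print(probe, "banned" if is_banned(probe, STARTS, ENDS) else "allowed")
```

Each lookup costs O(log n) comparisons against two flat integer arrays, so the per-request cost stays nearly constant as the list grows, unlike a linear scan over every entry.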