Dear Lukas, Willy,

Please find another patch attached, addressing your comments.

Willy: s/gcc/glibc/

Lukas: I shifted the focus to the rounds/cost solution, while still 
mentioning the musl issue, as this problem is clearly more visible on 
Alpine Linux, as the GitHub issues show.

Cheers,
~Nico
>From 005baaf717fc3e345ff02e9adcbfe169ae17dfb7 Mon Sep 17 00:00:00 2001
From: Nicolas CARPi <nico-git@deltablot.email>
Date: Mon, 12 Feb 2024 18:03:52 +0100
Subject: [PATCH] DOC/MINOR: userlists: mention solutions to high cpu with
 hashes

This change adds a paragraph to the documentation regarding "userlists"
and the use of hashed password values.

It indicates what a user can do to address the high CPU cost of
having to calculate the hash at each request, such as reducing the
number of rounds or the cost complexity, if the algorithm allows for it.

I believe it is necessary to mention how the musl C library
impacts performance of hashing functions, as this has already led to a
few issues:

https://github.com/haproxy/haproxy/issues/1298
https://github.com/haproxy/haproxy/issues/2008
https://github.com/haproxy/haproxy/issues/2251

The performance impact is significant enough to mention it.
---
 doc/configuration.txt | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/doc/configuration.txt b/doc/configuration.txt
index 937d2a4b7..2eef819e2 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -3992,7 +3992,15 @@ user <username> [password|insecure-password <password>]
   designed to be expensive to compute to achieve resistance against brute
   force attacks. They do not simply salt/hash the clear text password once,
   but thousands of times. This can quickly become a major factor in HAProxy's
-  overall CPU consumption!
+  overall CPU consumption, and can even lead to application crashes!
+
+  To address the high CPU usage of hash functions, one approach is to reduce
+  the number of rounds of the hash function (SHA family algorithms) or decrease
+  the "cost" of the function, if the algorithm supports it.
+
+  As a side note, musl (e.g. Alpine Linux) implementations are known to be
+  slower than their glibc counterparts when calculating hashes, so you might
+  want to consider this aspect too.
 
   Example:
         userlist L1
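
Review bot: The new paragraph that recommends reducing the number of rounds or the "cost" does not state the trade-off, even though the unchanged context just above says these algorithms are "designed to be expensive to compute to achieve resistance against brute force attacks". Lowering the work factor weakens exactly that resistance if the hashes ever leak, so the text should say so and ask the reader to pick the lowest value that is still acceptable for their threat model rather than simply "reduce". Also, "can even lead to application crashes" is asserted on the changed line without naming what crashes or why; either describe the mechanism or drop the clause. In the musl note, "musl (e.g. Alpine Linux) implementations" mixes a C library with a distribution; "musl-based systems (e.g. Alpine Linux)" would read more accurately. A short example of how a reduced-rounds hash is written in the password field would make the advice actionable.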
-- 
2.43.0
