On Thu, Aug 23, 2012 at 12:17:04AM +0600, ???? ??????? wrote:
> Hello!
> 
> 
> we are running a high load https server on OpenBSD, so there are questions on
> performance:
> 
> since we already had to increase the kern.maxclusters value, I guess the default
> OpenBSD settings are not very well suited to a high load https server?
> in order to protect our server from denial of service, we can either
> 
> a) increase kern.maxclusters to some huge value

It is OK to increase kern.maxclusters, the default is good enough for 90%
of the people but some systems need more. Calculate how much memory will
be consumed by the clusters and compare it to the free memory reported by
top. You don't want to run userland out of memory by buffering in the
kernel. On the other hand you want enough maxclusters to make the system
run smoothly.

> b) turn on syn proxy in PF

Syn proxy will only protect you from syn attacks. For this there is also
the syn cache used by the network stack. The syn cache will only allocate
a full PCB when the handshake completed so it behaves similar to the syn
proxy in PF.
 
> does someone have experience with such high load applications and can tell me
> pro et contra for each solution?
> why is syn proxy not enabled by default?

Because it has bad side-effects. Like accepting a connection before the
actual server accepted it. So it is hard to signal closed ports back.

-- 
:wq Claudio
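
For readers wanting to see what the two rule forms discussed above look like, here is a pf.conf fragment as an added illustration; it is not from the thread or from the OpenBSD project, and the interface name, server address and the state limit are assumptions chosen for the example:

```pf
# Added example, not from the original mail. Assumed names: egress group
# for the outside interface, $https_srv for the server address, and a
# state-table limit sized for the example; adjust to your own host.
https_srv = "192.0.2.10"

# The default state table is small for a busy https server; raise it so
# that a burst of legitimate connections does not exhaust it. The number
# is an assumption for the example.
set limit states 100000

# a) Plain stateful rule. The SYN is passed through to the server and the
#    kernel's syn cache holds the half-open connection; a full PCB is only
#    allocated once the handshake completes. A closed port still answers
#    with RST, so clients see accurate port state.
pass in on egress proto tcp to $https_srv port 443 flags S/SA keep state

# b) Same rule with PF completing the handshake itself. Only the
#    finished connection is forwarded to the server, so the server never
#    sees half-open SYNs. Side effect named in the thread: PF accepts
#    the connection before the server does, so if the port is closed
#    the client gets a completed handshake followed by a reset instead
#    of a refused SYN.
# pass in on egress proto tcp to $https_srv port 443 flags S/SA synproxy state
```

Keep only one of the two `pass` rules active for the port, then syntax-check with `pfctl -nf /etc/pf.conf` before loading, and watch `pfctl -si` for state-table limit hits after raising traffic.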
