> Could you please test if compiling with > --with-cc-opt="-DNGX_HAVE_EPOLLEXCLUSIVE=0" > improves things, notably on production systems? In my limited > testing it seems to be improve things, and if this is indeed the > case, we can consider removing use of EPOLLEXCLUSIVE.
I can try this tomorrow, but did you see the link Jan posted to the cloudflare blog? https://blog.cloudflare.com/the-sad-state-of-linux-socket-balancing/ This explains the problem we're seeing exactly and why reuseport fixes it. > > As you can see, without the reuseport option, this causes severe > > scalability problems for us. > > I tend to think that reuseport is a bad option for load balancing > between worker processes, as it can be easily tricked by an outside > actor to select a particular worker process, and this opens an > obvious DoS attack vector. Really? Can you explain how this is possible? Also given that cloudflare use this option, and I expect cloudflare are literally the largest users of nginx in the world and also have to deal with extreme adversarial environments given they run a service to protect against DDoS, I would expect they would be aware of any potential DoS vector in this regard, or if not aware, extremely interested in hearing about it! -- Rob Mueller [email protected] _______________________________________________ nginx-devel mailing list [email protected] http://mailman.nginx.org/mailman/listinfo/nginx-devel
