[MediaWiki-commits] [Gerrit] tlsproxy: enable TCP Fast Open - change (operations/puppet)
Ema has submitted this change and it was merged. Change subject: tlsproxy: enable TCP Fast Open .. tlsproxy: enable TCP Fast Open After enabling client/server TFO support in the kernel in 2b8b99d and verifying that LVS does not interfere with the modifications to the 3WHS introduced by TCP Fast Open, we are now ready to enable TFO support on all tlsproxies. We introduce a new hiera setting to limit the number of concurrent pending TFO requests: tlsproxy::localssl::fastopen_pending_max. See RFC 7413 section 5.1 for an explanation of why this is needed. The TCPFastOpenListenOverflow counter gets incremented every time an inbound SYN packet with TFO gets treated as a non-TFO SYN because the fastopen_pending_max threshold has been exceeded. We will keep an eye on such counter and likely increase fastopen_pending_max as soon as client adoption of TFO becomes significant. Bug: T108827 Ref: http://nginx.org/en/docs/http/ngx_http_core_module.html#listen Ref: https://tools.ietf.org/html/rfc7413#section-5.1 Ref: https://bradleyf.id.au/nix/shaving-your-rtt-wth-tfo/ Change-Id: I96e3b6f64d73346a7a6d94d475fcbbcdd071d5c0 --- M modules/tlsproxy/manifests/localssl.pp M modules/tlsproxy/templates/localssl.erb 2 files changed, 7 insertions(+), 4 deletions(-) Approvals: Ema: Verified; Looks good to me, approved jenkins-bot: Verified diff --git a/modules/tlsproxy/manifests/localssl.pp b/modules/tlsproxy/manifests/localssl.pp index b318e8e..3ea355f 100644 --- a/modules/tlsproxy/manifests/localssl.pp +++ b/modules/tlsproxy/manifests/localssl.pp 
@@ -48,6 +48,9 @@ $varnish_version4 = hiera('varnish_version4', false) $keepalives_per_worker = hiera('tlsproxy::localssl::keepalives_per_worker', 0) $websocket_support = hiera('cache::websocket_support', false) +# Maximum number of pending TCP Fast Open requests before falling back to +# regular 3WHS. https://tools.ietf.org/html/rfc7413#section-5.1 +$fastopen_pending_max = hiera('tlsproxy::localssl::fastopen_pending_max', 150) # Ensure that exactly one definition exists with default_server = true # if multiple defines have default_server set to true, this diff --git a/modules/tlsproxy/templates/localssl.erb b/modules/tlsproxy/templates/localssl.erb index d4b0635..6b67bb9 100644 --- a/modules/tlsproxy/templates/localssl.erb +++ b/modules/tlsproxy/templates/localssl.erb @@ -9,8 +9,8 @@ # SSL proxying server { - listen [::]:443 <%= @default_server ? "default_server deferred backlog=16384 reuseport ipv6only=on " : "" %>ssl http2; - listen 443 <%= @default_server ? "default_server deferred backlog=16384 reuseport " : "" %>ssl http2; + listen [::]:443 <%= @default_server ? "default_server deferred backlog=16384 reuseport ipv6only=on " : "" %>ssl http2 fastopen=<%= @fastopen_pending_max %>; + listen 443 <%= @default_server ? "default_server deferred backlog=16384 reuseport " : "" %>ssl http2 fastopen=<%= @fastopen_pending_max %>; ssl on; server_name <%= ([@server_name] + @server_aliases).join(" ") %>; 
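Review bot: the comment above `$fastopen_pending_max` should say that the limit is per listening socket, not per host: with `reuseport` on the default_server listen, nginx opens one socket per worker, so a host can hold up to 150 times the worker count of pending TFO connections, and the TCPFastOpenListenOverflow counter named in the commit message only increments once an individual worker's queue is full. Stating that next to the hiera lookup helps whoever tunes `tlsproxy::localssl::fastopen_pending_max` later; a check that the looked-up value is a positive integer would also stop a bad hiera entry from rendering an invalid `fastopen=` argument that nginx refuses at config load.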
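Review bot: in the `@@ -9,8 +9,8 @@` hunk of localssl.erb, `fastopen=` is appended to every `listen` line rather than only to the default_server one, and nginx treats `fastopen` like `backlog`, `deferred` and `reuseport`: a socket option that may appear on only one `listen` per address:port pair, otherwise the config fails to load with "duplicate listen options for [::]:443". Since the surrounding manifest explicitly expects several localssl definitions with a single default_server, move the parameter inside the conditional string, e.g. `"default_server deferred backlog=16384 reuseport ipv6only=on fastopen=#{@fastopen_pending_max} "`, so the non-default listens stay `listen [::]:443 ssl http2;` as before.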
@@ -62,8 +62,8 @@ } <% if @redir_port -%> server { - listen [::]:<%= @redir_port %> <%= @default_server ? "default_server deferred backlog=4096 reuseport ipv6only=on " : "" %>; - listen <%= @redir_port %> <%= @default_server ? "default_server deferred backlog=4096 reuseport " : "" %>; + listen [::]:<%= @redir_port %> <%= @default_server ? "default_server deferred backlog=4096 reuseport ipv6only=on " : "" %> fastopen=<%= @fastopen_pending_max %>; + listen <%= @redir_port %> <%= @default_server ? "default_server deferred backlog=4096 reuseport " : "" %> fastopen=<%= @fastopen_pending_max %>; server_name <%= ([@server_name] + @server_aliases).join(" ") %>; error_log /var/log/nginx/<%= @name %>.error.log; -- To view, visit https://gerrit.wikimedia.org/r/295783 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: I96e3b6f64d73346a7a6d94d475fcbbcdd071d5c0 Gerrit-PatchSet: 2 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Ema Gerrit-Reviewer: BBlack Gerrit-Reviewer: Ema Gerrit-Reviewer: Muehlenhoff Gerrit-Reviewer: jenkins-bot <> ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
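Review bot: the redirect-port listens in the `@@ -62,8 +62,8 @@` hunk have the same problem: `fastopen=<%= @fastopen_pending_max %>` sits outside the `@default_server` conditional, so any second server block on `<%= @redir_port %>` will trip nginx's duplicate listen options check; fold it into the `"default_server deferred backlog=4096 reuseport ... "` string instead. Also note that enabling TFO on the plaintext redirect port means request data is accepted in the SYN before the handshake completes, which is the resource-exhaustion case RFC 7413 section 5.1 describes, so the TCPFastOpenListenOverflow monitoring the commit message promises should cover this port as well as 443.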
[MediaWiki-commits] [Gerrit] tlsproxy: enable TCP Fast Open - change (operations/puppet)
Ema has uploaded a new change for review. https://gerrit.wikimedia.org/r/295783 Change subject: tlsproxy: enable TCP Fast Open .. tlsproxy: enable TCP Fast Open After enabling client/server TFO support in the kernel in 2b8b99d and verifying that LVS does not interfere with the modifications to the 3WHS introduced by TCP Fast Open, we are now ready to enable TFO support on all tlsproxies. We introduce a new hiera setting to limit the number of concurrent pending TFO requests: tlsproxy::localssl::fastopen_pending_max. See RFC 7413 section 5.1 for an explanation of why this is needed. The TCPFastOpenListenOverflow counter gets incremented every time an inbound SYN packet with TFO gets treated as a non-TFO SYN because the fastopen_pending_max threshold has been exceeded. We will keep an eye on such counter and likely increase fastopen_pending_max as soon as client adoption of TFO becomes significant. Bug: T108827 Change-Id: I96e3b6f64d73346a7a6d94d475fcbbcdd071d5c0 Ref: http://nginx.org/en/docs/http/ngx_http_core_module.html#listen Ref: https://tools.ietf.org/html/rfc7413#section-5.1 Ref: https://bradleyf.id.au/nix/shaving-your-rtt-wth-tfo/ --- M modules/tlsproxy/manifests/localssl.pp M modules/tlsproxy/templates/localssl.erb 2 files changed, 7 insertions(+), 4 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/83/295783/1 diff --git a/modules/tlsproxy/manifests/localssl.pp b/modules/tlsproxy/manifests/localssl.pp index b318e8e..3ea355f 100644 --- a/modules/tlsproxy/manifests/localssl.pp +++ b/modules/tlsproxy/manifests/localssl.pp 
@@ -48,6 +48,9 @@ $varnish_version4 = hiera('varnish_version4', false) $keepalives_per_worker = hiera('tlsproxy::localssl::keepalives_per_worker', 0) $websocket_support = hiera('cache::websocket_support', false) +# Maximum number of pending TCP Fast Open requests before falling back to +# regular 3WHS. https://tools.ietf.org/html/rfc7413#section-5.1 +$fastopen_pending_max = hiera('tlsproxy::localssl::fastopen_pending_max', 150) # Ensure that exactly one definition exists with default_server = true # if multiple defines have default_server set to true, this diff --git a/modules/tlsproxy/templates/localssl.erb b/modules/tlsproxy/templates/localssl.erb index d4b0635..589956b 100644 --- a/modules/tlsproxy/templates/localssl.erb +++ b/modules/tlsproxy/templates/localssl.erb @@ -9,8 +9,8 @@ # SSL proxying server { - listen [::]:443 <%= @default_server ? "default_server deferred backlog=16384 reuseport ipv6only=on " : "" %>ssl http2; - listen 443 <%= @default_server ? "default_server deferred backlog=16384 reuseport " : "" %>ssl http2; +listen [::]:443 <%= @default_server ? "default_server deferred backlog=16384 reuseport ipv6only=on " : "" %>ssl http2 fastopen=<%= @fastopen_pending_max %>; +listen 443 <%= @default_server ? "default_server deferred backlog=16384 reuseport " : "" %>ssl http2 fastopen=<%= @fastopen_pending_max %>; ssl on; server_name <%= ([@server_name] + @server_aliases).join(" ") %>; 
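Review bot: in the `@@ -9,8 +9,8 @@` hunk of localssl.erb the new `+listen` lines have lost the leading indentation of the `- listen` lines they replace, so the rendered `server { }` block comes out misaligned; re-indent them to match. Separately, `fastopen=` is appended to every `listen` line instead of only the default_server one, and nginx allows `fastopen`, like `backlog`, `deferred` and `reuseport`, on only one `listen` per address:port pair, so a second localssl definition on 443 on the same host will fail config load with a duplicate listen options error; put the parameter inside the `@default_server` conditional string.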
@@ -62,8 +62,8 @@ } <% if @redir_port -%> server { - listen [::]:<%= @redir_port %> <%= @default_server ? "default_server deferred backlog=4096 reuseport ipv6only=on " : "" %>; - listen <%= @redir_port %> <%= @default_server ? "default_server deferred backlog=4096 reuseport " : "" %>; +listen [::]:<%= @redir_port %> <%= @default_server ? "default_server deferred backlog=4096 reuseport ipv6only=on " : "" %> fastopen=<%= @fastopen_pending_max %>; +listen <%= @redir_port %> <%= @default_server ? "default_server deferred backlog=4096 reuseport " : "" %> fastopen=<%= @fastopen_pending_max %>; server_name <%= ([@server_name] + @server_aliases).join(" ") %>; error_log /var/log/nginx/<%= @name %>.error.log; -- To view, visit https://gerrit.wikimedia.org/r/295783 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I96e3b6f64d73346a7a6d94d475fcbbcdd071d5c0 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Ema ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
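Review bot: the `@@ -62,8 +62,8 @@` hunk has the same two issues: the `+listen` lines for the redirect port drop the indentation of the lines they replace, and `fastopen=` is placed outside the `@default_server` conditional, so it would be repeated on every non-default listen for `<%= @redir_port %>` and rejected by nginx when more than one server block shares that port. Re-indent and move it into the `"default_server deferred backlog=4096 reuseport ... "` string.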