2012/8/23 Claudio Jeker <cje...@diehard.n-r-g.com>

> On Thu, Aug 23, 2012 at 12:17:04AM +0600, ???? ??????? wrote:
> > Hello!
> >
> > We are running a high load https server on OpenBSD, so there are questions
> > on performance:
> >
> > Since we already had to increase the kern.maxclusters value, I guess the
> > default OpenBSD settings are not very good for a high load https server?
> > In order to protect our server from denial of service, we can either
> >
> > a) increase kern.maxclusters to some huge value
>
> It is OK to increase kern.maxclusters, the default is good enough for 90%
> of the people but some systems need more. Calculate how much memory will
> be consumed by the clusters and compare it to the free memory reported by
> top. You don't want to run userland out of memory by buffering in the
> kernel. On the other hand you want enough maxclusters to make the system
> run smoothly.
>

So, there's no harm in huge kern.maxclusters values? (As long as I keep
enough memory for userland.)

> > b) turn on syn proxy in PF
>
> Syn proxy will only protect you from syn attacks. For this there is also
> the syn cache used by the network stack. The syn cache will only allocate
> a full PCB when the handshake completed so it behaves similar to the syn
> proxy in PF.
>

Is syn cache enabled by default? Am I right that syn cache does "almost the
same" as syn proxy?

> > Does someone have experience with such high load applications and can
> > tell me pro et contra for each solution?
> > Why is syn proxy not enabled by default?
>
> Because it has bad side-effects. Like accepting a connection before the
> actual server accepted it. So it is hard to signal closed ports back.
>

Any other side-effects?

> --
> :wq Claudio
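The memory check Claudio describes (cluster count times cluster size, compared against free memory so userland is not starved) as a small POSIX sh helper. This is an added example, not code from the thread or from OpenBSD. It assumes 2048-byte clusters (MCLBYTES); OpenBSD also has larger cluster pools, so the figure is a lower bound on what the limit can pin down, and the `reserve_kb` threshold is a value the admin chooses.

```shell
#!/bin/sh
# Added example: estimate the kernel memory a kern.maxclusters value can
# commit and compare it with free memory. Assumes 2048-byte clusters
# (MCLBYTES); larger cluster pools make the real ceiling higher.

# Worst-case memory in KB occupied by `maxclusters` clusters of
# `cluster_bytes` (default 2048).
cluster_budget_kb() {
    maxclusters=$1
    cluster_bytes=${2:-2048}
    echo $(( maxclusters * cluster_bytes / 1024 ))
}

# Print "ok" when, after the clusters are fully allocated, at least
# `reserve_kb` of the current `free_kb` would remain for userland;
# print "warn" otherwise.
check_headroom() {
    maxclusters=$1
    free_kb=$2
    reserve_kb=$3
    need_kb=$(cluster_budget_kb "$maxclusters")
    if [ $(( free_kb - need_kb )) -ge "$reserve_kb" ]; then
        echo ok
    else
        echo warn
    fi
}

# When run on an OpenBSD box, report the live value; free memory comes from
# the memory line of top(1), and netstat -m shows how many clusters are in
# use right now versus the limit.
if cur=$(sysctl -n kern.maxclusters 2>/dev/null); then
    echo "kern.maxclusters=$cur -> up to $(cluster_budget_kb "$cur") KB in 2 KB clusters"
    echo "compare with free memory in top(1); see netstat -m for current cluster use"
fi
```

Usage on the numbers you care about: `check_headroom "$(sysctl -n kern.maxclusters)" <free_kb_from_top> <reserve_kb>` prints `warn` when the chosen limit could leave userland with less than the reserve you picked.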