> Could you please test if compiling with
> --with-cc-opt="-DNGX_HAVE_EPOLLEXCLUSIVE=0"
> improves things, notably on production systems? In my limited
> testing it seems to be improve things, and if this is indeed the
> case, we can consider removing use of EPOLLEXCLUSIVE.
I can try this tomorrow, but did you see the link Jan posted to the cloudflare blog?
https://blog.cloudflare.com/the-sad-state-of-linux-socket-balancing/
This explains the problem we're seeing exactly and why reuseport fixes it.
> > As you can see, without the reuseport option, this causes severe
> > scalability problems for us.
>
> I tend to think that reuseport is a bad option for load balancing
> between worker processes, as it can be easily tricked by an outside
> actor to select a particular worker process, and this opens an
> obvious DoS attack vector.
Really? Can you explain how this is possible?
Also given that cloudflare use this option, and I expect cloudflare are literally the largest users of nginx in the world and also have to deal with extreme adversarial environments given they run a service to protect against DDoS, I would expect they would be aware of any potential DoS vector in this regard, or if not aware, extremely interested in hearing about it!
--
Rob Mueller
robm@fastmail.fm
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
