Acasă Explorează Ajutor
Autentificare
cturan
/
3proxy
1
0
Bifurcare 0
Fisiere Probleme 0 Trageți solicitările 0 Wiki
Arbore: 4d3062c62a
Ramuri Etichete
3proxy
/
doc
/
html
/
highload.html

highload.html 6.3 KB
Istoric Crud

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117 
  1. <h3>Optimizing 3proxy for high load</h3>
    2. 

  2. <p>Precaution 1: 3proxy was not initially developed for high load and is positioned as a SOHO product, the main reason is "one connection - one thread" model 3proxy uses. 3proxy is known to work with above 200,000 connections under proper configuration, but use it in production environment under high loads at your own risk and do not expect too much.
    3. 

  3. <p>Precaution 2: This documentation is incomplete and is not sufficient. High loads may require very specific system tuning including, but not limited to specific or cusomized kernels, builds, settings, sysctls, options, etc. All this is not covered by this documentation.
    4. 

  4. <h4>Configuring 'maxconn'</h4>
    5. 

  5. A number of simulatineous connections per service is limited by 'maxconn' option.
    6. 

  6. Default maxconn value since 3proxy 0.8 is 500. You may want to set 'maxconn'
    7. 

  7. to higher value. Under this configuration:
    8. 

  8. <pre>
    9. 

  9. maxconn 1000
    10. 

  10. proxy -p3129
    11. 

  11. proxy -p3128
    12. 

  12. socks
    13. 

  13. </pre>
    14. 

  14. maxconn for every service is 1000, and there are 3 services running
    15. 

  15. (2 proxy and 1 socks), so, for all services there can be up to 3000
    16. 

  16. simulatineous connections to 3proxy.
    17. 

  17. <p>Avoid setting 'maxconn' to arbitrary high value, it should be carefully
    18. 

  18. choosen to protect system and proxy from resources exhaution. Setting maxconn
    19. 

  19. above resources available can lead to denial of service conditions.
    20. 

  20. <h4>Understanding resources requirements</h4>
    21. 

  21. Each running service require:
    22. 

  22. <ul>
    23. 

  23. <li>1*thread (process)
    24. 

  24. <li>1*socket (file descriptor)
    25. 

  25. <li>1 stack memory segment + some heap memory, ~64K-128K depending on the system
    26. 

  26. </ul>
    27. 

  27. Each connected client require:
    28. 

  28. <ul>
    29. 

  29. <li>1*thread (process)
    30. 

  30. <li>2*socket (file descriptor). For FTP 4 sockets are required.
    31. 

  31. <br>1 additional socket (file descriptor) during name resolution for non-cached names
    32. 

  32. <br>1 additional socket during authentication or logging for RADIUS authentication or logging.
    33. 

  33. <li>1*ephemeral port (3*ephemeral ports for FTP connection).
    34. 

  34. <li>1 stack memory segment of ~32K-128K depending on the system + at least 16K and up to few MB (for 'proxy' and 'ftppr') of heap memory. If you are short of memory, prefer 'socks' to 'proxy' and 'ftppr'.
    35. 

  35. </ul>
    36. 

  36. Also, additional resources like system buffers are required for network activity.
    37. 

  37. <h4>Setting ulimits</h4>
    38. 

  38. Hard and soft ulimits must be set above calculated requirements. Validate
    39. 

  39. ulimits match your expectation, especially if you run 3proxy under dedicated account
    40. 

  40. by adding e.g.
    41. 

  41. <pre>
    42. 

  42. system "ulimit -Ha >>/tmp/3proxy.ulim.hard"
    43. 

  43. system "ulimit -Sa >>/tmp/3proxy.ulim.soft"
    44. 

  44. </pre>
    45. 

  45. in the beginning (before first service started) and the end of config file.
    46. 

  46. Make both hard restart (that is kill and start 3proxy process) and soft restart
    47. 

  47. by sending SIGUSR1 to 3proxy process, check ulimits recorded to files match your
    48. 

  48. expecation.
    49. 

  49. <h4>Extending system limitation</h4>
    50. 

  50. Check manuals / documentation for your system limitations. You may need to change
    51. 

  51. sysctls or even rebuild the kernel from source.
    52. 

  52. <h4>Extending ephemeral port range</h4>
    53. 

  53. Check ephemeral port range for your system and extend it to reuired number of ports.
    54. 

  54. Ephimeral range is always limited to maximum number of ports (64K). To extend
    55. 

  55. outgoing connections above this limis, extending ephemeral port range is not enough,
    56. 

  56. you need additional actions:
    57. 

  57. <ol>
    58. 

  58. <li> Configure multiple outgoing IPs
    59. 

  59. <li> Make sure 3proxy is configured to use different outgoing IP by either using
    60. 

  60. multiple services with different external interfaces or via "parent extip" rotation.
    61. 

  61. <li> You may need additional system dependant actions to use same port on different IPs,
    62. 

  62. usually by adding SO_REUSEADDR socket option to external socket. This option can be
    63. 

  63. set (since 0.9 devel) with -osSO_REUSEADDR option:
    64. 

  64. <pre>
    65. 

  65. proxy -p3128 -e1.2.3.4 -osSO_REUSEADDR
    66. 

  66. </pre>
    67. 

  67. </ol>
    68. 

  68. <h4>Setting stacksize</h4>
    69. 

  69. 'stacksize' is a size added to all stack allocations and can be both positive and
    70. 

  70. negative. Stack is required in functions call. 3proxy itself doesn't require large
    71. 

  71. stack, but it can be required if some
    72. 

  72. purely-written libc, 3rd party libraries or system functions called. There is known\
    73. 

  73. dirty code in Unix ODBC
    74. 

  74. implementations, build-in DNS resolvers, especially in the case of IPv6 and large
    75. 

  75. number of interfaces. Under most 64-bit system extending stacksize will lead
    76. 

  76. to additional memory space usage, but do not require actual commited memory,
    77. 

  77. so you can inrease stacksize to relatively large value (e.g. 1024000) without
    78. 

  78. the need to add additional phisical memory,
    79. 

  79. but it's system/libc dependant and requires additional testing under your
    80. 

  80. installation. Don't forget about memory related ulimts.
    81. 

  81. <p>For 32-bit systems address space can be a bottlneck you should consider. If
    82. 

  82. you're short of address space you can try to use negative stack size.
    83. 

  83. <h4>Known system issues</h4>
    84. 

  84. There are known race condition issues in Linux / glibc resolver. The probability
    85. 

  85. of race condition arises under configuration with IPv6, large number of interfaces
    86. 

  86. or IP addresses or resolvers configured. In this case, install local recursor and
    87. 

  87. use 3proxy built-in resolver (nserver / nscache / nscache6).
    88. 

  88. <h4>Avoid large lists</h4>
    89. 

  89. Currently, 3proxy is not optimized to use large ACLs, user lists, etc. All lists
    90. 

  90. are processed lineary. In devel version you can use RADIUS authentication to avoid
    91. 

  91. user lists and ACLs in 3proxy itself. Also, RADIUS allows to easily set outgoing IP
    92. 

  92. on per-user basis or more sophisicated logics.
    93. 

  93. RADIUS is a new beta feature, test it before using in production.
    94. 

  94. <h4>Avoid changing configuration too often</h4>
    95. 

  95. Every configuration reload requires additional resources. Do not do frequent
    96. 

  96. changes, like users addition/deletaion via connfiguration, use alternative
    97. 

  97. authentication methods instead, like RADIUS.
    98. 

  98. <h4>Do not monitor configuration files directly</h4>
    99. 

  99. Using configuration file directly in 'monitor' can lead to race condition where
    100. 

  100. configuration is reloaded while file is being written.
    101. 

  101. To avoid race conditions:
    102. 

  102. <ol>
    103. 

  103. <li> Update config files only if there is no lock file
    104. 

  104. <li> Create lock file then 3proxy configuration is updated, e.g. with
    105. 

  105. "touch /some/path/3proxy/3proxy.lck"
    106. 

  106. <li>add
    107. 

  107. <pre>
    108. 

  108. system "rm /some/path/3proxy/3proxy.lck"
    109. 

  109. </pre>
    110. 

  110. at the end of config file to remove it after configuration is successfully loaded
    111. 

  111. <li> Use a dedicated version file to monitor, e.g.
    112. 

  112. <pre>
    113. 

  113. monitor "/some/path/3proxy/3proxy.ver"
    114. 

  114. </pre>
    115. 

  115. <li> After config is updated, change version file for 3proxy to reload configuration,
    116. 

  116. e.g. with "touch /some/path/3proxy/3proxy.ver".
    117. 

  117. </ol>
    118.