-
Notifications
You must be signed in to change notification settings - Fork 771
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Increase default MAX_SESS_STKCTR or provide a way to change it after build time #1565
Comments
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
Please elaborate and explain your exact use case with a concrete example beyond "too low for complex setups". This is a feature/change request, explaining the context is necessary to understand the situation. |
edited with as much information as i can share, i hope it's enough |
I really am not in favor of changing the default value because it increases both memory usage and CPU usage per request for every single user only for very rare niche use cases. I'm aware of some users exploiting this to its maximum to build DDoS protection infrastructure, but I consider that when you're going down that route you can afford to build your LB yourself with your optimal settings. The essential question is: why do you really need more than 3 keys ? 3 allows for example to have counters per src, counters per URL and counters per src+url, which usually are what most users deal with. Since 2.5 you have arrays of up to 100 GPC/GPT for a single tracked key, which means up to 300 metrics per request involving up to 3 different keys without having to rebuild. Unless you can prove that you have a very compelling case that would serve the vast majority of the user base which is not covered by this, I'd prefer not to change this. Another option is that if you think your use case is closely related to the use of your distro, you may turn to the distro to negotiate a change of the default value in their packages. |
I was originally going to send this as a question on the mailing list, good to see it here While SCxGPC provides enough cardinality, stick-tables have a large advantage in that they directly translate into (limited, but still) prometheus metrics.
This is correct in my experience, however it misses the fact that you are then dedicating all of your counters to DDoS handling (in our case, progressively stricter bucketing of malicious sources). Once these are all exhausted, you're a bit out of luck for monitoring miscellaneous things (protocol versions, ciphers, ...). That said, all of this can be somewhat worked around by way of the admin API and SCxGPC, but that means a somewhat significant extra piece of software+processing, which isn't quite ideal That said this is certainly overall niche and
Definitely not a worthy tradeoff to change the default in general then indeed... If it's not too specific to use-cases, how bad is it CPU-wise to increase it on our own build. As in, is the order of magnitude of the impact a fraction-of-a-% of CPU core or more significant? (the memory use of haproxy is insignificant enough that it doesn't matter to us even if it doubled to be honest) |
It's only within the percent. We're doing it in the enterprise packages because a few users want this and we're not going to ask them to rebuild. Thus it's totally manageable for local builds. You can't go higher than 10 because the command parser relies on a single digit after |
I see, thanks for clarifying that. As for the ugly configs... The fancy DDoS setups are indeed not pretty (however there are not many other choices except hiding behind CF like everyone else but that's another topic). Anyway, for that purpose I agree 3 SCs works well enough as you mentioned. I don't know exactly how others want to (ab)use more SCs, but here I am mostly interested in snippets like so: acl proto_ssl_tlsv12 ssl_fc_protocol -m str -i TLSv1.2
acl proto_ssl_tlsv13 ssl_fc_protocol -m str -i TLSv1.3
http-request track-sc2 src table st_proto_tls12 if proto_ssl_tlsv12
http-request track-sc2 src table st_proto_tls13 if proto_ssl_tlsv13 then
for quickly monitoring the occasional few things I'm interested in that aren't part of the default metricset, but are ACL-able otherwise Eventually I'll probably give up and use some intermediate piece of code using the admin socket and specific GPCs but... I don't hate this workaround enough for that yet 😄 (especially considering I'd still need some sc-inc-gpcN anyway) |
That's typically an example where you could even have used a single table and a single track-sc. Just a few examples:
These are not necessarily prettier, but that's just to illustrate that there are various possibilities already even without changing the number of stick pointers. |
Indeed that would have been my first idea, but then those aren't prometheus metrics without me writing an extra piece of software to extract it either via the admin or dataplane api, alas... But long term those are definitely the right approach for this yes |
I have also encountered setups where the The performance impact can't be that bad as HAPEE has also set it to 12 by default. |
Actually it is now a tunable, since I think sometime during 2.8? https://docs.haproxy.org/2.8/configuration.html#3.2-tune.stick-counters |
For memory usage reasons it used to be just an array inside a structure, and it was not reasonable to have a large array for everyone given how rare such users are. For HAPEE it's different, the list of supported systems is narrower and users are expected to have large servers and lots of RAM. Regardless, the previous limit of 12 was still considered too low by a few users who needed much more, to a point that we didn't consider reasonable even for other users, so we finally moved that out of the struct and made it dynamically allocated so that everyone sets their limit according to their RAM (and slightly increased CPU usage as well when scanning all of these). |
Good to hear 👍 |
Your Feature Request
The current default value of 3 for
MAX_SESS_STKCTR
is quite low while dealing with a complex setup.There are also situations where you cannot easily build haproxy yourself without a lot of additional overhead.
My current setup uses haproxy to rate-limit requests by tracking request rate using source ips as keys in stick-tables
i have stick-tables defined as dummy backends and in each one of them i track counters with
tcp-request connection track-scX
orhttp-request track-scX
then based on a few acls i decide which backend needs to be used or what needs to be done to that request/connection
this works perfectly fine but i've reached a point where i need to add more rate limiting based on
base32+src
/url32+src
and here comes the issue withMAX_SESS_STKCTR
in order to achieve what i need i have the following options
MAX_SESS_STKCTR
, this one is indeed an option but given that i use the haproxy-ingress controller (it's based on thehaproxy:alpine
image) on k8s that brings to the table quite a lot of challenges and would require a lot more effort to maintainI hope this information is enough to at least get the idea of why i'd like to have more flexibility on this and decided to open this issue, i cannot share the actual haproxy configuration
My suggestion would be to either increase the default value or even better provide a way for it to be changed after build time, like in a global config or something like that
What are you trying to do?
Track more than 3 counters without building haproxy from source
Output of
haproxy -vv
The text was updated successfully, but these errors were encountered: