The slides deck from the talk "Web acceleration mechanics" at SCALE 18x (https://www.socallinuxexpo.org/scale/18x/presentations/web-acceleration-mechanics) covering following topics on examples of Nginx, Varnish, Apache Traffic Server, HAProxy, H2O, and Tempesta FW:
1. How client and backend server connections are managed;
2. HTTP message queues and backend server connections failovering in HTTP standards and proxy implementations, and security implications;
3. How HTTP/1.x, HTTP/2, and HTTP/3 (QUIC) decoders and parsers interact to each other;
4. HPACK and QPACK compression from HTTP/2 and HTTP/3 (QUIC) and when it hurts performance;
5. What and how HTTP allows to cache;
6. Different caching architectures: mmap(), file cache, and a database;
7. Network I/O and TLS optimizations available in some web accelerators and modern Linux kernels.
The DNSSEC key signing key (or KSK) of the DNS root zone will be changed in the summer of 2017. During the time between July and October, all DNSSEC validating resolver need to get the new key material.
In this webinar we explain the KSK roll, how DNS resolver will load the new KSK with the RFC 5011 protocol and how a DNS administrator can verify that the new KSK is present in the resolvers configuration.
Webinar slides: How to Secure MongoDB with ClusterControlSeveralnines
Watch the slides of our webinar on “How to secure MongoDB with ClusterControl” and find out about the essential steps necessary to secure MongoDB and how to verify if your MongoDB instance is safe.
The recent MongoDB ransom hack caused a lot of damage and outages, while it could have been prevented with maybe two or three simple configuration changes. MongoDB offers a lot of security features out of the box, however it disables them by default.
In this webinar, we explain which configuration changes are necessary to enable MongoDB’s security features, and how to test if your setup is secure after enablement. We also demonstrate how ClusterControl enables security on default installations. And we cover how to leverage the ClusterControl advisors and the MongoDB Audit Log to constantly scan your environment, and harden your security even more.
AGENDA
What is the MongoDB ransom hack?
What other security threats are valid for MongoDB?
How to enable authentication / authorisation
How to secure MongoDB from ransomware
How to scan your system
ClusterControl MongoDB security advisors
Live Demo
SPEAKER
Art van Scheppingen is a Senior Support Engineer at Severalnines. He’s a pragmatic MySQL and Database expert with over 15 years experience in web development. He previously worked at Spil Games as Head of Database Engineering, where he kept a broad vision upon the whole database environment: from MySQL to Couchbase, Vertica to Hadoop and from Sphinx Search to SOLR. He regularly presents his work and projects at various conferences (Percona Live, FOSDEM) and related meetups.
HAProxy, the world’s fastest and most widely-used software load balancer, was first released in December 2001. The load balancer landscape has changed significantly since then. Yet HAProxy, with 17 years of active development under its belt, has continued to evolve and innovate. Now, we're announcing the release of HAProxy 1.9.
In-depth list of attacks against various crypto implementations. Developers seem to have gotten the message not to design their own ciphers. Now, we're trying to get the message out that you shouldn't be implementing your own crypto protocols or constructions, using low-level crypto libraries. Instead, developers should work at a higher level, using libraries like GPGME, Keyczar, or cryptlib. If you do end up designing/implementing your own construction, getting it reviewed by a third party is an expensive but vital task.
The DNSSEC key signing key (or KSK) of the DNS root zone will be changed in the summer of 2017. During the time between July and October, all DNSSEC validating resolver need to get the new key material.
In this webinar we explain the KSK roll, how DNS resolver will load the new KSK with the RFC 5011 protocol and how a DNS administrator can verify that the new KSK is present in the resolvers configuration.
Webinar slides: How to Secure MongoDB with ClusterControlSeveralnines
Watch the slides of our webinar on “How to secure MongoDB with ClusterControl” and find out about the essential steps necessary to secure MongoDB and how to verify if your MongoDB instance is safe.
The recent MongoDB ransom hack caused a lot of damage and outages, while it could have been prevented with maybe two or three simple configuration changes. MongoDB offers a lot of security features out of the box, however it disables them by default.
In this webinar, we explain which configuration changes are necessary to enable MongoDB’s security features, and how to test if your setup is secure after enablement. We also demonstrate how ClusterControl enables security on default installations. And we cover how to leverage the ClusterControl advisors and the MongoDB Audit Log to constantly scan your environment, and harden your security even more.
AGENDA
What is the MongoDB ransom hack?
What other security threats are valid for MongoDB?
How to enable authentication / authorisation
How to secure MongoDB from ransomware
How to scan your system
ClusterControl MongoDB security advisors
Live Demo
SPEAKER
Art van Scheppingen is a Senior Support Engineer at Severalnines. He’s a pragmatic MySQL and Database expert with over 15 years experience in web development. He previously worked at Spil Games as Head of Database Engineering, where he kept a broad vision upon the whole database environment: from MySQL to Couchbase, Vertica to Hadoop and from Sphinx Search to SOLR. He regularly presents his work and projects at various conferences (Percona Live, FOSDEM) and related meetups.
HAProxy, the world’s fastest and most widely-used software load balancer, was first released in December 2001. The load balancer landscape has changed significantly since then. Yet HAProxy, with 17 years of active development under its belt, has continued to evolve and innovate. Now, we're announcing the release of HAProxy 1.9.
In-depth list of attacks against various crypto implementations. Developers seem to have gotten the message not to design their own ciphers. Now, we're trying to get the message out that you shouldn't be implementing your own crypto protocols or constructions, using low-level crypto libraries. Instead, developers should work at a higher level, using libraries like GPGME, Keyczar, or cryptlib. If you do end up designing/implementing your own construction, getting it reviewed by a third party is an expensive but vital task.
In this installment of the Men & Mice webinar series, Mr. Carsten Strotmann will talk about the role that DNS plays in fighting malware and spam.
The discussion will dig into DNS blacklists, domain reputation, Response Policy Zones and how the new TLDs have changed the game.
Load Balancing MySQL with HAProxy - SlidesSeveralnines
Agenda:
* What is HAProxy?
* SQL Load balancing for MySQL
* Failure detection using MySQL health checks
* High Availability with Keepalived and Virtual IP
* Use cases: MySQL Cluster, Galera Cluster and MySQL Replication
* Alternative methods: Database drivers with inbuilt cluster support, MySQL proxy, MaxScale, ProxySQL
How To Set Up SQL Load Balancing with HAProxy - SlidesSeveralnines
We continuously see great interest in MySQL load balancing and HAProxy, so we thought it was about time we organised a live webinar on the topic! Here is the replay of that webinar!
As most of you will know, database clusters and load balancing go hand in hand.
Once your data is distributed and replicated across multiple database nodes, a load balancing mechanism helps distribute database requests, and gives applications a single database endpoint to connect to.
Instance failures or maintenance operations like node additions/removals, reconfigurations or version upgrades can be masked behind a load balancer. This provides an efficient way of isolating changes in the database layer from the rest of the infrastructure.
In this webinar, we cover the concepts around the popular open-source HAProxy load balancer, and show you how to use it with your SQL-based database clusters. We also discuss HA strategies for HAProxy with Keepalived and Virtual IP.
Agenda:
* What is HAProxy?
* SQL Load balancing for MySQL
* Failure detection using MySQL health checks
* High Availability with Keepalived and Virtual IP
* Use cases: MySQL Cluster, Galera Cluster and MySQL Replication
* Alternative methods: Database drivers with inbuilt cluster support, MySQL proxy, MaxScale, ProxySQL
Why Managed Service Providers Should Embrace Container TechnologySagi Brody
This talk will demonstrate the importance and value for Managed Service Providers (MSPs) and cloud providers of building their business models around the management of containers. It will also explore the various container technologies being used today and why one might be utilized over another. The object is not to give a technical discussion on the subject, but rather to cover the benefits of Linux containers and how their use can be incorporated into strategies for future business planning and development.
October 14 2009 New York Web Performance Group Session.
Rusty Conover is talking about his experience at InfoGears building Content Delivery Network (CDN) on top of Amazon EC2
Delivering High Performance Websites with NGINXNGINX, Inc.
NGINX Plus is an easy-to-install, proven software solution to deliver your sites and applications through state-of-the-art intelligent load balancing and high performance acceleration. Improve your servers’ performance, scalability, and reliability with application delivery from NGINX Plus.
NGINX Plus significantly increases application performance during periods of high load with its caching, HTTP connection processing, and efficient offloading of traffic from slow networks. NGINX Plus offers enterprise application load balancing, sophisticated health checks, and more, to balance workloads and avoid user-visible errors.
Check out this webinar to:
* Learn why web performance matters more than ever, in the face of growing application complexity and traffic volumes
* Get the lowdown on the performance challenges of HTTP, and why the real world is so different to a development environment
* Understand why NGINX and NGINX Plus are such popular solutions for mitigating these problems and restoring peak performance
* Look at some real-world deployment examples of accelerating traffic in complex scenarios
Using HAProxy to Scale MySQL: growing from a single database server to a master-master with multiple slaves replication topology using HAProxy to maintain high-availability and ease maintenance tasks.
High Availability Content Caching with NGINXNGINX, Inc.
On-Demand Recording:
https://www.nginx.com/resources/webinars/high-availability-content-caching-nginx/
You trust NGINX to be your web server, but did you know it’s also a high-performance content cache? In fact, the world’s most popular CDNs – CloudFlare, MaxCDN, and Level 3 among them – are built on top of the open source NGINX software.
NGINX content caching can drastically improve the performance of your applications. We’ll start with basic configuration, then move on to advanced concepts and best practices for architecting high availability and capacity in your application infrastructure.
Join this webinar to:
* Enable content caching with the key configuration directives
* Use micro caching with NGINX Plus to cache dynamic content while maintaining low CPU utilization
* Partition your cache across multiple servers for high availability and increased capacity
* Log transactions and troubleshoot your NGINX content cache
В докладе рассказывается о расширении для стека протоколов TCP/IP в ОС Linux, которое необходимо для того, чтобы HTTPS работал в том же стеке, что TCP и IP. DDoS-атаки такого типа как HTTP-флуд на уровне приложений, как правило, подавляются HTTP-акселераторами или балансировщиками нагрузки HTTP. Однако интерфейс сокетов Linux, используемый программным обеспечением, не дает той продуктивности, которая необходима при предельных нагрузках, вызванных DDoS-атаками. HTTP-серверы на базе стеков TCP/IP в пространстве пользователя становятся популярными в связи с увеличением их эффективности, но стеки TCP/IP представляют собой масштабный и сложный код, поэтому неблагоразумно реализовывать и исполнять его дважды — в пространстве пользователя и пространстве ядра. Стек TCP/IP в пространстве ядра хорошо интегрирован со многими мощными инструментами, например IPTables, IPVS, tc, tcpdump, которые недоступны для стека TCP/IP в пространстве пользователя или требуют сложных интерфейсов. Докладчик представит решение Tempesta FW, которое передает обработку HTTPS ядру. HTTPS встроен в стек TCP/IP Linux. Исполняя функцию межсетевого экрана HTTP, Tempesta FW устанавливает набор ограничений по скорости передачи и набор эвристических правил для защиты от таких атак как HTTPS-флуд и Slow HTTP.
Как Web-акселератор акселерирует ваш сайт / Александр Крижановский (Tempesta ...Ontico
В докладе я расскажу, что такое Web-акселератор, он же reverse proxy и он же - фронтенд. Как следует из названия, он ускоряет сайт. Но за счет чего он это делает? Какие они, вообще, бывают? Что они умеют, а что нет? В чем особенности каждого из решений? И, вообще, постараюсь рассказать о них вглубь и вширь.
Еще я расскажу про еще один Open Source Web-акселератор - Tempesta FW. Уникальность проекта в том, что это гибрид Web-акселератора и файервола, разрабатываемый специально для обработки и фильтрации больших объемов HTTP трафика. Основные сценарии использования системы — это защита от DDoS прикладного уровня и просто доставка больших объемов HTTP трафика малыми затратами на оборудование.
- Что такое Web-акселератор, зачем он был придуман и как понять когда он нужен;
- Типичный функционал reverse proxy, его отличия от Web-сервера;
- Упомянем про SSL акселераторы;
- Заглянем вглубь HTTP, и как он управляет кэшированием и проксированием, что может быть закэшированно, а что - нет;
- Мы сравним наиболее популярные акселераторы (Nginx, Varnish, Apache Traffic Server, Apache HTTPD, Squid) по фичам и внутренностям;
- Зачем нужен еще один Web-акселератор Tempesta FW, и в чем его отличие от других акселераторов.
In this installment of the Men & Mice webinar series, Mr. Carsten Strotmann will talk about the role that DNS plays in fighting malware and spam.
The discussion will dig into DNS blacklists, domain reputation, Response Policy Zones and how the new TLDs have changed the game.
Load Balancing MySQL with HAProxy - SlidesSeveralnines
Agenda:
* What is HAProxy?
* SQL Load balancing for MySQL
* Failure detection using MySQL health checks
* High Availability with Keepalived and Virtual IP
* Use cases: MySQL Cluster, Galera Cluster and MySQL Replication
* Alternative methods: Database drivers with inbuilt cluster support, MySQL proxy, MaxScale, ProxySQL
How To Set Up SQL Load Balancing with HAProxy - SlidesSeveralnines
We continuously see great interest in MySQL load balancing and HAProxy, so we thought it was about time we organised a live webinar on the topic! Here is the replay of that webinar!
As most of you will know, database clusters and load balancing go hand in hand.
Once your data is distributed and replicated across multiple database nodes, a load balancing mechanism helps distribute database requests, and gives applications a single database endpoint to connect to.
Instance failures or maintenance operations like node additions/removals, reconfigurations or version upgrades can be masked behind a load balancer. This provides an efficient way of isolating changes in the database layer from the rest of the infrastructure.
In this webinar, we cover the concepts around the popular open-source HAProxy load balancer, and show you how to use it with your SQL-based database clusters. We also discuss HA strategies for HAProxy with Keepalived and Virtual IP.
Agenda:
* What is HAProxy?
* SQL Load balancing for MySQL
* Failure detection using MySQL health checks
* High Availability with Keepalived and Virtual IP
* Use cases: MySQL Cluster, Galera Cluster and MySQL Replication
* Alternative methods: Database drivers with inbuilt cluster support, MySQL proxy, MaxScale, ProxySQL
Why Managed Service Providers Should Embrace Container TechnologySagi Brody
This talk will demonstrate the importance and value for Managed Service Providers (MSPs) and cloud providers of building their business models around the management of containers. It will also explore the various container technologies being used today and why one might be utilized over another. The object is not to give a technical discussion on the subject, but rather to cover the benefits of Linux containers and how their use can be incorporated into strategies for future business planning and development.
October 14 2009 New York Web Performance Group Session.
Rusty Conover is talking about his experience at InfoGears building Content Delivery Network (CDN) on top of Amazon EC2
Delivering High Performance Websites with NGINXNGINX, Inc.
NGINX Plus is an easy-to-install, proven software solution to deliver your sites and applications through state-of-the-art intelligent load balancing and high performance acceleration. Improve your servers’ performance, scalability, and reliability with application delivery from NGINX Plus.
NGINX Plus significantly increases application performance during periods of high load with its caching, HTTP connection processing, and efficient offloading of traffic from slow networks. NGINX Plus offers enterprise application load balancing, sophisticated health checks, and more, to balance workloads and avoid user-visible errors.
Check out this webinar to:
* Learn why web performance matters more than ever, in the face of growing application complexity and traffic volumes
* Get the lowdown on the performance challenges of HTTP, and why the real world is so different to a development environment
* Understand why NGINX and NGINX Plus are such popular solutions for mitigating these problems and restoring peak performance
* Look at some real-world deployment examples of accelerating traffic in complex scenarios
Using HAProxy to Scale MySQL: growing from a single database server to a master-master with multiple slaves replication topology using HAProxy to maintain high-availability and ease maintenance tasks.
High Availability Content Caching with NGINXNGINX, Inc.
On-Demand Recording:
https://www.nginx.com/resources/webinars/high-availability-content-caching-nginx/
You trust NGINX to be your web server, but did you know it’s also a high-performance content cache? In fact, the world’s most popular CDNs – CloudFlare, MaxCDN, and Level 3 among them – are built on top of the open source NGINX software.
NGINX content caching can drastically improve the performance of your applications. We’ll start with basic configuration, then move on to advanced concepts and best practices for architecting high availability and capacity in your application infrastructure.
Join this webinar to:
* Enable content caching with the key configuration directives
* Use micro caching with NGINX Plus to cache dynamic content while maintaining low CPU utilization
* Partition your cache across multiple servers for high availability and increased capacity
* Log transactions and troubleshoot your NGINX content cache
В докладе рассказывается о расширении для стека протоколов TCP/IP в ОС Linux, которое необходимо для того, чтобы HTTPS работал в том же стеке, что TCP и IP. DDoS-атаки такого типа как HTTP-флуд на уровне приложений, как правило, подавляются HTTP-акселераторами или балансировщиками нагрузки HTTP. Однако интерфейс сокетов Linux, используемый программным обеспечением, не дает той продуктивности, которая необходима при предельных нагрузках, вызванных DDoS-атаками. HTTP-серверы на базе стеков TCP/IP в пространстве пользователя становятся популярными в связи с увеличением их эффективности, но стеки TCP/IP представляют собой масштабный и сложный код, поэтому неблагоразумно реализовывать и исполнять его дважды — в пространстве пользователя и пространстве ядра. Стек TCP/IP в пространстве ядра хорошо интегрирован со многими мощными инструментами, например IPTables, IPVS, tc, tcpdump, которые недоступны для стека TCP/IP в пространстве пользователя или требуют сложных интерфейсов. Докладчик представит решение Tempesta FW, которое передает обработку HTTPS ядру. HTTPS встроен в стек TCP/IP Linux. Исполняя функцию межсетевого экрана HTTP, Tempesta FW устанавливает набор ограничений по скорости передачи и набор эвристических правил для защиты от таких атак как HTTPS-флуд и Slow HTTP.
Как Web-акселератор акселерирует ваш сайт / Александр Крижановский (Tempesta ...Ontico
В докладе я расскажу, что такое Web-акселератор, он же reverse proxy и он же - фронтенд. Как следует из названия, он ускоряет сайт. Но за счет чего он это делает? Какие они, вообще, бывают? Что они умеют, а что нет? В чем особенности каждого из решений? И, вообще, постараюсь рассказать о них вглубь и вширь.
Еще я расскажу про еще один Open Source Web-акселератор - Tempesta FW. Уникальность проекта в том, что это гибрид Web-акселератора и файервола, разрабатываемый специально для обработки и фильтрации больших объемов HTTP трафика. Основные сценарии использования системы — это защита от DDoS прикладного уровня и просто доставка больших объемов HTTP трафика малыми затратами на оборудование.
- Что такое Web-акселератор, зачем он был придуман и как понять когда он нужен;
- Типичный функционал reverse proxy, его отличия от Web-сервера;
- Упомянем про SSL акселераторы;
- Заглянем вглубь HTTP, и как он управляет кэшированием и проксированием, что может быть закэшированно, а что - нет;
- Мы сравним наиболее популярные акселераторы (Nginx, Varnish, Apache Traffic Server, Apache HTTPD, Squid) по фичам и внутренностям;
- Зачем нужен еще один Web-акселератор Tempesta FW, и в чем его отличие от других акселераторов.
Проксирование HTTP-запросов web-акселератором / Александр Крижановский (Tempe...Ontico
РИТ++ 2017, HighLoad Junior
Зал Сингапур, 6 июня, 11:00
Тезисы:
http://junior.highload.ru/2017/abstracts/2545.html
Вы поставили HTTP-акселератор перед вашим web-сервером для ускорения отдачи контента, но запросы пользователей по-прежнему отдаются с большой задержкой, а ресурсы сервера кажутся незагруженными. А, может, после того, как поставили
web-акселератор, web-приложение сломалось, да еще и так, что проблема воспроизводится редко, хуже того, о ней могут знать ваши пользователи, но не вы.
...
Linux HTTPS/TCP/IP Stack for the Fast and Secure WebAll Things Open
Presented at All Things Open 2018
Presented by Alexander Krizhanovsky with Tempesta Technologies INC
10/23/18 - 2:00 PM - Networking/Infrastructure Track
Oracle Drivers configuration for High Availability, is it a developer's job?Ludovico Caldara
UCP, GridLink, TAF, AC, TAC, FAN… The configuration of Oracle Drivers for application high availability is not an easy job. The developers often care about the minimal working configuration, while the DBAs are busy with the operations. In this session I will try to demystify application server’s connectivity to the database and give a direction toward the highest availability, using Real Application Clusters and new Oracle features like TAC and CMAN TDM.
Linux kernel TLS и HTTPS / Александр Крижановский (Tempesta Technologies)Ontico
HighLoad++ 2017
Зал «Москва», 7 ноября, 11:00
Тезисы:
http://www.highload.ru/2017/abstracts/3018.html
Наверное, уже ни для кого не секрет, что в Linux kernel интегрируется поддержка TLS: он уже есть в текущем RC Linux 4.13.
В докладе я хочу рассказать, зачем вносится TLS в ядро Linux и о подходах к Linux kernel TLS от Facebook/RedHat, Mellanox и нашего проекта Tempesta FW. Также рассажу о специфичных для ядра проблемах реализации TLS.
...
Since 2007 GOFORTUTION.coM is the search engine of tutors & Students in Delhi and all over India .It provides cheapest and best home tutors to students and it also helps to Tutors who are seeking students for home tution. We at Mentor Me provide highly qualified, result oriented, enthusiastic and responsible tutors for all classes, all subjects and in all locations across Delhi & all over India. Here we have tutors for all subjects of CBSE, ICSE,B.com, B.Sc, BBA, BCA,MBA,CA,CS,MCA,BCA,”O” Level, “A” Level etc.GOFORTUTION is a best portal for tutors and students it is not only a site.
These slides show how to reduce latency on websites and reduce bandwidth for improved user experience.
Covering network, compression, caching, etags, application optimisation, sphinxsearch, memcache, db optimisation
A talk about how HTTP caching features that can and should be used to reduce origin server loads and traffic whilst retaining very small cache expire times. More specifically will cover what basic http headers are used by standard cache devices and how they differ, as well as how can they be used in combination to achieve smart cache revalidation.
RFC 7540 was ratified over 2 years ago and, today, all major browsers, servers, and CDNs support the next generation of HTTP. Just over a year ago, at Velocity (https://www.slideshare.net/Fastly/http2-what-no-one-is-telling-you), we discussed the protocol, looked at some real world implications of its deployment and use, and what realistic expectations we should have from its use.
Now that adoption is ramped up and the protocol is being regularly used on the Internet, it's a good time to revisit the protocol and its deployment. Has it evolved? Have we learned anything? Are all the features providing the benefits we were expecting? What's next?
In this session, we'll review protocol basics and try to answer some of these questions based on real-world use of it. We'll dig into the core features like interaction with TCP, server push, priorities and dependencies, and HPACK. We'll look at these features through the lens of experience and see if good practice patterns have emerged. We'll also review available tools and discuss what protocol enhancements are in the near and not-so-near horizon.
Review of the "ELB Sandwich" design
- Is it always best to design?
- How can it impact performance, security & complexity?
Accelerating web-based applications
- Why HHP/2 is so much faster than HTTP 1.1
- Implementing HTTP/2 without changing your webservers.
- Simplifying certain SSL designs & lowering recurring costs.
- Solving unexpected application problems with ADCs.
* Presented at the Sydney AWS Meetup session 6th July 2016
http://www.meetup.com/AWS-Sydney/
Hosted and organised by PolarSeven - http://polarseven.com
5 things you didn't know nginx could do velocitysarahnovotny
NGINX is a well kept secret of high performance web service. Many people know NGINX as an Open Source web server that delivers static content blazingly fast. But, it has many more features to help accelerate delivery of bits to your end users even in more complicated application environments. In this talk we’ll cover several things that most developers or administrators could implement to further delight their end users.
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...Juraj Vysvader
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I didn't get rich from it but it did have 63K downloads (powered possible tens of thousands of websites).
Unleash Unlimited Potential with One-Time Purchase
BoxLang is more than just a language; it's a community. By choosing a Visionary License, you're not just investing in your success, you're actively contributing to the ongoing development and support of BoxLang.
Enhancing Research Orchestration Capabilities at ORNL.pdfGlobus
Cross-facility research orchestration comes with ever-changing constraints regarding the availability and suitability of various compute and data resources. In short, a flexible data and processing fabric is needed to enable the dynamic redirection of data and compute tasks throughout the lifecycle of an experiment. In this talk, we illustrate how we easily leveraged Globus services to instrument the ACE research testbed at the Oak Ridge Leadership Computing Facility with flexible data and task orchestration capabilities.
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptxrickgrimesss22
Discover the essential features to incorporate in your Winzo clone app to boost business growth, enhance user engagement, and drive revenue. Learn how to create a compelling gaming experience that stands out in the competitive market.
May Marketo Masterclass, London MUG May 22 2024.pdfAdele Miller
Can't make Adobe Summit in Vegas? No sweat because the EMEA Marketo Engage Champions are coming to London to share their Summit sessions, insights and more!
This is a MUG with a twist you don't want to miss.
Globus Connect Server Deep Dive - GlobusWorld 2024Globus
We explore the Globus Connect Server (GCS) architecture and experiment with advanced configuration options and use cases. This content is targeted at system administrators who are familiar with GCS and currently operate—or are planning to operate—broader deployments at their institution.
E-commerce Application Development Company.pdfHornet Dynamics
Your business can reach new heights with our assistance as we design solutions that are specifically appropriate for your goals and vision. Our eCommerce application solutions can digitally coordinate all retail operations processes to meet the demands of the marketplace while maintaining business continuity.
Globus Compute wth IRI Workflows - GlobusWorld 2024Globus
As part of the DOE Integrated Research Infrastructure (IRI) program, NERSC at Lawrence Berkeley National Lab and ALCF at Argonne National Lab are working closely with General Atomics on accelerating the computing requirements of the DIII-D experiment. As part of the work the team is investigating ways to speedup the time to solution for many different parts of the DIII-D workflow including how they run jobs on HPC systems. One of these routes is looking at Globus Compute as a way to replace the current method for managing tasks and we describe a brief proof of concept showing how Globus Compute could help to schedule jobs and be a tool to connect compute at different facilities.
Need for Speed: Removing speed bumps from your Symfony projects ⚡️Łukasz Chruściel
No one wants their application to drag like a car stuck in the slow lane! Yet it’s all too common to encounter bumpy, pothole-filled solutions that slow the speed of any application. Symfony apps are not an exception.
In this talk, I will take you for a spin around the performance racetrack. We’ll explore common pitfalls - those hidden potholes on your application that can cause unexpected slowdowns. Learn how to spot these performance bumps early, and more importantly, how to navigate around them to keep your application running at top speed.
We will focus in particular on tuning your engine at the application level, making the right adjustments to ensure that your system responds like a well-oiled, high-performance race car.
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...Globus
The Earth System Grid Federation (ESGF) is a global network of data servers that archives and distributes the planet’s largest collection of Earth system model output for thousands of climate and environmental scientists worldwide. Many of these petabyte-scale data archives are located in proximity to large high-performance computing (HPC) or cloud computing resources, but the primary workflow for data users consists of transferring data, and applying computations on a different system. As a part of the ESGF 2.0 US project (funded by the United States Department of Energy Office of Science), we developed pre-defined data workflows, which can be run on-demand, capable of applying many data reduction and data analysis to the large ESGF data archives, transferring only the resultant analysis (ex. visualizations, smaller data files). In this talk, we will showcase a few of these workflows, highlighting how Globus Flows can be used for petabyte-scale climate analysis.
Software Engineering, Software Consulting, Tech Lead, Spring Boot, Spring Cloud, Spring Core, Spring JDBC, Spring Transaction, Spring MVC, OpenShift Cloud Platform, Kafka, REST, SOAP, LLD & HLD.
2. Who am I?
CEO at Tempesta Technologies, INC
Custom software development since 2008:
●
Network security: WAF, VPN, DPI etc.
e.g. Positive Technologies AF,
“Visionar” Gartner magic quadrant’15
●
Databases:
one of the top MariaDB
contributors
●
Perfomance tuning
Tempesta FW – Linux
Application Delivery Controller
5. Agenda & Disclaimer
Mechanics:
●
HTTP connections & messages management
●
HTTP decoders & parsers
●
Web caches
●
Network I/O
●
Multitasking
●
TLS
The web accelerators are mentioned
only as implementation examples
Some software is just more familiar to me
7. Server connections
New connections or
persistent connections (usual)
HTTP keep-alive connections
Keep-Alive: timeout=5, max=10000
Reestablish closed KA connection
New connections if all are busy
N backend connections = N backend requests in-flight
DDoS and flash crowds:
as many server connections as client connections
Run out of port numbers
9. HTTP Response Splitting attack
(Web cache poisoning)
/redir_lang.jsp?lang=foobar%0d%0aContent-Length:%200%0d%0a%0d%0a
HTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0a
Content-Length:%2019%0d%0a%0d%0a<html>Shazam</html>
HTTP/1.1 302 Moved Temporarily
Date: Wed, 24 Dec 2003 15:26:41 GMT
Location: http://10.1.1.1/by_lang.jsp?lang=foobar
Content-Length: 0
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 19
<html>Shazam</html>
Decode and validate URI (also for injection attacks)
HTTP/2 isn’t vulnerable
10. HTTP/2
Requests multiplexing instead of pipelining
Pros
●
Responses are sent in parallel and in
any order (no head-of-line blocking)
●
Compression(?)
Cons
●
Less zero copy (different dynamic tables)
HTTP/2 backend connections (H2O, HAProxy, Envoy)
●
Slow backend connections (e.g. CDN)
●
Slow logic (e.g. dynamic content w/ database access)
11. (Non-)indempotent requests
RFC 7231 4.2.2: Non-idempotent request changes server state
Idempotent (safe) methods: GET, HEAD, TRACE, OPTIONS
● User responsibility: GET /action?do=delete
●
Can be POST (e.g. web-search)
Let a user to specify idempotence of methods and resources:
nonidempotent GET prefix “/action”
Cannot be retried in HTTP/1
HTTP/2 (RFC 7540 8.1.4): can retry non-idempotent requests
● GOAWAY and RST_STREAM with REFUSED_STREAM
12. Resend HTTP requests?
Tainted requests: server_forward_retries and server_forward_timeout
Request-killers – RFC 7230 6.3.2: “a client MUST NOT pipeline
immediately after connection establishment”
●
Connection with re-forwarded requests is non-schedulable
Non-idempotent requests can be reforwarded
server_retry_nonidempotent
Error messages keep order of responses
14. Proxy response buffering vs streaming
Buffering
●
Seems everyone by default
●
Performance degradation on large messages
●
200 means OK, no incomplete response
Streaming
●
Varnish, Tengine (patched Nginx)
proxy_request_buffering & fastcgi_request_buffering
●
More performance, but 200 doesn't mean full response
17. HTTP messages adjustment: zero-copy
Tempesta FW: add/remove/update
HTTP headers without copies
Small head and tail memory
overheads to avoid dynamic
allocations
19. Multi-pass HTTP parser
if (!strncasecmp(hp->hd[HTTP_HDR_URL].b, "http://", 7))
b = hp->hd[HTTP_HDR_URL].b + 7;
else if (FEATURE(FEATURE_HTTPS_SCHEME) &&
!strncasecmp(hp->hd[HTTP_HDR_URL].b, "https://", 8))
b = hp->hd[HTTP_HDR_URL].b + 8;
20. Switch-driven HTTP parser
Start: state = 1, *str_ptr = 'b'
while (++str_ptr) {
switch (state) { <= check state
case 1:
switch (*str_ptr) {
case 'a':
...
state = 1
case 'b':
...
state = 2
}
case 2:
...
}
...
}
21. Switch-driven HTTP parser
Start: state = 1, *str_ptr = 'b'
while (++str_ptr) {
switch (state) {
case 1:
switch (*str_ptr) {
case 'a':
...
state = 1
case 'b':
...
state = 2 <= set state
}
case 2:
...
}
...
}
22. Switch-driven HTTP parser
Start: state = 1, *str_ptr = 'b'
while (++str_ptr) {
switch (state) {
case 1:
switch (*str_ptr) {
case 'a':
...
state = 1
case 'b':
...
state = 2
}
case 2:
...
}
... <= jump to while
}
23. Switch-driven HTTP parser
Start: state = 1, *str_ptr = 'b'
while (++str_ptr) {
switch (state) { <= check state
case 1:
switch (*str_ptr) {
case 'a':
...
state = 1
case 'b':
...
state = 2
}
case 2:
...
}
...
}
24. Switch-driven HTTP parser
Start: state = 1, *str_ptr = 'b'
while (++str_ptr) {
switch (state) {
case 1:
switch (*str_ptr) {
case 'a':
...
state = 1
case 'b':
...
state = 2
}
case 2:
... <= do something
}
...
}
30. HPACK (HTTP/2) & QPACK (QUIC)
Huffman encoding – skewed bytes => no SIMD
Dynamic table: at least 4KB overhead for each connection
●
HPACK bomb (2016): N requests with M dynamic table indexed headers
of size S => OOM with N * M * S bytes
Makes sense for requests only (~1.4% improvement for responses)
https://blog.cloudflare.com/hpack-the-silent-killer-feature-of-http-2/
Still have to process strings, even for static headers :(
31. HTTP/2 as the first class citizen
HTTP/2 as an add-on to HTTP/1
// Cookie is an indexed header in the static table
static ngx_str_t cookie = ngx_string("cookie");
if (ngx_memcmp(header->name.data, cookie.data, cookie.len) == 0)
Fast headers lookup using static table indexes (H2O, Tempesta FW)
Store web cache entries in HTTP/2-friendly format (Tempesta FW)
33. To cache
Determined by Cache-Control and Pragma
static (e.g. video, images, CSS, HTML)
some dynamic
Negative results (e.g. 404)
Permanent redirects
Incomplete results (206, RFC 7233 Range Requests)
Methods: GET, POST, whatever
GET /script?action=delete – this is your responsibility
(but some servers don't cache URIs w/ arguments)
34. Not to cache
Determined by Cache-Control and Pragma
Explicit no-cache or private directives
Responses to Authenticated requests
Unsafe methods (RFC 7231 4.2.1)
(safe methods: GET, HEAD, OPTIONS, TRACE)
Set-Cookie (?)
35. Cache Set-Cookie?
Varnish, Nginx, ATS don't cache responses w/ Set-Cookie by default
Tempesta FW, mod_cache, Squid do cache such responses
RFC 7234, 8 Security Considerations:
Note that the Set-Cookie response header field
[RFC6265] does not inhibit caching; a cacheable
response with a Set-Cookie header field can be (and
often is) used to satisfy subsequent requests to
caches. Servers who wish to control caching of these
responses are encouraged to emit appropriate Cache-
Control response header fields.
36. Cache POST?
Discussion: https://www.mnot.net/blog/2012/09/24/caching_POST
●
RFC 7234 4.4: URI must be invalidated
Original eBay case: search API with too many parameters for GET
https://tech.ebayinc.com/engineering/caching-http-post-requests-and-
responses/
Idempotent POST (e.g. web-serarch) – just like GET
Non-idempotent POST (e.g. blog comment) – cache response for
following GET
37. Cache entries freshness
RFC 7234: freshness_lifetime > current_age
Freshness calculation headers: Last-Modified, Date, Age,
Expires
Revalidation:
●
Conditional requests (RFC 7232, e.g. If-Modified-Since)
●
Background activity or on-request job
Nginx: proxy_cache_background_update
Sometimes it’s OK to return stale cache entries:
Nginx: proxy_cache_use_stale
38. HTTP/2 server PUSH
HTTP/2 client ↔ proxy ↔ HTTP/1.1 server (e.g. H2O, Nginx)
● Try with PUSH_PROMISE and stop by RST_STREAM
●
Apache HTTPD: “diary” what has been pushed
(H2PushDiarySize)
●
H2O CASPer tracks client
●
cache state via cookies
Link header (RFC 5988)
● Preload (draft)
https://w3c.github.io/preload/
103 Early Hints (RFC 8297, H2O)
Source: “Reorganizing Website Architecture for HTTP/2 and Beyond” Kazuho Oku
39. Vary
Accept-Language – return localized version of page
(no need /en/index.html)
User-Agent – mobile vs desktop (bad!)
Accept-Encoding – don't send compressed page if browser doesn't
understaind it
Seconday keys: say “hello” to databases
Request headers normalization is required!
44. IO & multitasking
Updated “Choosing A Proxy Server”, ApacheCon 2014, Bryan Call
* Nginx 1.7.11 introduced thread pool, but for asynchronous I/O only
ATS Nginx Squid Varnish
Apache
HTTPD Tempesta
Threads X * per-session! X
Events X X X partial X data-driven
Processes X X X
Softirq X
45. Threads vs Processes vs Softirq
Thread per session (e.g. Varnish)
●
Threads overhead: ~6 pages, log(n) scheduler
●
No slow request starvation (e.g. asynchronous DDoS)
Meltdown (reading kernel memory from user space):
CONFIG_PAGE_TABLE_ISOLATION (KPTI, default in modern kernels)
●
no lazy TLB as previously, PCID instead
●
~40% perf degradation
(https://mariadb.org/myisam-table-scan-performance-kpti/)
●
Tempesta FW: no degradation for the in-kernel workload
●
Do you need the protection for single user edge server?
50. vmsplice(2) zero-copy transmission
2 system calls instead of 1 (KPTI!)
Double buffering
For large transfers only
Examples: HAProxy
vmsplice(pipe_[1], iov, num, 0);
for (int r; data_len; data_len -= r)
r = splice(pipe_[0], NULL, sd, NULL, data_len, 0);
# ./nettest/xmit -s65536 -p1000000 127.0.0.1 5500
xmit: msg=64kb, packets=1000000 vmsplice() -> splice()
usr=9259, sys=6864, real=27973
# ./nettest/xmit -s65536 -p1000000 -n 127.0.0.1 5500
xmit: msg=64kb, packets=1000000 send()
usr=8762, sys=25497, real=34261
51. User space HTTP proxying
1. Receive request at CPU1
2. Copy request to user space
3. Update headers
4. Copy request to kernel space
(except HAProxy &
Tempesta FW)
5. Send the request from CPU2
>= 3 data copies
Access TCP control blocks and
data buffers from different CPUs
52. Tempesta FW: zero-copy proxying
Socket callbacks call TLS and
HTTP processing
Everything is processing in
softirq (while the data is hot)
No receive & accept queues
No file descriptors
Less locking
Lock-free inter-CPU transport
=> faster socket reading
=> lower latency
53. Logging
ATS, Nginx, Squid, Apache HTTPD: write(2)
Varnish: logs in shared memory → varnishlog
Tempesta FW: dmesg (in-memory in further releases)
56. SSL/TLS: (zero-)copying
User-kernel space copying
●
Copy network data to user space
●
Encrypt/decrypt it
●
Copy the data to kernel for transmission
Kernel-mode TLS (Linux kTLS)
Facebook: https://lwn.net/Articles/666509/
●
Eliminates ingress & egress data copyings
●
Nobody in user space uses it
●
Unaware about TCP transmission state (cwnd & rwnd)
57. TLS record size & TCP
TLS record is 16KB by default => several TCP segments
TLS decrypts only full records
TCP congestion & receive windows can cause last segment delays
Source: https://hpbn.co/transport-layer-security-tls/
58. TCP & TLS dynamic record size
TCP CWND & RWND must be used to avoid multiple RTTs
Typical dynamic TLS record size strategies
●
Static size (Nginx)
●
Dynamic (HAProxy, ATS, H20): static algorithms (no cwnd)
●
kTLS: depends on available wmem for the socket
QUIC: TLS record = QUIC packet (no need for TLS dynamic records)
Tempesta FW (pros of being in-TCP/IP stack)
●
TCP send queue, NET_TX_SOFTIRQ
●
min(sndbuff, cwnd, rwnd)
●
http://www.netdevconf.org/2.1/papers/https_tcpip_stack.pdf
59. References
Kernel HTTP/TCP/IP stack for HTTP DDoS mitigation, Alexander Krizhanovsky, Netdev 2.1,
https://netdevconf.info/2.1/session.html?krizhanovsky
HTTP requests proxying, Alexander Krizhanovsky,
https://natsys-lab.blogspot.com/2018/03/http-requests-proxying.html
HTTP Strings Processing Using C, SSE4.2 and AVX2, Alexander Krizhanovsky,
https://natsys-lab.blogspot.com/2016/10/http-strings-processing-using-c-sse42.html
Fast Finite State Machine for HTTP Parsing, Alexander Krizhanovsky,
https://natsys-lab.blogspot.com/2014/11/the-fast-finite-state-machine-for-http.html
Reorganizing Website Architecture for HTTP/2 and Beyond, Kazuho Oku,
https://www.slideshare.net/kazuho/reorganizing-website-architecture-for-http2-and-beyond
Server Implementationsof HTTP/2 Priority, Kazuhiko Yamamoto,
https://www.mew.org/~kazu/material/2015-http2-priority2.pdf
NGINX structural enhancements for HTTP/2 performance, CloudFlare,
https://blog.cloudflare.com/nginx-structural-enhancements-for-http-2-performance/