Mladen,

On 11/26/19 15:49, Mladen Adamović wrote:
> Our setup is documented here:
> https://mladenadamovic.wordpress.com/2016/09/06/configure-tomcat-with-ssl-on-ubuntu-minimal/

When I read it in your documentation, I assumed it was just out-of-date, so I went back to your posts to check: you are using a really old version of Tomcat. Your version is 8.5.5, which was released back on 2016-09-05. The current version is 8.5.49, which was released this past week.

In the intervening years, there have been many improvements. I browsed the changelog but don't see anything specific that might explain and/or fix your issue. I may not be looking carefully enough.

There have also been a bunch of security advisories[1] since your version. If you are worried about DDOS, you might want to read through those.

> It wasn't easy for me to configure https/tomcat/letsencrypt...

Really? I realize it's just as simple as "just type encrypt and press enter", but it's relatively straightforward if you understand all the pieces and how they fit together.

Have a look at http://tomcat.apache.org/presentations.html#latest-lets-encrypt if you'd like more information.

-chris

[1] http://tomcat.apache.org/security-8.html

>> [1] https://en.wikipedia.org/wiki/Busy_waiting
>>
>>> On Tue, Nov 26, 2019 at 4:50 PM Christopher Schultz <
>>> ch...@christopherschultz.net> wrote:
>>>
>>> Mladen,
>>>
>>> On 11/25/19 14:36, Mladen Adamović wrote:
>>>>>> On Mon, Nov 25, 2019 at 5:57 PM Christopher Schultz <
>>>>>> ch...@christopherschultz.net> wrote:
>>>>>>
>>>>>>>> We certainly want to be able to serve 10000 hits per
>>>>>>>> second (!), while some connections might be stalled.
>>>>>>>
>>>>>>> What might stall a connection? The network, or the
>>>>>>> application (or database, etc.)?
>>>>>>
>>>>>> Underlying (synchronized) monitors could stall every
>>>>>> thread, the network, whatever.
>>>>>>
>>>>>> The network itself demands a large number of connections,
>>>>>> i.e. current situation at the server (displaying only
>>>>>> remote connections):
>>>>>>
>>>>>> root@condor1796 ~ # netstat -tnp | grep -v "127.0.0" | wc -l
>>>>>> 1220
>>>
>>> Note this is every connection, bound port, and cleanup
>>> connection the kernel knows about; not just established/active
>>> connections to your application specifically.
>>>
>>>>>> If we now have 1220, we definitely need at least 10000
>>>>>> active connections for Tomcat and I don't see that
>>>>>> setting this to 50000 is a bad idea.
>>>
>>> Okay. I think you need a reverse proxy and more servers if you
>>> think 50000 is going to be your peak load.
>>>
>>>>>>> For real DDOS protection, you need a provider who can
>>>>>>> handle lots of traffic and respond quickly by
>>>>>>> black-holing that kind of traffic as
>>>>>>
>>>>>> Depending on how large a server farm they use
>>>>>> (hypothetically). We want to be able to survive some DDoS
>>>>>> attacks. If we limit the number of concurrent connections
>>>>>> by IP address and the number of connections per second,
>>>>>> that's some DoS protection.
>>>
>>> But honestly, this is better done at another layer of the
>>> network; not at the host-level.
>>>
>>>>>> Regarding network delays, out of currently 1220 active
>>>>>> remote connections, most of them are in TIME_WAIT state.
>>>>>> Lowering TIME_WAIT settings in Linux is not
>>>>>> recommended.
>>>
>>> Hmm. Lots of TIME_WAIT connections isn't good. I actually
>>> don't know if they count "against" your 50000 limit in the Java
>>> process.
>>>
>>> -chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
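Added example, not part of the thread above and not code from either participant: the `netstat -tnp | grep -v "127.0.0" | wc -l` count quoted in the thread mixes header lines, every local port, and every TCP state, which is the point Chris raises and the reason the 1220 figure says little about how many sockets Tomcat actually has open. The POSIX sh functions below split the same `netstat -tn` output by local port and state and rank peers by concurrent ESTABLISHED connections (the number a per-IP limit would act on). The netstat output embedded here is constructed for the example, and port 8443 is an assumed Tomcat HTTPS port; on a live box pipe real `netstat -tn` (or `ss -tan`) output into the functions instead.

```shell
#!/bin/sh
# Break down TCP connections by local port and state so that TIME_WAIT and
# CLOSE_WAIT sockets are not mistaken for live client connections to Tomcat.
# NETSTAT_SAMPLE is CONSTRUCTED for this example (not a real capture); 8443 is
# an assumed Tomcat HTTPS port. Live use: netstat -tn | tomcat_states 8443

NETSTAT_SAMPLE='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 10.0.0.5:8443           203.0.113.10:51234      ESTABLISHED 1234/java
tcp        0      0 10.0.0.5:8443           203.0.113.10:51235      ESTABLISHED 1234/java
tcp        0      0 10.0.0.5:8443           198.51.100.7:40001      TIME_WAIT   -
tcp        0      0 10.0.0.5:8443           198.51.100.7:40002      TIME_WAIT   -
tcp        0      0 10.0.0.5:8443           198.51.100.7:40003      TIME_WAIT   -
tcp        0      0 10.0.0.5:8443           192.0.2.44:33000        CLOSE_WAIT  1234/java
tcp        0      0 10.0.0.5:5432           10.0.0.9:55555          ESTABLISHED 2222/postgres
tcp        0      0 127.0.0.1:8005          127.0.0.1:60000         ESTABLISHED 1234/java
tcp        0      0 10.0.0.5:22             192.0.2.44:50022        ESTABLISHED 999/sshd'

# The count used in the thread: every non-loopback line, the two header lines
# included, regardless of port or state.
naive_count() {
    grep -v "127.0.0" | wc -l | tr -d ' '
}

# Per-state summary for one local port (stdin = netstat -tn output).
tomcat_states() {
    awk -v port="$1" '
        $1 ~ /^tcp6?$/ && $4 ~ (":" port "$") { c[$6]++ }
        END { for (s in c) print s, c[s] }' | sort
}

# Number of connections to a local port that are in one TCP state.
count_state() {
    awk -v port="$1" -v st="$2" '
        $1 ~ /^tcp6?$/ && $4 ~ (":" port "$") && $6 == st { n++ }
        END { print n + 0 }'
}

# Concurrent ESTABLISHED connections per peer address, busiest first. This is
# the figure a per-IP connection limit at a proxy or firewall would act on.
# The trailing ":port" is stripped with sub() so IPv6 peers (which contain
# colons) are handled as well as IPv4 ones.
peers_by_load() {
    awk -v port="$1" '
        $1 ~ /^tcp6?$/ && $4 ~ (":" port "$") && $6 == "ESTABLISHED" {
            peer = $5; sub(/:[0-9]+$/, "", peer); c[peer]++
        }
        END { for (p in c) print c[p], p }' | sort -rn
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$NETSTAT_SAMPLE" | naive_count
printf '%s\n' "$NETSTAT_SAMPLE" | tomcat_states 8443
printf '%s\n' "$NETSTAT_SAMPLE" | peers_by_load 8443
```

On the sample the naive count reports 10 while only 2 sockets on 8443 are ESTABLISHED; the 3 TIME_WAIT entries are kernel bookkeeping for closed connections rather than anything Tomcat's connector is holding, and the CLOSE_WAIT entry is a socket the peer has closed that the application has not. Comparing `count_state 8443 ESTABLISHED` over time against the connector's `maxConnections` is a more honest load measure than the raw line count.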