mirror of https://github.com/haproxy/haproxy.git synced 2026-04-22 23:02:34 -04:00

HAProxy - Load balancer

Find a file

Willy Tarreau 5d0f5f8168 MINOR: mux-h2: assign a limited frames processing budget This introduces 3 new settings: tune.h2.be.max-frames-at-once and tune.h2.fe.max-frames-at-once, which limit the number of frames that will be processed at once for backend and frontend side respectively, and tune.h2.fe.max-rst-at-once which limits the number of RST_STREAM frames processed at once on the frontend. We can now yield when reading too many frames at once, which allows to limit the latency caused by processing too many frames in large buffers. However if we stop due to the RST budget being depleted, it's most likely the sign of a protocol abuse, so we make the tasklet go to BULK since the goal is to punish it. By limiting the number of RST per loop to 1, the SSL response time drops from 95ms to 1.6ms during an H2 RST flood attack, and the maximum SSL connection rate drops from 35.5k to 28.0k instead of 11.8k. A moderate SSL load that shows 1ms response time and 23kcps increases to 2ms with 15kcps versus 95ms and 800cps before. The average loop time goes down from 270-280us to 160us, while still doubling the attack absorption rate with the same CPU capacity. This patch may usefully be backported to 3.3 and 3.2. Note that to be effective, this relies on the following patches: MEDIUM: sched: do not run a same task multiple times in series MINOR: sched: do not requeue a tasklet into the current queue MINOR: sched: do not punish self-waking tasklets anymore MEDIUM: sched: do not punish self-waking tasklets if TASK_WOKEN_ANY MEDIUM: sched: change scheduler budgets to lower TL_BULK		2026-03-23 07:14:22 +01:00
.github	CI: github: treat vX.Y.Z release tags as stable like haproxy-* branches	2026-03-19 15:58:24 +01:00
addons	MINOR: promex: export "haproxy_sticktable_local_updates" metric	2026-03-18 11:18:37 +01:00
admin	BUG/MINOR: admin: haproxy-reload rename -vv long option	2026-03-08 01:37:56 +01:00
dev	DEV: gdb: add a new utility to extract libs from a core dump: libs-from-core	2026-03-18 15:30:39 +01:00
doc	MINOR: mux-h2: assign a limited frames processing budget	2026-03-23 07:14:22 +01:00
examples	MINOR: mailers: warn if mailers are configured but not actually used	2025-06-27 16:41:18 +02:00
include	MEDIUM: sched: do not run a same task multiple times in series	2026-03-23 06:52:24 +01:00
reg-tests	MINOR: jwt: Manage ec certificates in jwt_decrypt_cert	2026-03-10 14:58:47 +01:00
scripts	SCRIPTS: git-show-backports: add a restart-from-last option	2026-03-09 15:36:05 +01:00
src	MINOR: mux-h2: assign a limited frames processing budget	2026-03-23 07:14:22 +01:00
tests	TESTS: quic: add unit-tests for QUIC TX part	2025-09-08 14:49:03 +02:00
.cirrus.yml	CI: cirrus-ci: bump FreeBSD image to 14-3	2025-10-09 14:06:48 +02:00
.gitattributes	MINOR: Configure the `cpp` userdiff driver for *.[ch] in .gitattributes	2021-02-22 18:17:57 +01:00
.gitignore	MINOR: tevt/dev: Add term_events tool	2025-01-31 10:41:50 +01:00
.mailmap	DOC: update Tim's address in .mailmap	2021-09-16 09:14:14 +02:00
.travis.yml	MEDIUM: mworker: remove USE_SYSTEMD requirement for -Ws	2024-11-20 12:07:38 +01:00
BRANCHES	DOC: clarify the experimental status for certain features	2025-10-17 18:41:13 +02:00
BSDmakefile	BUILD: makefile: commit the tiny FreeBSD makefile stub	2023-05-24 17:17:36 +02:00
CHANGELOG	[RELEASE] Released version 3.4-dev7	2026-03-20 10:14:59 +01:00
CONTRIBUTING	CLEANUP: assorted typo fixes in the code and comments	2025-04-02 11:12:20 +02:00
INSTALL	MINOR: version: mention that it's development again	2025-11-26 16:11:47 +01:00
LICENSE	LICENSE: add licence exception for OpenSSL	2012-09-07 13:52:26 +02:00
MAINTAINERS	MAJOR: spoe: Let the SPOE back into the game	2024-05-22 09:04:38 +02:00
Makefile	DEV: gdb: add a new utility to extract libs from a core dump: libs-from-core	2026-03-18 15:30:39 +01:00
README.md	DOC: remove openssl no-deprecated CI image	2026-02-19 10:39:23 +01:00
SUBVERS	BUILD: use format tags in VERDATE and SUBVERS files	2013-12-10 11:22:49 +01:00
VERDATE	[RELEASE] Released version 3.4-dev7	2026-03-20 10:14:59 +01:00
VERSION	[RELEASE] Released version 3.4-dev7	2026-03-20 10:14:59 +01:00

README.md

HAProxy

HAProxy is a free, very fast and reliable reverse-proxy offering high availability, load balancing, and proxying for TCP and HTTP-based applications.

Installation

The INSTALL file describes how to build HAProxy. A list of packages is also available on the wiki.

Getting help

The discourse and the mailing-list are available for questions or configuration assistance. You can also use the slack or IRC channel. Please don't use the issue tracker for these.

The issue tracker is only for bug reports or feature requests.

Documentation

The HAProxy documentation has been split into a number of different files for ease of use. It is available in text format as well as HTML. The wiki is also meant to replace the old architecture guide.

Please refer to the following files depending on what you're looking for:

INSTALL for instructions on how to build and install HAProxy
BRANCHES to understand the project's life cycle and what version to use
LICENSE for the project's license
CONTRIBUTING for the process to follow to submit contributions

The more detailed documentation is located into the doc/ directory:

doc/intro.txt for a quick introduction on HAProxy
doc/configuration.txt for the configuration's reference manual
doc/lua.txt for the Lua's reference manual
doc/SPOE.txt for how to use the SPOE engine
doc/network-namespaces.txt for how to use network namespaces under Linux
doc/management.txt for the management guide
doc/regression-testing.txt for how to use the regression testing suite
doc/peers.txt for the peers protocol reference
doc/coding-style.txt for how to adopt HAProxy's coding style
doc/internals for developer-specific documentation (not all up to date)

License

HAProxy is licensed under GPL 2 or any later version, the headers under LGPL 2.1. See the LICENSE file for a more detailed explanation.