Tag Archives: release

Pen 0.27.3 released

Available here:

http://siag.nu/pen/

And also here:

https://sourceforge.net/projects/penloadbalancer/files/Source/

Several new configuration options dealing with securing SSL.

ssl_option no_sslv2 turns off SSLv2. This has been the default for ages; nobody should use SSLv2 anymore.

ssl_option no_sslv3 turns off SSLv3. That sacrifices compatibility with the oldest browsers on Windows XP, but also “sacrifices” the vulnerabilities that come with SSLv3, POODLE (CVE-2014-3566) among them.

ssl_option no_tlsv1 turns off TLS 1.0, again trading a bit of compatibility for a bit of security.

ssl_option cipher_server_preference makes Pen pick the cipher suite according to the order of its own cipher list (see next item) instead of the order the client proposes. Without it the client's ordering decides, so a client that lists weak suites first will get them.

ssl_ciphers CIPHERS specifies the list of cipher suites to support, in OpenSSL cipher-string syntax. By default, Pen uses whatever OpenSSL thinks the default should be, and that list differs between OpenSSL versions and between builds compiled with different options, so pin it explicitly if you care what gets negotiated.

See here for a suggested configuration with intermediate compatibility but still good security:

Perfect Forward Secrecy
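To see what these options actually do to a listener, here is an added example (my code, not Pen's) that maps the four ssl_option keywords above onto the equivalent OpenSSL flags through Python's ssl module and expands a forward-secrecy cipher string the way OpenSSL would. The keyword-to-flag table and the cipher string are my own, derived from the option names in the post; Pen's internals are not involved, and the example only mirrors the settings a Pen configuration would hand to OpenSSL.

```python
import ssl

# Pen's ssl_option keywords are the OpenSSL SSL_OP_* flags spelled in lower
# case; Python's ssl module exposes the same flags under the same names.
# (Assumption: this table is mine, built from the four keywords in the post.)
# OP_NO_SSLv2 is 0 on OpenSSL builds without SSLv2, so that keyword is
# accepted but a no-op there, which is exactly what "default for ages" means.
PEN_SSL_OPTIONS = {
    "no_sslv2": ssl.OP_NO_SSLv2,
    "no_sslv3": ssl.OP_NO_SSLv3,
    "no_tlsv1": ssl.OP_NO_TLSv1,
    "cipher_server_preference": ssl.OP_CIPHER_SERVER_PREFERENCE,
}

# Constructed cipher string in the spirit of the "intermediate" profile the
# post links to: only ECDHE/DHE key exchange (forward secrecy), only AEAD
# suites, and explicit exclusions of anonymous, MD5 and RC4 suites.
HARDENED_CIPHERS = "ECDHE+AESGCM:DHE+AESGCM:!aNULL:!MD5:!RC4"


def build_context(ssl_options, ciphers=None):
    """Return a server SSLContext configured with the given Pen-style
    ssl_option keywords and optional ssl_ciphers string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Python pre-sets server cipher preference; raw OpenSSL (and hence Pen
    # without the option) does not, so start from the OpenSSL default.
    ctx.options &= ~ssl.OP_CIPHER_SERVER_PREFERENCE
    for opt in ssl_options:
        try:
            ctx.options |= PEN_SSL_OPTIONS[opt]
        except KeyError:
            raise ValueError("unknown ssl_option: %s" % opt) from None
    if ciphers is not None:
        # Raises ssl.SSLError if the string selects no suite at all; that is
        # the misconfiguration to catch before a listener goes live.
        ctx.set_ciphers(ciphers)
    return ctx


def has_option(ctx, opt):
    """True if the OpenSSL flag behind a Pen ssl_option keyword is set."""
    return bool(ctx.options & PEN_SSL_OPTIONS[opt])


def negotiable_ciphers(ctx):
    """Suite names this context will offer, in preference order. With
    ssl_ciphers unset, this list is whatever the local OpenSSL build
    defaults to, which is why the post recommends pinning it."""
    return [c["name"] for c in ctx.get_ciphers()]


def weak_suites(ctx):
    """Suites still on offer that the hardened profile is meant to exclude."""
    bad = ("RC4", "MD5", "DES", "NULL", "EXP", "ADH", "AECDH")
    return [n for n in negotiable_ciphers(ctx) if any(b in n for b in bad)]


if __name__ == "__main__":
    default = build_context([])
    hardened = build_context(
        ["no_sslv2", "no_sslv3", "no_tlsv1", "cipher_server_preference"],
        HARDENED_CIPHERS)
    print("OpenSSL default list: %d suites" % len(negotiable_ciphers(default)))
    print("hardened list:", negotiable_ciphers(hardened))
    print("weak suites left:", weak_suites(hardened))
```

Run it on two machines with different OpenSSL versions and the "default list" line will differ while the hardened list stays the same; that difference is the reason to set ssl_ciphers rather than trusting the build.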

The default maximum number of connections has been 256 since Pen’s inception in 2000. Today that is ridiculously conservative since Pen will gladly handle tens of thousands of connections on a Raspberry Pi:

The Great Load Balancer Shootout…
Let’s double that one more time

The default is now bumped to 500; still very conservative.

Full list of changes since 0.27.2:

150330 Added autoconf check that ECDHE is available and not disabled.
Bumped default max connections and listen queue to 500.

150326 Support for ECDHE cipher suites.

150325 New commands ssl_option and ssl_ciphers to individually disable
insecure protocols and ciphers.

150324 Updated penctl.1 with the new command.

150322 New knob to tweak max number of pending nonblocking connection
attempts: pending_max N (default 100).

Pen 0.27.2 released

Available here:

http://siag.nu/pen/

And also here:

https://sourceforge.net/projects/penloadbalancer/files/Source/

A couple of new features mainly meant for testing:

– Reliable idlers: Pen creates and maintains a number of idle connections
to the backend servers. If a connection is closed by the server, it is
reestablished.

– Dummy server: Instead of proxying requests to a real server, Pen acts
as a web server by replying with an HTTP response to anything the
client says.

And another batch of features that give better control over what Pen
does and how. See below and also the penctl manpage. As usual, everything
that can be done through penctl can also be done through the configuration
file or the command line.

Full list of changes since 0.27.1:

150228 Moved dlist prototypes to dlist.h.

150227 Added check to close idle connections after a period of inactivity.
Penctl: idle_timeout N (default 0 = never close idle connections).

150225 Moved git repository to GitHub.

150225 New feature: dummy server. Rather than acting as a proxy,
Pen will pretend to be a web server with just barely enough
functionality to work as a test target.
Penctl: dummy|no dummy.

150224 Yet Another command: abort_on_error|no abort_on_error makes
Pen call abort() (or not) when encountering a fatal error.

150224 New feature: “reliable idling”. Pen will make and maintain a
number of idle connections to the backend servers. When a connection
closes, a new one is made (hence “reliable”). Penctl: idlers [N].

150223 In do_cmd: return diagnostics to penctl so the user can see them,
instead of uselessly sending them to syslog.

150223 New penctl commands:
socket N (print which connection the socket belongs to)
connection N (print info on the specified connection)
close N (forcibly close connection N)

Pen 0.27.1 released

Available here:

http://siag.nu/pen/

And also here:

https://sourceforge.net/projects/penloadbalancer/files/Source/

A bunch of bugfixes:

150219 In open_listener: check that the requested port is in range.
Fixed bug in dlist_insert.
Released 0.27.1.

150215 Even load distribution when a server is unavailable.

150212 Let pen save the settings for tcp_nodelay and tcp_fastclose.
Make flush_up and flush_down return the correct value on error.

Pen 0.27.0 released

Available here:

http://siag.nu/pen/

And also here:

https://sourceforge.net/projects/penloadbalancer/files/Source/

The 0.27.0 release focuses on doing more by doing less. The number of syscalls
required per transaction has been reduced significantly. On Linux, 100 ApacheBench
requests using all default Pen settings took 5689 syscalls on 0.26.1, but only
2819 on 0.27.0 (2413 with tcp_fastclose).

Another way of doing less has been to move certain operations from O(n) to O(1),
where n is the number of connections. That doesn’t matter much with the default
256 simultaneous connections, but when n is 100000, it makes a difference.

Two new configuration commands have seen the light of day. These can be set
on the command line at startup or dynamically with penctl.

tcp_nodelay|no tcp_nodelay

This controls the TCP_NODELAY socket option. Setting tcp_nodelay disables the
Nagle algorithm on systems that support it, so small writes go out immediately
instead of being coalesced; whether that helps depends on the traffic pattern.
Default is no tcp_nodelay.

tcp_fastclose up|down|both|off

With Pen being a proxy, one Pen connection is actually two TCP connections,
one to the client and one to the server. Normally, Pen waits for both client
and server to signal end of file before shutting down the connection.
For some protocols this is not necessary and it is safe to shut down the
connection as soon as either end does. Only enable it for protocols where
neither side has anything left to send once the other has closed: in a
request/response exchange where the server answers after the client's end of
file, closing on the client's EOF discards the response. Default is off.
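An added example, not Pen's code, of the half-close logic this setting controls: a minimal loopback proxy in Python that implements the four tcp_fastclose values and runs a constructed HTTP/1.0-style exchange (client sends, half-closes, backend answers only after seeing EOF) through it. Reading "up" as the backend side and "down" as the client side is my assumption, based on the upfd/downfd naming used elsewhere on this page; the backend, client and payload are constructed for the example.

```python
import select
import socket
import threading

BUFSIZE = 4096


def relay(down, up, fastclose="off"):
    """Proxy bytes between client socket `down` and backend socket `up`.

    "off":  forward each EOF as a half-close; finish only when BOTH sides
            have sent EOF (the default described in the post).
    "up":   close both sockets as soon as the backend sends EOF.
    "down": close both sockets as soon as the client sends EOF.
    "both": close both on EOF from either side.
    Assumption: "up" is the backend side and "down" the client side.
    """
    peer = {down: up, up: down}
    side = {down: "down", up: "up"}
    still_sending = {down, up}             # sockets that have not sent EOF yet
    try:
        while still_sending:
            readable, _, _ = select.select(list(still_sending), [], [], 5.0)
            if not readable:
                return                     # idle for too long: drop the connection
            for s in readable:
                data = s.recv(BUFSIZE)
                if data:
                    peer[s].sendall(data)
                    continue
                still_sending.discard(s)   # this side is done sending
                if fastclose in ("both", side[s]):
                    return                 # fastclose: tear down both ends now
                try:
                    peer[s].shutdown(socket.SHUT_WR)   # forward just the half-close
                except OSError:
                    pass
    finally:
        down.close()
        up.close()


def backend_serve(listener):
    """Constructed backend: read until EOF, then answer (HTTP/1.0 style)."""
    conn, _ = listener.accept()
    with conn:
        request = b""
        try:
            while True:
                chunk = conn.recv(BUFSIZE)
                if not chunk:
                    break
                request += chunk
            conn.sendall(request.upper())
        except OSError:
            pass                           # proxy already tore the connection down


def client_request(port, payload=b"hello"):
    """Constructed client: send, half-close, collect the reply until EOF."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as c:
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)
        reply = b""
        try:
            while True:
                chunk = c.recv(BUFSIZE)
                if not chunk:
                    break
                reply += chunk
        except OSError:
            pass                           # a reset from the proxy means no reply
        return reply


def run_scenario(fastclose):
    """client -> proxy -> backend on loopback; return what the client gets."""
    backend_l, proxy_l = socket.socket(), socket.socket()
    for l in (backend_l, proxy_l):
        l.bind(("127.0.0.1", 0))
        l.listen(1)
    backend_port = backend_l.getsockname()[1]

    def proxy_once():
        down, _ = proxy_l.accept()
        up = socket.create_connection(("127.0.0.1", backend_port))
        relay(down, up, fastclose)

    threads = [threading.Thread(target=backend_serve, args=(backend_l,), daemon=True),
               threading.Thread(target=proxy_once, daemon=True)]
    for t in threads:
        t.start()
    try:
        return client_request(proxy_l.getsockname()[1])
    finally:
        for t in threads:
            t.join(timeout=5)
        backend_l.close()
        proxy_l.close()


if __name__ == "__main__":
    for mode in ("off", "up", "down"):
        print("tcp_fastclose %-4s -> client received %r" % (mode, run_scenario(mode)))
```

With off or up the client gets the reply; with down the proxy closes both sockets on the client's end of file and the backend's answer is discarded. That silent truncation is the failure mode to rule out, per protocol, before turning fastclose on.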

Finally, it is no longer required to run the configure script when
cross-compiling for Windows.

All ChangeLog entries since 0.26.1:

150212 Added config.h.win with reasonable settings for Windows.

150211 Better detection and blacklisting of unavailable servers.

150209 New penctl commands:
tcp_nodelay sets TCP_NODELAY on sockets. Turn off with no tcp_nodelay.
tcp_fastclose closes both upstream and downstream sockets if one of them
closes theirs. Will take the values up, down, both or off (default).

150208 Rather than making a table of pending connections every time through
the main loop, keep them in a doubly linked list which is only updated
as needed. O(n) -> O(1).

150207 A bug in udp mode: after successful “connect”, do not event_add downfd,
because it is equal to listenfd and epoll_ctl doesn’t like that.

150206 Module kqueue.c updated.
Module poll.c: set unused fd:s to -1, or Solaris will say ENOSYS.

150205 Enable diagnostic messages by default in configure.ac.
Changed event bookkeeping from stateless to stateful.
Made keepalive optional and added “keepalive / no keepalive” penctl command.

Pen 0.26.0 released

Available here:

http://siag.nu/pen/

And also here:

https://sourceforge.net/projects/penloadbalancer/files/Source/

The 0.26.0 release features quite a few improvements over 0.25.1. Some of
the most important ones are probably:

– Connecting to backend servers is now done in parallel with other operations.
This gives better overall performance for servers with a bit of latency
(i.e. most application servers).

– The option to turn off nonblocking socket operations has been removed.

– The accept queue length is now configurable, whereas it previously required
a recompile. This makes tuning easier.

– The number of incoming connections that are accepted at a time is also
configurable.

– The configure script now automatically tries to use features that everybody
should want: poll, kqueue, epoll, openssl and geoip will be built if possible,
unless they are explicitly excluded. Before, it was necessary to write
a long list of "--with-foo --with-bar --with-baz" options.

– Pen has always used select as the default event management system. Support
for poll and kqueue has been available for many years, and has now been
joined by epoll. The default event management system is now kqueue for BSD,
epoll for Linux, poll for anything else if it is available and select
where it is the only option (i.e. Windows).

– Improved compatibility with Microsoft Windows. Pen can now be installed as
a native Windows service without using Cygwin as a compatibility layer.

Full list of changes since 0.25.1:

150204 Released 0.26.0.

150203 More sensible autoconfiguration defaults: poll, kqueue, epoll, openssl and geoip
are built if found unless explicitly excluded.
New event management defaults: kqueue, epoll, poll, select in that order.
New penctl commands: kqueue, epoll, poll, select.
New command line option: -O cmd where cmd is any penctl command.
E.g. -O select to use select instead of the compiled-in default.

150127 New penctl option “listen [address:]port” to allow listening address
to be changed on the fly or via a configuration file.
New pen options -i and -u to install and uninstall Pen as a Windows service.
See pen manpage.
Reduced default timeout to 3 seconds.

150126 New autoconf option --enable-debugging to enable debugging code.
Lots of fixes for compatibility with Windows.
Released 0.26.0beta2.

150123 Fixed bug in mainloop which kept trying to write 0 bytes.
MinGW port. Use Makefile.win to compile.

150121 Event management code broken out into select.c, poll.c, kqueue.c and epoll.c.

150113 New command-line option -m to accept multiple incoming connections in a batch.
New command-line option -q to set incoming pending connection queue length.

150112 Close upfd when failing over.

150109 Released 0.26.0beta1.
Adjusted debug logging levels.

150108 Started on epoll support for Linux.

150107 Rewrote output_net and output_file to take a variable number of arguments.
Handle timed out connection attempts in mainloop_kqueue.

150105 Fixed mainloop_kqueue.

150103 A lot of code broken out from mainloop_select into separate functions.
Fixed mainloop_poll.

150102 Bugfixes related to the new backend connection logic.

141229 Cleaned up and simplified add_client() and associated circuitry.
Connections to back end servers are now nonblocking and parallel.

141217 Removed the -n option and all code explicitly using blocking sockets.
Removed the -D option and the “delayed forward” feature.

141213 Renamed server and client fields in the conn, client and server structures
to better reflect what they are.
Restructured the add_client, store_client, store_conn and try_server
functions.

Pen 0.24.0 released

The UDP code has been simplified, cleaned up and bugfixed. Performance seems better now. Here is a simple test with two hosts over gigabit ethernet:

On host 1:
ulric@qvp2:~/pen-0.24.0$ yes "Ulric was here" | ./penlog 192.168.0.183 10000

On host 2:
ulric@debian:~/Projekt/pen/Zippar/pen-0.24.0$ ./pen -dfU -S 1 10000 192.168.0.102:10000 > out 2>&1

On host 1:
ulric@qvp2:~/pen-0.24.0$ ./penlogd -df 10000 > out 2>&1
ulric@qvp2:~/pen-0.24.0$ grep -c "2014-06-21 16:27:12: bogus web line Ulric was here" out
9297

Penlog and Penlogd are two programs that send and receive Apache logs over UDP. Used here to generate and receive a lot of UDP traffic.

Source available here, as usual:

http://siag.nu/pub/pen/
