RProxy is a reverse proxy server written with performance and scale in mind.
Building and installing
Dependencies
Building with all dependencies compiled and statically linked
- cd build
- cmake -DRPROXY_BUILD_DEPS:STRING=ON ..
- make
Build using system-wide dependencies
- cd build
- cmake ..
- make
Configuration
Base Configuration
Before any other sub-section of the configuration is processed, the following options can be set.
daemonize = false
rootdir = /tmp
user = nobody
group = nobody
max-nofile = 1024
- daemonizeThe value of this option is a boolean (either true or false). If the value is true, RProxy will daemonize after start, otherwise the server will run in the foreground.
- rootdirIf RProxy is configured to daemonize, the service will daemonize into this i directory.
- userDrop permissions to this user once root operations have been executed. The default of this is to run as the current user.
- groupDrop permissions to this group once root operations have been executed. The default of this is to run as the current group.
- max-nofileIf your system supports set/get rlimits, this sets the maximum number of file-descriptors the server can use at one time. Since RProxy will attempt to keep all of the downstream connections alive, it is suggested that this number be pretty high.It should be noted that by default, most systems won't allow a user to go over a static number (most of the time 1024) even with setrlimit. In this case, a user must perform system-wide configurations.On linux you can add the following to the file /etc/security/limits.conf:
"* hard nofile 590000"
Note a reboot is required for this setting to take effect.On OSX, the following command can be run"sudo launchctl limit maxfiles 590000 590000"
Base Server Configuration
RProxy configuration must contain one or more "server" configuration sections. These sections contains all the required information to deal with an incoming request. The base configuration for a server is as follows:
addr = 127.0.0.1
port = 8080
threads = 4
read-timeout = { 0, 0 }
write-timeout = { 0, 0 }
pending-timeout = { 0, 0 }
high-watermark = 0
max-pending = 0
backlog = 0
- addrThe IP address in which to listen on.
- portThe port to listen on
- threadsThe number of threads to use for this server (note that downstream connections are multiplied by this number).
- read-timeoutThe timeout in { 'seconds', 'microseconds' } for a client connection who has not sent any data. For example, if the value of this was "{ 1, 0 }", if the client has not been active for 1 second, the connection is closed.Setting this will evade potential idle connection DoS attacks.
- write-timeoutThe timeout in { 'seconds', 'microseconds' } to wait for data to the client to be written. If a client is blocking on the read for this long, the connection is closed.
- pending-timeoutWhen a connection is first made to RProxy, it is not immediately processed, instead it is placed in a pending queue. Only when a downstream connection has become available for use does the client get serviced. If a downstream does not become available for this amount of time, the client connection is shut down and removed from the pending queue.This makes sure both the RProxy service and the downstream services are never overloaded.
- max-pendingIf there are this many clients waiting for a backend server to be available, the incoming connection will not be accepted.This setting assures that the server cannot be overloaded with too many connections.
- high-watermarkIn many cases, a downstream may write faster to the RProxy than it can to the client. If the client is unable to keep up with the speed the backend server is sending, you may experience very high memory consumption. This is called a fast-writer/slow-reader effect.If the number of bytes in the output buffer to the client goes over this number, RProxy will disable reading data from the backend until all data in the output queue to the client has been sent.
Server::Downstream Configuration
Each server section contains one or more "downstreams" (in other words, a backend service). Each downstream configuration directive is named, which is referenced by a rule (discussed later).
The information contained within the downstream configuration is global to a server; all virtual host and rule will use the downstream information contained within each downstream section.
downstream <NAME> {
enabled = true
addr = x.x.x.x
port = nnnn
connections = 4
high-watermark = 0
read-timeout = { 0, 0 }
write-timeout = { 0, 0 }
retry = { 0, 500000 }
}
- NAMEEach downstream must have a unique name.
- enabledIf this value is set to false, RProxy will not attempt to make connections or utilize this downstream in any of the rules.
- addrThe FQDN or IP address of this downstream server.
- portThe listening port of the downstream server.
- connectionsThe number of connections RProxy will attempt to keep available. Note that this number is multiplied by the number of threads configured for the server. For example if you have 4 threads, and 2 connections, RProxy actually maintains 8 connections.
- high-watermarkIf number of bytes in the sendQ is over the value of this number (in bytes), further reading from the client is disabled until the sendQ has been emptied.This setting assures that backend servers will not be overloaded by clients.
- read-timeoutIf no data has been read from this downstream for this many { seconds, microseconds }, the connection is terminated.
- write-timeoutIf a write request takes over { seconds, microseconds } to happen, the connection is terminated.
- retryIf one of the downstream connections has been terminated for some reason, this is the time in { seconds, microseconds } RProxy will wait until it tries to re-establish the connection.
Server::SSL Configuration
When this configuration section is present and enabled, RProxy will treat incoming connections as SSL.
ssl {
enabled = false
protocols-on = { ALL }
protocols-off = { }
cert = bleh.crt
key = bleh.key
ca = blah.ca
capath = /capath/
ciphers = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:RC4-SHA:RC4-MD5:ECDHE-RSA-AES256-SHA:AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA:AES128-SHA"
verify-peer = false
enforce-peer-cert = false
verify-depth = 0
context-timeout = 172800
cache-enabled = true
cache-timeout = 1024
cache-size = 65535
crl = {}
}
- enabledIf set to true, SSL is enabled, otherwise SSL is disabled.
- certThe servers SSL cert
- keyThe servers private SSL key
- ca A specific CA file
- capath Relative path to search for valid CA's
- ciphersAccepted ciphers
- protocols-(on|off)The SSL options for enabling or disabling SSL specific protocols. Options: SSLv2, SSLv3, TLSv1, or ALL
- verify-peerEnables SSL client peer verification
- enforce-peer-certIf true, a client is rejected if it does not supply a client certificate.
- cache-enabledEnable SSL certificate cache
- cache-sizeMaximum size of the SSL cache
- cache-timeoutThe lifetime a cert will be kept in the cache.
- context-timeoutTimeout for (OpenSSL >= 1.0) session timeouts.
Server::SSL::CRL Configuration
A server / vhost can be configured to use a CRL list or file which can be reloaded without restarting or signals. This configuration is turned off by default.
ssl {
crl {
file = "/path/to/crl.pem"
dir = "/path/to/crldir/"
reload = { 10, 0 }
}
}
- fileRead from a specific file for CRLs.
- dirRead from a specific directory for CRLs
- reloadA timer (in secuds, useconds) to check for changes and reload the CRL configuration if changes have been made.from https://github.com/mandiant/RProxy