Yesterday we were having lots of issues with proxy01/10 in IAD2. They would stop processing connections. Restarting httpd seemed to clear it up for a while, then it would get stuck again.

My current theory is that we were hitting the limit of 900 clients for some reason and it wasn't processing them correctly when it got to that point.

So, I increased that limit to 1500 and also set up an SSL session cache (which it was complaining about that we didn't have).

Since then, proxy01/10 with those changes have been running ok.

I'd like to push this out to the other proxies now as well, as some of them have been alerting from time to time and it could be this same issue.

I already pushed this commit because I wanted 01/10 to be in sync/in git.

+1's to push it to the rest of the proxies?

commit 313674646df60fc0e8342eff26094f694105cf76
Author: Kevin Fenzi <kevin@xxxxxxxxx>
Date: Tue Sep 21 16:19:14 2021 -0700

proxies: increase max workers

Also add an SSL connection cache. These changes are live on proxy01/10 and seem to have made them stable again. Will look at pushing to the rest tomorrow.

Signed-off-by: Kevin Fenzi <kevin@xxxxxxxxx>

diff --git a/inventory/group_vars/proxies b/inventory/group_vars/proxies index c04531a57..5b0a25fee 100644 --- a/inventory/group_vars/proxies +++ b/inventory/group_vars/proxies @@ -7,7 +7,7 @@ num_cpus: 6 # This is used in the httpd.conf to determine the value for serverlimit and # maxrequestworkers. On 8gb proxies, 900 seems fine. But on 4gb proxies, this # should be lowered in the host vars for that proxy. -maxrequestworkers: 900 +maxrequestworkers: 1500 tcp_ports: [ # For apache, generally. diff --git a/roles/httpd/proxy/templates/httpd.conf.j2 b/roles/httpd/proxy/templates/httpd.conf.j2 index 00947131f..5b1e0debf 100644 --- a/roles/httpd/proxy/templates/httpd.conf.j2 +++ b/roles/httpd/proxy/templates/httpd.conf.j2 
@@ -773,3 +773,5 @@ EnableSendfile on # Configure a location for OCSP stapling SSLStaplingCache shmcb:/tmp/stapling_cache(128000) +SSLSessionCache shmcb:/run/httpd/sslcache(10240000) +SSLSessionCacheTimeout 600 kevin
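Review bot: In the inventory/group_vars/proxies hunk, the comment above maxrequestworkers still reads "On 8gb proxies, 900 seems fine", which no longer matches the new default of 1500. Update the comment to the new figure and say what it was sized against. The same comment says 4gb proxies should lower this value in their host vars; because this is the group default and it feeds both serverlimit and maxrequestworkers, confirm that each 4gb proxy has that override before the wider rollout, otherwise it inherits 1500.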
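Review bot: In the httpd.conf.j2 hunk, the two added lines carry no comment, while the SSLStaplingCache line just above them has one. Add a line saying why the session cache is there and how the size (10240000) and "SSLSessionCacheTimeout 600" were chosen, since the timeout sets how long a cached TLS session stays resumable. The new cache is placed under /run/httpd while the stapling cache sits in /tmp; consider one location for both, and consider exposing the size and timeout as variables the way maxrequestworkers is, so smaller proxies can override them.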