-- Oct 8th, 2006
Site is in version 2. It will be far easier to update from now.
HAProxy is a very fast and reliable load balancer and reverse proxy for HTTP and TCP-based protocols, which is particularly suited to building highly available architectures. It can check servers' state, report its own state to an upper-level load balancer, share the load among several servers, ensure session persistence through the use of HTTP cookies, protect the servers from surges by limiting the number of simultaneous requests, add/modify/delete incoming and outgoing HTTP headers, block or tarpit requests matching pre-defined criteria, and protect against some forms of DDoS. Its simple event-based architecture provides very high performance and makes its code auditable. I've had reports of several moderate-traffic sites (10 to 100 Mbps) using it with success at constant loads of up to several thousand hits per second. No break-in has ever been reported (yet). It's known to work at least on FreeBSD, Linux, OpenBSD and Solaris. I too use it to protect my web server and to provide IPv6 connectivity. I tried to make it the absolute fastest, and the most reliable, of the solutions in this area. Some commercial products have surpassed its performance, but I'm working on the next release ;-)
Haproxy is now also integrated as a complete solution by Exceliance. The fine kernel tuning permitted in an appliance allows the solution to outperform standard installations.
Haproxy source code has been migrated to GIT. I had lots of difficulties at the beginning, but at least I find it easier to learn GIT on code I know well than on the kernel.
- http://haproxy.1wt.eu/ : The HAProxy page.
- http://haproxy.1wt.eu/download/ : The download area.
- http://git.1wt.eu/git/ : The GIT repository.
- http://git.1wt.eu/web/ : The GIT web interface.
- http://git.1wt.eu/pub/ : The tarballs for the git trees.
LibSLZ
SLZ is a fast and memory-less stream compressor which produces an output that can be decompressed with zlib or gzip. It does not implement decompression at all; zlib is perfectly fine for this. The purpose is to use SLZ in situations where a zlib-compatible stream is needed and zlib's resource usage would be too high while the compression ratio is not critical. The typical use case is in HTTP servers and gateways which have to compress many streams in parallel with little CPU resources to assign to this task, and without having to limit the compression ratio due to the memory usage. In such an environment, the server's memory usage can easily be divided by 10 and the CPU usage by 3. Link : http://1wt.eu/projects/libslz/
I've always liked playing with kernels. When I was a teen, I played with DOS and BIOS. Linux is much more fun to play with. Now I maintain version 2.4. My goal is to make it as reliable as possible. Having reached beyond 1000 days of uptime on many 2.4 kernels in the past might have incited me to continue its maintenance.
I have tried to classify the projects and patches here, but I think I will have to do it again soon :
Linux Kernel Useful Patches (LKUP)
Many useful patches are gathered here. Several of them are also included in my 2.4-wt patches (see below).
Linux Kernel 2.4 patch kits
I spend lots of time building hopefully secure and overloaded Linux kernels for use in production environments. Fortunately, most recent 2.4 kernels are becoming stable (both in use and code), so it's becoming worth adding more and more features. Those kernels are the ones which run Formilux. The latest ones provide buffer overflow protection (with PaX), IPsec (with Openswan), AES-encrypted loop devices, enhanced firewall features (with patch-o-matic-ng), socket port ACLs (pspa), a high performance web server (Tux), virtual server jails, read-only bind mounts, serial ATA drivers, entropy gathering from network devices, ARP tweaks, MPLS support, low latency and preemptive scheduling, I2C sensors, CPU frequency scaling, x86 CPU emulation for small boxes, etc.
Also mirrored by EXOSEC : http://linux.exosec.net/kernel/2.4-wt/
Linux Kernel 2.4 hotfixes
Regularly, I spend time at work gathering small patches from the most recent stable kernels and porting them to older kernels, so that people using a particular 2.4 kernel don't have to make a full update to fix security or stability issues. The work began with 2.4.29 and is hosted at Exosec.
Linux Kernel 2.4 GIT tree
This is the official 2.4 tree. You probably don't need this, but having the URL noted somewhere helps me :-)
- My public dir on kernel.org : my public stuff hosted on kernel.org. Not much content yet.
Linux Kernel add-ons
I've added some features to standard kernels. The most useful one is the set of extensions to the Ethernet bonding driver, which has been included in standard kernels and taken over by Chad Tindel and a bunch of other folks (several of them from Intel). Other non-merged features include :
- lcdpanel, a serial/parallel port
- watchdog, a Watchdog Timer driver for Linux 2.4 for Nexcom's NexGate Network Security Appliances (eg: NSA1045).
- kmsgdump, a tool which does its best to dump the last kernel messages on screen, floppy or printer after a kernel panic or on demand. This one has been ported to 2.5 by Randy Dunlap who now maintains newer versions.
- x86-emu, an i486 and i686 instruction emulator for i386 to i586-class processors. It is common on notebooks or developer workstations to need to run executables compiled for other targets. This patch makes this possible.
Also mirrored by EXOSEC : http://linux.exosec.net/
Formilux : it is a very light and secure distro we've designed with Benoit Dolez. Packaging works at the file level, which makes it particularly suited for embedded systems. A typical install is between 7 MB for a firewall and 20 MB for a UTM gateway. It also supports a "firmware" packaging mode that we're using at Exosec, as it reduces the burden of keeping remote systems up to date. It requires very limited administration but needs fairly skilled administrators. Its main characteristics are Zero Useless File (file-level dependencies), read-only file systems, centralized configuration, very strict default permissions, automatic boot recovery, protection against buffer overflows, and many more.
Network stress testing tools
Most of these tools are load generators used in benchmarking. Some are pretty straightforward, but efficient. I've also started a high performance user-land TCP stack which supports about 150k sessions/s and up to 4 million concurrent sessions on my 1.5 GHz Athlon with 1 GB RAM. But it's not finished yet, and I don't know when I'll find time to work on it.
- http://1wt.eu/ : Back to my home page.
- http://linux.exosec.net/ : Some OpenSource work contributed by Exosec.
- http://www.formilux.org/ : Formilux, an ultra-light, server-oriented Linux distribution.