tcp_keepalive options for kernel timer

Fix TcpListener binding and port availability check

.gitignore

@@ -8,10 +8,14 @@
 /docs/
 /docs
 /etc
+/etc/
+etc
+.etc/
+assets/
+assets
 /target/
 *.iml
 .idea/
-.etc/
 *.ipr
 *.iws
 /out/

Cargo.lock

@@ -127,7 +127,7 @@ checksum = "7f202df86484c868dbad7eaa557ef785d5c66295e41b460ef922eca0723b842c"
 
 [[package]]
 name = "aralez"
-version = "0.9.2"
+version = "0.92.9"
 dependencies = [
  "ahash",
  "arc-swap",

Cargo.toml

@@ -1,7 +1,11 @@
 [package]
 name = "aralez"
-version = "0.9.2"
+version = "0.92.9"
 edition = "2021"
+license = "Apache-2.0"
+description = "Reverse proxy built on top of Cloudflare's Pingora"
+exclude = ["etc/*"]
+repository = "https://github.com/sadoyan/aralez"
 
 [profile.release]
 opt-level = 3

README.md

@@ -9,13 +9,23 @@
 Aralez is a high-performance Rust reverse proxy with zero-configuration automatic protocol handling, TLS, and upstream management,
 featuring Consul and Kubernetes integration for dynamic pod discovery and health-checked routing, acting as a lightweight ingress-style proxy.
 
+
 ---
 What Aralez means ?
 **Aralez = Արալեզ** <ins>Named after the legendary Armenian guardian spirit, winged dog-like creature, that descend upon fallen heroes to lick their wounds and resurrect them</ins>.
 
 Built on Rust, on top of **Cloudflare’s Pingora engine**, **Aralez** delivers world-class performance, security and scalability — right out of the box.
 
-[![Buy Me A Coffee](https://img.shields.io/badge/☕-Buy%20me%20a%20coffee-orange)](https://www.buymeacoffee.com/sadoyan)
+---
+
+## Links
+
+- [**Documentation**](https://aralez.rs) : The manual you should read
+- [**Downloads**](https://github.com/sadoyan/aralez/releases) : Binary downloads
+- [**Issues**](https://github.com/sadoyan/aralez/issues) : Issues and requests
+- [**Crates**](https://crates.io/crates/aralez) : The Rust crate registry
+- [**DockerHUB**](https://hub.docker.com/r/sadoyan/aralez) : DockerHUB official repository
+- [**GitHUB Packages**](https://github.com/sadoyan/aralez/pkgs/container/aralez) : GitHUB ghcr.io images
 
 ---
 
@@ -107,6 +117,9 @@ For getting the best performance on newer hardware use `aralez-x86_64-*.gz`.
 
 ```shell
 docker run -d -v /path/to/config:/etc/aralez:rw -p 80:80 -p 443:443 sadoyan/aralez
+docker run -d -v /path/to/config:/etc/aralez:rw -p 80:80 -p 443:443 sadoyan/aralez:compat
+docker run -d -v /path/to/config:/etc/aralez:rw -p 80:80 -p 443:443 ghcr.io/sadoyan/aralez:latest
+docker run -d -v /path/to/config:/etc/aralez:rw -p 80:80 -p 443:443 ghcr.io/sadoyan/aralez:compat
 ```
 
 **Dockerfile :**
@@ -554,10 +567,3 @@ The results show requests per second performed by Load balancer. You can see 3 b
 1. Requests via http1.1 to plain text endpoint.
 2. Requests to via http2 to SSL endpoint.
 3. Mixed workload with plain http1.1 and htt2 SSL.
-
-## Links
-
-- [**Documentation**](https://aralez.rs) : The manual you should read
-- [**Downloads**](https://github.com/sadoyan/aralez/releases) : Binary downloads
-- [**Issues**](https://github.com/sadoyan/aralez/issues) : Issues and requests 
-

etc/main.yaml

@@ -2,22 +2,22 @@
 threads: 12 # Number of daemon threads default setting
 #runuser: pastor # Username for running aralez after dropping root privileges, requires program to start as root
 #rungroup: pastor # Group for running aralez after dropping root privileges, requires program to start as root
-daemon: false # Run in background
+#daemon: false # Run in background
 upstream_keepalive_pool_size: 500 # Pool size for upstream keepalive connections
-pid_file: /tmp/aralez.pid # Path to PID file
-error_log: /tmp/aralez_err.log # Path to error log
+#pid_file: /tmp/aralez.pid # Path to PID file
+#error_log: /tmp/aralez_err.log # Path to error log
 upgrade_sock: /tmp/aralez.sock # Path to socket file
 config_api_enabled: true # Boolean to enable/disable remote config push capability.
-config_address: 0.0.0.0:3000 # HTTP API address for pushing upstreams.yaml from remote location
+config_address: 0.0.0.0+3000 # HTTP API address for pushing upstreams.yaml from remote location
 proxy_address_http: 0.0.0.0:6193 # Proxy HTTP bind address
 proxy_address_tls: 0.0.0.0:6194 # Optional, Proxy TLS bind address
 proxy_configs: /opt/Rust/Projects/asyncweb/etc # Mandatory if proxy_address_tls set, should contain a certificate and key files strictly in a format {NAME}.crt, {NAME}.key.
 proxy_tls_grade: high # Grade of TLS suite for proxy (high, medium, unsafe), matching grades of Qualys SSL Labs
 upstreams_conf: /opt/Rust/Projects/asyncweb/etc/upstreams.yaml # the location of upstreams file
-#file_server_folder: /opt/storage # Optional, local folder to serve
-#file_server_address: 127.0.0.1:3002 # Optional, Local address for file server. Can set as upstream for public access.
+file_server_folder: /tmp/gazan # Optional, local folder to serve
+file_server_address: 127.0.0.1:3002 # Optional, Local address for file server. Can set as upstream for public access.
 log_level: info # info, warn, error, debug, trace, off
-log_file: /tmp/aralez.log # Optional, the location of log file. If this entry does not exist logs will be emitted to stdout.
+#log_file: /tmp/aralez.log # Optional, the location of log file. If this entry does not exist logs will be emitted to stdout.
 hc_method: HEAD # Healthcheck method (HEAD, GET, POST are supported) UPPERCASE
 hc_interval: 2 #Interval for health checks in seconds
 #master_key: 910517d9-f9a1-48de-8826-dbadacbd84af-cb6f830e-ab16-47ec-9d8f-0090de732774 # Mater key for working with API server and JWT Secret

etc/upstreams.yaml

@@ -1,49 +1,47 @@
 # The file under watch and hot reload, changes are applied immediately, no need to restart or reload.
 provider: "file" # "file" "consul" "kubernetes"
-sticky_sessions: 8600
+sticky_sessions: 172000
 to_https: false
-rate_limit: 300
-x4xx_limit: 200
-server_headers:
-  - "X-Forwarded-Proto:https"
-  - "X-Forwarded-Port:443"
-client_headers:
-  - "Access-Control-Allow-Origin:*"
-  - "Access-Control-Allow-Methods:POST, GET, OPTIONS"
-  - "Access-Control-Max-Age:86400"
+rate_limit: 500000
+x4xx_limit: 100000
+#server_headers:
+#  - "Y-Global-Something: Yes this is something"
+#client_headers:
+#  - "Access-Control-Allow-Origin:*"
+#  - "Access-Control-Allow-Methods:POST, GET, OPTIONS"
+#  - "Access-Control-Max-Age:86400"
+#  - "Strict-Transport-Security:max-age=31536000; includeSubDomains; preload"
 #authorization:
-#  type: "jwt"
-#  creds: "910517d9-f9a1-48de-8826-dbadacbd84af-cb6f830e-ab16-47ec-9d8f-0090de732774"
 #  type: "basic"
-#  creds: "username:Pa$$w0rd"
-#  type: "apikey"
-#  creds: "5ecbf799-1343-4e94-a9b5-e278af5cd313-56b45249-1839-4008-a450-a60dc76d2bae"
+#  data: "root:toor"
+#  type: "jwt"
+#  data: "910517d9-f9a1-48de-8826-dbadacbd84af-cb6f830e-ab16-47ec-9d8f-0090de732774"
+#    type: "apikey"
+#    data: "5ecbf799-1343-4e94-a9b5-e278af5cd313-56b45249-1839-4008-a450-a60dc76d2bae"
 consul:
   servers:
-    - "http://192.168.1.199:8500"
-    - "http://192.168.1.200:8500"
-    - "http://192.168.1.201:8500"
+    - "http://consul1:8500"
   services: # hostname: The hostname to access the proxy server, upstream : The real service name in Consul database.
-    - hostname: "webapi-service"
-      upstream: "webapi-service-health"
+    - hostname: "nconsul"
+      upstream: "nginx-consul-NginX-health"
       path: "/one"
       client_headers:
         - "X-Some-Thing:Yaaaaaaaaaaaaaaa"
         - "X-Proxy-From:Aralez"
       rate_limit: 1
       to_https: false
-    - hostname: "webapi-service"
-      upstream: "webapi-service-health"
+    - hostname: "nconsul"
+      upstream: "nginx-consul-NginX-health"
       path: "/"
   token: "8e2db809-845b-45e1-8b47-2c8356a09da0-a4370955-18c2-4d6e-a8f8-ffcc0b47be81" # Consul server access token, If Consul auth is enabled
 kubernetes:
   servers:
-    - "192.168.1.55:443" #For testing only, overrides with KUBERNETES_SERVICE_HOST : KUBERNETES_SERVICE_PORT_HTTPS env variables.
+    - "172.16.0.11:5443" # Gets KUBERNETES_SERVICE_HOST : KUBERNETES_SERVICE_PORT_HTTPS env variables.
   services:
-    - hostname: "webapi-service"
+    - hostname: "api-service-v2"
+      upstream: "api-service-v2"
       path: "/"
-      upstream: "webapi-service"
-    - hostname: "webapi-service"
+    - hostname: "api-service-v2"
       upstream: "console-service"
       path: "/one"
       client_headers:
@@ -51,71 +49,146 @@ kubernetes:
         - "X-Proxy-From:Aralez"
       rate_limit: 100
       to_https: false
-    - hostname: "webapi-service"
-      upstream: "rambul-service"
+    - hostname: "api-service-v2"
+      upstream: "feed-fanout-service"
       path: "/two"
     - hostname: "websocket-service"
       upstream: "websocket-service"
       path: "/"
-  tokenpath: "/path/to/kubetoken.txt" #If not set, will default to /var/run/secrets/kubernetes.io/serviceaccount/token
+  tokenpath: "/opt/Rust/Projects/asyncweb/etc/kubetoken.txt" # Defaults to /var/run/secrets/kubernetes.io/serviceaccount/token
 upstreams:
-  myip.mydomain.com:
+  myip.netangels.net:
     paths:
       "/":
-        rate_limit: 200
-        x4xx_limit: 100
-        to_https: false
+        #        rate_limit: 50
+        #        x4xx_limit: 100
+        #        to_https: false
+        #        authorization:
+        #          type: "basic"
+        #          data: "root:toor"
+        server_headers:
+          - "Y-Proxy-Server-Some:Yaaaaaaaaaaaaaaa"
+          - "Y-Proxy-Server-From:Aralez"
+          - "Y-Proxy-Server-Vers:Aralez v0.89"
         client_headers:
-          - "X-Proxy-From:Aralez"
+          - "X-Proxy-From:Aralezzzzzzzzzzz"
+          - "X-Hopar-From:Hopaaaaaaaaaaaar"
+          - "X-Proxy-Some:X-Proxy-Somebody"
         servers:
           - "127.0.0.1:8000"
           - "127.0.0.2:8000"
           - "127.0.0.3:8000"
           - "127.0.0.4:8000"
           - "127.0.0.5:8000"
+          - "192.168.1.1:8000"
       "/ping":
-        authorization: # Will be ignored if global authentication is enabled.
-          type: "basic"
-          creds: "admin:admin"
         to_https: false
-        server_headers:
-          - "X-Forwarded-Proto:https"
-          - "X-Forwarded-Port:443"
         client_headers:
           - "X-Some-Thing:Yaaaaaaaaaaaaaaa"
           - "X-Proxy-From:Aralez"
         servers:
           - "127.0.0.1:8000"
           - "127.0.0.2:8000"
-      "/draw":
-        servers:
-          - "192.168.1.1:8000"
-  polo.mydomain.com:
-    paths:
-      "/":
+      "/pong":
         to_https: false
         client_headers:
           - "X-Some-Thing:Yaaaaaaaaaaaaaaa"
+          - "X-Proxy-From:Aralez"
         servers:
-          - "192.168.1.1:8000"
-          - "192.168.1.10:8000"
           - "127.0.0.1:8000"
-          - "127.0.0.2:8000"
-          - "127.0.0.3:8000"
-          - "127.0.0.4:8000"
-  apt.mydomain.com:
+      "/secret":
+        authorization:
+          type: "forward"
+          data: "http://192.168.1.1:8899/admin/login"
+          #data: "https://netangels.net/admin/login"
+        servers:
+          - "192.168.1.10:8000"
+  netangels.net:
     paths:
       "/":
+        redirect_to: "https://www.netangels.net:6194"
         servers:
-          - "192.168.1.10:443"
+          - "192.168.1.1:80"
+  www.netangels.net:
+    paths:
+      "/":
+        to_https: true
+        servers:
+          - "192.168.1.1:80"
+  apt.netangels.net:
+    paths:
+      "/":
+        server_headers:
+          - "Y-Global-Something: Yes this is something"
+        client_headers:
+          - "Access-Control-Allow-Methods:POST, GET, OPTIONS"
+        rate_limit: 60
+        x4xx_limit: 30
+        #authorization:
+        #  type: "jwt"
+        #  data: "SOMETHING"
+        servers:
+          - "127.0.0.1:8000"
+          - "127.0.0.2:8000"
       "/.well-known/acme-challenge":
         healthcheck: false
         servers:
           - "127.0.0.1:8001"
-  rdr.mydomain.com:
-    paths:
-      "/":
-        redirect_to: "https://som.other.domain:6194"
+      "/400":
+        rate_limit: 4
+        x4xx_limit: 2
+        servers:
+          - "192.168.1.1:8899"
+      "/500":
         healthcheck: false
         servers:
-          - "127.0.0.1:8080"
+          - "192.168.1.1:8899"
+  #  grafanalocal:
+  #    paths:
+  #      "/":
+  #        healthcheck: false
+  #        servers:
+  #          - "95.211.203.222:443"
+  #      "/.well-known/acme-challenge":
+  #        healthcheck: false
+  #        servers:
+  #          - "127.0.0.1:8001"
+  localpost:
+    paths:
+      "/":
+        to_https: true
+        servers:
+          - "127.0.0.1:9000"
+  #  192.168.177.2:
+  #    paths:
+  #      "/":
+  #        servers:
+  #          - "127.0.0.1:8000"
+  ara.matyan.org:
+    paths:
+      "/":
+        servers:
+          - "127.0.0.1:8000"
+      "/.well-known/acme-challenge":
+        healthcheck: false
+        servers:
+          - "127.0.0.1:3000"
+  aro.matyan.org:
+    paths:
+      "/":
+        servers:
+          - "127.0.0.1:8000"
+      "/.well-known/acme-challenge":
+        healthcheck: false
+        servers:
+          - "127.0.0.1:3000"
+  DEFAUwLT:
+    paths:
+      "/":
+        healthcheck: false
+        servers:
+          - "127.0.0.1:3000"
+      "/.well-known/acme-challenge":
+        healthcheck: false
+        servers:
+          - "127.0.0.1:3000"

src/main.rs

@@ -3,10 +3,14 @@ mod utils;
 mod web;
 
 #[global_allocator]
-// static ALLOC: Jemalloc = Jemalloc;
 static GLOBAL: mimalloc::MiMalloc = mimalloc::MiMalloc;
 // pub static A: CountingAllocator = CountingAllocator;
 
 fn main() {
+    if std::env::args().any(|a| a == "--version" || a == "-v") {
+        println!("aralez {}", env!("CARGO_PKG_VERSION"));
+        std::process::exit(0);
+    }
+
     web::start::run();
 }

src/utils/structs.rs

@@ -130,6 +130,9 @@ pub struct AppConfig {
     pub runuser: Option<String>,
     pub rungroup: Option<String>,
     pub log_file: Option<String>,
+    pub tcp_keepalive_idle: Option<u64>,
+    pub tcp_keepalive_interval: Option<u64>,
+    pub tcp_keepalive_count: Option<usize>,
 }
 
 #[derive(Debug, Default, Clone, PartialEq, Eq, Hash)]

src/utils/tools.rs

@@ -274,7 +274,7 @@ pub fn drop_priv(user: String, group: String, http_addr: String, tls_addr: Optio
 }
 
 pub fn check_priv(addr: &str) {
-    let port = SocketAddr::from_str(addr).map(|sa| sa.port()).unwrap();
+    let port = SocketAddr::from_str(addr).map(|sa| sa.port()).expect("Failed to parse address port ");
     if port < 1024 {
         let meta = std::fs::metadata("/proc/self").map(|m| m.uid()).unwrap();
         if meta != 0 {

src/web/proxyhttp.rs

@@ -177,6 +177,20 @@ impl ProxyHttp for LB {
                         peer.options.verify_cert = false;
                         peer.options.verify_hostname = false;
                     }
+                    /*
+                    Experimental optionsv
+                    The following TCP optimizations were tested but caused performance degrade under heavy load:
+                    peer.options.tcp_keepalive = Some(TcpKeepalive {
+                        idle: Duration::from_secs(60),
+                        interval: Duration::from_secs(10),
+                        count: 5,
+                        user_timeout: Duration::from_secs(30),
+                    });
+
+                    peer.options.idle_timeout = Some(Duration::from_secs(300));
+                    peer.options.tcp_recv_buf = Some(128 * 1024);
+                    End of experimental options
+                    */
                     if let Some(_) = ctx.extraparams.sticky_sessions {
                         let mut s = String::with_capacity(64);
                         write!(

src/web/start.rs

@@ -10,7 +10,9 @@ use dashmap::DashMap;
 use log::info;
 use pingora::tls::ssl::{SslAlert, SslRef};
 use pingora_core::listeners::tls::TlsSettings;
+use pingora_core::listeners::TcpSocketOptions;
 use pingora_core::prelude::{background_service, Opt};
+use pingora_core::protocols::TcpKeepalive;
 use pingora_core::server::Server;
 use privdrop::reexports::libc::SIGQUIT;
 use sd_notify::NotifyState;
@@ -62,12 +64,34 @@ pub fn run() {
     info!("TLS grade set to: [ {} ]", grade);
 
     let bg_srvc = background_service("bgsrvc", lb.clone());
-    let mut proxy = pingora_proxy::http_proxy_service(&server.configuration, lb.clone());
     let bind_address_http = cfg.proxy_address_http.clone();
     let bind_address_tls = cfg.proxy_address_tls.clone();
 
+    let mut proxy = pingora_proxy::http_proxy_service(&server.configuration, lb.clone());
+
     check_priv(bind_address_http.as_str());
 
+    // let mut tcp_options: Option<TcpSocketOptions> = Some(TcpSocketOptions::default());
+    // let mut tcp_options = TcpSocketOptions::default();
+
+    let mut tcp_options: Option<TcpSocketOptions> = None;
+    if let Some(idle) = cfg.tcp_keepalive_idle {
+        let mut to = TcpSocketOptions::default();
+        to.tcp_keepalive = Some(TcpKeepalive {
+            idle: Duration::from_secs(idle),
+            interval: Duration::from_secs(cfg.tcp_keepalive_interval.unwrap_or(60)),
+            user_timeout: Default::default(),
+            count: cfg.tcp_keepalive_count.unwrap_or(5usize),
+        });
+        tcp_options = Some(to);
+        info!(
+            "Applying kernel tcp_keepalive parameters: idle {}, interval {}, count {}",
+            idle,
+            cfg.tcp_keepalive_interval.unwrap_or(60),
+            cfg.tcp_keepalive_count.unwrap_or(5),
+        );
+    }
+
     if let Some(bind_address_tls) = bind_address_tls {
         check_priv(bind_address_tls.as_str());
         let (tx, rx): (Sender<Vec<CertificateConfig>>, Receiver<Vec<CertificateConfig>>) = channel();
@@ -95,7 +119,14 @@ pub fn run() {
         tls_settings.set_servername_callback(move |ssl_ref: &mut SslRef, ssl_alert: &mut SslAlert| certs_for_callback.load().server_name_callback(ssl_ref, ssl_alert));
         tls_settings.set_alpn_select_callback(grades::prefer_h2);
 
-        proxy.add_tls_with_settings(&bind_address_tls, None, tls_settings);
+        proxy.add_tls_with_settings(&bind_address_tls, tcp_options.clone(), tls_settings);
+
+        // if let Some(to) = tcp_options.clone() {
+        //     proxy.add_tls_with_settings(&bind_address_tls, Some(to.clone()), tls_settings);
+        // } else {
+        //     proxy.add_tls_with_settings(&bind_address_tls, None, tls_settings);
+        // }
+        // proxy.add_tls_with_settings(&bind_address_tls, None, tls_settings);
 
         let certs_for_watcher = certificates.clone();
         thread::spawn(move || {
@@ -107,8 +138,13 @@ pub fn run() {
             }
         });
     }
-    info!("Running HTTP listener on :{}", bind_address_http.as_str());
-    proxy.add_tcp(bind_address_http.as_str());
+    info!("Running HTTP listener on :{}", bind_address_http);
+    if let Some(tc) = tcp_options {
+        proxy.add_tcp_with_settings(&bind_address_http, tc);
+    } else {
+        proxy.add_tcp(&bind_address_http)
+    }
+
     server.add_service(proxy);
     server.add_service(bg_srvc);
     thread::spawn(move || server.run_forever());

src/web/webserver.rs

@@ -18,6 +18,8 @@ use prometheus::{gather, Encoder, TextEncoder};
 use serde::Serialize;
 use signal_hook::{consts::SIGQUIT, iterator::Signals};
 use std::collections::HashMap;
+use std::net::SocketAddr;
+use std::str::FromStr;
 use std::sync::Arc;
 use std::time::{Duration, SystemTime, UNIX_EPOCH};
 use tokio::net::TcpListener;
@@ -67,16 +69,14 @@ pub async fn run_server(config: &APIUpstreamProvider, mut to_return: Sender<Conf
 
     let mut static_handle: Option<tokio::task::JoinHandle<()>> = None;
     if let (Some(address), Some(folder)) = (&config.file_server_address, &config.file_server_folder) {
-        port_is_available("File Server", &address).await;
+        let static_listen = port_is_available("File Server", &address).await;
         let static_files = ServeDir::new(folder);
         let static_serve: Router = Router::new().fallback_service(static_files);
-        let static_listen = TcpListener::bind(address).await.unwrap();
         // drop(tokio::spawn(async move { axum::serve(static_listen, static_serve).await.unwrap() }));
         static_handle = Some(tokio::spawn(async move { axum::serve(static_listen, static_serve).await.unwrap() }))
     }
 
-    port_is_available("Config API", &config.address).await;
-    let listener = TcpListener::bind(config.address.clone()).await.unwrap();
+    let listener = port_is_available("Config API", &config.address).await;
     info!("Starting the API server on: {}", config.address);
     let api_server = tokio::spawn(async move { axum::serve(listener, app).await.unwrap() });
 
@@ -227,20 +227,19 @@ async fn status(State(st): State<AppState>, Query(params): Query<HashMap<String,
         .unwrap()
 }
 
-pub async fn port_is_available(name: &str, address: &str) {
-    let addr_port = address.split(":").collect::<Vec<&str>>();
+pub async fn port_is_available(name: &str, address: &str) -> TcpListener {
+    let addr = SocketAddr::from_str(address)
+        .unwrap_or_else(|e| panic!("{}: Invalid address format: {:?}", name, e));
     let t = Duration::from_secs(2);
 
-    let mut a = addr_port[0];
-    if address == "0.0.0.0" {
-        a = "127.0.0.1";
-    }
-    let p = addr_port[1].parse::<u16>().unwrap();
-
+    //if addr.ip() == IpAddr::V4(Ipv4Addr::UNSPECIFIED) {
+    //    addr.set_ip(IpAddr::V4(Ipv4Addr::LOCALHOST));
+    //}
+    let p = addr.port();
     loop {
-        match TcpListener::bind((a, p)).await {
-            Ok(_) => {
-                break;
+        match TcpListener::bind(addr).await {
+            Ok(listener) => {
+                return listener;
             }
             Err(_) => {
                 warn!("{} port is not available: {} will try again in {:?}", name, p, t);