Mitigating web attacks with Varnish

I’ve been a Varnish user and enthusiast for quite some time, ever since the 1.x days. Perhaps also because of my FreeBSD bias.

Performance-wise, Varnish has always been a treat, successfully replacing expensive solutions from big vendors like BlueCoat (who also run a modified FreeBSD) or Crescendo Networks. Tie it to OpenBSD’s packet filter and the nginx web server and you get an excellent HTTP stack.

A couple of days ago, while I was mangling HTTP headers inside Varnish in order to prevent web attacks, it occurred to me that somebody might have put together something more consistent than my quick’n’dirty setup. And indeed, it’s all there, in Kacper Wysocki’s GitHub repository.


kqueue(2) support for JDK/OpenJDK on FreeBSD

David Xu of FreeBSD fame has recently added support for kqueue(2) to Java. Both Sun and OpenJDK ports have been patched. Although not yet enabled by default, this should definitely give a boost to applications relying on NIO. It would be interesting to see how Openfire scales with this. However, they already have a NIO-like API implemented on top of MINA. Right now I wish it hadn’t been so long since I last touched Java.

Apple’s Java distribution has been supporting it for quite a while, but apparently their kqueue(2) is broken, according to several reports I’ve found on various mailing lists, particularly when watching descriptors associated with files. I’ve only used it with sockets, so I can’t complain.

kqueue is by far my favorite I/O multiplexing API. Besides storing user data in the kevent structure (which I usually use for storing callbacks or object pointers), it also submits and retrieves multiple events in a single system call. I’ve always wondered why epoll(4) in Linux didn’t use a similar approach.
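The two properties mentioned above, a user pointer riding along in the kevent structure and several registrations or retrievals per system call, are easier to see in code. The following is an added example written for this page, not code from the post or from the JDK patches it discusses. The `struct watcher` type, the pipe-based sample input and the `run_kqueue_demo` function are constructed for the demo; kqueue exists only on the BSDs and macOS, so on other platforms the function compiles to a stub that returns -1.

```c
/* Added example: batching registrations and retrievals through a single
 * kevent(2) call, and using the udata field to carry a callback holder.
 * kqueue is BSD/macOS-only; elsewhere run_kqueue_demo() returns -1. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#if defined(__FreeBSD__) || defined(__OpenBSD__) || defined(__DragonFly__) || defined(__APPLE__)
#include <sys/types.h>
#include <sys/event.h>
#include <sys/time.h>
#include <time.h>
#define HAVE_KQUEUE 1
#endif

#define NPIPES 3   /* constructed sample input: three pipes we make readable */

/* Per-descriptor state (hypothetical type for this demo); a pointer to it
 * is stored in kevent.udata and handed back with each event. */
struct watcher {
    int fd;
    char label[16];
    int fired;                              /* times the callback ran */
    void (*on_readable)(struct watcher *w); /* dispatched from udata */
};

static void drain(struct watcher *w)
{
    char buf[64];
    ssize_t n = read(w->fd, buf, sizeof buf);
    if (n > 0)
        w->fired++;
}

/* Registers NPIPES read filters with one kevent() call, writes to every
 * pipe, then collects all pending events with a second kevent() call.
 * Returns the number of callbacks dispatched, or -1 on error / no kqueue. */
int run_kqueue_demo(void)
{
#ifdef HAVE_KQUEUE
    int kq = kqueue();
    if (kq < 0)
        return -1;

    int pipes[NPIPES][2];
    struct watcher w[NPIPES];
    struct kevent changes[NPIPES], events[NPIPES];

    for (int i = 0; i < NPIPES; i++) {
        if (pipe(pipes[i]) < 0)
            return -1;
        w[i].fd = pipes[i][0];
        snprintf(w[i].label, sizeof w[i].label, "pipe-%d", i);
        w[i].fired = 0;
        w[i].on_readable = drain;
        /* udata: the kernel hands this pointer back untouched with the event. */
        EV_SET(&changes[i], w[i].fd, EVFILT_READ, EV_ADD | EV_ENABLE, 0, 0, &w[i]);
    }

    /* One system call submits all NPIPES changes; no events are fetched yet. */
    if (kevent(kq, changes, NPIPES, NULL, 0, NULL) < 0)
        return -1;

    /* Make every pipe readable. */
    for (int i = 0; i < NPIPES; i++)
        if (write(pipes[i][1], "ping", 4) != 4)
            return -1;

    /* One system call retrieves up to NPIPES ready events; a zero timeout
     * keeps the demo from blocking if something went wrong. */
    struct timespec zero = { 0, 0 };
    int n = kevent(kq, NULL, 0, events, NPIPES, &zero);
    int dispatched = 0;
    for (int i = 0; i < n; i++) {
        struct watcher *ww = events[i].udata;  /* our pointer comes back */
        ww->on_readable(ww);
        dispatched++;
    }

    for (int i = 0; i < NPIPES; i++) {
        close(pipes[i][0]);
        close(pipes[i][1]);
    }
    close(kq);
    return dispatched;
#else
    return -1;  /* kqueue not available on this platform */
#endif
}

int main(void)
{
    int n = run_kqueue_demo();
    if (n < 0)
        puts("kqueue unavailable here (or setup failed)");
    else
        printf("%d readable events dispatched via udata callbacks\n", n);
    return 0;
}
```

Compare this with epoll, where `epoll_ctl` accepts one descriptor per call; with kqueue the changelist and eventlist arguments let a server register a batch of new connections and harvest their readiness in the same trip into the kernel.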
