[PATCH] Mail: add the "reuseport" option of the "listen" directive

Robert Mueller robm at fastmail.fm
Wed Aug 18 14:28:59 UTC 2021

> Could you please test if compiling with 
> --with-cc-opt="-DNGX_HAVE_EPOLLEXCLUSIVE=0" 
> improves things, notably on production systems?  In my limited 
> testing it seems to improve things, and if this is indeed the 
> case, we can consider removing use of EPOLLEXCLUSIVE.

I can try this tomorrow, but did you see the link Jan posted to the Cloudflare blog?


This explains the problem we're seeing exactly and why reuseport fixes it.

> > As you can see, without the reuseport option, this causes severe 
> > scalability problems for us.
> I tend to think that reuseport is a bad option for load balancing 
> between worker processes, as it can be easily tricked by an outside 
> actor to select a particular worker process, and this opens an 
> obvious DoS attack vector.

Really? Can you explain how this is possible?

Also given that Cloudflare use this option, and I expect Cloudflare are literally the largest users of nginx in the world and also have to deal with extreme adversarial environments given they run a service to protect against DDoS, I would expect they would be aware of any potential DoS vector in this regard, or if not aware, extremely interested in hearing about it!

Rob Mueller
robm at fastmail.fm
