SS5 (SOCKS5 proxy) getting started
Official Website: http://ss5.sourceforge.net/
Scenario Description
In a payment project, for security reasons, the network segment in which the App is deployed cannot reach the public network directly. Some technical means is therefore needed to let the App access the public network.
I tried several approaches, each with its own advantages and disadvantages:
- Nginx forwarding: the TLS certificate would have to be handed to a third party (the proxy), which is unacceptable.
- RINETD forwarding: it can only forward to a fixed IP address, which is unacceptable.
- Configuring routing rules: this affects the routing of the whole machine, and it is unclear whether the routing is secure and reliable.
- SOCKS5 proxy: the application code has to be modified, but HTTP/HTTPS/FTP and other protocols can all be proxied, which meets the requirements.
Install SS5
There are many tutorials on the SS5 installation process on the internet, so it is not covered in detail here; for example, see http://lxsym.blog.51cto.com/1364623/769691.
SS5 stress testing
Network Monitoring Method
The dstat command shows receive/send columns. It seems that receive is the number of bytes received (multiplied by 8 it gives the bandwidth), but send is not the number of bytes this machine sends to the Internet, so dstat cannot be used to determine the send and receive traffic.
The iftop command displays sent and received traffic. In the experimental scenario (about 4 Baidu homepage requests per second, received traffic about KB * 4) the traffic sent and received per second is basically the same as that calculated by the test program, so this command is used to determine network traffic.
SS5 logs
1. STARTED and TERMINATED are paired to indicate the start and end of a connection.
[08/Apr/2015:19:46:57 CST] [1035835136] 10.10.96.106 "CONNECT" STARTED 0 0 0 0 (10.10.96.106:55389->220.181.112.244:80)
[08/Apr/2015:19:48:03 CST] [1035835136] 10.10.96.106 "CONNECT" TERMINATED 23189 352 66 (10.10.96.106:55389->220.181.112.244:80)
2. Not every proxy request is recorded
When we access the public network, a socket (client IP + port and server IP + port) lasts a relatively long time and is not reused within one second, so basically every request gets logged.
When we test against an intranet URL, several hundred successful socket requests complete within one second and many of them are reused. A request with the same client IP + port and server IP + port is the same socket to SS5, which counts it as one connection and writes only one log line.
This explains why, when accessing an intranet URL, thousands of successful requests produce only several hundred log lines.
We consider the above two log scenarios as normal.
3. Socks method unknown or bad request
When someone telnets to port 1080 and types characters, or when the F5 health check probes port 1080, this log line is reported continuously. It should be filtered out through better configuration.
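The following added example (not from the SS5 project or this post) parses the log format shown above: it pairs STARTED/TERMINATED records by client and server ip:port, reports sessions still open, and separates the "Socks method unknown or bad request" noise caused by port probes. It assumes the shape of that noise line and treats the numeric counters as opaque, since their meaning is not documented here.

```python
"""Parse SS5 access-log lines, pair STARTED/TERMINATED records and
separate health-check noise ("Socks method unknown or bad request")."""
import re

# Constructed sample in the format quoted above; the third line is an
# assumed shape for the noise entry produced by probes hitting port 1080.
SAMPLE_LOG = """\
[08/Apr/2015:19:46:57 CST] [1035835136] 10.10.96.106 "CONNECT" STARTED 0 0 0 0 (10.10.96.106:55389->220.181.112.244:80)
[08/Apr/2015:19:46:58 CST] [1035835137] 10.10.96.106 "CONNECT" STARTED 0 0 0 0 (10.10.96.106:55390->220.181.112.244:80)
[08/Apr/2015:19:47:10 CST] [0] [ERRO] $S5ServerAccept$: (Socks method unknown or bad request).
[08/Apr/2015:19:48:03 CST] [1035835136] 10.10.96.106 "CONNECT" TERMINATED 23189 352 66 (10.10.96.106:55389->220.181.112.244:80)
"""

CONN_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[(?P<thread>\d+)\] (?P<client>\S+) "(?P<method>[^"]+)" '
    r'(?P<state>STARTED|TERMINATED) (?P<counters>[\d ]+?) '
    r'\((?P<src>[^)]+?)->(?P<dst>[^)]+)\)$'
)
NOISE_MARK = "Socks method unknown or bad request"


def parse_ss5_log(text):
    """Return completed sessions, still-open sessions, noise and unparsed lines.

    A session is keyed by the (client ip:port, server ip:port) pair, which is
    how SS5 identifies a connection; the thread id is reused across
    connections and is kept only as metadata.
    """
    open_sessions, completed, noise, unparsed = {}, [], 0, []
    for line in text.splitlines():
        if NOISE_MARK in line:
            noise += 1
            continue
        m = CONN_RE.match(line)
        if not m:
            unparsed.append(line)
            continue
        key = (m["src"], m["dst"])
        # Counter semantics are not documented on the page; keep them as ints.
        counters = [int(c) for c in m["counters"].split()]
        if m["state"] == "STARTED":
            open_sessions[key] = {"thread": m["thread"], "started": m["ts"]}
        else:
            started = open_sessions.pop(key, {})
            completed.append({"key": key, "started": started.get("started"),
                              "ended": m["ts"], "counters": counters})
    return {"completed": completed, "open": open_sessions,
            "noise": noise, "unparsed": unparsed}


if __name__ == "__main__":
    result = parse_ss5_log(SAMPLE_LOG)
    print(f"{len(result['completed'])} completed, {len(result['open'])} open, "
          f"{result['noise']} noise lines")
```

A large number of entries left in `open` after a run is the log-side symptom of the socket-release problem described in the next section.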
Performance indicators
Under high concurrency, socket connections are not released in time, or the critical value is reached, and the following errors are reported.
The SS5 log reports (the screen keeps FLUSHING):
[08/Apr/2015:16:06:23 CST] [0] [ERRO] $S5ServerAccept$: (Too many open files).
[08/Apr/2015:16:06:23 CST] [1916823296] [ERRO] $S5GetClientInfo$: (Bad file descriptor).
The program reports the following error:
java.net.SocketException: SOCKS server general failure
    at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:526)
    at java.net.Socket.connect(Socket.java:529)
    at sun.net.NetworkClient.doConnect(NetworkClient.java:158)
    at sun.net.www.http.HttpClient.openServer(HttpClient.java:411)
    at sun.net.www.http.HttpClient.openServer(HttpClient.java:525)
    at sun.net.www.http.HttpClient.<init>(HttpClient.java:208)
    at sun.net.www.http.HttpClient.New(HttpClient.java:291)
    at sun.net.www.http.HttpClient.New(HttpClient.java:310)
    at sun.net.www.protocol.http.HttpURLConnection.getNewHttpClient(HttpURLConnection.java:987)
    at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:966)
    at sun.net.www.protocol.http.HttpURLConnection.connect(HttpURLConnection.java:841)
    at cl.an.HttpConn.run(HttpSocketPressTest.java:188)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:439)
    at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:303)
    at java.util.concurrent.FutureTask.run(FutureTask.java:138)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:895)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:918)
    at java.lang.Thread.run(Thread.java:662)
Performance Test Results:
| Open files limit | Socket connection count, normal critical value (approx.) | Socket connection count, exception threshold (approx.) | Behaviour after the exception threshold is reached |
| Openfiles-1024 | 450 | 550 | Only 200 threads are retained for the reported bug; it returns to normal after 35 seconds. |
| Openfiles-4096 | 2000 | 2100-2500 | Case 1: SS5 stops abnormally and cannot be recovered; `service ss5 status` shows "ss5 dead but subsys locked", and sometimes it reports: *** glibc detected *** /usr/sbin/ss5: free(): invalid pointer: 0x00007f693c0207e0 ***. Case 2: the "Too many open files" error mentioned above, with only 200 threads retained and recovery within 10 seconds. |
| Openfiles-65536 | similar to Openfiles-4096 | similar to Openfiles-4096 | similar to Openfiles-4096 |
Based on our test results, the virtual machine 10.100.140.85 (4 CPUs, 6 GB memory) can be considered to support a maximum of 2000 concurrent connections.
The official website's performance figure is: IBM X360, supporting 2500 concurrent connections.
Command for viewing the number of socket connections: netstat -napo | grep 1080 | wc -l
To change the maximum number of simultaneously open files, edit /etc/security/limits.conf (vim /etc/security/limits.conf); then open a new terminal and run ulimit -n to confirm that the new limit is in effect, and run service ss5 restart so that it takes effect for ss5.
Reference URL:
http://www.codesky.net/article/201105/161796.html
http://www.justwinit.cn/post/6482/
http://blog.csdn.net/leili0806/article/details/7534985
Stress Test Results
Access www.baidu.com (page size: 135KB)
1. Due to bandwidth restrictions (the measured public bandwidth is only about m-2 m), on average only 10-20 successful HTTP requests are returned per second.
2. java.net.SocketTimeoutException: Read timed out: because of limited bandwidth, no data could be read from the stream within the timeout. This is normal and caused by the network; it also occurs when the SOCKS5 proxy is not used.
3. java.net.ConnectException: Connection timed out: connect: also a network issue; no connection to the remote server succeeded within the timeout. This is normal and caused by the network; it also occurs when the SOCKS5 proxy is not used.
4. java.net.SocketException: Connection reset: suspected to be caused by the remote server.
5. The test is as follows:
Iftop and dstat output (screenshots not reproduced here).
6. During the test, watch -n1 -d 'netstat -an | grep 100' looked completely normal, and the SS5 service itself was under no pressure.
7. Test results:
A. Three machines, each with 100 concurrent threads: success rates of 85%, 65% and 67% respectively. The failures are basically Read timed out, i.e. the returned data could not be fully read from the network input stream within 30 seconds.
B. One machine with 100 concurrent threads: a success rate of about 98%.
URL
Bandwidth of about 50-60 M can be reached, with an average of 250 successful responses per second and a success rate of 100%, as shown below:
Iftop and dstat output (screenshots not reproduced here).
Conclusion
- The SS5 service itself handles heavy load; after ulimit -n is raised it supports about 2000 concurrent connections.
- SS5 provides sufficient bandwidth. The smaller the requested file and the better the network, the more successful responses it can sustain.