Wait until these people learn about Disney's Secret Club 33. Membership is $100,000 not counting annual dues and the current waiting list is about 14 years. That's the only way into the unpublished tunnel that leads to the special underground rooms. Not even park security has access. The normies that know about it think it's just about drinking alcohol in the ground floor room.
I would rather avoid cipher fixation. Give me thousands of protocol / cipher / mac / mode combinations. Fixation only benefits nations wanting to crack something.
Agility benefits nations wanting to crack something, because they can force you to pick an insecure combination. This has happened in the real world several times before.
Adding to that, cryptography is just mathematical obfuscation, and often repeated here is that security through obscurity is not security at all. I will stick with my own principles of not fixating on a cipher. The only people that benefit are lazy spooks.
Rather than what is accepted as the strongest ciphers, I prefer ciphers not optimized by CPUs and GPUs. Spooks will have to cycle through every combination of protocol + cipher + mac + mode + passphrase + whatever other obfuscation I shim inside that tunnel. Keep 'em on their toes. Even better, I will also cycle through these encoding methods [1] if I am in a good mood; otherwise I will rot13 their ass and then force them to use a Drogan's Decoder Wheel.
The recipient will get the forever chemicals, but they survive due to the blood transfer, so in a few weeks they can donate and get rid of the chemicals.
There are a few dozen countries in which one can buy citizenship. Some require investing in something or starting their own business. Search for "countries that offer citizenship for money". Some places will pay for people to move there under certain conditions and a lack of criminal history.
I've gone through this exercise on my own personal hobby nodes long ago. In my case I was just on an under-powered node for the load, but I made sure my rewrite rules were optimized in the virtualserver config vs .htaccess and that I closed all rules with a final L to cease processing rules when matches were found. I also jacked up all the worker/server limits as high as I could go for the memory in the node; this was a VPS node. Sendfile was 'on'. Anything I could do to keep anonymous users off the disk was important, so I used tmpfs anywhere I could.
I also made sure all uses of a temp space were in tmpfs. I also maxed out all the /etc/security/limits.conf limits (now set in systemd unit files) and sysctl file limits to get them out of the way. Spikes of traffic can very briefly hit these limits and then everything just gets stuck and one has to wait for http and socket keep-alive timeouts. Oh right, and I also shortened http and socket keep-alive timeouts. If there are any proxy connections I used the same IP, even if localhost, many times on different ports to avoid port depletion time-wait assassination.
Probably the most important would be to share your rewrite rules on serverfault.com, but one should expect some elitist a-hole responses and maybe one good genuine response. There may still be a few rewrite experts there. That would be the biggest gain.
If safe to do so, using 301 vs 302 can avoid some repeat hits if that is how you are redirecting.
I also kept an eye on ipcs -a to see if the semaphore counts were high or close to limits in sysctl.conf, as apache uses or used this for sharing between the child processes.
Sometimes the problem can be just beyond apache and in socket timeouts due to time-wait exhaustion, but that would be obvious in dmesg and netstat -aeenp.
If the rewrite rules depend on DNS resolution, then having a local instance of Unbound and increasing the min-ttl can help.
I hate to also suggest this, but explain your load issue to several different AIs and paste your rewrite rules and ask for them to be optimized, but don't get your hopes up. They might turn your server into a bowl of petunias. Back everything up.
It's been a long time, so I am trying to remember all the things I tried. These days if I have a lot of rewrites I do that in HAProxy or NGinx in maps, but that's a bigger topic.
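As an added illustration (not the commenter's own config), here is what the tuning described above looks like in an Apache 2.4 VirtualHost: rewrite rules kept in the server config instead of .htaccess, every rule terminated with [L], a cacheable 301 only where the target is stable, sendfile enabled and keep-alive shortened. Hostnames, paths and the numeric limits are assumed placeholder values.

```apache
# Rules in the VirtualHost are parsed once at startup; .htaccess is re-read
# on every request, so AllowOverride None also removes per-directory stat() calls.
<VirtualHost *:80>
    ServerName example.com
    DocumentRoot /var/www/example

    <Directory /var/www/example>
        AllowOverride None
        Require all granted
    </Directory>

    RewriteEngine On

    # Stable move: 301 lets clients and caches remember it and stop re-hitting us.
    # Every rule ends with [L] so rule processing stops at the first match.
    RewriteRule ^/old-docs/(.*)$ /docs/$1 [R=301,L]

    # Internal rewrite, no redirect round-trip; still terminated with [L].
    RewriteRule ^/api/v1/(.*)$ /legacy/index.php?path=$1 [L,QSA]

    # Temporary/unstable targets keep 302 so nothing caches a wrong answer.
    RewriteRule ^/promo$ /campaign-current [R=302,L]
</VirtualHost>

# Server-wide settings (httpd.conf): let the kernel copy static files,
# and free worker slots quickly when clients go idle.
EnableSendfile On
KeepAlive On
# Seconds of idle keep-alive before the worker is released (assumed value).
KeepAliveTimeout 2
MaxKeepAliveRequests 200

# Worker limits sized to the node's RAM (assumed values; measure before raising).
<IfModule mpm_event_module>
    ServerLimit          16
    ThreadsPerChild      25
    MaxRequestWorkers    400
    MaxConnectionsPerChild 10000
</IfModule>
```

Check the effect with `apachectl -t` for syntax and `apachectl -M` to confirm mod_rewrite and the event MPM are loaded before reloading.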
That's only just after midnight [1][2]
[1] - https://www.youtube.com/watch?v=XEjLoHdbVeE
[2] - https://unix.stackexchange.com/questions/405783/why-does-man...