funwithlinux blog

Should We Use Multiple Acceptor Sockets for Large Connections? SO_REUSEPORT Benefits & NGINX Case Study

In the era of cloud computing, microservices, and high-traffic web applications, handling millions of concurrent connections is no longer a niche requirement—it’s a baseline expectation. Whether you’re running a web server, a database proxy, or a real-time communication platform, the efficiency of your network stack directly impacts scalability, latency, and user experience.

At the heart of connection handling lies the acceptor socket—the socket that listens for incoming TCP connections and hands them off to worker processes/threads for processing. For decades, the standard approach was to use a single acceptor socket bound to a port. But as connection volumes skyrocket, this design has revealed critical bottlenecks.

This blog explores whether multiple acceptor sockets are the solution to scaling under heavy load. We’ll dive into the SO_REUSEPORT socket option, its benefits, and analyze how NGINX—one of the world’s most popular web servers—leverages it to handle massive traffic. By the end, you’ll understand when and why multiple acceptor sockets (powered by SO_REUSEPORT) are transformative for large-scale systems.

2026-01

Table of Contents#

  1. Understanding Acceptor Sockets: The Gatekeepers of Connections
  2. The Problem with Single Acceptor Sockets: Bottlenecks Under Load
  3. What is SO_REUSEPORT? A Game-Changer for Multi-Socket Binding
  4. Key Benefits of SO_REUSEPORT for Large Connections
  5. NGINX Case Study: How SO_REUSEPORT Eliminated Scalability Limits
  6. When to Use Multiple Acceptor Sockets (and When Not To)
  7. Conclusion: Multiple Acceptors as a Scalability Catalyst
  8. References

1. Understanding Acceptor Sockets: The Gatekeepers of Connections#

Before diving into multiple acceptors, let’s clarify what an acceptor socket is and how it works in a typical server architecture.

The Role of Acceptor Sockets#

In TCP, a server starts by creating a listening socket (often called an "acceptor socket") using the socket() system call. This socket is then bound to a specific port with bind(), and put into listening mode with listen(), where it waits for incoming connection requests.

When a client sends a SYN packet to initiate a connection, the kernel queues the request in the listening socket’s "backlog." The server then calls accept() to extract a completed connection (after the TCP three-way handshake) from this queue and pass it to a worker for processing.

Traditional Single-Acceptor Workflow#

Historically, servers used a single acceptor socket for a given port. Even in multi-process/threaded servers (e.g., NGINX with multiple worker processes), all workers shared this single acceptor. To avoid race conditions, workers would synchronize access to accept() using a mutex or lock, ensuring only one worker called accept() at a time.

2. The Problem with Single Acceptor Sockets: Bottlenecks Under Load#

While a single acceptor works for low-to-moderate traffic, it becomes a critical bottleneck at scale. Let’s break down the issues:

2.1 The "Thundering Herd" Problem#

When multiple workers wait to call accept() on a single socket, the kernel wakes all waiting workers when a new connection arrives—a phenomenon known as the "thundering herd." Most workers immediately find no connection to accept and go back to sleep, wasting CPU cycles on context switches and wake-ups. This inefficiency grows with the number of workers, degrading performance.

2.2 Mutex Contention#

To mitigate the thundering herd, servers like NGINX historically used a mutex to serialize accept() calls: only one worker could hold the mutex and call accept() at a time. While this reduced wake-ups, it introduced a new bottleneck: contention for the mutex. As connection rates increased, workers spent more time waiting for the lock, limiting throughput.

2.3 CPU Cache Inefficiency#

A single acceptor socket is shared across all workers, meaning the kernel and application-level data structures (e.g., socket buffers, backlog queues) are accessed by multiple CPU cores. This leads to cache line invalidation—when one core modifies data in a cache line, other cores must reload it from main memory, slowing down access.

2.4 Scalability Limits#

With a single acceptor, the maximum connection rate is capped by the speed at which a single thread/process can call accept(), even on multi-core systems. Adding more CPU cores doesn’t help because the acceptor remains a centralized bottleneck.

Table 1: Limitations of Single Acceptor Sockets

IssueImpactExample
Thundering HerdWasted CPU cycles, higher latency10 workers wake for 1 connection; 9 idle.
Mutex ContentionThroughput capped by lock acquisition speedWorkers spend 30% of CPU waiting for the mutex.
Cache InvalidationSlower access to socket data structuresShared backlog queue invalidates L3 cache.

3. What is SO_REUSEPORT? A Game-Changer for Multi-Socket Binding#

To address the single-acceptor bottlenecks, the SO_REUSEPORT socket option was introduced in Linux 3.9 (2013), followed by support in FreeBSD, macOS, and other Unix-like systems.

Core Idea#

SO_REUSEPORT allows multiple sockets to bind to the same IP:port combination simultaneously. Each socket can be managed by a separate process or thread, and the kernel distributes incoming connections directly to these sockets, eliminating the need for a shared acceptor.

How SO_REUSEPORT Works#

  1. Binding Multiple Sockets: Each worker process creates its own listening socket, sets SO_REUSEPORT, and binds it to the same port.
  2. Kernel-Level Load Distribution: The kernel’s TCP stack uses a hash-based distributor to route incoming connections to one of the bound sockets. The hash is typically computed from the source IP, source port, destination IP, and destination port, ensuring that connections from the same client are consistently routed to the same socket (improving cache locality).
  3. Per-Socket Accept Queues: Each socket has its own backlog queue, so workers call accept() on their private socket without contention.

SO_REUSEPORT vs. SO_REUSEADDR#

It’s critical to distinguish SO_REUSEPORT from the older SO_REUSEADDR option:

  • SO_REUSEADDR: Allows rebinding to a port in TIME_WAIT state (e.g., after a server restart) but does not support multiple concurrent listeners on the same port.
  • SO_REUSEPORT: Explicitly allows multiple sockets to bind to the same port, enabling parallel acceptors.

4. Key Benefits of SO_REUSEPORT for Large Connections#

SO_REUSEPORT solves the single-acceptor bottlenecks by distributing connections across multiple sockets. Here are its core advantages:

4.1 Eliminates the Thundering Herd#

The kernel routes each incoming connection to exactly one socket (and thus one worker), so only the target worker is woken. This eliminates unnecessary wake-ups and CPU waste.

4.2 No Mutex Contention#

With dedicated sockets per worker, there’s no need for a shared mutex. Workers call accept() on their private socket without blocking, maximizing throughput.

4.3 Improved CPU Cache Locality#

Each socket is tied to a specific worker (and thus a CPU core). Socket buffers, backlog queues, and application state remain in the core’s CPU cache, reducing cache misses and speeding up accept() operations.

4.4 Linear Scalability Across Cores#

By distributing connections across sockets (and cores), SO_REUSEPORT enables linear scaling of connection rates with the number of CPU cores. Adding more workers (one per core) directly increases throughput.

4.5 Simplified Application Design#

Developers no longer need to implement complex load-balancing logic between workers (e.g., inter-process communication to distribute connections). The kernel handles distribution, reducing code complexity.

Table 2: Single Acceptor vs. SO_REUSEPORT Comparison

MetricSingle AcceptorSO_REUSEPORT
Connection DistributionCentralized (mutex/lock)Kernel-managed (hash-based)
CPU OverheadHigh (thundering herd, mutex)Low (no wake-ups, no locks)
ScalabilityCapped by single socketLinear with CPU cores
Cache EfficiencyPoor (shared data)Excellent (per-core sockets)

5. NGINX Case Study: How SO_REUSEPORT Eliminated Scalability Limits#

NGINX, a high-performance web server and reverse proxy, is a prime example of how SO_REUSEPORT transforms scalability. Let’s walk through its evolution.

Pre-SO_REUSEPORT NGINX: The Mutex Bottleneck#

NGINX uses a multi-process model, with one master process and multiple worker processes (typically one per CPU core). Before SO_REUSEPORT support (pre-1.9.1, 2015), all workers shared a single acceptor socket. To avoid the thundering herd, NGINX used a global mutex to serialize accept() calls:

  1. Workers would block on the mutex, waiting for access to the acceptor.
  2. The worker with the mutex called accept() to fetch a connection.
  3. The mutex was released, and the next worker in line acquired it.

While this worked for moderate traffic, at high connection rates (e.g., 100k+ connections per second), the mutex became a critical bottleneck. Benchmarks showed that NGINX’s connection rate plateaued even with more workers, as time spent waiting for the mutex dominated CPU usage.

Post-SO_REUSEPORT NGINX: Parallel Acceptors#

In 2015, NGINX 1.9.1 introduced support for SO_REUSEPORT via the reuseport directive in the listen configuration. Here’s how it works:

5.1 Configuration Example#

http {
    server {
        listen 80 reuseport;  # Enable SO_REUSEPORT for port 80
        server_name example.com;
        ...
    }
}

With reuseport, each NGINX worker process creates its own acceptor socket and binds it to port 80. The kernel distributes incoming connections across these sockets, one per worker.

5.2 Performance Improvements#

NGINX’s own benchmarks (and third-party tests) showed dramatic gains with SO_REUSEPORT:

  • Connection Rate: Up to 2x higher throughput for HTTPS connections (TLS handshake processing is CPU-intensive, and per-core sockets reduced cache contention).
  • Latency: P99 latency dropped by ~30% under high load, as workers spent less time waiting for mutexes.
  • Scalability: Linear scaling with the number of CPU cores. Adding workers (e.g., from 4 to 8 cores) directly increased connection rates by ~100%.

5.3 Why It Worked#

  • No More Mutex Contention: Workers no longer fought for a shared lock, freeing CPU cycles for actual connection processing.
  • Per-Core Affinity: NGINX pins workers to specific CPU cores, ensuring each socket’s backlog and buffers stay in the core’s cache, reducing latency.
  • Kernel-Level Distribution: The Linux kernel’s SO_REUSEPORT implementation uses a hash of source/destination IP:port to distribute connections, ensuring fairness and reducing out-of-order packets for persistent connections.

6. When to Use Multiple Acceptor Sockets (and When Not To)#

While SO_REUSEPORT is powerful, it’s not a silver bullet. Here’s when to adopt it—and when to stick with a single acceptor:

When to Use SO_REUSEPORT:#

  • High Connection Rates: If your server handles 10k+ connections per second (e.g., web servers, API gateways), SO_REUSEPORT will eliminate acceptor bottlenecks.
  • Multi-Core Systems: On servers with 4+ CPU cores, SO_REUSEPORT enables linear scaling by utilizing all cores.
  • CPU-Bound Workloads: Applications with high CPU usage per connection (e.g., TLS termination, compression) benefit from per-core cache locality.

When to Avoid SO_REUSEPORT:#

  • Low Traffic: For small-scale apps (e.g., internal tools with <1k connections/sec), the overhead of managing multiple sockets may outweigh benefits.
  • Legacy Kernels: Systems running Linux <3.9, FreeBSD <10.0, or macOS <10.10 lack SO_REUSEPORT support.
  • Stateful Protocols Requiring Affinity: Protocols where a client must connect to the same worker (e.g., sticky sessions without external load balancing). While SO_REUSEPORT uses hash-based distribution (which is consistent for a client), some edge cases (e.g., NAT) may break affinity.

7. Conclusion: Multiple Acceptors as a Scalability Catalyst#

For systems handling large connections, the answer to "Should we use multiple acceptor sockets?" is a resounding yes—and SO_REUSEPORT is the key to making it work. By allowing multiple sockets to bind to the same port and distributing connections via the kernel, SO_REUSEPORT eliminates the thundering herd, mutex contention, and cache inefficiencies of single acceptors.

As demonstrated by NGINX, the result is linear scalability, lower latency, and simplified code. For modern servers, SO_REUSEPORT is no longer an optimization—it’s a necessity for meeting the demands of high-traffic, multi-core environments.

If you’re building a system that must scale to millions of connections, don’t overlook the humble acceptor socket. With SO_REUSEPORT, multiple acceptors can turn a bottleneck into a competitive advantage.

8. References#