walkero
/
nghttp2
1
0
Fork 0
Code Issues Pull Requests Projects Releases 1 Wiki Activity

nghttpx: Remove --tls-ctx-per-worker option 

--tls-ctx-per-worker option does not work well of OCSP stapling.  Also
it makes session ID useless.
This commit is contained in:
Tatsuhiro Tsujikawa 2015-03-31 00:42:21 +09:00
parent 763293a050
commit 1442b1bd0a
4 changed files with 4 additions and 41 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
src/shrpx.cc
View File

@ -919,7 +919,6 @@ void fill_default_config() {
mod_config()->downstream_connections_per_host = 8; mod_config()->downstream_connections_per_host = 8;
mod_config()->downstream_connections_per_frontend = 0; mod_config()->downstream_connections_per_frontend = 0;
mod_config()->listener_disable_timeout = 0.; mod_config()->listener_disable_timeout = 0.;
mod_config()->tls_ctx_per_worker = false;
mod_config()->downstream_request_buffer_size = 16 * 1024; mod_config()->downstream_request_buffer_size = 16 * 1024;
mod_config()->downstream_response_buffer_size = 16 * 1024; mod_config()->downstream_response_buffer_size = 16 * 1024;
mod_config()->no_server_push = false; mod_config()->no_server_push = false;
@ -1197,14 +1196,6 @@ SSL/TLS:
while opening or reading a file, key is generated while opening or reading a file, key is generated
automatically and renewed every 12hrs. At most 2 keys automatically and renewed every 12hrs. At most 2 keys
are stored in memory. are stored in memory.
--tls-ctx-per-worker
Create OpenSSL's SSL_CTX per worker, so that no internal
locking is required. This may improve scalability with
multi threaded configuration. If this option is
enabled, session ID is no longer shared accross SSL_CTX
objects, which means session ID generated by one worker
is not acceptable by another worker. On the other hand,
session ticket key is shared across all worker threads.
--fetch-ocsp-response-file=<PATH> --fetch-ocsp-response-file=<PATH>
Path to fetch-ocsp-response script file. It should be Path to fetch-ocsp-response script file. It should be
absolute path. absolute path.
@ -1838,10 +1829,6 @@ int main(int argc, char **argv) {
// --rlimit-nofile // --rlimit-nofile
cmdcfgs.emplace_back(SHRPX_OPT_RLIMIT_NOFILE, optarg); cmdcfgs.emplace_back(SHRPX_OPT_RLIMIT_NOFILE, optarg);
break; break;
case 70:
// --tls-ctx-per-worker
cmdcfgs.emplace_back(SHRPX_OPT_TLS_CTX_PER_WORKER, "yes");
break;
case 71: case 71:
// --backend-response-buffer // --backend-response-buffer
cmdcfgs.emplace_back(SHRPX_OPT_BACKEND_RESPONSE_BUFFER, optarg); cmdcfgs.emplace_back(SHRPX_OPT_BACKEND_RESPONSE_BUFFER, optarg);
@ -1916,10 +1903,7 @@ int main(int argc, char **argv) {
} }
#ifndef NOTHREADS #ifndef NOTHREADS
std::unique_ptr<nghttp2::ssl::LibsslGlobalLock> lock; auto lock = make_unique<nghttp2::ssl::LibsslGlobalLock>();
if (!get_config()->tls_ctx_per_worker) {
lock = make_unique<nghttp2::ssl::LibsslGlobalLock>();
}
#endif // NOTHREADS #endif // NOTHREADS
if (get_config()->accesslog_syslog || get_config()->errorlog_syslog) { if (get_config()->accesslog_syslog || get_config()->errorlog_syslog) {

7
src/shrpx_config.cc
View File

@ -142,7 +142,6 @@ const char SHRPX_OPT_BACKEND_HTTP1_CONNECTIONS_PER_FRONTEND[] =
const char SHRPX_OPT_LISTENER_DISABLE_TIMEOUT[] = "listener-disable-timeout"; const char SHRPX_OPT_LISTENER_DISABLE_TIMEOUT[] = "listener-disable-timeout";
const char SHRPX_OPT_TLS_TICKET_KEY_FILE[] = "tls-ticket-key-file"; const char SHRPX_OPT_TLS_TICKET_KEY_FILE[] = "tls-ticket-key-file";
const char SHRPX_OPT_RLIMIT_NOFILE[] = "rlimit-nofile"; const char SHRPX_OPT_RLIMIT_NOFILE[] = "rlimit-nofile";
const char SHRPX_OPT_TLS_CTX_PER_WORKER[] = "tls-ctx-per-worker";
const char SHRPX_OPT_BACKEND_REQUEST_BUFFER[] = "backend-request-buffer"; const char SHRPX_OPT_BACKEND_REQUEST_BUFFER[] = "backend-request-buffer";
const char SHRPX_OPT_BACKEND_RESPONSE_BUFFER[] = "backend-response-buffer"; const char SHRPX_OPT_BACKEND_RESPONSE_BUFFER[] = "backend-response-buffer";
const char SHRPX_OPT_NO_SERVER_PUSH[] = "no-server-push"; const char SHRPX_OPT_NO_SERVER_PUSH[] = "no-server-push";
@ -1186,12 +1185,6 @@ int parse_config(const char *opt, const char *optarg) {
return 0; return 0;
} }
if (util::strieq(opt, SHRPX_OPT_TLS_CTX_PER_WORKER)) {
mod_config()->tls_ctx_per_worker = util::strieq(optarg, "yes");
return 0;
}
if (util::strieq(opt, SHRPX_OPT_NO_SERVER_PUSH)) { if (util::strieq(opt, SHRPX_OPT_NO_SERVER_PUSH)) {
mod_config()->no_server_push = util::strieq(optarg, "yes"); mod_config()->no_server_push = util::strieq(optarg, "yes");

2
src/shrpx_config.h
View File

@ -132,7 +132,6 @@ extern const char SHRPX_OPT_BACKEND_HTTP1_CONNECTIONS_PER_FRONTEND[];
extern const char SHRPX_OPT_LISTENER_DISABLE_TIMEOUT[]; extern const char SHRPX_OPT_LISTENER_DISABLE_TIMEOUT[];
extern const char SHRPX_OPT_TLS_TICKET_KEY_FILE[]; extern const char SHRPX_OPT_TLS_TICKET_KEY_FILE[];
extern const char SHRPX_OPT_RLIMIT_NOFILE[]; extern const char SHRPX_OPT_RLIMIT_NOFILE[];
extern const char SHRPX_OPT_TLS_CTX_PER_WORKER[];
extern const char SHRPX_OPT_BACKEND_REQUEST_BUFFER[]; extern const char SHRPX_OPT_BACKEND_REQUEST_BUFFER[];
extern const char SHRPX_OPT_BACKEND_RESPONSE_BUFFER[]; extern const char SHRPX_OPT_BACKEND_RESPONSE_BUFFER[];
extern const char SHRPX_OPT_NO_SERVER_PUSH[]; extern const char SHRPX_OPT_NO_SERVER_PUSH[];
@ -325,7 +324,6 @@ struct Config {
bool upstream_frame_debug; bool upstream_frame_debug;
bool no_location_rewrite; bool no_location_rewrite;
bool no_host_rewrite; bool no_host_rewrite;
bool tls_ctx_per_worker;
bool no_server_push; bool no_server_push;
// true if host contains UNIX domain socket path // true if host contains UNIX domain socket path
bool host_unix; bool host_unix;

18
src/shrpx_connection_handler.cc
View File

@ -123,25 +123,13 @@ void ConnectionHandler::create_worker_thread(size_t num) {
#ifndef NOTHREADS #ifndef NOTHREADS
assert(workers_.size() == 0); assert(workers_.size() == 0);
SSL_CTX *sv_ssl_ctx = nullptr, *cl_ssl_ctx = nullptr; auto cert_tree = ssl::create_cert_lookup_tree();
ssl::CertLookupTree *cert_tree = nullptr; auto sv_ssl_ctx = ssl::setup_server_ssl_context(all_ssl_ctx_, cert_tree);
auto cl_ssl_ctx = ssl::setup_client_ssl_context();
if (!get_config()->tls_ctx_per_worker) {
cert_tree = ssl::create_cert_lookup_tree();
sv_ssl_ctx = ssl::setup_server_ssl_context(all_ssl_ctx_, cert_tree);
cl_ssl_ctx = ssl::setup_client_ssl_context();
}
for (size_t i = 0; i < num; ++i) { for (size_t i = 0; i < num; ++i) {
auto loop = ev_loop_new(0); auto loop = ev_loop_new(0);
if (get_config()->tls_ctx_per_worker) {
cert_tree = ssl::create_cert_lookup_tree();
std::vector<SSL_CTX *> all_ssl_ctx;
sv_ssl_ctx = ssl::setup_server_ssl_context(all_ssl_ctx, cert_tree);
cl_ssl_ctx = ssl::setup_client_ssl_context();
}
auto worker = make_unique<Worker>(loop, sv_ssl_ctx, cl_ssl_ctx, cert_tree, auto worker = make_unique<Worker>(loop, sv_ssl_ctx, cl_ssl_ctx, cert_tree,
ticket_keys_); ticket_keys_);
worker->run_async(); worker->run_async();