nghttpx: Remove --tls-ctx-per-worker option

--tls-ctx-per-worker option does not work well of OCSP stapling. Also it makes session ID useless.
2015-03-31 00:42:21 +09:00 · 2015-03-31 00:42:21 +09:00 · 1442b1bd0a
parent 763293a050
commit 1442b1bd0a
4 changed files with 4 additions and 41 deletions
--- a/src/shrpx.cc
+++ b/src/shrpx.cc
@ -919,7 +919,6 @@ void fill_default_config() {
  mod_config()->downstream_connections_per_host = 8;
  mod_config()->downstream_connections_per_frontend = 0;
  mod_config()->listener_disable_timeout = 0.;
-  mod_config()->tls_ctx_per_worker = false;
  mod_config()->downstream_request_buffer_size = 16 * 1024;
  mod_config()->downstream_response_buffer_size = 16 * 1024;
  mod_config()->no_server_push = false;
@ -1197,14 +1196,6 @@ SSL/TLS:
              while  opening  or  reading  a file,  key  is  generated
              automatically and  renewed every 12hrs.  At  most 2 keys
              are stored in memory.
-  --tls-ctx-per-worker
-              Create OpenSSL's SSL_CTX per worker, so that no internal
-              locking is required.  This  may improve scalability with
-              multi  threaded   configuration.   If  this   option  is
-              enabled, session ID is  no longer shared accross SSL_CTX
-              objects, which means session  ID generated by one worker
-              is not acceptable by another worker.  On the other hand,
-              session ticket key is shared across all worker threads.
  --fetch-ocsp-response-file=<PATH>
              Path to  fetch-ocsp-response script file.  It  should be
              absolute path.
@ -1838,10 +1829,6 @@ int main(int argc, char **argv) {
        // --rlimit-nofile
        cmdcfgs.emplace_back(SHRPX_OPT_RLIMIT_NOFILE, optarg);
        break;
-      case 70:
-        // --tls-ctx-per-worker
-        cmdcfgs.emplace_back(SHRPX_OPT_TLS_CTX_PER_WORKER, "yes");
-        break;
      case 71:
        // --backend-response-buffer
        cmdcfgs.emplace_back(SHRPX_OPT_BACKEND_RESPONSE_BUFFER, optarg);
@ -1916,10 +1903,7 @@ int main(int argc, char **argv) {
  }

 #ifndef NOTHREADS
-  std::unique_ptr<nghttp2::ssl::LibsslGlobalLock> lock;
-  if (!get_config()->tls_ctx_per_worker) {
-    lock = make_unique<nghttp2::ssl::LibsslGlobalLock>();
-  }
+  auto lock = make_unique<nghttp2::ssl::LibsslGlobalLock>();
 #endif // NOTHREADS

  if (get_config()->accesslog_syslog || get_config()->errorlog_syslog) {
--- a/src/shrpx_config.cc
+++ b/src/shrpx_config.cc
@ -142,7 +142,6 @@ const char SHRPX_OPT_BACKEND_HTTP1_CONNECTIONS_PER_FRONTEND[] =
 const char SHRPX_OPT_LISTENER_DISABLE_TIMEOUT[] = "listener-disable-timeout";
 const char SHRPX_OPT_TLS_TICKET_KEY_FILE[] = "tls-ticket-key-file";
 const char SHRPX_OPT_RLIMIT_NOFILE[] = "rlimit-nofile";
-const char SHRPX_OPT_TLS_CTX_PER_WORKER[] = "tls-ctx-per-worker";
 const char SHRPX_OPT_BACKEND_REQUEST_BUFFER[] = "backend-request-buffer";
 const char SHRPX_OPT_BACKEND_RESPONSE_BUFFER[] = "backend-response-buffer";
 const char SHRPX_OPT_NO_SERVER_PUSH[] = "no-server-push";
@ -1186,12 +1185,6 @@ int parse_config(const char *opt, const char *optarg) {
    return 0;
  }

-  if (util::strieq(opt, SHRPX_OPT_TLS_CTX_PER_WORKER)) {
-    mod_config()->tls_ctx_per_worker = util::strieq(optarg, "yes");
-
-    return 0;
-  }
-
  if (util::strieq(opt, SHRPX_OPT_NO_SERVER_PUSH)) {
    mod_config()->no_server_push = util::strieq(optarg, "yes");

--- a/src/shrpx_config.h
+++ b/src/shrpx_config.h
@ -132,7 +132,6 @@ extern const char SHRPX_OPT_BACKEND_HTTP1_CONNECTIONS_PER_FRONTEND[];
 extern const char SHRPX_OPT_LISTENER_DISABLE_TIMEOUT[];
 extern const char SHRPX_OPT_TLS_TICKET_KEY_FILE[];
 extern const char SHRPX_OPT_RLIMIT_NOFILE[];
-extern const char SHRPX_OPT_TLS_CTX_PER_WORKER[];
 extern const char SHRPX_OPT_BACKEND_REQUEST_BUFFER[];
 extern const char SHRPX_OPT_BACKEND_RESPONSE_BUFFER[];
 extern const char SHRPX_OPT_NO_SERVER_PUSH[];
@ -325,7 +324,6 @@ struct Config {
  bool upstream_frame_debug;
  bool no_location_rewrite;
  bool no_host_rewrite;
-  bool tls_ctx_per_worker;
  bool no_server_push;
  // true if host contains UNIX domain socket path
  bool host_unix;
--- a/src/shrpx_connection_handler.cc
+++ b/src/shrpx_connection_handler.cc
@ -123,25 +123,13 @@ void ConnectionHandler::create_worker_thread(size_t num) {
 #ifndef NOTHREADS
  assert(workers_.size() == 0);

-  SSL_CTX *sv_ssl_ctx = nullptr, *cl_ssl_ctx = nullptr;
-  ssl::CertLookupTree *cert_tree = nullptr;
-
-  if (!get_config()->tls_ctx_per_worker) {
-    cert_tree = ssl::create_cert_lookup_tree();
-    sv_ssl_ctx = ssl::setup_server_ssl_context(all_ssl_ctx_, cert_tree);
-    cl_ssl_ctx = ssl::setup_client_ssl_context();
-  }
+  auto cert_tree = ssl::create_cert_lookup_tree();
+  auto sv_ssl_ctx = ssl::setup_server_ssl_context(all_ssl_ctx_, cert_tree);
+  auto cl_ssl_ctx = ssl::setup_client_ssl_context();

  for (size_t i = 0; i < num; ++i) {
    auto loop = ev_loop_new(0);

-    if (get_config()->tls_ctx_per_worker) {
-      cert_tree = ssl::create_cert_lookup_tree();
-      std::vector<SSL_CTX *> all_ssl_ctx;
-      sv_ssl_ctx = ssl::setup_server_ssl_context(all_ssl_ctx, cert_tree);
-      cl_ssl_ctx = ssl::setup_client_ssl_context();
-    }
-
    auto worker = make_unique<Worker>(loop, sv_ssl_ctx, cl_ssl_ctx, cert_tree,
                                      ticket_keys_);
    worker->run_async();