nghttpx: Add option to specify maximum number of session cache

gennghttpxfun.py

@@ -113,7 +113,8 @@ OPTIONS = [
     "header-field-buffer",
     "max-header-fields",
     "no-http2-cipher-black-list",
-    "backend-http1-tls"
+    "backend-http1-tls",
+    "backend-tls-session-cache-per-worker"
 ]
 
 LOGVARS = [

src/shrpx.cc

@@ -1046,8 +1046,6 @@ void fill_default_config() {
   auto &tlsconf = mod_config()->tls;
   {
     auto &ticketconf = tlsconf.ticket;
-    ticketconf.cipher = EVP_aes_128_cbc();
-
     {
       auto &memcachedconf = ticketconf.memcached;
       memcachedconf.max_retry = 3;
@@ -1055,19 +1053,26 @@ void fill_default_config() {
       memcachedconf.interval = 10_min;
     }
 
+    ticketconf.cipher = EVP_aes_128_cbc();
+  }
+
+  {
     auto &ocspconf = tlsconf.ocsp;
     // ocsp update interval = 14400 secs = 4 hours, borrowed from h2o
     ocspconf.update_interval = 4_h;
     ocspconf.fetch_ocsp_response_file =
         strcopy(PKGDATADIR "/fetch-ocsp-response");
+  }
 
+  {
     auto &dyn_recconf = tlsconf.dyn_rec;
     dyn_recconf.warmup_threshold = 1_m;
     dyn_recconf.idle_timeout = 1_s;
-
-    tlsconf.session_timeout = std::chrono::hours(12);
   }
 
+  tlsconf.session_timeout = std::chrono::hours(12);
+  tlsconf.backend_session_cache_per_worker = 10000;
+
   auto &httpconf = mod_config()->http;
   httpconf.server_name = "nghttpx nghttp2/" NGHTTP2_VERSION;
   httpconf.no_host_rewrite = true;
@@ -1579,6 +1584,11 @@ SSL/TLS:
               Allow black  listed cipher  suite on  HTTP/2 connection.
               See  https://tools.ietf.org/html/rfc7540#appendix-A  for
               the complete HTTP/2 cipher suites black list.
+  --backend-tls-session-cache-per-worker=<N>
+              Set  the maximum  number  of backend  TLS session  cache
+              stored per worker.
+              Default: )" << get_config()->tls.backend_session_cache_per_worker
+      << R"(
 
 HTTP/2 and SPDY:
   -c, --http2-max-concurrent-streams=<N>
@@ -2384,6 +2394,8 @@ int main(int argc, char **argv) {
         {SHRPX_OPT_REQUEST_HEADER_FIELD_BUFFER, required_argument, &flag, 104},
         {SHRPX_OPT_MAX_REQUEST_HEADER_FIELDS, required_argument, &flag, 105},
         {SHRPX_OPT_BACKEND_HTTP1_TLS, no_argument, &flag, 106},
+        {SHRPX_OPT_BACKEND_TLS_SESSION_CACHE_PER_WORKER, required_argument,
+         &flag, 107},
         {nullptr, 0, nullptr, 0}};
 
     int option_index = 0;
@@ -2837,6 +2849,11 @@ int main(int argc, char **argv) {
         // --backend-http1-tls
         cmdcfgs.emplace_back(SHRPX_OPT_BACKEND_HTTP1_TLS, "yes");
         break;
+      case 107:
+        // --backend-tls-session-cache-per-worker
+        cmdcfgs.emplace_back(SHRPX_OPT_BACKEND_TLS_SESSION_CACHE_PER_WORKER,
+                             optarg);
+        break;
       default:
         break;
       }

src/shrpx_config.cc

@@ -687,6 +687,7 @@ enum {
   SHRPX_OPTID_BACKEND_READ_TIMEOUT,
   SHRPX_OPTID_BACKEND_REQUEST_BUFFER,
   SHRPX_OPTID_BACKEND_RESPONSE_BUFFER,
+  SHRPX_OPTID_BACKEND_TLS_SESSION_CACHE_PER_WORKER,
   SHRPX_OPTID_BACKEND_TLS_SNI_FIELD,
   SHRPX_OPTID_BACKEND_WRITE_TIMEOUT,
   SHRPX_OPTID_BACKLOG,
@@ -1382,6 +1383,9 @@ int option_lookup_token(const char *name, size_t namelen) {
       if (util::strieq_l("backend-http2-connections-per-worke", name, 35)) {
         return SHRPX_OPTID_BACKEND_HTTP2_CONNECTIONS_PER_WORKER;
       }
+      if (util::strieq_l("backend-tls-session-cache-per-worke", name, 35)) {
+        return SHRPX_OPTID_BACKEND_TLS_SESSION_CACHE_PER_WORKER;
+      }
       break;
     case 's':
       if (util::strieq_l("backend-http2-connection-window-bit", name, 35)) {
@@ -2222,6 +2226,9 @@ int parse_config(const char *opt, const char *optarg,
     mod_config()->conn.downstream.http1_tls = util::strieq(optarg, "yes");
 
     return 0;
+  case SHRPX_OPTID_BACKEND_TLS_SESSION_CACHE_PER_WORKER:
+    return parse_uint(&mod_config()->tls.backend_session_cache_per_worker, opt,
+                      optarg);
   case SHRPX_OPTID_CONF:
     LOG(WARN) << "conf: ignored";
 

src/shrpx_config.h

@@ -207,6 +207,8 @@ constexpr char SHRPX_OPT_MAX_RESPONSE_HEADER_FIELDS[] =
 constexpr char SHRPX_OPT_NO_HTTP2_CIPHER_BLACK_LIST[] =
     "no-http2-cipher-black-list";
 constexpr char SHRPX_OPT_BACKEND_HTTP1_TLS[] = "backend-http1-tls";
+constexpr char SHRPX_OPT_BACKEND_TLS_SESSION_CACHE_PER_WORKER[] =
+    "backend-tls-session-cache-per-worker";
 
 constexpr size_t SHRPX_OBFUSCATED_NODE_LENGTH = 8;
 
@@ -391,6 +393,7 @@ struct TLSConfig {
   std::vector<std::string> npn_list;
   // list of supported SSL/TLS protocol strings.
   std::vector<std::string> tls_proto_list;
+  size_t backend_session_cache_per_worker;
   // Bit mask to disable SSL/TLS protocol versions.  This will be
   // passed to SSL_CTX_set_options().
   long int tls_proto_mask;

src/shrpx_worker.cc

@@ -308,7 +308,14 @@ mruby::MRubyContext *Worker::get_mruby_context() const {
 
 void Worker::cache_cl_tls_session(const DownstreamAddr *addr,
                                   SSL_SESSION *session) {
-  if (cl_tls_session_order_.size() >= 10000) {
+  auto &tlsconf = get_config()->tls;
+
+  auto max = tlsconf.backend_session_cache_per_worker;
+  if (max == 0) {
+    return;
+  }
+
+  if (cl_tls_session_order_.size() >= max) {
     auto addrkey = cl_tls_session_order_.front();
     cl_tls_session_order_.pop_front();
     auto it = cl_tls_session_cache_.find(addrkey);