nghttpx: Add option to specify maximum number of session cache

This commit is contained in:
Tatsuhiro Tsujikawa 2016-02-07 00:16:14 +09:00
parent 26d49c1dc3
commit e763770f3e
5 changed files with 41 additions and 6 deletions


@ -113,7 +113,8 @@ OPTIONS = [
"header-field-buffer", "header-field-buffer",
"max-header-fields", "max-header-fields",
"no-http2-cipher-black-list", "no-http2-cipher-black-list",
"backend-http1-tls" "backend-http1-tls",
"backend-tls-session-cache-per-worker"
] ]
LOGVARS = [ LOGVARS = [


@ -1046,8 +1046,6 @@ void fill_default_config() {
auto &tlsconf = mod_config()->tls; auto &tlsconf = mod_config()->tls;
{ {
auto &ticketconf = tlsconf.ticket; auto &ticketconf = tlsconf.ticket;
ticketconf.cipher = EVP_aes_128_cbc();
{ {
auto &memcachedconf = ticketconf.memcached; auto &memcachedconf = ticketconf.memcached;
memcachedconf.max_retry = 3; memcachedconf.max_retry = 3;
@ -1055,18 +1053,25 @@ void fill_default_config() {
memcachedconf.interval = 10_min; memcachedconf.interval = 10_min;
} }
ticketconf.cipher = EVP_aes_128_cbc();
}
{
auto &ocspconf = tlsconf.ocsp; auto &ocspconf = tlsconf.ocsp;
// ocsp update interval = 14400 secs = 4 hours, borrowed from h2o // ocsp update interval = 14400 secs = 4 hours, borrowed from h2o
ocspconf.update_interval = 4_h; ocspconf.update_interval = 4_h;
ocspconf.fetch_ocsp_response_file = ocspconf.fetch_ocsp_response_file =
strcopy(PKGDATADIR "/fetch-ocsp-response"); strcopy(PKGDATADIR "/fetch-ocsp-response");
}
{
auto &dyn_recconf = tlsconf.dyn_rec; auto &dyn_recconf = tlsconf.dyn_rec;
dyn_recconf.warmup_threshold = 1_m; dyn_recconf.warmup_threshold = 1_m;
dyn_recconf.idle_timeout = 1_s; dyn_recconf.idle_timeout = 1_s;
}
tlsconf.session_timeout = std::chrono::hours(12); tlsconf.session_timeout = std::chrono::hours(12);
} tlsconf.backend_session_cache_per_worker = 10000;
auto &httpconf = mod_config()->http; auto &httpconf = mod_config()->http;
httpconf.server_name = "nghttpx nghttp2/" NGHTTP2_VERSION; httpconf.server_name = "nghttpx nghttp2/" NGHTTP2_VERSION;
@ -1579,6 +1584,11 @@ SSL/TLS:
Allow black listed cipher suite on HTTP/2 connection. Allow black listed cipher suite on HTTP/2 connection.
See https://tools.ietf.org/html/rfc7540#appendix-A for See https://tools.ietf.org/html/rfc7540#appendix-A for
the complete HTTP/2 cipher suites black list. the complete HTTP/2 cipher suites black list.
--backend-tls-session-cache-per-worker=<N>
Set the maximum number of backend TLS session cache
stored per worker.
Default: )" << get_config()->tls.backend_session_cache_per_worker
<< R"(
HTTP/2 and SPDY: HTTP/2 and SPDY:
-c, --http2-max-concurrent-streams=<N> -c, --http2-max-concurrent-streams=<N>
@ -2384,6 +2394,8 @@ int main(int argc, char **argv) {
{SHRPX_OPT_REQUEST_HEADER_FIELD_BUFFER, required_argument, &flag, 104}, {SHRPX_OPT_REQUEST_HEADER_FIELD_BUFFER, required_argument, &flag, 104},
{SHRPX_OPT_MAX_REQUEST_HEADER_FIELDS, required_argument, &flag, 105}, {SHRPX_OPT_MAX_REQUEST_HEADER_FIELDS, required_argument, &flag, 105},
{SHRPX_OPT_BACKEND_HTTP1_TLS, no_argument, &flag, 106}, {SHRPX_OPT_BACKEND_HTTP1_TLS, no_argument, &flag, 106},
{SHRPX_OPT_BACKEND_TLS_SESSION_CACHE_PER_WORKER, required_argument,
&flag, 107},
{nullptr, 0, nullptr, 0}}; {nullptr, 0, nullptr, 0}};
int option_index = 0; int option_index = 0;
@ -2837,6 +2849,11 @@ int main(int argc, char **argv) {
// --backend-http1-tls // --backend-http1-tls
cmdcfgs.emplace_back(SHRPX_OPT_BACKEND_HTTP1_TLS, "yes"); cmdcfgs.emplace_back(SHRPX_OPT_BACKEND_HTTP1_TLS, "yes");
break; break;
case 107:
// --backend-tls-session-cache-per-worker
cmdcfgs.emplace_back(SHRPX_OPT_BACKEND_TLS_SESSION_CACHE_PER_WORKER,
optarg);
break;
default: default:
break; break;
} }
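Review bot: The help text added for `--backend-tls-session-cache-per-worker=<N>` does not say what N=0 means, although the Worker::cache_cl_tls_session hunk in this same commit returns early when the value is 0, i.e. disables backend TLS session caching entirely, and parse_config accepts 0 through parse_uint without comment. The description is also ungrammatical ("number of backend TLS session cache stored"). I would change the two description lines to `Set the maximum number of backend TLS sessions cached per worker.  Setting 0 disables the cache.` and put the same one-line comment above the new `size_t backend_session_cache_per_worker;` member in shrpx_config.h, which is the only field in that part of TLSConfig without one. The surrounding help-string and option-table code continues outside the hunks.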


@ -687,6 +687,7 @@ enum {
SHRPX_OPTID_BACKEND_READ_TIMEOUT, SHRPX_OPTID_BACKEND_READ_TIMEOUT,
SHRPX_OPTID_BACKEND_REQUEST_BUFFER, SHRPX_OPTID_BACKEND_REQUEST_BUFFER,
SHRPX_OPTID_BACKEND_RESPONSE_BUFFER, SHRPX_OPTID_BACKEND_RESPONSE_BUFFER,
SHRPX_OPTID_BACKEND_TLS_SESSION_CACHE_PER_WORKER,
SHRPX_OPTID_BACKEND_TLS_SNI_FIELD, SHRPX_OPTID_BACKEND_TLS_SNI_FIELD,
SHRPX_OPTID_BACKEND_WRITE_TIMEOUT, SHRPX_OPTID_BACKEND_WRITE_TIMEOUT,
SHRPX_OPTID_BACKLOG, SHRPX_OPTID_BACKLOG,
@ -1382,6 +1383,9 @@ int option_lookup_token(const char *name, size_t namelen) {
if (util::strieq_l("backend-http2-connections-per-worke", name, 35)) { if (util::strieq_l("backend-http2-connections-per-worke", name, 35)) {
return SHRPX_OPTID_BACKEND_HTTP2_CONNECTIONS_PER_WORKER; return SHRPX_OPTID_BACKEND_HTTP2_CONNECTIONS_PER_WORKER;
} }
if (util::strieq_l("backend-tls-session-cache-per-worke", name, 35)) {
return SHRPX_OPTID_BACKEND_TLS_SESSION_CACHE_PER_WORKER;
}
break; break;
case 's': case 's':
if (util::strieq_l("backend-http2-connection-window-bit", name, 35)) { if (util::strieq_l("backend-http2-connection-window-bit", name, 35)) {
@ -2222,6 +2226,9 @@ int parse_config(const char *opt, const char *optarg,
mod_config()->conn.downstream.http1_tls = util::strieq(optarg, "yes"); mod_config()->conn.downstream.http1_tls = util::strieq(optarg, "yes");
return 0; return 0;
case SHRPX_OPTID_BACKEND_TLS_SESSION_CACHE_PER_WORKER:
return parse_uint(&mod_config()->tls.backend_session_cache_per_worker, opt,
optarg);
case SHRPX_OPTID_CONF: case SHRPX_OPTID_CONF:
LOG(WARN) << "conf: ignored"; LOG(WARN) << "conf: ignored";


@ -207,6 +207,8 @@ constexpr char SHRPX_OPT_MAX_RESPONSE_HEADER_FIELDS[] =
constexpr char SHRPX_OPT_NO_HTTP2_CIPHER_BLACK_LIST[] = constexpr char SHRPX_OPT_NO_HTTP2_CIPHER_BLACK_LIST[] =
"no-http2-cipher-black-list"; "no-http2-cipher-black-list";
constexpr char SHRPX_OPT_BACKEND_HTTP1_TLS[] = "backend-http1-tls"; constexpr char SHRPX_OPT_BACKEND_HTTP1_TLS[] = "backend-http1-tls";
constexpr char SHRPX_OPT_BACKEND_TLS_SESSION_CACHE_PER_WORKER[] =
"backend-tls-session-cache-per-worker";
constexpr size_t SHRPX_OBFUSCATED_NODE_LENGTH = 8; constexpr size_t SHRPX_OBFUSCATED_NODE_LENGTH = 8;
@ -391,6 +393,7 @@ struct TLSConfig {
std::vector<std::string> npn_list; std::vector<std::string> npn_list;
// list of supported SSL/TLS protocol strings. // list of supported SSL/TLS protocol strings.
std::vector<std::string> tls_proto_list; std::vector<std::string> tls_proto_list;
size_t backend_session_cache_per_worker;
// Bit mask to disable SSL/TLS protocol versions. This will be // Bit mask to disable SSL/TLS protocol versions. This will be
// passed to SSL_CTX_set_options(). // passed to SSL_CTX_set_options().
long int tls_proto_mask; long int tls_proto_mask;


@ -308,7 +308,14 @@ mruby::MRubyContext *Worker::get_mruby_context() const {
void Worker::cache_cl_tls_session(const DownstreamAddr *addr, void Worker::cache_cl_tls_session(const DownstreamAddr *addr,
SSL_SESSION *session) { SSL_SESSION *session) {
if (cl_tls_session_order_.size() >= 10000) { auto &tlsconf = get_config()->tls;
auto max = tlsconf.backend_session_cache_per_worker;
if (max == 0) {
return;
}
if (cl_tls_session_order_.size() >= max) {
auto addrkey = cl_tls_session_order_.front(); auto addrkey = cl_tls_session_order_.front();
cl_tls_session_order_.pop_front(); cl_tls_session_order_.pop_front();
auto it = cl_tls_session_cache_.find(addrkey); auto it = cl_tls_session_cache_.find(addrkey);