nghttpx: Add option to specify maximum number of session cache
This commit is contained in:
parent
26d49c1dc3
commit
e763770f3e
@ -113,7 +113,8 @@ OPTIONS = [
"header-field-buffer",
"header-field-buffer",
"max-header-fields",
"max-header-fields",
"no-http2-cipher-black-list",
"no-http2-cipher-black-list",
"backend-http1-tls"
"backend-http1-tls",
"backend-tls-session-cache-per-worker"
]
]
LOGVARS = [
LOGVARS = [
23
src/shrpx.cc
23
src/shrpx.cc
@ -1046,8 +1046,6 @@ void fill_default_config() {
auto &tlsconf = mod_config()->tls;
auto &tlsconf = mod_config()->tls;
{
{
auto &ticketconf = tlsconf.ticket;
auto &ticketconf = tlsconf.ticket;
ticketconf.cipher = EVP_aes_128_cbc();
{
{
auto &memcachedconf = ticketconf.memcached;
auto &memcachedconf = ticketconf.memcached;
memcachedconf.max_retry = 3;
memcachedconf.max_retry = 3;
@ -1055,18 +1053,25 @@ void fill_default_config() {
memcachedconf.interval = 10_min;
memcachedconf.interval = 10_min;
}
}
ticketconf.cipher = EVP_aes_128_cbc();
}
{
auto &ocspconf = tlsconf.ocsp;
auto &ocspconf = tlsconf.ocsp;
// ocsp update interval = 14400 secs = 4 hours, borrowed from h2o
// ocsp update interval = 14400 secs = 4 hours, borrowed from h2o
ocspconf.update_interval = 4_h;
ocspconf.update_interval = 4_h;
ocspconf.fetch_ocsp_response_file =
ocspconf.fetch_ocsp_response_file =
strcopy(PKGDATADIR "/fetch-ocsp-response");
strcopy(PKGDATADIR "/fetch-ocsp-response");
}
{
auto &dyn_recconf = tlsconf.dyn_rec;
auto &dyn_recconf = tlsconf.dyn_rec;
dyn_recconf.warmup_threshold = 1_m;
dyn_recconf.warmup_threshold = 1_m;
dyn_recconf.idle_timeout = 1_s;
dyn_recconf.idle_timeout = 1_s;
}
tlsconf.session_timeout = std::chrono::hours(12);
tlsconf.session_timeout = std::chrono::hours(12);
}
tlsconf.backend_session_cache_per_worker = 10000;
auto &httpconf = mod_config()->http;
auto &httpconf = mod_config()->http;
httpconf.server_name = "nghttpx nghttp2/" NGHTTP2_VERSION;
httpconf.server_name = "nghttpx nghttp2/" NGHTTP2_VERSION;
@ -1579,6 +1584,11 @@ SSL/TLS:
Allow black listed cipher suite on HTTP/2 connection.
Allow black listed cipher suite on HTTP/2 connection.
See https://tools.ietf.org/html/rfc7540#appendix-A for
See https://tools.ietf.org/html/rfc7540#appendix-A for
the complete HTTP/2 cipher suites black list.
the complete HTTP/2 cipher suites black list.
--backend-tls-session-cache-per-worker=<N>
Set the maximum number of backend TLS session cache
stored per worker.
Default: )" << get_config()->tls.backend_session_cache_per_worker
<< R"(
HTTP/2 and SPDY:
HTTP/2 and SPDY:
-c, --http2-max-concurrent-streams=<N>
-c, --http2-max-concurrent-streams=<N>
@ -2384,6 +2394,8 @@ int main(int argc, char **argv) {
{SHRPX_OPT_REQUEST_HEADER_FIELD_BUFFER, required_argument, &flag, 104},
{SHRPX_OPT_REQUEST_HEADER_FIELD_BUFFER, required_argument, &flag, 104},
{SHRPX_OPT_MAX_REQUEST_HEADER_FIELDS, required_argument, &flag, 105},
{SHRPX_OPT_MAX_REQUEST_HEADER_FIELDS, required_argument, &flag, 105},
{SHRPX_OPT_BACKEND_HTTP1_TLS, no_argument, &flag, 106},
{SHRPX_OPT_BACKEND_HTTP1_TLS, no_argument, &flag, 106},
{SHRPX_OPT_BACKEND_TLS_SESSION_CACHE_PER_WORKER, required_argument,
&flag, 107},
{nullptr, 0, nullptr, 0}};
{nullptr, 0, nullptr, 0}};
int option_index = 0;
int option_index = 0;
@ -2837,6 +2849,11 @@ int main(int argc, char **argv) {
// --backend-http1-tls
// --backend-http1-tls
cmdcfgs.emplace_back(SHRPX_OPT_BACKEND_HTTP1_TLS, "yes");
cmdcfgs.emplace_back(SHRPX_OPT_BACKEND_HTTP1_TLS, "yes");
break;
break;
case 107:
// --backend-tls-session-cache-per-worker
cmdcfgs.emplace_back(SHRPX_OPT_BACKEND_TLS_SESSION_CACHE_PER_WORKER,
optarg);
break;
default:
default:
break;
break;
}
}
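Review bot: The help text added for `--backend-tls-session-cache-per-worker` in the SSL/TLS help hunk does not say what a value of 0 means, although the `Worker::cache_cl_tls_session` change on this page returns before caching anything when the configured maximum is 0, so an operator reading `--help` cannot tell that 0 disables the backend session cache. The added sentence is also ungrammatical as written ("maximum number of backend TLS session cache stored per worker"). Suggest replacing the two added description lines with `Set the maximum number of backend TLS sessions cached per worker. Specifying 0 disables the backend session cache.` and keeping the `Default:` line that follows as is. The same wording would also suit the man-page source list this commit extends, whose file is not named on this page.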
@ -687,6 +687,7 @@ enum {
SHRPX_OPTID_BACKEND_READ_TIMEOUT,
SHRPX_OPTID_BACKEND_READ_TIMEOUT,
SHRPX_OPTID_BACKEND_REQUEST_BUFFER,
SHRPX_OPTID_BACKEND_REQUEST_BUFFER,
SHRPX_OPTID_BACKEND_RESPONSE_BUFFER,
SHRPX_OPTID_BACKEND_RESPONSE_BUFFER,
SHRPX_OPTID_BACKEND_TLS_SESSION_CACHE_PER_WORKER,
SHRPX_OPTID_BACKEND_TLS_SNI_FIELD,
SHRPX_OPTID_BACKEND_TLS_SNI_FIELD,
SHRPX_OPTID_BACKEND_WRITE_TIMEOUT,
SHRPX_OPTID_BACKEND_WRITE_TIMEOUT,
SHRPX_OPTID_BACKLOG,
SHRPX_OPTID_BACKLOG,
@ -1382,6 +1383,9 @@ int option_lookup_token(const char *name, size_t namelen) {
if (util::strieq_l("backend-http2-connections-per-worke", name, 35)) {
if (util::strieq_l("backend-http2-connections-per-worke", name, 35)) {
return SHRPX_OPTID_BACKEND_HTTP2_CONNECTIONS_PER_WORKER;
return SHRPX_OPTID_BACKEND_HTTP2_CONNECTIONS_PER_WORKER;
}
}
if (util::strieq_l("backend-tls-session-cache-per-worke", name, 35)) {
return SHRPX_OPTID_BACKEND_TLS_SESSION_CACHE_PER_WORKER;
}
break;
break;
case 's':
case 's':
if (util::strieq_l("backend-http2-connection-window-bit", name, 35)) {
if (util::strieq_l("backend-http2-connection-window-bit", name, 35)) {
@ -2222,6 +2226,9 @@ int parse_config(const char *opt, const char *optarg,
mod_config()->conn.downstream.http1_tls = util::strieq(optarg, "yes");
mod_config()->conn.downstream.http1_tls = util::strieq(optarg, "yes");
return 0;
return 0;
case SHRPX_OPTID_BACKEND_TLS_SESSION_CACHE_PER_WORKER:
return parse_uint(&mod_config()->tls.backend_session_cache_per_worker, opt,
optarg);
case SHRPX_OPTID_CONF:
case SHRPX_OPTID_CONF:
LOG(WARN) << "conf: ignored";
LOG(WARN) << "conf: ignored";
@ -207,6 +207,8 @@ constexpr char SHRPX_OPT_MAX_RESPONSE_HEADER_FIELDS[] =
constexpr char SHRPX_OPT_NO_HTTP2_CIPHER_BLACK_LIST[] =
constexpr char SHRPX_OPT_NO_HTTP2_CIPHER_BLACK_LIST[] =
"no-http2-cipher-black-list";
"no-http2-cipher-black-list";
constexpr char SHRPX_OPT_BACKEND_HTTP1_TLS[] = "backend-http1-tls";
constexpr char SHRPX_OPT_BACKEND_HTTP1_TLS[] = "backend-http1-tls";
constexpr char SHRPX_OPT_BACKEND_TLS_SESSION_CACHE_PER_WORKER[] =
"backend-tls-session-cache-per-worker";
constexpr size_t SHRPX_OBFUSCATED_NODE_LENGTH = 8;
constexpr size_t SHRPX_OBFUSCATED_NODE_LENGTH = 8;
@ -391,6 +393,7 @@ struct TLSConfig {
std::vector<std::string> npn_list;
std::vector<std::string> npn_list;
// list of supported SSL/TLS protocol strings.
// list of supported SSL/TLS protocol strings.
std::vector<std::string> tls_proto_list;
std::vector<std::string> tls_proto_list;
size_t backend_session_cache_per_worker;
// Bit mask to disable SSL/TLS protocol versions. This will be
// Bit mask to disable SSL/TLS protocol versions. This will be
// passed to SSL_CTX_set_options().
// passed to SSL_CTX_set_options().
long int tls_proto_mask;
long int tls_proto_mask;
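Review bot: The new `size_t backend_session_cache_per_worker;` member added to `TLSConfig` carries no comment, while the neighbouring members in the same hunk (`tls_proto_list`, `tls_proto_mask`) each have one explaining their meaning, so the header is the one place a reader will not learn what the field bounds or what 0 means. Suggest `// Maximum number of backend TLS sessions cached per worker. 0 disables the cache.` directly above the member. The zero behaviour is what the `Worker::cache_cl_tls_session` change on this page implements with its early return, so documenting it here keeps the header in step with that code. The `struct TLSConfig` definition begins and ends outside the hunk.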
@ -308,7 +308,14 @@ mruby::MRubyContext *Worker::get_mruby_context() const {
void Worker::cache_cl_tls_session(const DownstreamAddr *addr,
void Worker::cache_cl_tls_session(const DownstreamAddr *addr,
SSL_SESSION *session) {
SSL_SESSION *session) {
if (cl_tls_session_order_.size() >= 10000) {
auto &tlsconf = get_config()->tls;
auto max = tlsconf.backend_session_cache_per_worker;
if (max == 0) {
return;
}
if (cl_tls_session_order_.size() >= max) {
auto addrkey = cl_tls_session_order_.front();
auto addrkey = cl_tls_session_order_.front();
cl_tls_session_order_.pop_front();
cl_tls_session_order_.pop_front();
auto it = cl_tls_session_cache_.find(addrkey);
auto it = cl_tls_session_cache_.find(addrkey);
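Review bot: The early `return;` added behind `if (max == 0)` in `Worker::cache_cl_tls_session` leaves the `session` argument untouched, whereas before this change the function always continued towards the eviction and insertion path; if the caller hands over an `SSL_SESSION` reference that this function is expected to retain or release, a configuration of 0 would drop one reference per call without an `SSL_SESSION_free`. The remainder of the body, including how `cl_tls_session_cache_` stores and frees sessions, is outside the hunk, so this needs confirming against the ownership convention there. If the function does own the reference, the guard should read `if (max == 0) { SSL_SESSION_free(session); return; }`; if the caller keeps ownership, a one-line comment such as `// Caching disabled; the caller keeps its reference to session.` above the return would make that contract visible to the next reader.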