MINOR: ssl: add global statement tune.ssl.force-private-cache.

Boolean: used to force a private ssl session cache for each process in case of nbproc > 1.
2025-09-28 17:21:32 +02:00 · 2014-05-09 13:52:00 +02:00 · 2014-05-09 13:52:00 +02:00 · 8dc6039807
commit 8dc6039807
parent 78bd4038d7
3 changed files with 14 additions and 1 deletions
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@ -495,6 +495,7 @@ The following keywords are supported in the "global" section :
   - tune.sndbuf.server
   - tune.ssl.cachesize
   - tune.ssl.lifetime
+   - tune.ssl.force-private-cache
   - tune.ssl.maxrecord
   - tune.zlib.memlevel
   - tune.zlib.windowsize
@ -984,6 +985,14 @@ tune.ssl.cachesize <number>
  and are shared between all processes if "nbproc" is greater than 1. Setting
  this value to 0 disables the SSL session cache.

+tune.ssl.force-private-cache
+  This boolean disables SSL session cache sharing between all processes. It
+  should normally not be used since it will force many renegotiations due to
+  clients hitting a random process. But it may be required on some operating
+  systems where none of the SSL cache synchronization method may be used. In
+  this case, adding a first layer of hash-based load balancing before the SSL
+  layer might limit the impact of the lack of session sharing.
+
 tune.ssl.lifetime <timeout>
  Sets how long a cached SSL session may remain valid. This time is expressed
  in seconds and defaults to 300 (5 min). It is important to understand that it
--- a/include/types/global.h
+++ b/include/types/global.h
@ -129,6 +129,7 @@ struct global {
 		int cookie_len;    /* max length of cookie captures */
 #ifdef USE_OPENSSL
 		int sslcachesize;  /* SSL cache size in session, defaults to 20000 */
+		int sslprivatecache; /* Force to use a private session cache even if nbproc > 1 */
 		unsigned int ssllifetime;   /* SSL session lifetime in seconds */
 		unsigned int ssl_max_record; /* SSL max record size */
 #endif
--- a/src/cfgparse.c
+++ b/src/cfgparse.c
@ -594,6 +594,9 @@ int cfg_parse_global(const char *file, int linenum, char **args, int kwm)
 		global.tune.chksize = atol(args[1]);
 	}
 #ifdef USE_OPENSSL
+	else if (!strcmp(args[0], "tune.ssl.force-private-cache")) {
+		global.tune.sslprivatecache = 1;
+	}
 	else if (!strcmp(args[0], "tune.ssl.cachesize")) {
 		if (*(args[1]) == 0) {
 			Alert("parsing [%s:%d] : '%s' expects an integer argument.\n", file, linenum, args[0]);
@ -6760,7 +6763,7 @@ out_uri_auth_compat:
 				continue;
 			}

-			alloc_ctx = shared_context_init(global.tune.sslcachesize, (global.nbproc > 1) ? 1 : 0);
+			alloc_ctx = shared_context_init(global.tune.sslcachesize, (!global.tune.sslprivatecache && (global.nbproc > 1)) ? 1 : 0);
 			if (alloc_ctx < 0) {
 				if (alloc_ctx == SHCTX_E_INIT_LOCK) {
 					Warning("Unable to init lock for the shared SSL session cache. Falling back to private cache.\n");