diff --git a/doc/configuration.txt b/doc/configuration.txt
index 8cab0a274..f6bda15d0 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -495,6 +495,7 @@ The following keywords are supported in the "global" section :
 - tune.sndbuf.server
 - tune.ssl.cachesize
 - tune.ssl.lifetime
+ - tune.ssl.force-private-cache
 - tune.ssl.maxrecord
 - tune.zlib.memlevel
 - tune.zlib.windowsize
@@ -984,6 +985,14 @@ tune.ssl.cachesize
 and are shared between all processes if "nbproc" is greater than 1. Setting
 this value to 0 disables the SSL session cache.
 
+tune.ssl.force-private-cache
+ This boolean disables SSL session cache sharing between all processes. It
+ should normally not be used since it will force many renegotiations due to
+ clients hitting a random process. But it may be required on some operating
+ systems where none of the SSL cache synchronization method may be used. In
+ this case, adding a first layer of hash-based load balancing before the SSL
+ layer might limit the impact of the lack of session sharing.
+
 tune.ssl.lifetime
 Sets how long a cached SSL session may remain valid. This time is expressed
 in seconds and defaults to 300 (5 min). It is important to understand that it
diff --git a/include/types/global.h b/include/types/global.h
index 241afe9bd..cf612713f 100644
--- a/include/types/global.h
+++ b/include/types/global.h
@@ -129,6 +129,7 @@ struct global {
 int cookie_len; /* max length of cookie captures */
 #ifdef USE_OPENSSL
 int sslcachesize; /* SSL cache size in session, defaults to 20000 */
+ int sslprivatecache; /* Force to use a private session cache even if nbproc > 1 */
 unsigned int ssllifetime; /* SSL session lifetime in seconds */
 unsigned int ssl_max_record; /* SSL max record size */
 #endif
diff --git a/src/cfgparse.c b/src/cfgparse.c
index 7176b5943..60674092f 100644
--- a/src/cfgparse.c
+++ b/src/cfgparse.c 
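Review bot: The comment on the new `sslprivatecache` field in include/types/global.h does not say which keyword sets it or what its zero value means, while the neighbouring `sslcachesize` comment does document its default. Suggest `int sslprivatecache; /* tune.ssl.force-private-cache: 1 = never share the SSL session cache across processes, even if nbproc > 1; 0 (default) = share when nbproc > 1 */`. The default of 0 is inferred from the hunk adding the field without any initializer; confirm that the `global` object is zero-initialized or that this member is set explicitly wherever the other tune defaults are assigned.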
@@ -594,6 +594,9 @@ int cfg_parse_global(const char *file, int linenum, char **args, int kwm)
 global.tune.chksize = atol(args[1]);
 }
 #ifdef USE_OPENSSL
+ else if (!strcmp(args[0], "tune.ssl.force-private-cache")) {
+ global.tune.sslprivatecache = 1;
+ }
 else if (!strcmp(args[0], "tune.ssl.cachesize")) {
 if (*(args[1]) == 0) {
 Alert("parsing [%s:%d] : '%s' expects an integer argument.\n", file, linenum, args[0]);
@@ -6760,7 +6763,7 @@ out_uri_auth_compat:
 continue;
 }
 
- alloc_ctx = shared_context_init(global.tune.sslcachesize, (global.nbproc > 1) ? 1 : 0);
+ alloc_ctx = shared_context_init(global.tune.sslcachesize, (!global.tune.sslprivatecache && (global.nbproc > 1)) ? 1 : 0);
 if (alloc_ctx < 0) {
 if (alloc_ctx == SHCTX_E_INIT_LOCK) {
 Warning("Unable to init lock for the shared SSL session cache. Falling back to private cache.\n");
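Review bot: The new `tune.ssl.force-private-cache` branch in cfg_parse_global never looks at `args[1]`, so a line such as `tune.ssl.force-private-cache 0` (plausible, since the documentation calls the keyword a boolean) silently enables the private cache instead of being rejected. The adjacent `tune.ssl.cachesize` branch already validates its argument with an Alert; the new branch should do the symmetric check, `if (*(args[1]) != 0) {` followed by `Alert("parsing [%s:%d] : '%s' does not expect any argument.\n", file, linenum, args[0]);` and the same error path the surrounding branches of this function use. A one-line comment on the assignment, `/* boolean keyword: its presence alone enables the private cache */`, would also make the asymmetry with the argument-taking keywords visibly deliberate. cfg_parse_global starts and ends outside the hunk.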
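Review bot: When `sslprivatecache` is set with `nbproc > 1`, the replaced `shared_context_init()` call quietly requests a private cache and nothing at startup tells the operator that SSL session sharing is off; the only related message is the `Warning(... Falling back to private cache ...)` below, which fires solely on a lock-init failure. Because the documentation itself says the option forces many renegotiations, a startup notice such as `if (global.tune.sslprivatecache && global.nbproc > 1) Warning("tune.ssl.force-private-cache is set: the SSL session cache will not be shared between processes.\n");` before this call would let an operator tell an intentional setting apart from the fallback path. Separately, the `(...) ? 1 : 0` wrapper around the new condition is redundant, since `&&` already yields 0 or 1 in C; `int shared = !global.tune.sslprivatecache && global.nbproc > 1;` passed as the second argument reads more clearly. The enclosing function starts and ends outside the hunk.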