MINOR: ssl: add global statement tune.ssl.force-private-cache.

Boolean: used to force a private ssl session cache for each process in
case of nbproc > 1.
Emeric Brun 2014-05-09 13:52:00 +02:00 committed by Willy Tarreau
parent 78bd4038d7
commit 8dc6039807
3 changed files with 14 additions and 1 deletions


@ -495,6 +495,7 @@ The following keywords are supported in the "global" section :
- tune.sndbuf.server - tune.sndbuf.server
- tune.ssl.cachesize - tune.ssl.cachesize
- tune.ssl.lifetime - tune.ssl.lifetime
- tune.ssl.force-private-cache
- tune.ssl.maxrecord - tune.ssl.maxrecord
- tune.zlib.memlevel - tune.zlib.memlevel
- tune.zlib.windowsize - tune.zlib.windowsize
@ -984,6 +985,14 @@ tune.ssl.cachesize <number>
and are shared between all processes if "nbproc" is greater than 1. Setting and are shared between all processes if "nbproc" is greater than 1. Setting
this value to 0 disables the SSL session cache. this value to 0 disables the SSL session cache.
tune.ssl.force-private-cache
This boolean disables SSL session cache sharing between all processes. It
should normally not be used since it will force many renegotiations due to
clients hitting a random process. But it may be required on some operating
systems where none of the SSL cache synchronization method may be used. In
this case, adding a first layer of hash-based load balancing before the SSL
layer might limit the impact of the lack of session sharing.
tune.ssl.lifetime <timeout> tune.ssl.lifetime <timeout>
Sets how long a cached SSL session may remain valid. This time is expressed Sets how long a cached SSL session may remain valid. This time is expressed
in seconds and defaults to 300 (5 min). It is important to understand that it in seconds and defaults to 300 (5 min). It is important to understand that it


@ -129,6 +129,7 @@ struct global {
int cookie_len; /* max length of cookie captures */ int cookie_len; /* max length of cookie captures */
#ifdef USE_OPENSSL #ifdef USE_OPENSSL
int sslcachesize; /* SSL cache size in session, defaults to 20000 */ int sslcachesize; /* SSL cache size in session, defaults to 20000 */
int sslprivatecache; /* Force to use a private session cache even if nbproc > 1 */
unsigned int ssllifetime; /* SSL session lifetime in seconds */ unsigned int ssllifetime; /* SSL session lifetime in seconds */
unsigned int ssl_max_record; /* SSL max record size */ unsigned int ssl_max_record; /* SSL max record size */
#endif #endif


@ -594,6 +594,9 @@ int cfg_parse_global(const char *file, int linenum, char **args, int kwm)
global.tune.chksize = atol(args[1]); global.tune.chksize = atol(args[1]);
} }
#ifdef USE_OPENSSL #ifdef USE_OPENSSL
else if (!strcmp(args[0], "tune.ssl.force-private-cache")) {
global.tune.sslprivatecache = 1;
}
else if (!strcmp(args[0], "tune.ssl.cachesize")) { else if (!strcmp(args[0], "tune.ssl.cachesize")) {
if (*(args[1]) == 0) { if (*(args[1]) == 0) {
Alert("parsing [%s:%d] : '%s' expects an integer argument.\n", file, linenum, args[0]); Alert("parsing [%s:%d] : '%s' expects an integer argument.\n", file, linenum, args[0]);
@ -6760,7 +6763,7 @@ out_uri_auth_compat:
continue; continue;
} }
alloc_ctx = shared_context_init(global.tune.sslcachesize, (global.nbproc > 1) ? 1 : 0); alloc_ctx = shared_context_init(global.tune.sslcachesize, (!global.tune.sslprivatecache && (global.nbproc > 1)) ? 1 : 0);
if (alloc_ctx < 0) { if (alloc_ctx < 0) {
if (alloc_ctx == SHCTX_E_INIT_LOCK) { if (alloc_ctx == SHCTX_E_INIT_LOCK) {
Warning("Unable to init lock for the shared SSL session cache. Falling back to private cache.\n"); Warning("Unable to init lock for the shared SSL session cache. Falling back to private cache.\n");
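Review bot: The new `tune.ssl.force-private-cache` branch at the top of the first hunk accepts any trailing argument silently, so a line such as `tune.ssl.force-private-cache 0` still enables the private cache instead of being rejected, which is surprising for a keyword the documentation calls a boolean. The neighbouring `tune.ssl.cachesize` branch validates `args[1]` with an Alert; the new branch should make the symmetric check before setting the flag, `if (*(args[1]) != 0) { Alert("parsing [%s:%d] : '%s' expects no argument.\n", file, linenum, args[0]); ... }`, with the same error handling the cachesize branch applies to a bad argument. A short comment on the assignment, `/* consumed at shared_context_init(): disables cross-process cache sharing */`, would tie the flag to its only use in the second hunk. cfg_parse_global's body continues outside both hunks.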