MINOR: stats: report SSL key computations per second
It's commonly needed to know how many SSL asymmetric keys are computed
per second on either side (frontend or backend), and to know the SSL
session reuse ratio. Now we compute these values and report them in
"show info".
diff --git a/include/types/global.h b/include/types/global.h
index c945f53..fa93cbf 100644
--- a/include/types/global.h
+++ b/include/types/global.h
@@ -90,11 +90,14 @@
struct freq_ctr conn_per_sec;
struct freq_ctr sess_per_sec;
struct freq_ctr ssl_per_sec;
+ struct freq_ctr ssl_fe_keys_per_sec;
+ struct freq_ctr ssl_be_keys_per_sec;
struct freq_ctr comp_bps_in; /* bytes per second, before http compression */
struct freq_ctr comp_bps_out; /* bytes per second, after http compression */
int cps_lim, cps_max;
int sps_lim, sps_max;
int ssl_lim, ssl_max;
+ int ssl_fe_keys_max, ssl_be_keys_max;
int comp_rate_lim; /* HTTP compression rate limit */
int maxpipes; /* max # of pipes */
int maxsock; /* max # of sockets */
diff --git a/src/dumpstats.c b/src/dumpstats.c
index 1b5b3a1..038af88 100644
--- a/src/dumpstats.c
+++ b/src/dumpstats.c
@@ -2420,6 +2420,17 @@
{
unsigned int up = (now.tv_sec - start_date.tv_sec);
+#ifdef USE_OPENSSL
+ int ssl_sess_rate = read_freq_ctr(&global.ssl_per_sec);
+ int ssl_key_rate = read_freq_ctr(&global.ssl_fe_keys_per_sec);
+ int ssl_reuse = 0;
+
+ if (ssl_key_rate < ssl_sess_rate) {
+ /* count the ssl reuse ratio and avoid overflows in both directions */
+ ssl_reuse = 100 - (100 * ssl_key_rate + (ssl_sess_rate - 1) / 2) / ssl_sess_rate;
+ }
+#endif
+
chunk_printf(&trash,
"Name: " PRODUCT_NAME "\n"
"Version: " HAPROXY_VERSION "\n"
@@ -2455,6 +2466,11 @@
"SslRate: %d\n"
"SslRateLimit: %d\n"
"MaxSslRate: %d\n"
+ "SslFrontendKeyRate: %d\n"
+ "SslFrontendMaxKeyRate: %d\n"
+ "SslFrontendSessionReuse_pct: %d\n"
+ "SslBackendKeyRate: %d\n"
+ "SslBackendMaxKeyRate: %d\n"
#endif
"CompressBpsIn: %u\n"
"CompressBpsOut: %u\n"
@@ -2485,7 +2501,10 @@
read_freq_ctr(&global.conn_per_sec), global.cps_lim, global.cps_max,
read_freq_ctr(&global.sess_per_sec), global.sps_lim, global.sps_max,
#ifdef USE_OPENSSL
- read_freq_ctr(&global.ssl_per_sec), global.ssl_lim, global.ssl_max,
+ ssl_sess_rate, global.ssl_lim, global.ssl_max,
+ ssl_key_rate, global.ssl_fe_keys_max,
+ ssl_reuse,
+ read_freq_ctr(&global.ssl_be_keys_per_sec), global.ssl_be_keys_max,
#endif
read_freq_ctr(&global.comp_bps_in), read_freq_ctr(&global.comp_bps_out),
global.comp_rate_lim,
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 880e727..b207580 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -1447,14 +1447,23 @@
reneg_ok:
/* Handshake succeeded */
- if (objt_server(conn->target)) {
- if (!SSL_session_reused(conn->xprt_ctx)) {
+ if (!SSL_session_reused(conn->xprt_ctx)) {
+ if (objt_server(conn->target)) {
+ update_freq_ctr(&global.ssl_be_keys_per_sec, 1);
+ if (global.ssl_be_keys_per_sec.curr_ctr > global.ssl_be_keys_max)
+ global.ssl_be_keys_max = global.ssl_be_keys_per_sec.curr_ctr;
+
/* check if session was reused, if not store current session on server for reuse */
if (objt_server(conn->target)->ssl_ctx.reused_sess)
SSL_SESSION_free(objt_server(conn->target)->ssl_ctx.reused_sess);
objt_server(conn->target)->ssl_ctx.reused_sess = SSL_get1_session(conn->xprt_ctx);
}
+ else {
+ update_freq_ctr(&global.ssl_fe_keys_per_sec, 1);
+ if (global.ssl_fe_keys_per_sec.curr_ctr > global.ssl_fe_keys_max)
+ global.ssl_fe_keys_max = global.ssl_fe_keys_per_sec.curr_ctr;
+ }
}
/* The connection is now established at both layers, it's time to leave */