MINOR: ssl: add global statement tune.ssl.force-private-cache.

Boolean: forces each process to use a private SSL session cache when
nbproc > 1.
diff --git a/doc/configuration.txt b/doc/configuration.txt
index 8cab0a2..f6bda15 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -495,6 +495,7 @@
    - tune.sndbuf.server
    - tune.ssl.cachesize
    - tune.ssl.lifetime
+   - tune.ssl.force-private-cache
    - tune.ssl.maxrecord
    - tune.zlib.memlevel
    - tune.zlib.windowsize
@@ -984,6 +985,14 @@
   and are shared between all processes if "nbproc" is greater than 1. Setting
   this value to 0 disables the SSL session cache.
 
+tune.ssl.force-private-cache
+  This boolean disables SSL session cache sharing between all processes. It
+  should normally not be used since it will force many renegotiations due to
+  clients hitting a random process. But it may be required on some operating
+  systems where none of the SSL cache synchronization method may be used. In
+  this case, adding a first layer of hash-based load balancing before the SSL
+  layer might limit the impact of the lack of session sharing.
+
 tune.ssl.lifetime <timeout>
   Sets how long a cached SSL session may remain valid. This time is expressed
   in seconds and defaults to 300 (5 min). It is important to understand that it
diff --git a/include/types/global.h b/include/types/global.h
index 241afe9..cf61271 100644
--- a/include/types/global.h
+++ b/include/types/global.h
@@ -129,6 +129,7 @@
 		int cookie_len;    /* max length of cookie captures */
 #ifdef USE_OPENSSL
 		int sslcachesize;  /* SSL cache size in session, defaults to 20000 */
+		int sslprivatecache; /* Force to use a private session cache even if nbproc > 1 */
 		unsigned int ssllifetime;   /* SSL session lifetime in seconds */
 		unsigned int ssl_max_record; /* SSL max record size */
 #endif
diff --git a/src/cfgparse.c b/src/cfgparse.c
index 7176b59..6067409 100644
--- a/src/cfgparse.c
+++ b/src/cfgparse.c
@@ -594,6 +594,9 @@
 		global.tune.chksize = atol(args[1]);
 	}
 #ifdef USE_OPENSSL
+	else if (!strcmp(args[0], "tune.ssl.force-private-cache")) {
+		global.tune.sslprivatecache = 1;
+	}
 	else if (!strcmp(args[0], "tune.ssl.cachesize")) {
 		if (*(args[1]) == 0) {
 			Alert("parsing [%s:%d] : '%s' expects an integer argument.\n", file, linenum, args[0]);
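Review bot: The new `tune.ssl.force-private-cache` branch sets `global.tune.sslprivatecache = 1` without looking at `args[1]`, so a line such as `tune.ssl.force-private-cache off` is accepted and still forces the private cache. Because the documentation describes the keyword as a boolean, an operator could plausibly write a value and expect it to be honoured. The branch could reject a trailing argument in the same style the `tune.ssl.cachesize` branch uses for a missing one, e.g. `if (*(args[1]) != 0) { Alert("parsing [%s:%d] : '%s' does not take any argument.\n", file, linenum, args[0]); /* then the error return used by the neighbouring branches */ }`. The error-return convention and the rest of the enclosing function are outside this hunk, so the exact exit path needs to be taken from the surrounding code.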
@@ -6760,7 +6763,7 @@
 				continue;
 			}
 
-			alloc_ctx = shared_context_init(global.tune.sslcachesize, (global.nbproc > 1) ? 1 : 0);
+			alloc_ctx = shared_context_init(global.tune.sslcachesize, (!global.tune.sslprivatecache && (global.nbproc > 1)) ? 1 : 0);
 			if (alloc_ctx < 0) {
 				if (alloc_ctx == SHCTX_E_INIT_LOCK) {
 					Warning("Unable to init lock for the shared SSL session cache. Falling back to private cache.\n");