Fwd: Automatic pooling of upstream keepalive connections (patch proposal)

Maxim Dounin mdounin at mdounin.ru
Wed Sep 11 16:32:59 UTC 2013


Hello!

On Wed, Sep 11, 2013 at 06:54:00PM +0300, Greg Vishnepolsky wrote:

[...]

> However, in case of SSL connections, it is insufficient to identify a peer
> according to the sockaddr. The hostname is important. For example:
> https://a.host.com resolves to 1.1.1.1:443
> https://b.host.com also resolves to 1.1.1.1:443
> If the server at 1.1.1.1 holds an SSL cert _only_ for a.host.com, it would
> be wrong to use keepalive connections that were opened to this sockaddr for
> requests for b.host.com. If a connection will not be reused, during SSL
> handshake the host cert can be properly verified for each new host.
> The solution that I implemented for this is to add a "host" field to
> "ngx_http_upstream_keepalive_cache_t" and
> "ngx_http_upstream_keepalive_peer_data_t". The function
> "ngx_http_upstream_get_keepalive_peer" now also checks that the host
> matches, as well as the sockaddr to reuse a keepalive connection.

As of now, there is no SSL certificate verification in proxy, and 
hence there is no need for a check here.

With certificate verification introduction some check will be 
needed, but just a host equality check might be suboptimal - e.g., a 
certificate might be for *.example.com, and both a.example.com and 
b.example.com are valid hostnames for a connection, but a host 
check won't allow a connection reuse.  A possible solution would be 
to check SSL peer name on an already established connection.

SNI will also complicate things once introduced.  But much like 
the certificate verification, it's a separate problem.

-- 
Maxim Dounin
http://nginx.org/en/donation.html
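As an added illustration of the reuse check discussed above (example code, not from nginx or from anyone in this thread): instead of requiring host equality, the pool tests the requested host against the names on the certificate already verified on the cached connection, so a.example.com and b.example.com both reuse a connection whose certificate covers *.example.com. The struct, function names and the sample connection are assumptions constructed for the example.

```c
#include <string.h>
#include <ctype.h>
#include <stdbool.h>

/* Case-insensitive equality of two hostnames (DNS names are case-insensitive). */
static bool ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return false;
    return *a == '\0' && *b == '\0';
}

/* One certificate name (CN or dNSName) vs. host; '*' counts only as the whole
 * leftmost label and matches exactly one label, as in RFC 6125 section 6.4.3. */
static bool name_matches(const char *pattern, const char *host)
{
    if (strncmp(pattern, "*.", 2) != 0) return ieq(pattern, host);
    const char *dot = strchr(host, '.');
    if (dot == NULL || dot == host) return false;         /* single-label host */
    if (strchr(pattern + 2, '.') == NULL) return false;   /* refuse "*.com" */
    return ieq(pattern + 2, dot + 1);
}

/* Cached keepalive connection: peer address plus the names from the
 * certificate verified during its handshake (NULL-terminated list). */
typedef struct {
    const char *sockaddr;
    const char *cert_names[4];
} cached_conn_t;

/* Constructed sample: the 1.1.1.1:443 peer from the thread, whose
 * certificate covers *.example.com and example.com. */
const cached_conn_t sample_conn = { "1.1.1.1:443",
                                    { "*.example.com", "example.com", NULL } };

/* Reuse only if the address matches and the requested host is covered by
 * the certificate already verified on the connection, instead of requiring
 * equality with the host the connection was first opened for. */
bool keepalive_reusable(const cached_conn_t *c, const char *sockaddr,
                        const char *host)
{
    if (strcmp(c->sockaddr, sockaddr) != 0) return false;
    for (int i = 0; c->cert_names[i] != NULL; i++)
        if (name_matches(c->cert_names[i], host)) return true;
    return false;
}
```

A plain host-equality check would reject b.example.com for a connection first opened to a.example.com; this check accepts it because the verified certificate covers both.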
