[RFC] event/openssl: Add dynamic record size support for serving ssl trafic

SplitIce mat999 at gmail.com
Wed May 13 04:57:00 UTC 2015


Good Job.

Perhaps rather than changing the constants, they could be exposed as
configuration options?

On Wed, May 13, 2015 at 12:28 PM, chen <gzchenym at 126.com> wrote:

> 1) we will have that fixed
> 2) no api is exposed by openssl that we can use to trigger a FLUSH, use
> SSL_write is what we can do. If we inspect the data using wireshark, you
> will find out that one SSL_write we result in one ssl record.
> 3) there are some old linux box that are still using IW4,
>
> To Q2 specifically, BIO_flush we disrupt the internal state of ssl
> layer? And it will be better if we let ssl layer itself handle the bio
> stuff.
>
>
>
>
>
> At 2015-05-05 21:39:40, "chen" <gzchenym at 126.com> wrote:
>
> Hi list:
> This is v1 of the patchset the implementing the feature SSL Dynamic Record
> Sizing, inspiring by Google Front End (
> https://www.igvita.com/2013/10/24/optimizing-tls-record-size-and-buffering-latency/
> ) .
> There are 3 conditions, if true at the same time, may trigger SSL_write to
> send small record over the link, hard coded 1400 bytes at this time to keep
> it fit into MTU size. We just send out 3 of this small record at most to
> reduce framing overhead when serving large object, that is enough for
> browser to discovery other dependency of the page at top of html file. If
> the buffer chain is smaller than 4096 bytes, it will not justify the
> overhead of sending small record. After idle for 60s(hard coded at this
> moment), start all over again.
>
> Any comments is welcome.
>
> Regard
> YM
>
> hg export tip
> # HG changeset patch
> # User YM Chen <gzchenym at 126.com>
> # Date 1430828974 -28800
> # Node ID 31bfe6403c340bdc4c04e8e87721736c07bceef8
> # Parent  162b2d27d4e1ce45bb9217d6958348c64f726a28
> [RFC] event/openssl: Add dynamic record size support for serving ssl trafic
>
> SSL Dynamic Record Sizing is a long sought after feature for website that
> serving
> huge amount of encrypted traffic. The rational behide this is that SSL
> record should
> not overflow the congestion window at the beginning of slow-start period
> and by doing
> so, we can let the browser decode the first ssl record within 1 rtt and
> establish other
> connections to fetch other resources that are referenced at the top of the
> html file.
>
> diff -r 162b2d27d4e1 -r 31bfe6403c34 src/event/ngx_event_openssl.c
> --- a/src/event/ngx_event_openssl.c     Wed Apr 29 14:59:02 2015 +0300
> +++ b/src/event/ngx_event_openssl.c     Tue May 05 20:29:34 2015 +0800
> @@ -1508,6 +1508,11 @@
>      ngx_uint_t   flush;
>      ssize_t      send, size;
>      ngx_buf_t   *buf;
> +    ngx_msec_t   last_sent_timer_diff;
> +    ngx_uint_t   loop_count;
> +
> +    last_sent_timer_diff = ngx_current_msec - c->ssl->last_write_msec;
> +    loop_count = 0;
>
>      if (!c->ssl->buffer) {
>
> @@ -1517,7 +1522,13 @@
>                  continue;
>              }
>
> -            n = ngx_ssl_write(c, in->buf->pos, in->buf->last -
> in->buf->pos);
> +            size = in->buf->last - in->buf->pos;
> +
> +            if(last_sent_timer_diff > 1000*60 && loop_count < 3 && size >
> 4096) {
> +                size = 1400;
> +            }
> +
> +            n = ngx_ssl_write(c, in->buf->pos, size);
>
>              if (n == NGX_ERROR) {
>                  return NGX_CHAIN_ERROR;
> @@ -1532,8 +1543,11 @@
>              if (in->buf->pos == in->buf->last) {
>                  in = in->next;
>              }
> +
> +            loop_count ++;
>          }
>
> +        c->ssl->last_write_msec = ngx_current_msec;
>          return in;
>      }
>
> @@ -1614,9 +1628,14 @@
>          if (size == 0) {
>              buf->flush = 0;
>              c->buffered &= ~NGX_SSL_BUFFERED;
> +            c->ssl->last_write_msec = ngx_current_msec;
>              return in;
>          }
>
> +        if(last_sent_timer_diff > 1000*60 && loop_count < 3 && size >
> 4096) {
> +            size = 1400;
> +        }
> +
>          n = ngx_ssl_write(c, buf->pos, size);
>
>          if (n == NGX_ERROR) {
> @@ -1633,14 +1652,18 @@
>              break;
>          }
>
> -        flush = 0;
> -
> -        buf->pos = buf->start;
> -        buf->last = buf->start;
> +        if(buf->last == buf->pos) {
> +            flush = 0;
> +
> +            buf->pos = buf->start;
> +            buf->last = buf->start;
> +        }
>
>          if (in == NULL || send == limit) {
>              break;
>          }
> +
> +        loop_count++;
>      }
>
>      buf->flush = flush;
> @@ -1652,6 +1675,7 @@
>          c->buffered &= ~NGX_SSL_BUFFERED;
>      }
>
> +    c->ssl->last_write_msec = ngx_current_msec;
>      return in;
>  }
>
> diff -r 162b2d27d4e1 -r 31bfe6403c34 src/event/ngx_event_openssl.h
> --- a/src/event/ngx_event_openssl.h     Wed Apr 29 14:59:02 2015 +0300
> +++ b/src/event/ngx_event_openssl.h     Tue May 05 20:29:34 2015 +0800
> @@ -51,6 +51,8 @@
>      ngx_buf_t                  *buf;
>      size_t                      buffer_size;
>
> +    ngx_msec_t                  last_write_msec;
> +
>      ngx_connection_handler_pt   handler;
>
>      ngx_event_handler_pt        saved_read_handler;
>
>
>
>
>
>
>
> _______________________________________________
> nginx-devel mailing list
> nginx-devel at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx-devel
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx-devel/attachments/20150513/2486dcb1/attachment.html>


More information about the nginx-devel mailing list