[nginx] SSL: set TCP_NODELAY on SSL connections before handshake.
Maxim Dounin
mdounin at mdounin.ru
Mon May 29 13:43:55 UTC 2017
details: http://hg.nginx.org/nginx/rev/29c6d66b83ba
branches:
changeset: 7008:29c6d66b83ba
user: Maxim Dounin <mdounin at mdounin.ru>
date: Mon May 29 16:34:29 2017 +0300
description:
SSL: set TCP_NODELAY on SSL connections before handshake.
With OpenSSL 1.1.0+, the workaround for handshake buffer size as introduced
in a720f0b0e083 (ticket #413) no longer works, as OpenSSL no longer exposes
handshake buffers, see https://github.com/openssl/openssl/commit/2e7dc7cd688.
Moreover, it is no longer possible to adjust handshake buffers at all now.
To avoid additional RTT if handshake uses more than 4k we now set TCP_NODELAY
on SSL connections before handshake. While this still results in sub-optimal
network utilization due to incomplete packets being sent, it seems to be
better than nothing.
diffstat:
src/http/ngx_http_request.c | 25 +++++++++++++++++--------
src/stream/ngx_stream_ssl_module.c | 13 ++++++++++---
2 files changed, 27 insertions(+), 11 deletions(-)
diffs (68 lines):
diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c
@@ -623,14 +623,15 @@ ngx_http_create_request(ngx_connection_t
static void
ngx_http_ssl_handshake(ngx_event_t *rev)
{
- u_char *p, buf[NGX_PROXY_PROTOCOL_MAX_HEADER + 1];
- size_t size;
- ssize_t n;
- ngx_err_t err;
- ngx_int_t rc;
- ngx_connection_t *c;
- ngx_http_connection_t *hc;
- ngx_http_ssl_srv_conf_t *sscf;
+ u_char *p, buf[NGX_PROXY_PROTOCOL_MAX_HEADER + 1];
+ size_t size;
+ ssize_t n;
+ ngx_err_t err;
+ ngx_int_t rc;
+ ngx_connection_t *c;
+ ngx_http_connection_t *hc;
+ ngx_http_ssl_srv_conf_t *sscf;
+ ngx_http_core_loc_conf_t *clcf;
c = rev->data;
hc = c->data;
@@ -712,6 +713,14 @@ ngx_http_ssl_handshake(ngx_event_t *rev)
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, rev->log, 0,
"https ssl handshake: 0x%02Xd", buf[0]);
+ clcf = ngx_http_get_module_loc_conf(hc->conf_ctx,
+ ngx_http_core_module);
+
+ if (clcf->tcp_nodelay && ngx_tcp_nodelay(c) != NGX_OK) {
+ ngx_http_close_connection(c);
+ return;
+ }
+
sscf = ngx_http_get_module_srv_conf(hc->conf_ctx,
ngx_http_ssl_module);
diff --git a/src/stream/ngx_stream_ssl_module.c b/src/stream/ngx_stream_ssl_module.c
--- a/src/stream/ngx_stream_ssl_module.c
+++ b/src/stream/ngx_stream_ssl_module.c
@@ -352,12 +352,19 @@ ngx_stream_ssl_handler(ngx_stream_sessio
static ngx_int_t
ngx_stream_ssl_init_connection(ngx_ssl_t *ssl, ngx_connection_t *c)
{
- ngx_int_t rc;
- ngx_stream_session_t *s;
- ngx_stream_ssl_conf_t *sslcf;
+ ngx_int_t rc;
+ ngx_stream_session_t *s;
+ ngx_stream_ssl_conf_t *sslcf;
+ ngx_stream_core_srv_conf_t *cscf;
s = c->data;
+ cscf = ngx_stream_get_module_srv_conf(s, ngx_stream_core_module);
+
+ if (cscf->tcp_nodelay && ngx_tcp_nodelay(c) != NGX_OK) {
+ return NGX_ERROR;
+ }
+
if (ngx_ssl_create_connection(ssl, c, 0) == NGX_ERROR) {
return NGX_ERROR;
}
More information about the nginx-devel
mailing list