SSL contexts reuse across locations
Pavel Pautov
P.Pautov at F5.com
Tue May 24 09:25:59 UTC 2022
Hi,
Attaching updated PoC patch, which also reuses contexts from 'http' level.
> -----Original Message-----
> From: Maxim Dounin <mdounin at mdounin.ru>
> Sent: Friday, May 20, 2022 16:23
>
> Hello!
>
> On Fri, May 20, 2022 at 06:52:54AM +0000, Pavel Pautov via nginx-devel wrote:
>
> > > -----Original Message-----
> > > From: Maxim Dounin <mdounin at mdounin.ru>
> > > Sent: Wednesday, May 18, 2022 11:32
> > [..]
> > > > At very least, ngx_http_proxy_set_ssl() needs to be converted
> > > > into ngx_http_proxy_create_ssl().
> > >
> > > You may want to focus on actually making the code more readable
> > > and abstracting it into ngx_http_proxy_set_ssl() instead.
> > > Something like ngx_http_upstream_hide_headers_hash() might be a
> > > good example on how to do it properly.
> >
> > Do you suggest to make ngx_http_proxy_set_ssl() responsible for
> > merging context related settings? I guess, we can do that, but
> > something like ngx_http_proxy_create_ssl() might be still
> > beneficial.
>
> No, I'm suggesting to use ngx_http_proxy_set_ssl() for what it
> currently does: create plcf->upstream.ssl. And extend it to
> inherit plcf->upstream.ssl when possible.
I went with ngx_http_proxy_create_ssl() for now (see patch), as I need to call it twice in some cases.
However, contexts reuse logic can be moved into separate function, as well. Especially if we are going to reuse it across modules.
> > > Also, it should be a good idea to avoid creating SSL contexts if
> > > there is no SSL proxying configured. Or, at very least, make sure
> > > only one context at the http level is used in such cases, so
> > > configurations with many servers won't suddenly blow up.
> >
>
> > The patch shouldn't cause a blow up to my understanding, expect perhaps for
> very specific configs like:
> > server {
> > proxy_ssl_session_reuse off;
> > location / {
> > proxy_ssl_session_reuse on;
> > proxy_pass https://backend;
> > }
> > }
> > Basically, one have to have "proxy_ssl_*" directives scattered
> > across hierarchy of locations with a single terminal "proxy_pass
> > https". If there are many terminal locations with different
> > proxy_passes, then increase shouldn't be that big. If there is
> > no terminal "proxy_pass https", then why are these proxy_ssl_*
> > options even there?
>
> Ah, it looks like I've misread your patch. With the existing
> approach it is not clear how do you expect it to actually fix the
> original problem as in the ticket, that is, a configuration like:
>
> http {
> proxy_ssl_trusted_certificate /etc/pki/tls/cert.pem;
>
> server {
> ...
> location ... { proxy_pass https://...; }
> location ... { proxy_pass https://...; }
> location ... { proxy_pass https://...; }
>
> }
> }
>
> With your patch, no SSL context will be created for the server{}
> block, so each location will have to create its own SSL context
> for proxying: exactly what we are trying to avoid.
Indeed, somehow I've assumed there is going to be a merge into 'http' from some 'null' location.
>
> [...]
>
> > That being said, I think, we can actually satisfy "no SSL
> > contexts without https" requirement by linking location configs
> > and traversing them backwards in a search for location with
> > "proxy_ssl_*" directives. I'd update patch with that approach in
> > mind.
>
> You may want to re-evaluate your understanding of the configuration
> merging process, and re-read the
> ngx_http_upstream_hide_headers_hash() function I've already
> mentioned above.
I did and I still find above a valid technique for achieving "no contexts without https proxy_pass" (not sure though, if it's still a requirement). There could be several layers of locations between "proxy_ssl_*" and proxy_pass and if we don't create context on the way down, we'll have to go up to create it for other nested locations to see it. Alternatively, I guess, we can use something like "ngx_ssl_t **" to have same placeholder for locations which would reuse context, and init it only if we hit "https proxy_pass".
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ssl_ctx_reuse.patch
Type: application/octet-stream
Size: 6615 bytes
Desc: ssl_ctx_reuse.patch
URL: <http://mailman.nginx.org/pipermail/nginx-devel/attachments/20220524/5a1c60c6/attachment.obj>
More information about the nginx-devel
mailing list