SSL contexts reuse across locations

Pavel Pautov P.Pautov at F5.com
Wed May 18 07:20:51 UTC 2022


Hello,

Attaching a POC patch for https://trac.nginx.org/nginx/ticket/1234.

At the very least, ngx_http_proxy_set_ssl() needs to be converted into ngx_http_proxy_create_ssl(). But there are also a couple of things to discuss:

1. The patch uses pretty straightforward reuse criteria (absence of directives), but shall we go further, say, compare directive arguments (with special treatment of complex values with variables)?

2. Since a similar change also makes sense for the "grpc", "uwsgi" (and maybe "stream proxy") modules, perhaps it's time to factor out the SSL upstream settings code for all these modules to avoid copy-pasting of the above patch? We can introduce something like "ngx_ssl_upstream_conf_t" to keep shared SSL settings and unite the ngx_http_(proxy|grpc|uwsgi)_set_ssl functions. Config merge logic (together with the attached patch) can be moved to something like ngx_ssl_upstream_conf_merge. Optionally, ngx_http_upstream_conf_t can be updated to contain ngx_ssl_upstream_conf_t.

Thanks,
Pavel

-------------- next part --------------
A non-text attachment was scrubbed...
Name: ssl_ctx_reuse.patch
Type: application/octet-stream
Size: 2758 bytes
Desc: ssl_ctx_reuse.patch
URL: <http://mailman.nginx.org/pipermail/nginx-devel/attachments/20220518/a51214ce/attachment.obj>
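
Added example (not part of the original message and not the attached patch): a small C model of the reuse criterion from point 1, where a location that sets no SSL directive shares its parent's context and any override gets its own. The struct, field names, CONF_UNSET marker and sample values are hypothetical stand-ins, not nginx identifiers.

```c
#include <stddef.h>

#define CONF_UNSET (-1)   /* hypothetical "directive absent here" marker */

typedef struct { int placeholder; } ssl_ctx_t;  /* stand-in for an SSL context */

typedef struct {          /* hypothetical per-location upstream SSL settings */
    int         verify;         /* CONF_UNSET, 0 or 1 */
    const char *ciphers;        /* NULL when not set at this level */
    const char *certificate;    /* NULL when not set at this level */
    ssl_ctx_t  *ctx;
} loc_ssl_conf_t;

static int ctx_created;   /* contexts handed out so far */

static ssl_ctx_t *create_ctx(void)
{
    static ssl_ctx_t pool[8];
    return ctx_created < 8 ? &pool[ctx_created++] : NULL;
}

/* Merge parent into child; returns 0, or -1 if no context could be created. */
int merge_ssl(const loc_ssl_conf_t *parent, loc_ssl_conf_t *child)
{
    /* Decide BEFORE inheriting values: after the merge every field looks set. */
    int reuse = parent->ctx != NULL && child->verify == CONF_UNSET
                && child->ciphers == NULL && child->certificate == NULL;

    if (child->verify == CONF_UNSET) child->verify = parent->verify;
    if (child->ciphers == NULL) child->ciphers = parent->ciphers;
    if (child->certificate == NULL) child->certificate = parent->certificate;

    /* Any override gets its own context, never the parent's settings. */
    child->ctx = reuse ? parent->ctx : create_ctx();
    return child->ctx != NULL ? 0 : -1;
}

/* Constructed scenario: one server level, two plain locations, one override. */
int demo_contexts_created(void)
{
    loc_ssl_conf_t srv = { 1, "HIGH", NULL, NULL };
    loc_ssl_conf_t a = { CONF_UNSET, NULL, NULL, NULL }, b = a;
    loc_ssl_conf_t c = { 0, NULL, NULL, NULL };   /* turns verification off */
    ctx_created = 0;
    srv.ctx = create_ctx();
    if (merge_ssl(&srv, &a) || merge_ssl(&srv, &b) || merge_ssl(&srv, &c)) return -1;
    return (a.ctx == srv.ctx && b.ctx == srv.ctx && c.ctx != srv.ctx) ? ctx_created : -1;
}

int main(void) { return demo_contexts_created() == 2 ? 0 : 1; }
```

Comparing directive arguments, the stricter criterion the message asks about, would replace the "absent" test with a field-by-field equality check against the parent.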