[PATCH] SSL: raised limit for upstream session size
Sergey Kandaurov
pluknet at nginx.com
Fri Dec 22 14:28:34 UTC 2023
# HG changeset patch
# User Sergey Kandaurov <pluknet at nginx.com>
# Date 1703255284 -14400
# Fri Dec 22 18:28:04 2023 +0400
# Node ID a463fb67e143c051fd373d1df94e5813a37d5cea
# Parent 44266e0651c44f530c4aa66e68c1b9464a9acee7
SSL: raised limit for upstream session size.
Unlike shared session cache used to store multiple client SSL sessions and
which may be per a single SSL connection, sessions saved from upstream are
per upstream server peer, so there is no such multiplier effect, but they
may be of noticeably larger size due to session tickets being used.
It was observed that session tickets sent from JVM backends may result in
a decoded session size near the previous maximum session size limit of
4096 or slightly beyond. Raising the limit allows such sessions to be saved.
diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h
--- a/src/event/ngx_event_openssl.h
+++ b/src/event/ngx_event_openssl.h
@@ -137,7 +137,8 @@ struct ngx_ssl_connection_s {
#define NGX_SSL_DFLT_BUILTIN_SCACHE -5
-#define NGX_SSL_MAX_SESSION_SIZE 4096
+#define NGX_SSL_MAX_SESSION_SIZE 4096
+#define NGX_SSL_CLIENT_MAX_SESSION_SIZE 8192
typedef struct ngx_ssl_sess_id_s ngx_ssl_sess_id_t;
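Review bot: The two adjacent limits carry no comment saying which cache each one bounds, and the name `NGX_SSL_CLIENT_MAX_SESSION_SIZE` does not mention upstream. Going by the commit message, the new value applies only to sessions saved per upstream peer, while `NGX_SSL_MAX_SESSION_SIZE` still bounds the shared client session cache. A later change could pair a buffer sized with one constant with a check against the other. I would add `/* sessions saved from upstream peers; may exceed NGX_SSL_MAX_SESSION_SIZE due to session tickets */` above the new define.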
diff --git a/src/http/ngx_http_upstream_round_robin.c b/src/http/ngx_http_upstream_round_robin.c
--- a/src/http/ngx_http_upstream_round_robin.c
+++ b/src/http/ngx_http_upstream_round_robin.c
@@ -685,7 +685,7 @@ ngx_http_upstream_set_round_robin_peer_s
int len;
const u_char *p;
ngx_http_upstream_rr_peers_t *peers;
- u_char buf[NGX_SSL_MAX_SESSION_SIZE];
+ u_char buf[NGX_SSL_CLIENT_MAX_SESSION_SIZE];
#endif
peer = rrp->current;
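Review bot: Nothing in this hunk bounds the length that is later copied into `buf` on the restore path. The copy itself is outside the hunk, so it presumably relies on the length having been checked against the same constant when the session was saved. That invariant now spans two functions and a second macro, so it deserves a comment at the declaration, e.g. `/* the saved session length never exceeds NGX_SSL_CLIENT_MAX_SESSION_SIZE, see the save handler */`, or a defensive `if (len > (int) sizeof(buf))` before the copy. `buf` is an automatic array, so each call now reserves 8192 bytes of stack instead of 4096. The same applies to the stream variant in `ngx_stream_upstream_set_round_robin_peer`.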
@@ -747,7 +747,7 @@ ngx_http_upstream_save_round_robin_peer_
int len;
u_char *p;
ngx_http_upstream_rr_peers_t *peers;
- u_char buf[NGX_SSL_MAX_SESSION_SIZE];
+ u_char buf[NGX_SSL_CLIENT_MAX_SESSION_SIZE];
#endif
#if (NGX_HTTP_UPSTREAM_ZONE)
@@ -768,7 +768,7 @@ ngx_http_upstream_save_round_robin_peer_
/* do not cache too big session */
- if (len > NGX_SSL_MAX_SESSION_SIZE) {
+ if (len > NGX_SSL_CLIENT_MAX_SESSION_SIZE) {
return;
}
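Review bot: This check is what keeps the serialized session inside `buf` from the previous hunk, yet the two are tied only by repeating the macro name. Resizing one without the other would turn the later write into a stack overflow. Comparing against the buffer itself removes that coupling, assuming `buf` is in scope under the same preprocessor condition, which the hunk does not show. `len` is a signed `int`, so a negative value also passes the test; whether its producer can return one is outside the hunk. I would write `if (len <= 0 || len > (int) sizeof(buf)) {`. The same pattern appears in the stream save handler, in the last hunk of `ngx_stream_upstream_round_robin.c`.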
diff --git a/src/stream/ngx_stream_upstream_round_robin.c b/src/stream/ngx_stream_upstream_round_robin.c
--- a/src/stream/ngx_stream_upstream_round_robin.c
+++ b/src/stream/ngx_stream_upstream_round_robin.c
@@ -717,7 +717,7 @@ ngx_stream_upstream_set_round_robin_peer
int len;
const u_char *p;
ngx_stream_upstream_rr_peers_t *peers;
- u_char buf[NGX_SSL_MAX_SESSION_SIZE];
+ u_char buf[NGX_SSL_CLIENT_MAX_SESSION_SIZE];
#endif
peer = rrp->current;
@@ -779,7 +779,7 @@ ngx_stream_upstream_save_round_robin_pee
int len;
u_char *p;
ngx_stream_upstream_rr_peers_t *peers;
- u_char buf[NGX_SSL_MAX_SESSION_SIZE];
+ u_char buf[NGX_SSL_CLIENT_MAX_SESSION_SIZE];
#endif
#if (NGX_STREAM_UPSTREAM_ZONE)
@@ -800,7 +800,7 @@ ngx_stream_upstream_save_round_robin_pee
/* do not cache too big session */
- if (len > NGX_SSL_MAX_SESSION_SIZE) {
+ if (len > NGX_SSL_CLIENT_MAX_SESSION_SIZE) {
return;
}