nginx and ssl problem

Igor Sysoev is at rambler-co.ru
Tue Jul 24 19:07:28 MSD 2007


On Tue, Jul 24, 2007 at 02:18:33PM +0300, Pavel wrote:

> В Nginx временами умирает SSL. Что в тот момнет в логе сейчас к 
> сожалению не могу сказать.

Попробуйте патч. Несмотря на имя, для 0.5.26 должен подойти.


-- 
Игорь Сысоев
http://sysoev.ru
-------------- next part --------------
Index: src/http/ngx_http_upstream.c
===================================================================
--- src/http/ngx_http_upstream.c	(revision 602)
+++ src/http/ngx_http_upstream.c	(working copy)
@@ -657,7 +657,7 @@
     c->sendfile = 0;
     u->output.sendfile = 0;
 
-    if (ngx_ssl_set_session(c, u->peer.ssl_session) != NGX_OK) {
+    if (u->peer.set_session(&u->peer, u->peer.data) != NGX_OK) {
         ngx_http_upstream_finalize_request(r, u,
                                            NGX_HTTP_INTERNAL_SERVER_ERROR);
         return;
Index: src/http/ngx_http_upstream_round_robin.c
===================================================================
--- src/http/ngx_http_upstream_round_robin.c	(revision 602)
+++ src/http/ngx_http_upstream_round_robin.c	(working copy)
@@ -152,7 +152,10 @@
     r->upstream->peer.free = ngx_http_upstream_free_round_robin_peer;
     r->upstream->peer.tries = rrp->peers->number;
 #if (NGX_HTTP_SSL)
-    r->upstream->peer.save_session = ngx_http_upstream_save_round_robin_peer;
+    r->upstream->peer.set_session =
+                               ngx_http_upstream_set_round_robin_peer_session;
+    r->upstream->peer.save_session =
+                               ngx_http_upstream_save_round_robin_peer_session;
 #endif
 
     return NGX_OK;
@@ -328,9 +331,6 @@
     pc->sockaddr = peer->sockaddr;
     pc->socklen = peer->socklen;
     pc->name = &peer->name;
-#if (NGX_SSL)
-    pc->ssl_session = peer->ssl_session;
-#endif
 
     /* ngx_unlock_mutex(rrp->peers->mutex); */
 
@@ -408,29 +408,70 @@
 
 #if (NGX_HTTP_SSL)
 
-void
-ngx_http_upstream_save_round_robin_peer(ngx_peer_connection_t *pc, void *data)
+ngx_int_t
+ngx_http_upstream_set_round_robin_peer_session(ngx_peer_connection_t *pc,
+    void *data)
 {
     ngx_http_upstream_rr_peer_data_t  *rrp = data;
 
+    ngx_int_t                     rc;
     ngx_ssl_session_t            *ssl_session;
     ngx_http_upstream_rr_peer_t  *peer;
 
+    peer = &rrp->peers->peer[rrp->current];
+
+    /* ngx_lock_mutex(rrp->peers->mutex); */
+
+    ssl_session = peer->ssl_session;
+
+    rc = ngx_ssl_set_session(pc->connection, ssl_session);
+
+    ngx_log_debug2(NGX_LOG_DEBUG_HTTP, pc->log, 0,
+                  "set session: %p:%d",
+                  ssl_session, ssl_session ? ssl_session->references : 0);
+
+    /* ngx_unlock_mutex(rrp->peers->mutex); */
+
+    return rc;
+}
+
+
+void
+ngx_http_upstream_save_round_robin_peer_session(ngx_peer_connection_t *pc,
+    void *data)
+{
+    ngx_http_upstream_rr_peer_data_t  *rrp = data;
+
+    ngx_ssl_session_t            *old_ssl_session, *ssl_session;
+    ngx_http_upstream_rr_peer_t  *peer;
+
     ssl_session = ngx_ssl_get_session(pc->connection);
 
     if (ssl_session == NULL) {
         return;
     }
 
+    ngx_log_debug2(NGX_LOG_DEBUG_HTTP, pc->log, 0,
+                  "save session: %p:%d", ssl_session, ssl_session->references);
+
     peer = &rrp->peers->peer[rrp->current];
 
     /* ngx_lock_mutex(rrp->peers->mutex); */
+
+    old_ssl_session = peer->ssl_session;
     peer->ssl_session = ssl_session;
+
     /* ngx_unlock_mutex(rrp->peers->mutex); */
 
-    if (pc->ssl_session) {
+    if (old_ssl_session) {
+
+        ngx_log_debug2(NGX_LOG_DEBUG_HTTP, pc->log, 0,
+                      "old session: %p:%d",
+                       old_ssl_session, old_ssl_session->references);
+
         /* TODO: may block */
-        ngx_ssl_free_session(pc->ssl_session);
+
+        ngx_ssl_free_session(old_ssl_session);
     }
 }
 
Index: src/http/ngx_http_upstream_round_robin.h
===================================================================
--- src/http/ngx_http_upstream_round_robin.h	(revision 602)
+++ src/http/ngx_http_upstream_round_robin.h	(working copy)
@@ -30,7 +30,7 @@
     ngx_uint_t                      down;          /* unsigned  down:1; */
 
 #if (NGX_SSL)
-    ngx_ssl_session_t              *ssl_session;
+    ngx_ssl_session_t              *ssl_session;   /* local to a process */
 #endif
 } ngx_http_upstream_rr_peer_t;
 
@@ -68,8 +68,11 @@
     void *data, ngx_uint_t state);
 
 #if (NGX_HTTP_SSL)
-void ngx_http_upstream_save_round_robin_peer(ngx_peer_connection_t *pc,
+ngx_int_t
+    ngx_http_upstream_set_round_robin_peer_session(ngx_peer_connection_t *pc,
     void *data);
+void ngx_http_upstream_save_round_robin_peer_session(ngx_peer_connection_t *pc,
+    void *data);
 #endif
 
 
Index: src/http/modules/ngx_http_upstream_ip_hash_module.c
===================================================================
--- src/http/modules/ngx_http_upstream_ip_hash_module.c	(revision 602)
+++ src/http/modules/ngx_http_upstream_ip_hash_module.c	(working copy)
@@ -198,9 +198,6 @@
     pc->sockaddr = peer->sockaddr;
     pc->socklen = peer->socklen;
     pc->name = &peer->name;
-#if (NGX_SSL)
-    pc->ssl_session = peer->ssl_session;
-#endif
 
     /* ngx_unlock_mutex(iphp->rrp.peers->mutex); */
 
Index: src/event/ngx_event_connect.h
===================================================================
--- src/event/ngx_event_connect.h	(revision 602)
+++ src/event/ngx_event_connect.h	(working copy)
@@ -13,50 +13,56 @@
 #include <ngx_event.h>
 
 
-#define NGX_PEER_KEEPALIVE   1
-#define NGX_PEER_NEXT        2
-#define NGX_PEER_FAILED      4
+#define NGX_PEER_KEEPALIVE           1
+#define NGX_PEER_NEXT                2
+#define NGX_PEER_FAILED              4
 
 
 typedef struct ngx_peer_connection_s  ngx_peer_connection_t;
 
 typedef ngx_int_t (*ngx_event_get_peer_pt)(ngx_peer_connection_t *pc,
     void *data);
-#if (NGX_SSL)
-typedef void (*ngx_event_save_peer_pt)(ngx_peer_connection_t *pc, void *data);
-#endif
 typedef void (*ngx_event_free_peer_pt)(ngx_peer_connection_t *pc, void *data,
     ngx_uint_t state);
+#if (NGX_SSL)
 
+typedef ngx_int_t (*ngx_event_set_peer_session_pt)(ngx_peer_connection_t *pc,
+    void *data);
+typedef void (*ngx_event_save_peer_session_pt)(ngx_peer_connection_t *pc,
+    void *data);
+#endif
 
+
 struct ngx_peer_connection_s {
-    ngx_connection_t        *connection;
+    ngx_connection_t                *connection;
 
-    struct sockaddr         *sockaddr;
-    socklen_t                socklen;
-    ngx_str_t               *name;
+    struct sockaddr                 *sockaddr;
+    socklen_t                        socklen;
+    ngx_str_t                       *name;
 
-    ngx_uint_t               tries;
+    ngx_uint_t                       tries;
 
-    ngx_event_get_peer_pt    get;
-    ngx_event_free_peer_pt   free;
-    void                    *data;
+    ngx_event_get_peer_pt            get;
+    ngx_event_free_peer_pt           free;
+    void                            *data;
 
 #if (NGX_SSL)
-    ngx_ssl_session_t       *ssl_session;
-    ngx_event_save_peer_pt   save_session;
+    ngx_event_set_peer_session_pt    set_session;
+    ngx_event_save_peer_session_pt   save_session;
 #endif
 
 #if (NGX_THREADS)
-    ngx_atomic_t            *lock;
+    ngx_atomic_t                    *lock;
 #endif
 
-    int                      rcvbuf;
+    int                              rcvbuf;
 
-    ngx_log_t               *log;
+    ngx_log_t                       *log;
 
-    unsigned                 cached:1;
-    unsigned                 log_error:2;  /* ngx_connection_log_error_e */
+    unsigned                         cached:1;
+
+                                     /* ngx_connection_log_error_e */
+    unsigned                         log_error:2;
 };
 
 


More information about the nginx-ru mailing list