Ssl cache pooling (kind of)

Hello,

I would like to know if we could replicate the shared memory over
multiple
servers.

One cannot reliably use the new ticket system since not all webbrowsers
support this.

My idea is to modify the ngx_shared_memory_add function to add a rpc
stack
to it.

We would write down the upstream servers we want to make aware of the
modification and send them the cache value.

The only remaining question is how to make a corresponding with the
mmap.

Is there a corresponding logic directly between the ssl handshake and
the
place in memory choosen ?
Are there any restrictions ?

Basically it would be a full replication of the cache on every server,
but
allowing dynamic allocation so that every server remains independant.

Since this does not consume that much of resources, we can easily
allocate
even 50Mo for the shared memory without any fear.

Before I start coding, I would like to know if there are any mistakes
in
the idea. I may have missed something huge.

Did I ?

Thanks

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,248588,248588#msg-248588

Hello!

On Sat, Mar 22, 2014 at 12:28:16PM -0400, Larry wrote:

allowing dynamic allocation so that every server remains independant.

Since this does not consume that much of resources, we can easily allocate
even 50Mo for the shared memory without any fear.

Before I start coding, I would like to know if there are any mistakes in
the idea. I may have missed something huge.

Did I ?

You may have better luck adding replication logic to the session
cache.

The idea of replication of shared memory looks utterly broken, in
particular as there are pointers stored in shared memory (take a
look at ngx_ssl_new_session() for details).


Maxim D.
http://nginx.org/

Yep,

Missed that -big- one. Failed idea.

Many example show how to loadbalance ssl without problems like lvs,
haproxy

http://virtuallyhyper.com/2013/05/configure-haproxy-to-load-balance-sites-with-ssl/

So, Am I basically creating an imaginary problem ?

And if so, why ssl ticket (rfc 5077) even exists ?

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,248588,248593#msg-248593

Hello!

On Sun, Mar 23, 2014 at 06:50:18AM -0400, Larry wrote:

And if so, why ssl ticket (rfc 5077) even exists ?
Both session cache and session tickets are needed to reduce cost
of creating of new connections. It’s not something mandatory,
rather an optimization.


Maxim D.
http://nginx.org/

I will try to code something.

Should I put it back here if successful or not ?

Anyway, thanks for your knowledge Maxim.

Larry

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,248588,248610#msg-248610

Thanks Maxim,

I will investigate it and get my results here.

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,248588,248614#msg-248614

Hello!

On Mon, Mar 24, 2014 at 07:20:21AM -0400, Larry wrote:

I will try to code something.

Should I put it back here if successful or not ?

If you’ll produce something you will want to submit into
nginx, see http://nginx.org/en/docs/contributing_changes.html for
recommended approach.


Maxim D.
http://nginx.org/

This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.

| Privacy Policy | Terms of Service | Remote Ruby Jobs