SSL cache pooling (kind of)

Hello,

I would like to know if we could replicate the shared memory over multiple servers.

One cannot reliably use the new ticket system since not all web browsers support this.

My idea is to modify the ngx_shared_memory_add function to add an RPC stack to it.

We would write down the upstream servers we want to make aware of the modification and send them the cache value.

The only remaining question is how to make a correspondence with the mmap.

Is there a corresponding logic directly between the SSL handshake and the place in memory chosen?
Are there any restrictions?

Basically it would be a full replication of the cache on every server, but allowing dynamic allocation so that every server remains independent.

Since this does not consume that many resources, we can easily allocate even 50Mo for the shared memory without any fear.

Before I start coding, I would like to know if there are any mistakes in the idea. I may have missed something huge.

Did I?

Thanks

Posted at Nginx Forum:

Hello!

On Sat, Mar 22, 2014 at 12:28:16PM -0400, Larry wrote:

> allowing dynamic allocation so that every server remains independent.
>
> Since this does not consume that many resources, we can easily allocate
> even 50Mo for the shared memory without any fear.
>
> Before I start coding, I would like to know if there are any mistakes in
> the idea. I may have missed something huge.
>
> Did I?

You may have better luck adding replication logic to the session cache.

The idea of replication of shared memory looks utterly broken, in
particular as there are pointers stored in shared memory (take a
look at ngx_ssl_new_session() for details).


Maxim D.
http://nginx.org/
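
An added illustration of the point in the reply above (not code from this thread or from nginx): a byte-for-byte copy of a shared zone carries pointers that are wrong on the receiver, while replicating a position-independent record at the cache level lets the receiver rebuild them. `cache_node_t`, `zone_t` and the 2-byte-length record layout are hypothetical simplifications, not nginx's structures.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define ZONE_SIZE 256

/* Hypothetical cache node: it and the bytes it points to share one zone. */
typedef struct { size_t len; unsigned char *session; } cache_node_t;
/* A zone stands in for one server's mmap()ed shared memory. */
typedef union { cache_node_t node; unsigned char bytes[ZONE_SIZE]; } zone_t;

/* Store a session: node at offset 0, payload right after it. */
static cache_node_t *zone_store(zone_t *z, const unsigned char *s, size_t len) {
    if (len > ZONE_SIZE - sizeof(cache_node_t)) return NULL;
    z->node.len = len;
    z->node.session = z->bytes + sizeof(cache_node_t);  /* absolute address */
    memcpy(z->node.session, s, len);
    return &z->node;
}

/* True if p points inside zone z. */
static int in_zone(const zone_t *z, const void *p) {
    uintptr_t a = (uintptr_t) p, base = (uintptr_t) z->bytes;
    return a >= base && a < base + ZONE_SIZE;
}

/* Sender: position-independent record, 2-byte big-endian length + payload. */
static size_t record_encode(const cache_node_t *n, unsigned char *out) {
    out[0] = (unsigned char) (n->len >> 8);
    out[1] = (unsigned char) (n->len & 0xff);
    memcpy(out + 2, n->session, n->len);
    return n->len + 2;
}

/* Receiver: validate the length, then rebuild the node in its own zone. */
static cache_node_t *record_apply(zone_t *z, const unsigned char *rec, size_t n) {
    if (n < 2 || (((size_t) rec[0] << 8) | rec[1]) != n - 2) return NULL;
    return zone_store(z, rec + 2, n - 2);
}

int main(void) {
    static zone_t a, raw, rebuilt;
    unsigned char rec[ZONE_SIZE];
    const unsigned char sess[] = "constructed-session-bytes"; /* constructed sample */
    zone_store(&a, sess, sizeof(sess));
    memcpy(&raw, &a, sizeof(a));              /* naive byte-for-byte copy */
    cache_node_t *r = record_apply(&rebuilt, rec, record_encode(&a.node, rec));
    printf("pointer inside own zone: raw copy=%d rebuilt=%d\n",
           in_zone(&raw, raw.node.session), in_zone(&rebuilt, r->session));
    return 0;
}
```
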

Yep,

Missed that -big- one. Failed idea.

Many examples show how to load balance SSL without problems, like lvs, haproxy

http://virtuallyhyper.com/2013/05/configure-haproxy-to-load-balance-sites-with-ssl/

So, am I basically creating an imaginary problem?

And if so, why does the SSL ticket (RFC 5077) even exist?

Posted at Nginx Forum:

Hello!

On Sun, Mar 23, 2014 at 06:50:18AM -0400, Larry wrote:

> And if so, why does the SSL ticket (RFC 5077) even exist?

Both session cache and session tickets are needed to reduce the cost
of creating new connections. It’s not something mandatory,
rather an optimization.


Maxim D.
http://nginx.org/

I will try to code something.

Should I put it back here if successful or not?

Anyway, thanks for your knowledge Maxim.

Larry

Posted at Nginx Forum:

Thanks Maxim,

I will investigate it and get my results here.

Posted at Nginx Forum:

Hello!

On Mon, Mar 24, 2014 at 07:20:21AM -0400, Larry wrote:

> I will try to code something.
>
> Should I put it back here if successful or not?

If you produce something you want to submit into
nginx, see Contributing Changes for the
recommended approach.


Maxim D.
http://nginx.org/