Forum: NGINX ssl cache pooling (kind of)

Larry (Guest)
on 2014-03-22 17:28
(Received via mailing list)
Hello,

I would like to know if we could replicate the shared memory over
multiple servers.

One cannot reliably use the new ticket system since not all web browsers
support this.

My idea is to modify the ngx_shared_memory_add function to add an RPC
stack to it.

We would write down the upstream servers we want to make aware of the
modification and send them the cache value.

The only remaining question is how to make a correspondence with the
mmap.

Is there a corresponding logic directly between the ssl handshake and
the place in memory chosen ?
Are there any restrictions ?

Basically it would be a full replication of the cache on every server,
but allowing dynamic allocation so that every server remains independent.

Since this does not consume that much of resources, we can easily
allocate even 50Mo for the shared memory without any fear.

Before I start coding, I would like to know if there are any mistakes
in the idea. I may have missed something huge.

Did I ?

Thanks

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,248588,248588#msg-248588
Maxim Dounin (Guest)
on 2014-03-22 22:46
(Received via mailing list)
Hello!

On Sat, Mar 22, 2014 at 12:28:16PM -0400, Larry wrote:

>
> allowing dynamic allocation so that every server remains independent.
>
> Since this does not consume that much of resources, we can easily allocate
> even 50Mo for the shared memory without any fear.
>
> Before I start coding, I would like to know if there are any mistakes in
> the idea. I may have missed something huge.
>
> Did I ?

You may have better luck adding replication logic to the session
cache.

The idea of replication of shared memory looks utterly broken, in
particular as there are pointers stored in shared memory (take a
look at ngx_ssl_new_session() for details).

--
Maxim Dounin
http://nginx.org/
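
The pointer problem raised in the reply above, as an added example that is not part of the thread and is not nginx code: a byte-for-byte copy of a cache entry that holds an absolute pointer still refers to the source zone, while a length-prefixed serialization can be rebuilt in any zone. The `node_t`/`zone_t` layout, the function names and the sample session bytes are hypothetical and constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define ZONE_SIZE 256

/* Hypothetical cache entry holding an absolute pointer into its own zone. */
typedef struct { uint8_t id[4]; uint32_t len; uint8_t *session; } node_t;
typedef union  { node_t node; uint8_t bytes[ZONE_SIZE]; } zone_t;

static void zone_put(zone_t *z, const uint8_t id[4], const uint8_t *s, uint32_t len) {
    memcpy(z->node.id, id, 4);
    z->node.len = len;
    z->node.session = z->bytes + sizeof(node_t);   /* address valid only in this zone */
    memcpy(z->node.session, s, len);
}

/* Returns 1 if the entry's pointer refers to memory inside its own zone. */
int pointer_is_local(const zone_t *z) {
    uintptr_t p = (uintptr_t) z->node.session, base = (uintptr_t) z->bytes;
    return p >= base && p < base + ZONE_SIZE;
}

/* Position-independent form: id (4) | big-endian length (4) | session bytes. */
size_t node_serialize(const zone_t *z, uint8_t *out) {
    uint32_t n = z->node.len;
    memcpy(out, z->node.id, 4);
    out[4] = (uint8_t)(n >> 24); out[5] = (uint8_t)(n >> 16); out[6] = (uint8_t)(n >> 8); out[7] = (uint8_t) n;
    memcpy(out + 8, z->node.session, n);
    return 8 + (size_t) n;
}

/* Rebuild the entry in another zone; rejects truncated or oversized input. */
int node_import(zone_t *z, const uint8_t *in, size_t in_len) {
    if (in_len < 8) return -1;
    uint32_t n = (uint32_t) in[4] << 24 | (uint32_t) in[5] << 16 | (uint32_t) in[6] << 8 | in[7];
    if (n > ZONE_SIZE - sizeof(node_t) || in_len != 8 + (size_t) n) return -1;
    zone_put(z, in, in + 8, n);                    /* pointer is re-derived locally */
    return 0;
}

int main(void) {
    static zone_t a, b, c;                         /* source, raw copy, imported copy */
    uint8_t wire[ZONE_SIZE];
    zone_put(&a, (const uint8_t *) "SID1", (const uint8_t *) "master-secret", 13); /* constructed */
    memcpy(&b, &a, sizeof b);                      /* naive byte replication */
    int rc = node_import(&c, wire, node_serialize(&a, wire));
    printf("raw copy local=%d, import rc=%d local=%d\n", pointer_is_local(&b), rc, pointer_is_local(&c));
    return 0;
}
```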
Larry (Guest)
on 2014-03-23 11:50
(Received via mailing list)
Yep,

Missed that -big- one. Failed idea.

Many examples show how to load balance ssl without problems, like lvs,
haproxy

http://virtuallyhyper.com/2013/05/configure-haprox...

So, am I basically creating an imaginary problem ?

And if so, why does the ssl ticket (rfc 5077) even exist ?

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,248588,248593#msg-248593
Maxim Dounin (Guest)
on 2014-03-23 15:18
(Received via mailing list)
Hello!

On Sun, Mar 23, 2014 at 06:50:18AM -0400, Larry wrote:

> And if so, why does the ssl ticket (rfc 5077) even exist ?

Both session cache and session tickets are needed to reduce the cost
of creating new connections.  It's not something mandatory,
rather an optimization.

--
Maxim Dounin
http://nginx.org/
Larry (Guest)
on 2014-03-24 12:01
(Received via mailing list)
Thanks Maxim,

I will investigate it and get my results here.

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,248588,248614#msg-248614
Larry (Guest)
on 2014-03-24 12:20
(Received via mailing list)
I will try to code something.

Should I put it back here if successful or not ?

Anyway, thanks for your knowledge Maxim.

Larry

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,248588,248610#msg-248610
Maxim Dounin (Guest)
on 2014-03-24 14:10
(Received via mailing list)
Hello!

On Mon, Mar 24, 2014 at 07:20:21AM -0400, Larry wrote:

> I will try to code something.
>
> Should I put it back here if successful or not ?

If you produce something you want to submit to
nginx, see http://nginx.org/en/docs/contributing_changes.html for
the recommended approach.

--
Maxim Dounin
http://nginx.org/