Attachment 224911 Details for Bug 255850 – dynamic tls patch

dynamic tls patch

www_nginx_dynamic_tls.patch.txt (text/plain), 8.88 KB, created by Ryan Steinmetz on 2021-05-13 19:26:21 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Ryan Steinmetz

Created: 2021-05-13 19:26:21 UTC

Size: 8.88 KB

patch

obsolete

>diff --git a/www/nginx/Makefile b/www/nginx/Makefile
>index c664aeb35..1f876403e 100644
>--- a/www/nginx/Makefile
>+++ b/www/nginx/Makefile
>@@ -2,7 +2,7 @@
> 
> PORTNAME=	nginx
> PORTVERSION=	1.20.0
>-PORTREVISION?=	1
>+PORTREVISION?=	2
> PORTEPOCH=	2
> CATEGORIES=	www
> MASTER_SITES=	https://nginx.org/download/ \
>diff --git a/www/nginx/Makefile.extmod b/www/nginx/Makefile.extmod
>index bf4bb53f8..daaac6da5 100644
>--- a/www/nginx/Makefile.extmod
>+++ b/www/nginx/Makefile.extmod
>@@ -35,6 +35,8 @@ DRIZZLE_GH_TUPLE=	openresty:drizzle-nginx-module:v0.1.11:drizzle
> DRIZZLE_EXTRA_PATCHES=	${PATCHDIR}/extra-patch-openresty-drizzle-nginx-module-config
> DRIZZLE_VARS=		DSO_EXTMODS+=drizzle
> 
>+DYNAMIC_TLS_EXTRA_PATCHES=	${PATCHDIR}/extra-patch-dynamic-tls
>+
> DYNAMIC_UPSTREAM_GH_TUPLE=	ZigzagAK:ngx_dynamic_upstream:960eef2:dynamic_upstream
> DYNAMIC_UPSTREAM_VARS=		DSO_EXTMODS+=dynamic_upstream
> 
>diff --git a/www/nginx/files/extra-patch-dynamic-tls b/www/nginx/files/extra-patch-dynamic-tls
>new file mode 100644
>index 000000000..86b617a55
>--- /dev/null
>+++ b/www/nginx/files/extra-patch-dynamic-tls
>@@ -0,0 +1,225 @@
>+--- src/event/ngx_event_openssl.c.orig	2021-04-20 13:35:47 UTC
>++++ src/event/ngx_event_openssl.c
>+@@ -1616,6 +1616,7 @@ ngx_ssl_create_connection(ngx_ssl_t *ssl
>+ 
>+     sc->buffer = ((flags & NGX_SSL_BUFFER) != 0);
>+     sc->buffer_size = ssl->buffer_size;
>++    sc->dyn_rec = ssl->dyn_rec;
>+ 
>+     sc->session_ctx = ssl->ctx;
>+ 
>+@@ -2555,6 +2556,41 @@ ngx_ssl_send_chain(ngx_connection_t *c, 
>+ 
>+     for ( ;; ) {
>+ 
>++        /* Dynamic record resizing:
>++           We want the initial records to fit into one TCP segment
>++           so we don't get TCP HoL blocking due to TCP Slow Start.
>++           A connection always starts with small records, but after
>++           a given amount of records sent, we make the records larger
>++           to reduce header overhead.
>++           After a connection has idled for a given timeout, begin
>++           the process from the start. The actual parameters are
>++           configurable. If dyn_rec_timeout is 0, we assume dyn_rec is off. */
>++
>++        if (c->ssl->dyn_rec.timeout > 0 ) {
>++
>++            if (ngx_current_msec - c->ssl->dyn_rec_last_write >
>++                c->ssl->dyn_rec.timeout)
>++            {
>++                buf->end = buf->start + c->ssl->dyn_rec.size_lo;
>++                c->ssl->dyn_rec_records_sent = 0;
>++
>++            } else {
>++                if (c->ssl->dyn_rec_records_sent >
>++                    c->ssl->dyn_rec.threshold * 2)
>++                {
>++                    buf->end = buf->start + c->ssl->buffer_size;
>++
>++                } else if (c->ssl->dyn_rec_records_sent >
>++                           c->ssl->dyn_rec.threshold)
>++                {
>++                    buf->end = buf->start + c->ssl->dyn_rec.size_hi;
>++
>++                } else {
>++                    buf->end = buf->start + c->ssl->dyn_rec.size_lo;
>++                }
>++            }
>++        }
>++
>+         while (in && buf->last < buf->end && send < limit) {
>+             if (in->buf->last_buf || in->buf->flush) {
>+                 flush = 1;
>+@@ -2662,6 +2698,9 @@ ngx_ssl_write(ngx_connection_t *c, u_cha
>+ 
>+     if (n > 0) {
>+ 
>++        c->ssl->dyn_rec_records_sent++;
>++        c->ssl->dyn_rec_last_write = ngx_current_msec;
>++
>+         if (c->ssl->saved_read_handler) {
>+ 
>+             c->read->handler = c->ssl->saved_read_handler;
>+--- src/event/ngx_event_openssl.h.orig	2021-04-20 13:35:47 UTC
>++++ src/event/ngx_event_openssl.h
>+@@ -66,11 +66,19 @@
>+ 
>+ typedef struct ngx_ssl_ocsp_s  ngx_ssl_ocsp_t;
>+ 
>++typedef struct {
>++    ngx_msec_t                  timeout;
>++    ngx_uint_t                  threshold;
>++    size_t                      size_lo;
>++    size_t                      size_hi;
>++} ngx_ssl_dyn_rec_t;
>++
>+ 
>+ struct ngx_ssl_s {
>+     SSL_CTX                    *ctx;
>+     ngx_log_t                  *log;
>+     size_t                      buffer_size;
>++    ngx_ssl_dyn_rec_t           dyn_rec;
>+ };
>+ 
>+ 
>+@@ -106,6 +114,10 @@ struct ngx_ssl_connection_s {
>+     unsigned                    in_ocsp:1;
>+     unsigned                    early_preread:1;
>+     unsigned                    write_blocked:1;
>++
>++    ngx_ssl_dyn_rec_t           dyn_rec;
>++    ngx_msec_t                  dyn_rec_last_write;
>++    ngx_uint_t                  dyn_rec_records_sent;
>+ };
>+ 
>+ 
>+@@ -115,7 +127,7 @@ struct ngx_ssl_connection_s {
>+ #define NGX_SSL_DFLT_BUILTIN_SCACHE  -5
>+ 
>+ 
>+-#define NGX_SSL_MAX_SESSION_SIZE  4096
>++#define NGX_SSL_MAX_SESSION_SIZE  16384
>+ 
>+ typedef struct ngx_ssl_sess_id_s  ngx_ssl_sess_id_t;
>+ 
>+--- src/http/modules/ngx_http_ssl_module.c.orig	2021-04-20 13:35:47 UTC
>++++ src/http/modules/ngx_http_ssl_module.c
>+@@ -301,6 +301,41 @@ static ngx_command_t  ngx_http_ssl_comma
>+       offsetof(ngx_http_ssl_srv_conf_t, reject_handshake),
>+       NULL },
>+ 
>++    { ngx_string("ssl_dyn_rec_enable"),
>++      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
>++      ngx_conf_set_flag_slot,
>++      NGX_HTTP_SRV_CONF_OFFSET,
>++      offsetof(ngx_http_ssl_srv_conf_t, dyn_rec_enable),
>++      NULL },
>++
>++    { ngx_string("ssl_dyn_rec_timeout"),
>++      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
>++      ngx_conf_set_msec_slot,
>++      NGX_HTTP_SRV_CONF_OFFSET,
>++      offsetof(ngx_http_ssl_srv_conf_t, dyn_rec_timeout),
>++      NULL },
>++
>++    { ngx_string("ssl_dyn_rec_size_lo"),
>++      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
>++      ngx_conf_set_size_slot,
>++      NGX_HTTP_SRV_CONF_OFFSET,
>++      offsetof(ngx_http_ssl_srv_conf_t, dyn_rec_size_lo),
>++      NULL },
>++
>++    { ngx_string("ssl_dyn_rec_size_hi"),
>++      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
>++      ngx_conf_set_size_slot,
>++      NGX_HTTP_SRV_CONF_OFFSET,
>++      offsetof(ngx_http_ssl_srv_conf_t, dyn_rec_size_hi),
>++      NULL },
>++
>++    { ngx_string("ssl_dyn_rec_threshold"),
>++      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
>++      ngx_conf_set_num_slot,
>++      NGX_HTTP_SRV_CONF_OFFSET,
>++      offsetof(ngx_http_ssl_srv_conf_t, dyn_rec_threshold),
>++      NULL },
>++
>+       ngx_null_command
>+ };
>+ 
>+@@ -637,6 +672,11 @@ ngx_http_ssl_create_srv_conf(ngx_conf_t 
>+     sscf->ocsp_cache_zone = NGX_CONF_UNSET_PTR;
>+     sscf->stapling = NGX_CONF_UNSET;
>+     sscf->stapling_verify = NGX_CONF_UNSET;
>++    sscf->dyn_rec_enable = NGX_CONF_UNSET;
>++    sscf->dyn_rec_timeout = NGX_CONF_UNSET_MSEC;
>++    sscf->dyn_rec_size_lo = NGX_CONF_UNSET_SIZE;
>++    sscf->dyn_rec_size_hi = NGX_CONF_UNSET_SIZE;
>++    sscf->dyn_rec_threshold = NGX_CONF_UNSET_UINT;
>+ 
>+     return sscf;
>+ }
>+@@ -712,6 +752,20 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *
>+     ngx_conf_merge_str_value(conf->stapling_responder,
>+                          prev->stapling_responder, "");
>+ 
>++    ngx_conf_merge_value(conf->dyn_rec_enable, prev->dyn_rec_enable, 0);
>++    ngx_conf_merge_msec_value(conf->dyn_rec_timeout, prev->dyn_rec_timeout,
>++                             1000);
>++    /* Default sizes for the dynamic record sizes are defined to fit maximal
>++       TLS + IPv6 overhead in a single TCP segment for lo and 3 segments for hi:
>++       1369 = 1500 - 40 (IP) - 20 (TCP) - 10 (Time) - 61 (Max TLS overhead) */
>++    ngx_conf_merge_size_value(conf->dyn_rec_size_lo, prev->dyn_rec_size_lo,
>++                             1369);
>++    /* 4229 = (1500 - 40 - 20 - 10) * 3  - 61 */
>++    ngx_conf_merge_size_value(conf->dyn_rec_size_hi, prev->dyn_rec_size_hi,
>++                             4229);
>++    ngx_conf_merge_uint_value(conf->dyn_rec_threshold, prev->dyn_rec_threshold,
>++                             40);
>++
>+     conf->ssl.log = cf->log;
>+ 
>+     if (conf->enable) {
>+@@ -943,6 +997,28 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *
>+         return NGX_CONF_ERROR;
>+     }
>+ 
>++    if (conf->dyn_rec_enable) {
>++        conf->ssl.dyn_rec.timeout = conf->dyn_rec_timeout;
>++        conf->ssl.dyn_rec.threshold = conf->dyn_rec_threshold;
>++
>++        if (conf->buffer_size > conf->dyn_rec_size_lo) {
>++            conf->ssl.dyn_rec.size_lo = conf->dyn_rec_size_lo;
>++
>++        } else {
>++            conf->ssl.dyn_rec.size_lo = conf->buffer_size;
>++        }
>++
>++        if (conf->buffer_size > conf->dyn_rec_size_hi) {
>++            conf->ssl.dyn_rec.size_hi = conf->dyn_rec_size_hi;
>++
>++        } else {
>++            conf->ssl.dyn_rec.size_hi = conf->buffer_size;
>++        }
>++
>++    } else {
>++        conf->ssl.dyn_rec.timeout = 0;
>++    }
>++
>+     return NGX_CONF_OK;
>+ }
>+ 
>+--- src/http/modules/ngx_http_ssl_module.h.orig	2021-04-20 13:35:47 UTC
>++++ src/http/modules/ngx_http_ssl_module.h
>+@@ -67,6 +67,12 @@ typedef struct {
>+ 
>+     u_char                         *file;
>+     ngx_uint_t                      line;
>++
>++    ngx_flag_t                      dyn_rec_enable;
>++    ngx_msec_t                      dyn_rec_timeout;
>++    size_t                          dyn_rec_size_lo;
>++    size_t                          dyn_rec_size_hi;
>++    ngx_uint_t                      dyn_rec_threshold;
>+ } ngx_http_ssl_srv_conf_t;
>+ 
>+

Actions: View

Attachments on bug 255850: 224911