FreeBSD Bugzilla – Attachment 224911 Details for
Bug 255850
[patch] www/nginx: restore dynamic tls patch
dynamic tls patch
www_nginx_dynamic_tls.patch.txt (text/plain), 8.88 KB, created by
Ryan Steinmetz
on 2021-05-13 19:26:21 UTC
Description:
dynamic tls patch
Filename:
MIME Type:
Creator:
Ryan Steinmetz
Created:
2021-05-13 19:26:21 UTC
Size:
8.88 KB
patch
obsolete
>diff --git a/www/nginx/Makefile b/www/nginx/Makefile
>index c664aeb35..1f876403e 100644
>--- a/www/nginx/Makefile
>+++ b/www/nginx/Makefile
>@@ -2,7 +2,7 @@
> 
> PORTNAME= nginx
> PORTVERSION= 1.20.0
>-PORTREVISION?= 1
>+PORTREVISION?= 2
> PORTEPOCH= 2
> CATEGORIES= www
> MASTER_SITES= https://nginx.org/download/ \
>diff --git a/www/nginx/Makefile.extmod b/www/nginx/Makefile.extmod
>index bf4bb53f8..daaac6da5 100644
>--- a/www/nginx/Makefile.extmod
>+++ b/www/nginx/Makefile.extmod
>@@ -35,6 +35,8 @@ DRIZZLE_GH_TUPLE= openresty:drizzle-nginx-module:v0.1.11:drizzle
> DRIZZLE_EXTRA_PATCHES= ${PATCHDIR}/extra-patch-openresty-drizzle-nginx-module-config
> DRIZZLE_VARS= DSO_EXTMODS+=drizzle
> 
>+DYNAMIC_TLS_EXTRA_PATCHES= ${PATCHDIR}/extra-patch-dynamic-tls
>+
> DYNAMIC_UPSTREAM_GH_TUPLE= ZigzagAK:ngx_dynamic_upstream:960eef2:dynamic_upstream
> DYNAMIC_UPSTREAM_VARS= DSO_EXTMODS+=dynamic_upstream
> 
>diff --git a/www/nginx/files/extra-patch-dynamic-tls b/www/nginx/files/extra-patch-dynamic-tls
>new file mode 100644
>index 000000000..86b617a55
>--- /dev/null
>+++ b/www/nginx/files/extra-patch-dynamic-tls
>@@ -0,0 +1,225 @@
>+--- src/event/ngx_event_openssl.c.orig 2021-04-20 13:35:47 UTC
>++++ src/event/ngx_event_openssl.c
>+@@ -1616,6 +1616,7 @@ ngx_ssl_create_connection(ngx_ssl_t *ssl
>+
>+ sc->buffer = ((flags & NGX_SSL_BUFFER) != 0);
>+ sc->buffer_size = ssl->buffer_size;
>++ sc->dyn_rec = ssl->dyn_rec;
>+
>+ sc->session_ctx = ssl->ctx;
>+
>+@@ -2555,6 +2556,41 @@ ngx_ssl_send_chain(ngx_connection_t *c,
>+
>+ for ( ;; ) {
>+
>++ /* Dynamic record resizing:
>++ We want the initial records to fit into one TCP segment
>++ so we don't get TCP HoL blocking due to TCP Slow Start.
>++ A connection always starts with small records, but after
>++ a given amount of records sent, we make the records larger
>++ to reduce header overhead.
>++ After a connection has idled for a given timeout, begin
>++ the process from the start. The actual parameters are
>++ configurable. If dyn_rec_timeout is 0, we assume dyn_rec is off. */
>++
>++ if (c->ssl->dyn_rec.timeout > 0 ) {
>++
>++ if (ngx_current_msec - c->ssl->dyn_rec_last_write >
>++ c->ssl->dyn_rec.timeout)
>++ {
>++ buf->end = buf->start + c->ssl->dyn_rec.size_lo;
>++ c->ssl->dyn_rec_records_sent = 0;
>++
>++ } else {
>++ if (c->ssl->dyn_rec_records_sent >
>++ c->ssl->dyn_rec.threshold * 2)
>++ {
>++ buf->end = buf->start + c->ssl->buffer_size;
>++
>++ } else if (c->ssl->dyn_rec_records_sent >
>++ c->ssl->dyn_rec.threshold)
>++ {
>++ buf->end = buf->start + c->ssl->dyn_rec.size_hi;
>++
>++ } else {
>++ buf->end = buf->start + c->ssl->dyn_rec.size_lo;
>++ }
>++ }
>++ }
>++
>+ while (in && buf->last < buf->end && send < limit) {
>+ if (in->buf->last_buf || in->buf->flush) {
>+ flush = 1;
>+@@ -2662,6 +2698,9 @@ ngx_ssl_write(ngx_connection_t *c, u_cha
>+
>+ if (n > 0) {
>+
>++ c->ssl->dyn_rec_records_sent++;
>++ c->ssl->dyn_rec_last_write = ngx_current_msec;
>++
>+ if (c->ssl->saved_read_handler) {
>+
>+ c->read->handler = c->ssl->saved_read_handler;
>+--- src/event/ngx_event_openssl.h.orig 2021-04-20 13:35:47 UTC
>++++ src/event/ngx_event_openssl.h
>+@@ -66,11 +66,19 @@
>+
>+ typedef struct ngx_ssl_ocsp_s ngx_ssl_ocsp_t;
>+
>++typedef struct {
>++ ngx_msec_t timeout;
>++ ngx_uint_t threshold;
>++ size_t size_lo;
>++ size_t size_hi;
>++} ngx_ssl_dyn_rec_t;
>++
>+
>+ struct ngx_ssl_s {
>+ SSL_CTX *ctx;
>+ ngx_log_t *log;
>+ size_t buffer_size;
>++ ngx_ssl_dyn_rec_t dyn_rec;
>+ };
>+
>+
>+@@ -106,6 +114,10 @@ struct ngx_ssl_connection_s {
>+ unsigned in_ocsp:1;
>+ unsigned early_preread:1;
>+ unsigned write_blocked:1;
>++
>++ ngx_ssl_dyn_rec_t dyn_rec;
>++ ngx_msec_t dyn_rec_last_write;
>++ ngx_uint_t dyn_rec_records_sent;
>+ };
>+
>+
>+@@ -115,7 +127,7 @@ struct ngx_ssl_connection_s {
>+ #define NGX_SSL_DFLT_BUILTIN_SCACHE -5
>+
>+
>+-#define NGX_SSL_MAX_SESSION_SIZE 4096
>++#define NGX_SSL_MAX_SESSION_SIZE 16384
>+
>+ typedef struct ngx_ssl_sess_id_s ngx_ssl_sess_id_t;
>+
>+--- src/http/modules/ngx_http_ssl_module.c.orig 2021-04-20 13:35:47 UTC
>++++ src/http/modules/ngx_http_ssl_module.c
>+@@ -301,6 +301,41 @@ static ngx_command_t ngx_http_ssl_comma
>+ offsetof(ngx_http_ssl_srv_conf_t, reject_handshake),
>+ NULL },
>+
>++ { ngx_string("ssl_dyn_rec_enable"),
>++ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
>++ ngx_conf_set_flag_slot,
>++ NGX_HTTP_SRV_CONF_OFFSET,
>++ offsetof(ngx_http_ssl_srv_conf_t, dyn_rec_enable),
>++ NULL },
>++
>++ { ngx_string("ssl_dyn_rec_timeout"),
>++ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
>++ ngx_conf_set_msec_slot,
>++ NGX_HTTP_SRV_CONF_OFFSET,
>++ offsetof(ngx_http_ssl_srv_conf_t, dyn_rec_timeout),
>++ NULL },
>++
>++ { ngx_string("ssl_dyn_rec_size_lo"),
>++ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
>++ ngx_conf_set_size_slot,
>++ NGX_HTTP_SRV_CONF_OFFSET,
>++ offsetof(ngx_http_ssl_srv_conf_t, dyn_rec_size_lo),
>++ NULL },
>++
>++ { ngx_string("ssl_dyn_rec_size_hi"),
>++ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
>++ ngx_conf_set_size_slot,
>++ NGX_HTTP_SRV_CONF_OFFSET,
>++ offsetof(ngx_http_ssl_srv_conf_t, dyn_rec_size_hi),
>++ NULL },
>++
>++ { ngx_string("ssl_dyn_rec_threshold"),
>++ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
>++ ngx_conf_set_num_slot,
>++ NGX_HTTP_SRV_CONF_OFFSET,
>++ offsetof(ngx_http_ssl_srv_conf_t, dyn_rec_threshold),
>++ NULL },
>++
>+ ngx_null_command
>+ };
>+
>+@@ -637,6 +672,11 @@ ngx_http_ssl_create_srv_conf(ngx_conf_t
>+ sscf->ocsp_cache_zone = NGX_CONF_UNSET_PTR;
>+ sscf->stapling = NGX_CONF_UNSET;
>+ sscf->stapling_verify = NGX_CONF_UNSET;
>++ sscf->dyn_rec_enable = NGX_CONF_UNSET;
>++ sscf->dyn_rec_timeout = NGX_CONF_UNSET_MSEC;
>++ sscf->dyn_rec_size_lo = NGX_CONF_UNSET_SIZE;
>++ sscf->dyn_rec_size_hi = NGX_CONF_UNSET_SIZE;
>++ sscf->dyn_rec_threshold = NGX_CONF_UNSET_UINT;
>+
>+ return sscf;
>+ }
>+@@ -712,6 +752,20 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *
>+ ngx_conf_merge_str_value(conf->stapling_responder,
>+ prev->stapling_responder, "");
>+
>++ ngx_conf_merge_value(conf->dyn_rec_enable, prev->dyn_rec_enable, 0);
>++ ngx_conf_merge_msec_value(conf->dyn_rec_timeout, prev->dyn_rec_timeout,
>++ 1000);
>++ /* Default sizes for the dynamic record sizes are defined to fit maximal
>++ TLS + IPv6 overhead in a single TCP segment for lo and 3 segments for hi:
>++ 1369 = 1500 - 40 (IP) - 20 (TCP) - 10 (Time) - 61 (Max TLS overhead) */
>++ ngx_conf_merge_size_value(conf->dyn_rec_size_lo, prev->dyn_rec_size_lo,
>++ 1369);
>++ /* 4229 = (1500 - 40 - 20 - 10) * 3 - 61 */
>++ ngx_conf_merge_size_value(conf->dyn_rec_size_hi, prev->dyn_rec_size_hi,
>++ 4229);
>++ ngx_conf_merge_uint_value(conf->dyn_rec_threshold, prev->dyn_rec_threshold,
>++ 40);
>++
>+ conf->ssl.log = cf->log;
>+
>+ if (conf->enable) {
>+@@ -943,6 +997,28 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *
>+ return NGX_CONF_ERROR;
>+ }
>+
>++ if (conf->dyn_rec_enable) {
>++ conf->ssl.dyn_rec.timeout = conf->dyn_rec_timeout;
>++ conf->ssl.dyn_rec.threshold = conf->dyn_rec_threshold;
>++
>++ if (conf->buffer_size > conf->dyn_rec_size_lo) {
>++ conf->ssl.dyn_rec.size_lo = conf->dyn_rec_size_lo;
>++
>++ } else {
>++ conf->ssl.dyn_rec.size_lo = conf->buffer_size;
>++ }
>++
>++ if (conf->buffer_size > conf->dyn_rec_size_hi) {
>++ conf->ssl.dyn_rec.size_hi = conf->dyn_rec_size_hi;
>++
>++ } else {
>++ conf->ssl.dyn_rec.size_hi = conf->buffer_size;
>++ }
>++
>++ } else {
>++ conf->ssl.dyn_rec.timeout = 0;
>++ }
>++
>+ return NGX_CONF_OK;
>+ }
>+
>+--- src/http/modules/ngx_http_ssl_module.h.orig 2021-04-20 13:35:47 UTC
>++++ src/http/modules/ngx_http_ssl_module.h
>+@@ -67,6 +67,12 @@ typedef struct {
>+
>+ u_char *file;
>+ ngx_uint_t line;
>++
>++ ngx_flag_t dyn_rec_enable;
>++ ngx_msec_t dyn_rec_timeout;
>++ size_t dyn_rec_size_lo;
>++ size_t dyn_rec_size_hi;
>++ ngx_uint_t dyn_rec_threshold;
>+ } ngx_http_ssl_srv_conf_t;
>+
>+
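Review bot: The four non-boolean directives added to the `ngx_http_ssl_commands` table in the nested ngx_http_ssl_module.c hunk (`ssl_dyn_rec_timeout`, `ssl_dyn_rec_size_lo`, `ssl_dyn_rec_size_hi`, `ssl_dyn_rec_threshold`) carry the `NGX_CONF_FLAG` type mask while using the msec/size/num slot handlers; nginx's convention for a single non-on/off argument is `NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,`, and the flag mask misdocuments them as boolean switches. The new block at the end of `ngx_http_ssl_merge_srv_conf` clamps both sizes to `buffer_size` but never checks that `dyn_rec_size_lo <= dyn_rec_size_hi` or that `dyn_rec_threshold` is non-zero, so a misconfiguration is silently accepted and records would shrink rather than grow past the threshold; the usual nginx response is an `ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, ...)` followed by `return NGX_CONF_ERROR;`. The change of `NGX_SSL_MAX_SESSION_SIZE` from 4096 to 16384 in ngx_event_openssl.h is unrelated to record sizing and appears to raise the cap on sessions admitted to the shared session cache, so it deserves a sentence of its own in the port's commit message or a comment next to the define. The resizing logic in `ngx_ssl_send_chain` and the counter updates in `ngx_ssl_write` belong to functions whose bodies extend outside the nested hunks.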