From 08694cc9de5bb1bb3e58fae035a244e1917f6e6f Mon Sep 17 00:00:00 2001
From: Dayang Shen
Date: Sun, 20 Mar 2022 14:29:26 +0800
Subject: [PATCH] Make certificate cache size configurable

---
 .../nginx-configuration/configmap.md | 9 +++++++
 internal/ingress/controller/config/config.go | 5 ++++
 rootfs/etc/nginx/lua/certificate.lua | 25 +++++++++----------
 .../etc/nginx/lua/test/certificate_test.lua | 2 +-
 rootfs/etc/nginx/template/nginx.tmpl | 1 +
 5 files changed, 28 insertions(+), 14 deletions(-)

diff --git a/docs/user-guide/nginx-configuration/configmap.md b/docs/user-guide/nginx-configuration/configmap.md
index 75971b9a5..9670e4652 100644
--- a/docs/user-guide/nginx-configuration/configmap.md
+++ b/docs/user-guide/nginx-configuration/configmap.md
@@ -95,6 +95,7 @@ The following table shows a configuration option's name, type, and the default v
 |[ssl-session-ticket-key](#ssl-session-ticket-key)|string|``|
 |[ssl-session-timeout](#ssl-session-timeout)|string|"10m"||
 |[ssl-buffer-size](#ssl-buffer-size)|string|"4k"||
+|[ssl-certificate-cache-size](#ssl-certificate-cache-size)|int|1000|
 |[use-proxy-protocol](#use-proxy-protocol)|bool|"false"||
 |[proxy-protocol-header-timeout](#proxy-protocol-header-timeout)|string|"5s"||
 |[enable-aio-write](#enable-aio-write)|bool|"true"||
@@ -701,6 +702,14 @@ Sets the size of the [SSL buffer](https://nginx.org/en/docs/http/ngx_http_ssl_mo
 _References:_
 [https://www.igvita.com/2013/12/16/optimizing-nginx-tls-time-to-first-byte/](https://www.igvita.com/2013/12/16/optimizing-nginx-tls-time-to-first-byte/)
 
+## ssl-certificate-cache-size
+
+Sets the size of cache that stores parsed SSL certificate objects.
+
+The cache helps reduce memory consumption of SSL context per connection. Increase the value if you have huge amount of certificates.
+
+_**default:**_ is 1000.
+
 ## use-proxy-protocol
 
 Enables or disables the [PROXY protocol](https://www.nginx.com/resources/admin-guide/proxy-protocol/) to receive client connection (real IP address) information passed through proxy servers and load balancers such as HAProxy and Amazon Elastic Load Balancer (ELB).
diff --git a/internal/ingress/controller/config/config.go b/internal/ingress/controller/config/config.go
index bad82b8b0..1a72850aa 100644
--- a/internal/ingress/controller/config/config.go
+++ b/internal/ingress/controller/config/config.go
@@ -413,6 +413,10 @@ type Configuration struct {
 // Default: false
 SSLRejectHandshake bool `json:"ssl-reject-handshake"`
 
+ // Sets the size of cache that stores parsed SSL certificate objects.
+ // The cache helps reduce memory consumption of SSL context per connection.
+ SSLCertificateCacheSize int `json:"ssl-certificate-cache-size,omitempty"`
+
 // Enables or disables the use of the PROXY protocol to receive client connection
 // (real IP address) information passed through proxy servers and load balancers
 // such as HAproxy and Amazon Elastic Load Balancer (ELB).
@@ -837,6 +841,7 @@ func NewDefault() Configuration {
 SSLSessionCacheSize: sslSessionCacheSize,
 SSLSessionTickets: false,
 SSLSessionTimeout: sslSessionTimeout,
+ SSLCertificateCacheSize: 1000,
 EnableBrotli: false,
 EnableAioWrite: true,
 UseGzip: false,
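Review bot: Nothing in the new `SSLCertificateCacheSize` field or the `NewDefault` entry constrains the value to a positive integer, so a configmap value of 0 or a negative number is passed through to the Lua cache constructor, which as far as I recall rejects sizes below 1 — unless the configmap reader validates it somewhere outside this diff. A rejected value would surface only as a Lua init failure when the rendered nginx config is loaded, so stating the constraint on the field and enforcing it where the configmap is parsed (falling back to the default 1000) would fail earlier and more clearly. Suggested doc comment on the field: `// Must be greater than 0. Default: 1000`, matching the `// Default:` convention of the neighbouring fields. The `omitempty` on the new json tag also differs from `SSLRejectHandshake` just above; if deliberate, a word on why would help.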
diff --git a/rootfs/etc/nginx/lua/certificate.lua b/rootfs/etc/nginx/lua/certificate.lua
index 63245073d..612184a2a 100644
--- a/rootfs/etc/nginx/lua/certificate.lua
+++ b/rootfs/etc/nginx/lua/certificate.lua
@@ -19,16 +19,7 @@ local DEFAULT_CERT_HOSTNAME = "_"
 local certificate_data = ngx.shared.certificate_data
 local certificate_servers = ngx.shared.certificate_servers
 local ocsp_response_cache = ngx.shared.ocsp_response_cache
-
-local CACHE_SIZE = 1000
-local cache
-do
- local err
- cache, err = lrucache.new(CACHE_SIZE)
- if not cache then
- return error("failed to create the certificate cache: " .. (err or "unknown"))
- end
-end
+local certificate_cache
 
 local function get_cert_and_priv_key(pem_cert_key)
 local cert, cert_err = ssl.parse_pem_cert(pem_cert_key)
@@ -232,8 +223,16 @@ function _M.configured_for_current_request()
 return ngx.ctx.cert_configured_for_current_request
 end
 
+function _M.set_cache_size(size)
+ local cache, err = lrucache.new(size)
+ if err then
+ ngx.log(ngx.ERR, string.format("failed to create the certificate cache: %s", tostring(err)))
+ end
+ certificate_cache = cache
+end
+
 function _M.flush_cache()
- cache:flush_all()
+ certificate_cache:flush_all()
 end
 
 function _M.call()
@@ -258,7 +257,7 @@ function _M.call()
 return
 end
 
- local cached_entry = cache:get(pem_cert_uid)
+ local cached_entry = certificate_cache:get(pem_cert_uid)
 if cached_entry then
 cert = cached_entry.cert
 priv_key = cached_entry.priv_key
@@ -283,7 +282,7 @@ function _M.call()
 return ngx.exit(ngx.ERROR)
 end
 
- cache:set(pem_cert_uid, { cert = cert, priv_key = priv_key, der_cert = der_cert })
+ certificate_cache:set(pem_cert_uid, { cert = cert, priv_key = priv_key, der_cert = der_cert })
 end
 
 local clear_ok, clear_err = ssl.clear_certs()
diff --git a/rootfs/etc/nginx/lua/test/certificate_test.lua b/rootfs/etc/nginx/lua/test/certificate_test.lua
index ced4b80b7..8a0b3fee4 100644
--- a/rootfs/etc/nginx/lua/test/certificate_test.lua
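Review bot: `set_cache_size` in the second hunk assigns `certificate_cache = cache` even when creation failed, so on that path the module-level cache becomes nil and the next `certificate_cache:get`, `:set` (third and fourth hunks) or `flush_cache` raises an index-on-nil error during a TLS handshake, whereas the removed `do` block failed at module load. As far as I recall `resty.lrucache.new` raises for a size below 1 instead of returning `nil, err`, so the `if err` branch may never fire either; worth confirming against the bundled library. Keeping the original fail-fast is the simplest fix: `if not cache then error("failed to create the certificate cache: " .. tostring(err)) end` before the assignment, so a bad configmap value surfaces at init rather than per connection. Since `certificate_cache` now stays nil until the template calls `set_cache_size`, a comment on its declaration such as `-- populated by set_cache_size() from init_by_lua; nil until then` would make the init-order dependency explicit.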
+++ b/rootfs/etc/nginx/lua/test/certificate_test.lua
@@ -78,7 +78,7 @@ describe("Certificate", function()
 ngx.exit = function(status) end
-
+ certificate.set_cache_size(1000)
 set_certificate(DEFAULT_CERT_HOSTNAME, DEFAULT_CERT, DEFAULT_UUID)
 end)
diff --git a/rootfs/etc/nginx/template/nginx.tmpl b/rootfs/etc/nginx/template/nginx.tmpl
index d58be2880..2393c4f7c 100644
--- a/rootfs/etc/nginx/template/nginx.tmpl
+++ b/rootfs/etc/nginx/template/nginx.tmpl
@@ -112,6 +112,7 @@ http {
 else
 certificate = res
 certificate.is_ocsp_stapling_enabled = {{ $cfg.EnableOCSP }}
+ certificate.set_cache_size({{ $cfg.SSLCertificateCacheSize }})
 end
 
 ok, res = pcall(require, "plugins")
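Review bot: The added `certificate.set_cache_size({{ $cfg.SSLCertificateCacheSize }})` runs in the plain `else` branch, presumably outside the `pcall` that guarded the `require`, so if the Lua side rejects the value the whole init block aborts with a message that does not mention `ssl-certificate-cache-size`. Wrapping the call so the failure names the configmap key keeps a bad value diagnosable: `local ok_cs, cs_err = pcall(certificate.set_cache_size, {{ $cfg.SSLCertificateCacheSize }})` followed by `if not ok_cs then error("ssl-certificate-cache-size: " .. tostring(cs_err)) end`. Because the value is rendered from a Go `int`, no quoting or escaping concern arises here. The enclosing init block starts and ends outside the hunk.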