diff --git a/include/types/global.h b/include/types/global.h
index c945f53cc..fa93cbfab 100644
--- a/include/types/global.h
+++ b/include/types/global.h
@@ -90,11 +90,14 @@ struct global {
 struct freq_ctr conn_per_sec;
 struct freq_ctr sess_per_sec;
 struct freq_ctr ssl_per_sec;
+ struct freq_ctr ssl_fe_keys_per_sec;
+ struct freq_ctr ssl_be_keys_per_sec;
 struct freq_ctr comp_bps_in; /* bytes per second, before http compression */
 struct freq_ctr comp_bps_out; /* bytes per second, after http compression */
 int cps_lim, cps_max;
 int sps_lim, sps_max;
 int ssl_lim, ssl_max;
+ int ssl_fe_keys_max, ssl_be_keys_max;
 int comp_rate_lim; /* HTTP compression rate limit */
 int maxpipes; /* max # of pipes */
 int maxsock; /* max # of sockets */
diff --git a/src/dumpstats.c b/src/dumpstats.c
index 1b5b3a1e2..038af887c 100644
--- a/src/dumpstats.c
+++ b/src/dumpstats.c
@@ -2420,6 +2420,17 @@ static int stats_dump_info_to_buffer(struct stream_interface *si)
 {
 unsigned int up = (now.tv_sec - start_date.tv_sec);
+#ifdef USE_OPENSSL
+ int ssl_sess_rate = read_freq_ctr(&global.ssl_per_sec);
+ int ssl_key_rate = read_freq_ctr(&global.ssl_fe_keys_per_sec);
+ int ssl_reuse = 0;
+
+ if (ssl_key_rate < ssl_sess_rate) {
+ /* count the ssl reuse ratio and avoid overflows in both directions */
+ ssl_reuse = 100 - (100 * ssl_key_rate + (ssl_sess_rate - 1) / 2) / ssl_sess_rate;
+ }
+#endif
+
 chunk_printf(&trash,
 "Name: " PRODUCT_NAME "\n"
 "Version: " HAPROXY_VERSION "\n"
@@ -2455,6 +2466,11 @@ static int stats_dump_info_to_buffer(struct stream_interface *si)
 "SslRate: %d\n"
 "SslRateLimit: %d\n"
 "MaxSslRate: %d\n"
+ "SslFrontendKeyRate: %d\n"
+ "SslFrontendMaxKeyRate: %d\n"
+ "SslFrontendSessionReuse_pct: %d\n"
+ "SslBackendKeyRate: %d\n"
+ "SslBackendMaxKeyRate: %d\n"
 #endif
 "CompressBpsIn: %u\n"
 "CompressBpsOut: %u\n"
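Review bot: The new members `ssl_fe_keys_per_sec`, `ssl_be_keys_per_sec` and the pair `ssl_fe_keys_max, ssl_be_keys_max` are the only fields in this run of `struct global` without a trailing comment, while the neighbouring `comp_bps_in`, `comp_bps_out` and `comp_rate_lim` each say what they hold. Judging from the ssl_sock.c hunk, which bumps them only when `SSL_session_reused()` is false, they count full (non-resumed) TLS handshakes per second and the highest per-second value seen, split by frontend and backend side. I'd document that on each line, e.g. `struct freq_ctr ssl_fe_keys_per_sec; /* full (non-resumed) TLS handshakes per second on frontends */` and `int ssl_fe_keys_max, ssl_be_keys_max; /* peak values of the two counters above */`. The struct definition starts and ends outside this hunk.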
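Review bot: The comment `count the ssl reuse ratio and avoid overflows in both directions` on the `ssl_reuse` computation does not say what actually keeps the expression safe: the guard `ssl_key_rate < ssl_sess_rate` is what excludes a zero divisor and a negative result, and `(ssl_sess_rate - 1) / 2` is a rounding term. I'd reword it to `/* reuse ratio in percent, rounded; the guard above keeps the divisor non-zero and the result within 0..100 */`. Note that `100 * ssl_key_rate` is evaluated in `int`, so it would wrap above roughly 21M keys per second; not a practical rate, but worth a word if the locals stay `int`, and if `read_freq_ctr()` returns `unsigned int` (as I believe it does, not visible here) the assignments also narrow silently. `stats_dump_info_to_buffer` continues outside this hunk.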
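Review bot: `SslFrontendSessionReuse_pct` mixes an underscore suffix into the otherwise CamelCase key names used by the surrounding `SslRate`, `SslRateLimit` and `MaxSslRate` lines; once emitted by this info dump the names become an interface that monitoring tools key on, so they are hard to rename later. I'd settle on `"SslFrontendSessionReusePct: %d\n"` (or drop the unit from the key and document it alongside the other fields) before this ships. The five new `%d` conversions are only paired with their values in the later hunk at -2485, so the two hunks need to be read together when checking the order.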
@@ -2485,7 +2501,10 @@ static int stats_dump_info_to_buffer(struct stream_interface *si)
 read_freq_ctr(&global.conn_per_sec), global.cps_lim, global.cps_max,
 read_freq_ctr(&global.sess_per_sec), global.sps_lim, global.sps_max,
 #ifdef USE_OPENSSL
- read_freq_ctr(&global.ssl_per_sec), global.ssl_lim, global.ssl_max,
+ ssl_sess_rate, global.ssl_lim, global.ssl_max,
+ ssl_key_rate, global.ssl_fe_keys_max,
+ ssl_reuse,
+ read_freq_ctr(&global.ssl_be_keys_per_sec), global.ssl_be_keys_max,
 #endif
 read_freq_ctr(&global.comp_bps_in), read_freq_ctr(&global.comp_bps_out),
 global.comp_rate_lim,
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 880e7275b..b207580b6 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -1447,14 +1447,23 @@ int ssl_sock_handshake(struct connection *conn, unsigned int flag)
 reneg_ok:
 /* Handshake succeeded */
- if (objt_server(conn->target)) {
- if (!SSL_session_reused(conn->xprt_ctx)) {
+ if (!SSL_session_reused(conn->xprt_ctx)) {
+ if (objt_server(conn->target)) {
+ update_freq_ctr(&global.ssl_be_keys_per_sec, 1);
+ if (global.ssl_be_keys_per_sec.curr_ctr > global.ssl_be_keys_max)
+ global.ssl_be_keys_max = global.ssl_be_keys_per_sec.curr_ctr;
 /* check if session was reused, if not store current session on server for reuse */
 if (objt_server(conn->target)->ssl_ctx.reused_sess)
 SSL_SESSION_free(objt_server(conn->target)->ssl_ctx.reused_sess);
 objt_server(conn->target)->ssl_ctx.reused_sess = SSL_get1_session(conn->xprt_ctx);
 }
+ else {
+ update_freq_ctr(&global.ssl_fe_keys_per_sec, 1);
+ if (global.ssl_fe_keys_per_sec.curr_ctr > global.ssl_fe_keys_max)
+ global.ssl_fe_keys_max = global.ssl_fe_keys_per_sec.curr_ctr;
+ }
 }
 /* The connection is now established at both layers, it's time to leave */
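Review bot: The backend key rate is read inline as `read_freq_ctr(&global.ssl_be_keys_per_sec)` in the argument list, while the frontend values were sampled into the `ssl_sess_rate` and `ssl_key_rate` locals in the hunk at -2420; for symmetry, and so that a backend reuse figure could later be derived from the same sample, I'd add `int ssl_be_key_rate = read_freq_ctr(&global.ssl_be_keys_per_sec);` next to those locals and pass `ssl_be_key_rate, global.ssl_be_keys_max,` here. Read against the conversions added at -2455, the order (frontend key rate, frontend max, reuse percent, backend key rate, backend max) does line up, so nothing is misprinted. `stats_dump_info_to_buffer` starts and ends outside this hunk.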