RepoMirrors/haproxy
1
0
Fork 0
mirror of http://git.haproxy.org/git/haproxy.git/ synced 2024-12-15 16:04:37 +00:00
Code Issues Packages Projects Releases Wiki Activity

DOC: tune: explain the origin of block size for ssl.cachesize

Browse Source 
A user could eventually ask himself where those 200 bytes block size are
coming from. This patch tries to better explain the origin in case
people are curious or want to double check the reality.

Signed-off-by: William Dauchy <wdauchy@gmail.com>
This commit is contained in:
William Dauchy 2021-02-12 15:58:46 +01:00 committed by Willy Tarreau
parent 4b10302fd8
commit 9a4bbfe151
1 changed files with 11 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
doc/configuration.txt
View File

@ -2520,16 +2520,17 @@ tune.sndbuf.server <number>
tune.ssl.cachesize <number>
Sets the size of the global SSL session cache, in a number of blocks. A block
is large enough to contain an encoded session without peer certificate.
An encoded session with peer certificate is stored in multiple blocks
depending on the size of the peer certificate. A block uses approximately
200 bytes of memory. The default value may be forced at build time, otherwise
defaults to 20000. When the cache is full, the most idle entries are purged
and reassigned. Higher values reduce the occurrence of such a purge, hence
the number of CPU-intensive SSL handshakes by ensuring that all users keep
their session as long as possible. All entries are pre-allocated upon startup
and are shared between all processes if "nbproc" is greater than 1. Setting
this value to 0 disables the SSL session cache.
is large enough to contain an encoded session without peer certificate. An
encoded session with peer certificate is stored in multiple blocks depending
on the size of the peer certificate. A block uses approximately 200 bytes of
memory (based on `sizeof(struct sh_ssl_sess_hdr) + SHSESS_BLOCK_MIN_SIZE`
calculation used for `shctx_init` function). The default value may be forced
at build time, otherwise defaults to 20000. When the cache is full, the most
idle entries are purged and reassigned. Higher values reduce the occurrence
of such a purge, hence the number of CPU-intensive SSL handshakes by ensuring
that all users keep their session as long as possible. All entries are
pre-allocated upon startup and are shared between all processes if "nbproc"
is greater than 1. Setting this value to 0 disables the SSL session cache.
tune.ssl.force-private-cache
This option disables SSL session cache sharing between all processes. It