changeset 7008:29c6d66b83ba

SSL: set TCP_NODELAY on SSL connections before handshake. With OpenSSL 1.1.0+, the workaround for handshake buffer size as introduced in a720f0b0e083 (ticket #413) no longer works, as OpenSSL no longer exposes handshake buffers, see https://github.com/openssl/openssl/commit/2e7dc7cd688. Moreover, it is no longer possible to adjust handshake buffers at all now. To avoid additional RTT if handshake uses more than 4k we now set TCP_NODELAY on SSL connections before handshake. While this still results in sub-optimal network utilization due to incomplete packets being sent, it seems to be better than nothing.
author Maxim Dounin <mdounin@mdounin.ru>
date Mon, 29 May 2017 16:34:29 +0300
parents ed1101bbf19f
children 03444167a3bb
files src/http/ngx_http_request.c src/stream/ngx_stream_ssl_module.c
diffstat 2 files changed, 27 insertions(+), 11 deletions(-) [+]
--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c
@@ -623,14 +623,15 @@ ngx_http_create_request(ngx_connection_t
 static void
 ngx_http_ssl_handshake(ngx_event_t *rev)
 {
-    u_char                   *p, buf[NGX_PROXY_PROTOCOL_MAX_HEADER + 1];
-    size_t                    size;
-    ssize_t                   n;
-    ngx_err_t                 err;
-    ngx_int_t                 rc;
-    ngx_connection_t         *c;
-    ngx_http_connection_t    *hc;
-    ngx_http_ssl_srv_conf_t  *sscf;
+    u_char                    *p, buf[NGX_PROXY_PROTOCOL_MAX_HEADER + 1];
+    size_t                     size;
+    ssize_t                    n;
+    ngx_err_t                  err;
+    ngx_int_t                  rc;
+    ngx_connection_t          *c;
+    ngx_http_connection_t     *hc;
+    ngx_http_ssl_srv_conf_t   *sscf;
+    ngx_http_core_loc_conf_t  *clcf;
 
     c = rev->data;
     hc = c->data;
@@ -712,6 +713,14 @@ ngx_http_ssl_handshake(ngx_event_t *rev)
             ngx_log_debug1(NGX_LOG_DEBUG_HTTP, rev->log, 0,
                            "https ssl handshake: 0x%02Xd", buf[0]);
 
+            clcf = ngx_http_get_module_loc_conf(hc->conf_ctx,
+                                                ngx_http_core_module);
+
+            if (clcf->tcp_nodelay && ngx_tcp_nodelay(c) != NGX_OK) {
+                ngx_http_close_connection(c);
+                return;
+            }
+
             sscf = ngx_http_get_module_srv_conf(hc->conf_ctx,
                                                 ngx_http_ssl_module);
 
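Review bot: The `clcf` lookup goes through `hc->conf_ctx` before any ClientHello or request has been processed, so the `tcp_nodelay` value tested here is presumably the default server's, not that of the virtual server eventually selected. A `tcp_nodelay off` set in another server or in a location block would then not keep the option from being set on the socket. Neither this nor the reason for setting the option so early is recorded in the code; the reason exists only in the commit message. I would add a comment above the check, e.g. `/* set TCP_NODELAY before the handshake to avoid an extra RTT; this uses the default server's setting, as SNI is not known yet */`. The rationale comment is also missing in the ngx_stream_ssl_init_connection() hunk, and the enclosing function starts and ends outside this hunk.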
--- a/src/stream/ngx_stream_ssl_module.c
+++ b/src/stream/ngx_stream_ssl_module.c
@@ -352,12 +352,19 @@ ngx_stream_ssl_handler(ngx_stream_sessio
 static ngx_int_t
 ngx_stream_ssl_init_connection(ngx_ssl_t *ssl, ngx_connection_t *c)
 {
-    ngx_int_t               rc;
-    ngx_stream_session_t   *s;
-    ngx_stream_ssl_conf_t  *sslcf;
+    ngx_int_t                    rc;
+    ngx_stream_session_t        *s;
+    ngx_stream_ssl_conf_t       *sslcf;
+    ngx_stream_core_srv_conf_t  *cscf;
 
     s = c->data;
 
+    cscf = ngx_stream_get_module_srv_conf(s, ngx_stream_core_module);
+
+    if (cscf->tcp_nodelay && ngx_tcp_nodelay(c) != NGX_OK) {
+        return NGX_ERROR;
+    }
+
     if (ngx_ssl_create_connection(ssl, c, 0) == NGX_ERROR) {
         return NGX_ERROR;
     }