MINOR: stats: report SSL key computations per second
authorWilly Tarreau <w@1wt.eu>
Wed, 28 May 2014 10:28:58 +0000 (12:28 +0200)
committerWilly Tarreau <w@1wt.eu>
Wed, 28 May 2014 10:28:58 +0000 (12:28 +0200)
It's commonly needed to know how many SSL asymmetric keys are computed
per second on either side (frontend or backend), and to know the SSL
session reuse ratio. Now we compute these values and report them in
"show info".

include/types/global.h
src/dumpstats.c
src/ssl_sock.c

index c945f53cc9698e10a9b878cb297f7c9d9ba3c7d5..fa93cbfab5a9a1578f2c1e9f80ba29c5a86a73e3 100644 (file)
@@ -90,11 +90,14 @@ struct global {
        struct freq_ctr conn_per_sec;
        struct freq_ctr sess_per_sec;
        struct freq_ctr ssl_per_sec;
+       struct freq_ctr ssl_fe_keys_per_sec;
+       struct freq_ctr ssl_be_keys_per_sec;
        struct freq_ctr comp_bps_in;    /* bytes per second, before http compression */
        struct freq_ctr comp_bps_out;   /* bytes per second, after http compression */
        int cps_lim, cps_max;
        int sps_lim, sps_max;
        int ssl_lim, ssl_max;
+       int ssl_fe_keys_max, ssl_be_keys_max;
        int comp_rate_lim;           /* HTTP compression rate limit */
        int maxpipes;           /* max # of pipes */
        int maxsock;            /* max # of sockets */
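Review bot: The new members `ssl_fe_keys_per_sec`, `ssl_be_keys_per_sec` and the `ssl_fe_keys_max, ssl_be_keys_max` pair carry no comment, and their meaning is narrower than the names suggest. Going by the ssl_sock.c part of this commit, they count completed handshakes in which the session was not reused, not every handshake. I would add trailing comments such as `/* SSL handshakes without session reuse (new key computation) per second, frontend side */`, a matching one for the backend, and `/* highest key counts observed so far, frontend / backend */` on the max pair. The struct definition starts and ends outside this hunk.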
index 1b5b3a1e27743b5e6682705ead1448eb5a10bb7f..038af887ce2bc6955b7a9b35399e05b3b2714174 100644 (file)
@@ -2420,6 +2420,17 @@ static int stats_dump_info_to_buffer(struct stream_interface *si)
 {
        unsigned int up = (now.tv_sec - start_date.tv_sec);
 
+#ifdef USE_OPENSSL
+       int ssl_sess_rate = read_freq_ctr(&global.ssl_per_sec);
+       int ssl_key_rate = read_freq_ctr(&global.ssl_fe_keys_per_sec);
+       int ssl_reuse = 0;
+
+       if (ssl_key_rate < ssl_sess_rate) {
+               /* count the ssl reuse ratio and avoid overflows in both directions */
+               ssl_reuse = 100 - (100 * ssl_key_rate + (ssl_sess_rate - 1) / 2) / ssl_sess_rate;
+       }
+#endif
+
        chunk_printf(&trash,
                     "Name: " PRODUCT_NAME "\n"
                     "Version: " HAPROXY_VERSION "\n"
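Review bot: The comment above the `ssl_reuse` computation says "avoid overflows in both directions" but does not explain what the `ssl_key_rate < ssl_sess_rate` guard actually does. It guarantees a non-zero divisor and leaves the result at 0 whenever the key rate meets or exceeds the session rate. I would reword it to `/* reuse % = 100 - round(100 * keys / sessions); the guard rules out a zero divisor and keeps the result within 0..100 */`. It is also worth documenting that the value is an estimate from two independent counters: `ssl_fe_keys_per_sec` is only bumped when a handshake completes, while `ssl_per_sec` is updated outside this diff. If `ssl_per_sec` counts at accept time, a burst of connections that never finish the handshake would raise the reported reuse percentage, so anyone alerting on a drop in `SslFrontendSessionReuse_pct` should watch `SslFrontendKeyRate` as well. The function body continues outside this hunk.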
@@ -2455,6 +2466,11 @@ static int stats_dump_info_to_buffer(struct stream_interface *si)
                     "SslRate: %d\n"
                     "SslRateLimit: %d\n"
                     "MaxSslRate: %d\n"
+                    "SslFrontendKeyRate: %d\n"
+                    "SslFrontendMaxKeyRate: %d\n"
+                    "SslFrontendSessionReuse_pct: %d\n"
+                    "SslBackendKeyRate: %d\n"
+                    "SslBackendMaxKeyRate: %d\n"
 #endif
                     "CompressBpsIn: %u\n"
                     "CompressBpsOut: %u\n"
@@ -2485,7 +2501,10 @@ static int stats_dump_info_to_buffer(struct stream_interface *si)
                     read_freq_ctr(&global.conn_per_sec), global.cps_lim, global.cps_max,
                     read_freq_ctr(&global.sess_per_sec), global.sps_lim, global.sps_max,
 #ifdef USE_OPENSSL
-                    read_freq_ctr(&global.ssl_per_sec), global.ssl_lim, global.ssl_max,
+                    ssl_sess_rate, global.ssl_lim, global.ssl_max,
+                    ssl_key_rate, global.ssl_fe_keys_max,
+                    ssl_reuse,
+                    read_freq_ctr(&global.ssl_be_keys_per_sec), global.ssl_be_keys_max,
 #endif
                     read_freq_ctr(&global.comp_bps_in), read_freq_ctr(&global.comp_bps_out),
                     global.comp_rate_lim,
index 880e7275b0881e4dc908f31f9f482f74be481c22..b207580b689154a08a22c8972beed5021013b6b0 100644 (file)
@@ -1447,14 +1447,23 @@ int ssl_sock_handshake(struct connection *conn, unsigned int flag)
 reneg_ok:
 
        /* Handshake succeeded */
-       if (objt_server(conn->target)) {
-               if (!SSL_session_reused(conn->xprt_ctx)) {
+       if (!SSL_session_reused(conn->xprt_ctx)) {
+               if (objt_server(conn->target)) {
+                       update_freq_ctr(&global.ssl_be_keys_per_sec, 1);
+                       if (global.ssl_be_keys_per_sec.curr_ctr > global.ssl_be_keys_max)
+                               global.ssl_be_keys_max = global.ssl_be_keys_per_sec.curr_ctr;
+
                        /* check if session was reused, if not store current session on server for reuse */
                        if (objt_server(conn->target)->ssl_ctx.reused_sess)
                                SSL_SESSION_free(objt_server(conn->target)->ssl_ctx.reused_sess);
 
                        objt_server(conn->target)->ssl_ctx.reused_sess = SSL_get1_session(conn->xprt_ctx);
                }
+               else {
+                       update_freq_ctr(&global.ssl_fe_keys_per_sec, 1);
+                       if (global.ssl_fe_keys_per_sec.curr_ctr > global.ssl_fe_keys_max)
+                               global.ssl_fe_keys_max = global.ssl_fe_keys_per_sec.curr_ctr;
+               }
        }
 
        /* The connection is now established at both layers, it's time to leave */
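Review bot: The kept comment "check if session was reused, if not store current session on server for reuse" is stale, because the reuse test has moved to the outer `if (!SSL_session_reused(conn->xprt_ctx))` and the code under the comment only replaces the stored session. I would change it to `/* session was not reused: replace the one stored on the server so the next connection can resume it */`. The `else` branch would also benefit from a short `/* not a server target: count as a frontend key computation */`, since every non-server target lands there. As a style point, `objt_server(conn->target)` is now evaluated up to four times in the server branch, and a local `struct server *srv = objt_server(conn->target);` would make that branch easier to read. `ssl_sock_handshake` starts and ends outside this hunk.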