From: Willy Tarreau
Date: Wed, 28 May 2014 10:28:58 +0000 (+0200)
Subject: MINOR: stats: report SSL key computations per second
X-Git-Tag: v1.5-dev26~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0c9c2720dcf67604543c1450a2bfb63d2781b9af;p=thirdparty%2Fhaproxy.git

MINOR: stats: report SSL key computations per second

It's commonly needed to know how many SSL asymmetric keys are computed per second on either side (frontend or backend), and to know the SSL session reuse ratio. Now we compute these values and report them in "show info".
---

diff --git a/include/types/global.h b/include/types/global.h
index c945f53cc9..fa93cbfab5 100644
--- a/include/types/global.h
+++ b/include/types/global.h
@@ -90,11 +90,14 @@ struct global {
 struct freq_ctr conn_per_sec;
 struct freq_ctr sess_per_sec;
 struct freq_ctr ssl_per_sec;
+ struct freq_ctr ssl_fe_keys_per_sec;
+ struct freq_ctr ssl_be_keys_per_sec;
 struct freq_ctr comp_bps_in; /* bytes per second, before http compression */
 struct freq_ctr comp_bps_out; /* bytes per second, after http compression */
 int cps_lim, cps_max;
 int sps_lim, sps_max;
 int ssl_lim, ssl_max;
+ int ssl_fe_keys_max, ssl_be_keys_max;
 int comp_rate_lim; /* HTTP compression rate limit */
 int maxpipes; /* max # of pipes */
 int maxsock; /* max # of sockets */
diff --git a/src/dumpstats.c b/src/dumpstats.c
index 1b5b3a1e27..038af887ce 100644
--- a/src/dumpstats.c
+++ b/src/dumpstats.c
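Review bot: The four fields added to struct global in the global.h hunk carry no trailing comment, while the neighbouring members (`comp_bps_in`, `comp_rate_lim`, `maxpipes`) each document their unit and meaning, and `_per_sec`/`_max` alone do not say what a "key" is or how `_max` is maintained. Following the ssl_sock.c hunk, where the counter is bumped on a non-resumed handshake and the max is raised whenever `curr_ctr` exceeds it, I'd write `struct freq_ctr ssl_fe_keys_per_sec; /* SSL asymmetric key computations (full handshakes) per second, frontend side */`, the same for the backend field, and `int ssl_fe_keys_max, ssl_be_keys_max; /* highest per-second key rates seen, fe/be */`. The struct definition continues outside the hunk.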
@@ -2420,6 +2420,17 @@ static int stats_dump_info_to_buffer(struct stream_interface *si) { unsigned int up = (now.tv_sec - start_date.tv_sec); +#ifdef USE_OPENSSL + int ssl_sess_rate = read_freq_ctr(&global.ssl_per_sec); + int ssl_key_rate = read_freq_ctr(&global.ssl_fe_keys_per_sec); + int ssl_reuse = 0; + + if (ssl_key_rate < ssl_sess_rate) { + /* count the ssl reuse ratio and avoid overflows in both directions */ + ssl_reuse = 100 - (100 * ssl_key_rate + (ssl_sess_rate - 1) / 2) / ssl_sess_rate; + } +#endif + chunk_printf(&trash, "Name: " PRODUCT_NAME "\n" "Version: " HAPROXY_VERSION "\n" @@ -2455,6 +2466,11 @@ static int stats_dump_info_to_buffer(struct stream_interface *si) "SslRate: %d\n" "SslRateLimit: %d\n" "MaxSslRate: %d\n" + "SslFrontendKeyRate: %d\n" + "SslFrontendMaxKeyRate: %d\n" + "SslFrontendSessionReuse_pct: %d\n" + "SslBackendKeyRate: %d\n" + "SslBackendMaxKeyRate: %d\n" #endif "CompressBpsIn: %u\n" "CompressBpsOut: %u\n" @@ -2485,7 +2501,10 @@ static int stats_dump_info_to_buffer(struct stream_interface *si) read_freq_ctr(&global.conn_per_sec), global.cps_lim, global.cps_max, read_freq_ctr(&global.sess_per_sec), global.sps_lim, global.sps_max, #ifdef USE_OPENSSL - read_freq_ctr(&global.ssl_per_sec), global.ssl_lim, global.ssl_max, + ssl_sess_rate, global.ssl_lim, global.ssl_max, + ssl_key_rate, global.ssl_fe_keys_max, + ssl_reuse, + read_freq_ctr(&global.ssl_be_keys_per_sec), global.ssl_be_keys_max, #endif read_freq_ctr(&global.comp_bps_in), read_freq_ctr(&global.comp_bps_out), global.comp_rate_lim, diff --git a/src/ssl_sock.c b/src/ssl_sock.c index 880e7275b0..b207580b68 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c 
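Review bot: The guard `if (ssl_key_rate < ssl_sess_rate)` in the first dumpstats.c hunk leaves `ssl_reuse` at 0 whenever the frontend key rate reaches or exceeds the session rate, and since the two rates come from separate read_freq_ctr() calls on counters that are fed by different events (the key counter is bumped when a handshake completes in the ssl_sock.c hunk; `ssl_per_sec` is not touched by this commit), a transient key rate at or above the session rate prints the same 0 as "no reuse at all". That is acceptable for a statistic, but the comment `/* count the ssl reuse ratio and avoid overflows in both directions */` does not say so, and "overflows" is misleading: what the guard actually prevents is a division by zero (`ssl_sess_rate` is at least 1 inside the branch) and a negative percentage. I'd reword it to `/* reuse ratio with rounding; ssl_sess_rate > ssl_key_rate >= 0 here, so no division by zero and the result stays within 0..100. The two rates are sampled independently, so a key rate at or above the session rate reports 0. */`. stats_dump_info_to_buffer() continues outside the hunk.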
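Review bot: `SslFrontendSessionReuse_pct` in the second dumpstats.c hunk is the only key in the "show info" format string that mixes CamelCase with an underscore; every other key added or shown here (`SslFrontendKeyRate`, `SslBackendMaxKeyRate`, `CompressBpsIn`) is plain CamelCase. These keys are scraped by monitoring tools and become hard to rename once released, so I'd settle the spelling now, e.g. `"SslFrontendSessionReusePct: %d\n"`, and mirror it wherever the "show info" keys are documented, if such a list exists.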
@@ -1447,14 +1447,23 @@ int ssl_sock_handshake(struct connection *conn, unsigned int flag) reneg_ok: /* Handshake succeeded */ - if (objt_server(conn->target)) { - if (!SSL_session_reused(conn->xprt_ctx)) { + if (!SSL_session_reused(conn->xprt_ctx)) { + if (objt_server(conn->target)) { + update_freq_ctr(&global.ssl_be_keys_per_sec, 1); + if (global.ssl_be_keys_per_sec.curr_ctr > global.ssl_be_keys_max) + global.ssl_be_keys_max = global.ssl_be_keys_per_sec.curr_ctr; + /* check if session was reused, if not store current session on server for reuse */ if (objt_server(conn->target)->ssl_ctx.reused_sess) SSL_SESSION_free(objt_server(conn->target)->ssl_ctx.reused_sess); objt_server(conn->target)->ssl_ctx.reused_sess = SSL_get1_session(conn->xprt_ctx); } + else { + update_freq_ctr(&global.ssl_fe_keys_per_sec, 1); + if (global.ssl_fe_keys_per_sec.curr_ctr > global.ssl_fe_keys_max) + global.ssl_fe_keys_max = global.ssl_fe_keys_per_sec.curr_ctr; + } } /* The connection is now established at both layers, it's time to leave */
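Review bot: The comment `/* check if session was reused, if not store current session on server for reuse */` is stale after the restructuring: it now sits inside the `if (!SSL_session_reused(conn->xprt_ctx))` branch, so the check it describes has already been made two levels up and the lines it precedes only store the session. I'd reword it to `/* not reused: keep the fresh session on the server so later connections can resume it */`, and put `/* a handshake without session resumption is one asymmetric key computation; count it per side */` above the outer if, since that is what the commit message says these counters measure. The frontend and backend branches also repeat the same update-and-track-max sequence on `global.ssl_*_keys_per_sec` / `global.ssl_*_keys_max`; a small static helper keeps the two from drifting apart, as sketched below. ssl_sock_handshake() begins and ends outside the hunk.
```c
/* a handshake without session resumption is one asymmetric key computation:
 * count it on <ctr> and keep <max> at the highest per-second rate seen */
static inline void ssl_sock_count_key(struct freq_ctr *ctr, int *max)
{
	update_freq_ctr(ctr, 1);
	if (ctr->curr_ctr > *max)
		*max = ctr->curr_ctr;
}

/* … unchanged: ssl_sock_handshake() up to reneg_ok … */
	if (!SSL_session_reused(conn->xprt_ctx)) {
		if (objt_server(conn->target)) {
			ssl_sock_count_key(&global.ssl_be_keys_per_sec, &global.ssl_be_keys_max);
			/* … unchanged: store the fresh session on the server for reuse … */
		}
		else
			ssl_sock_count_key(&global.ssl_fe_keys_per_sec, &global.ssl_fe_keys_max);
	}
```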