From: Remi Gacogne
Date: Tue, 8 Jun 2021 13:40:11 +0000 (+0200)
Subject: dnsdist: Make the TLS session cache for outgoing connections tunable
X-Git-Tag: dnsdist-1.7.0-alpha1~45^2~16
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=65193dcfaa118ef666aeb97a0d5cc9426cf29d63;p=thirdparty%2Fpdns.git
dnsdist: Make the TLS session cache for outgoing connections tunable
---
diff --git a/pdns/dnsdist-lua.cc b/pdns/dnsdist-lua.cc
index 989d6bab28..69663e5191 100644
--- a/pdns/dnsdist-lua.cc
+++ b/pdns/dnsdist-lua.cc
@@ -43,6 +43,7 @@
 #include "dnsdist-proxy-protocol.hh"
 #include "dnsdist-rings.hh"
 #include "dnsdist-secpoll.hh"
+#include "dnsdist-session-cache.hh"
 #include "dnsdist-tcp-downstream.hh"
 #include "dnsdist-web.hh"
@@ -1238,6 +1239,30 @@ static void setupLuaConfig(LuaContext& luaCtx, bool client, bool configCheck)
 setMaxCachedTCPConnectionsPerDownstream(max);
 });
+ luaCtx.writeFunction("setOutgoingTLSSessionsCacheMaxTicketsPerBackend", [](uint16_t max) {
+ if (g_configurationDone) {
+ g_outputBuffer = "setOutgoingTLSSessionsCacheMaxTicketsPerBackend() cannot be called at runtime!\n";
+ return;
+ }
+ TLSSessionCache::setMaxTicketsPerBackend(max);
+ });
+
+ luaCtx.writeFunction("setOutgoingTLSSessionsCacheCleanupDelay", [](time_t delay) {
+ if (g_configurationDone) {
+ g_outputBuffer = "setOutgoingTLSSessionsCacheCleanupDelay() cannot be called at runtime!\n";
+ return;
+ }
+ TLSSessionCache::setCleanupDelay(delay);
+ });
+
+ luaCtx.writeFunction("setOutgoingTLSSessionsCacheMaxTicketValidity", [](time_t validity) {
+ if (g_configurationDone) {
+ g_outputBuffer = "setOutgoingTLSSessionsCacheMaxTicketValidity() cannot be called at runtime!\n";
+ return;
+ }
+ TLSSessionCache::setSessionValidity(validity);
+ });
+
 luaCtx.writeFunction("setCacheCleaningDelay", [](uint32_t delay) { g_cacheCleaningDelay = delay; });
 luaCtx.writeFunction("setCacheCleaningPercentage", [](uint16_t percentage) { if (percentage < 100) g_cacheCleaningPercentage = percentage; else g_cacheCleaningPercentage = 100; });
diff --git a/pdns/dnsdistdist/dnsdist-session-cache.cc b/pdns/dnsdistdist/dnsdist-session-cache.cc
index be67c925d6..67de195360 100644
--- a/pdns/dnsdistdist/dnsdist-session-cache.cc
+++ b/pdns/dnsdistdist/dnsdist-session-cache.cc
@@ -23,8 +23,9 @@
 TLSSessionCache g_sessionCache;
-time_t const TLSSessionCache::s_cleanupDelay{60};
-time_t const TLSSessionCache::s_sessionValidity{600};
+time_t TLSSessionCache::s_cleanupDelay{60};
+time_t TLSSessionCache::s_sessionValidity{600};
+uint16_t TLSSessionCache::s_maxSessionsPerBackend{20};
 void TLSSessionCache::cleanup(time_t now, const std::lock_guard& lock)
 {
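Review bot: setOutgoingTLSSessionsCacheMaxTicketsPerBackend forwards `max` to `TLSSessionCache::setMaxTicketsPerBackend` without rejecting 0, and the new `putSession` comparison in the dnsdist-session-cache.cc hunk at -50,+51 (`entry.d_sessions.size() >= s_maxSessionsPerBackend`) is then true for an empty entry, so `pop_back()` runs before the `push_front` on the first insert for every backend; if `d_sessions` is a standard sequence container that is undefined behaviour, and the old hard-coded 20 never allowed this. Since these wrappers already refuse calls after `g_configurationDone`, the cheapest fix is a bound check in the same style: `if (max == 0) { g_outputBuffer = "setOutgoingTLSSessionsCacheMaxTicketsPerBackend() expects a value greater than 0!\n"; return; }` (message wording constructed here to match the existing ones), or alternatively guard the eviction in `putSession` with `!entry.d_sessions.empty()`. The two `time_t` setters also accept negative values from Lua; how `cleanup` and `getSession` behave with a negative delay or validity is outside the hunk, so either clamp them here or document the accepted range. `setupLuaConfig` starts and ends outside this hunk.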
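Review bot: Dropping `const` from `s_cleanupDelay` and `s_sessionValidity` and adding `s_maxSessionsPerBackend` makes them plain mutable statics that nothing in the class synchronizes; `putSession` reads `s_maxSessionsPerBackend` (hunk -50,+51) and presumably `cleanup`/`getSession` read the two timers, so the only thing keeping those reads race-free is that the Lua setters in the dnsdist-lua.cc hunk refuse to run once `g_configurationDone` is set. That invariant lives in another file, so it deserves a comment on these definitions: `// Only written from the Lua configuration path before g_configurationDone is set; read without locking afterwards.` If a runtime setter is ever added, these should become `std::atomic` or be read under `d_lock`.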
@@ -50,7 +51,7 @@ void TLSSessionCache::putSession(const boost::uuids::uuid& backendID, time_t now
 }
 auto& entry = d_sessions[backendID];
- if (entry.d_sessions.size() >= d_maxSessionsPerBackend) {
+ if (entry.d_sessions.size() >= s_maxSessionsPerBackend) {
 entry.d_sessions.pop_back();
 }
 entry.d_sessions.push_front(std::move(session));
diff --git a/pdns/dnsdistdist/dnsdist-session-cache.hh b/pdns/dnsdistdist/dnsdist-session-cache.hh
index 598c483382..6cae14034b 100644
--- a/pdns/dnsdistdist/dnsdist-session-cache.hh
+++ b/pdns/dnsdistdist/dnsdist-session-cache.hh
@@ -38,9 +38,25 @@ public:
 void putSession(const boost::uuids::uuid& backendID, time_t now, std::unique_ptr&& session);
 std::unique_ptr getSession(const boost::uuids::uuid& backendID, time_t now);
+ static void setCleanupDelay(time_t delay)
+ {
+ s_cleanupDelay = delay;
+ }
+
+ static void setSessionValidity(time_t validity)
+ {
+ s_sessionValidity = validity;
+ }
+
+ static void setMaxTicketsPerBackend(uint16_t max)
+ {
+ s_maxSessionsPerBackend = max;
+ }
+
 private:
- static time_t const s_cleanupDelay;
- static time_t const s_sessionValidity;
+ static time_t s_cleanupDelay;
+ static time_t s_sessionValidity;
+ static uint16_t s_maxSessionsPerBackend;
 struct BackendEntry
 {
@@ -52,7 +68,6 @@ private:
 // do we need to shard this?
 std::mutex d_lock;
 time_t d_nextCleanup{0};
- uint16_t d_maxSessionsPerBackend{20};
 };
 extern TLSSessionCache g_sessionCache;
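Review bot: The three new public setters in the dnsdist-session-cache.hh hunk at -38,+38 carry no documentation of units or accepted range, and `setMaxTicketsPerBackend` writes `s_maxSessionsPerBackend`, so the "tickets" wording of the API and the Lua functions does not match the "sessions" wording of the member it controls (a point of naming, not behaviour). A one-line Doxygen comment per setter would settle both, for example `/// Upper bound on cached sessions kept per backend; must be at least 1 (putSession evicts before inserting).` on `setMaxTicketsPerBackend`, and on the two time-based ones the unit spelled out (seconds, judging by the 60/600 defaults in the .cc and the `time_t now` parameters, but confirm) plus the note that they are only honoured when called before `g_configurationDone`. The `-52,+68` hunk removing `d_maxSessionsPerBackend` is a pure deletion and needs nothing further.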