Hello!
On Sun, Jan 10, 2016 at 11:05 PM, sreekanth Madhavan wrote:
> I am working on distributed session caching using SSL session ID for nginx
> cluster deployment. I came across openresty presentation regarding the
> implementation details and would like to know more details like:
>
> 1) Proposed solution required openSSL patch for changing the TLS server
> state machine. Is the patched OpenSSL code available for reference ?
Yes. See
http://openssl.6102.n7.nabble.com/PATCH-OpenSSL-1-0-2-making-it-possible-to-do-async-session-lookup-during-session-resumption-td62027.html
>
> 2) When is Openresty going to make a release with shared session
> implementation. I could not get the ssl-session-by-lua branch.
>
We'll open-source the ssl-session-by-lua branch of ngx_lua very soon.
But it will take some time to get the branch actually merged into an
OpenResty release.
> 3) Is there any sample lua code and configuration available to try out the
> shared session setup using openresty ?
>
Just wrote down a quick nginx.conf snippet to demonstrate the idea
(this snippet is untested though):
server {
# TLS listener whose session cache is driven by the two Lua blocks below
listen 443 ssl;
ssl_certificate /path/to/ssl.crt;
ssl_certificate_key /path/to/ssl.key;
# first-tier session store, reached from Lua as ngx.shared.ssl_sessions
lua_shared_dict ssl_sessions 800m;
ssl_session_fetch_by_lua_block {
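local ngx_ssl_session = require "ngx.ssl.session"

-- Resume a TLS session from the two-tier cache (shm first, then
-- memcached).  Returning without setting a session simply makes
-- OpenSSL fall back to a full handshake.
local key, err = ngx_ssl_session.get_session_id()
if not key then
    -- log the error string; `key` is nil on this path
    ngx.log(ngx.ERR, "failed to get SSL session ID: ", err)
    return
end

-- fetch the session from lua_shared_dict via the key,
-- if missing, fetch the session from memcached via
-- the lua-resty-memcached library.
local shm_store = ngx.shared.ssl_sessions
local session = shm_store:get(key)
if not session then
    -- here we assume the user has implemented the
    -- my_fetch_from_memcached() Lua function below.
    session = my_fetch_from_memcached(key)
end

if session then
    -- being a cache hit
    local ok
    ok, err = ngx_ssl_session.set_serialized_ssl_session(session)
    if not ok then
        ngx.log(ngx.ERR, "failed to set cached SSL session: ", err)
        return
    end
end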
}
ssl_session_store_by_lua_block {
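local ngx_ssl_session = require "ngx.ssl.session"

-- Persist the session negotiated by this handshake into both cache
-- tiers.  The serialized session carries the resumption secrets, so
-- the memcached link has to be trusted just like the shm itself.
local session, err = ngx_ssl_session.get_serialized_ssl_session()
if err then
    ngx.log(ngx.ERR, "failed to retrieve new SSL session: ", err)
    return
end

local key
key, err = ngx_ssl_session.get_session_id()
if not key then
    -- log the error string; `key` is nil on this path
    ngx.log(ngx.ERR, "failed to get SSL session ID: ", err)
    return
end

-- store the SSL session to shm with an expiry so stale sessions are
-- not resumable indefinitely (the shm exptime argument is in seconds;
-- keep it in step with ssl_session_timeout):
local shm_ttl = 30 -- 30 sec
local shm_store = ngx.shared.ssl_sessions
local ok
ok, err = shm_store:set(key, session, shm_ttl)
if not ok then
    ngx.log(ngx.ERR, "failed to set SSL session to shm: ", err)
end

-- store the SSL session to memcached asynchronously
-- for production, we should avoid dynamic closure creation like
-- below though.
local function async_store_handler(premature, key, session, ttl)
    if premature then
        -- the worker is shutting down; do not start a network round trip
        return
    end
    local ok, err = my_store_to_memcached(key, session, ttl)
    if not ok then
        ngx.log(ngx.ERR, "failed to store the SSL session to ",
                "memcached: ", err)
    end
end

-- NOTE(review): "30 sec" for 30000 only holds if my_store_to_memcached
-- takes milliseconds; lua-resty-memcached's set() takes its expiry in
-- seconds -- confirm the unit before deploying.
local ttl = 30000 -- 30 sec
ok, err = ngx.timer.at(0, async_store_handler, key, session, ttl)
if not ok then
    ngx.log(ngx.ERR, "failed to create a 0-delay timer: ", err)
    return
end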
}
}
Regards,
-agentzh