Distributed Session cache using memcached

sreekanthskm · 2016-01-11T15:05:19+00:00

On Monday, 11 January 2016 12:17:41 UTC+2, Aapo Talvensaari wrote:On Sunday, 10 January 2016 15:24:03 UTC+2, 朱大仙儿 wrote:how can...

Distributed Session cache using memcached

sreekanthskm

Hi,

I am working on distributed session caching using SSL session ID for nginx cluster deployment. I came across openresty presentation regarding the implementation details and would like to know more details like:

1) Proposed solution required openSSL patch for changing the TLS server state machine. Is the patched OpenSSL code available for reference ?

2) When is Openresty going to make a release with shared session implementation. I could not get the ssl-session-by-lua branch.

3) Is there any sample lua code and configuration available to try out the shared session setup using openresty ?

Thanks,

Sreekanth

agentzh

Hello!

On Sun, Jan 10, 2016 at 11:05 PM, sreekanth Madhavan wrote:
> I am working on distributed session caching using SSL session ID for nginx
> cluster deployment.  I came across openresty presentation regarding the
> implementation details and would like to know more details like:
>
> 1) Proposed solution required openSSL patch for changing the TLS server
> state machine.  Is the patched OpenSSL code available for reference ?

Yes. See

    http://openssl.6102.n7.nabble.com/PATCH-OpenSSL-1-0-2-making-it-possible-to-do-async-session-lookup-during-session-resumption-td62027.html

>
> 2) When is Openresty going to make a release with shared session
> implementation. I could not get the ssl-session-by-lua branch.
>

We'll opensource the ssl-session-by-lua branch of ngx_lua very soon.
But it will take some time to get the branch actually merged into an
OpenResty release.

> 3) Is there any sample lua code and configuration available to try out the
> shared session setup using openresty ?
>

Just wrote down a quick nginx.conf snippet to demonstrate the idea
(this snippet is untested though):

    server {
        listen 443 ssl;

        ssl_certificate /path/to/ssl.crt;
        ssl_certificate_key /path/to/ssl.key;

        lua_shared_dict ssl_sessions 800m;

        ssl_session_fetch_by_lua_block {
            local ngx_ssl_session = require "ngx.ssl.session"

            local key, err = ngx_ssl_session.get_session_id()
            if not key then
                ngx.log(ngx.ERR, "failed to get SSL session ID: ", key)
                return
            end

            -- fetch the session from lua_shared_dict via the key,
            -- if missing, fetch the session from memcached via
            -- the lua-resty-memcached library.

            local shm_store = ngx.shared.ssl_sessions

            local session = shm_store:get(key)
            if not session then
                -- here we assume the user has implemented the
                -- my_fetch_from_memcached() Lua function below.
                session = my_fetch_from_memcached(key)
            end

            if session then
                -- being a cache hit
                local ok, err =
                    ngx_ssl_session.set_serialized_ssl_session(session)
                if not ok then
                    ngx.log(ngx.ERR, "failed to set cached SSL session: ", err)
                    return
                end
            end
        }

        ssl_session_store_by_lua_block {
            local ngx_ssl_session = require "ngx.ssl.session"

            local session, err = ngx_ssl_session.get_serialized_ssl_session()
            if err then
                ngx.log(ngx.ERR, "failed to retrieve new SSL session: ", err)
                return
            end

            local key, err = ngx_ssl_session.get_session_id()
            if not key then
                ngx.log(ngx.ERR, "failed to get SSL session ID: ", key)
                return
            end

            -- store the SSL session to shm:

            local shm_store = ngx.shared.ssl_sessions

            local ok, err = shm_store:set(key, session)
            if not ok then
                ngx.log(ngx.ERR, "failed to set SSL session to shm: ", err)
            end

            -- store the SSL session to memcached asynchronously

            -- for production, we should avoid dynamic closure creation like
            -- below though.
            local function async_store_handler(premature, key, session, ttl)
                local ok, err = my_store_to_memcached(key, session, ttl)
                if not ok then
                    ngx.log(ngx.ERR, "failed to store the SSL session to ",
                            "memcached: ", err)
                    return
                end
            end

            local ttl = 30000  -- 30 sec
            local ok, err = ngx.timer.at(0, async_store_handler, key,
session, ttl)
            if not ok then
                ngx.log(ngx.ERR, "failed to create a 0-delay timer: ", err)
                return
            end
        }
    }

Regards,
-agentzh

sreekanthskm

Hi,

Great..

I am looking forward for ssl-session-by-lua branch.

Thanks,

Sreekanth

On Monday, January 11, 2016 at 11:26:37 PM UTC+5:30, agentzh wrote:

Hello!

On Sun, Jan 10, 2016 at 11:05 PM, sreekanth Madhavan wrote:
> I am working on distributed session caching using SSL session ID for nginx
> cluster deployment. I came across openresty presentation regarding the
> implementation details and would like to know more details like:
>
> 1) Proposed solution required openSSL patch for changing the TLS server
> state machine. Is the patched OpenSSL code available for reference ?

Yes. See

http://openssl.6102.n7.nabble.com/PATCH-OpenSSL-1-0-2-making-it-possible-to-do-async-session-lookup-during-session-resumption-td62027.html

>
> 2) When is Openresty going to make a release with shared session
> implementation. I could not get the ssl-session-by-lua branch.
>

We'll opensource the ssl-session-by-lua branch of ngx_lua very soon.
But it will take some time to get the branch actually merged into an
OpenResty release.

> 3) Is there any sample lua code and configuration available to try out the
> shared session setup using openresty ?
>

Just wrote down a quick nginx.conf snippet to demonstrate the idea
(this snippet is untested though):

server {
listen 443 ssl;

ssl_certificate /path/to/ssl.crt;
ssl_certificate_key /path/to/ssl.key;

lua_shared_dict ssl_sessions 800m;

ssl_session_fetch_by_lua_block {
local ngx_ssl_session = require "ngx.ssl.session"

local key, err = ngx_ssl_session.get_session_id()
if not key then
ngx.log(ngx.ERR, "failed to get SSL session ID: ", key)
return
end

-- fetch the session from lua_shared_dict via the key,
-- if missing, fetch the session from memcached via
-- the lua-resty-memcached library.

local shm_store = ngx.shared.ssl_sessions

local session = shm_store:get(key)
if not session then
-- here we assume the user has implemented the
-- my_fetch_from_memcached() Lua function below.
session = my_fetch_from_memcached(key)
end

if session then
-- being a cache hit
local ok, err =
ngx_ssl_session.set_serialized_ssl_session(session)
if not ok then
ngx.log(ngx.ERR, "failed to set cached SSL session: ", err)
return
end
end
}

ssl_session_store_by_lua_block {
local ngx_ssl_session = require "ngx.ssl.session"

local session, err = ngx_ssl_session.get_serialized_ssl_session()
if err then
ngx.log(ngx.ERR, "failed to retrieve new SSL session: ", err)
return
end

local key, err = ngx_ssl_session.get_session_id()
if not key then
ngx.log(ngx.ERR, "failed to get SSL session ID: ", key)
return
end

-- store the SSL session to shm:

local shm_store = ngx.shared.ssl_sessions

local ok, err = shm_store:set(key, session)
if not ok then
ngx.log(ngx.ERR, "failed to set SSL session to shm: ", err)
end

-- store the SSL session to memcached asynchronously

-- for production, we should avoid dynamic closure creation like
-- below though.
local function async_store_handler(premature, key, session, ttl)
local ok, err = my_store_to_memcached(key, session, ttl)
if not ok then
ngx.log(ngx.ERR, "failed to store the SSL session to ",
"memcached: ", err)
return
end
end

local ttl = 30000 -- 30 sec
local ok, err = ngx.timer.at(0, async_store_handler, key,
session, ttl)
if not ok then
ngx.log(ngx.ERR, "failed to create a 0-delay timer: ", err)
return
end
}
}

Regards,
-agentzh

sreekanthskm

Hi,

I would like to test distributed ssl session caching using OpenResty and patched OpenSSL for complete asynchronous model.

I have few questions regarding Openresty:

1) Which all modules in Openresty needs to be used for this distributed ssl session caching flow ?

2) Does Openresty-1.9.7.3 release contains all required modules ? which module registers the call backs to openssl ?

Any pointers would be appreciated.

-Sreekanth

On Monday, January 11, 2016 at 11:26:37 PM UTC+5:30, agentzh wrote:

Hello!

On Sun, Jan 10, 2016 at 11:05 PM, sreekanth Madhavan wrote:
> I am working on distributed session caching using SSL session ID for nginx
> cluster deployment. I came across openresty presentation regarding the
> implementation details and would like to know more details like:
>
> 1) Proposed solution required openSSL patch for changing the TLS server
> state machine. Is the patched OpenSSL code available for reference ?

Yes. See

http://openssl.6102.n7.nabble.com/PATCH-OpenSSL-1-0-2-making-it-possible-to-do-async-session-lookup-during-session-resumption-td62027.html

>
> 2) When is Openresty going to make a release with shared session
> implementation. I could not get the ssl-session-by-lua branch.
>

We'll opensource the ssl-session-by-lua branch of ngx_lua very soon.
But it will take some time to get the branch actually merged into an
OpenResty release.

> 3) Is there any sample lua code and configuration available to try out the
> shared session setup using openresty ?
>

Just wrote down a quick nginx.conf snippet to demonstrate the idea
(this snippet is untested though):

server {
listen 443 ssl;

ssl_certificate /path/to/ssl.crt;
ssl_certificate_key /path/to/ssl.key;

lua_shared_dict ssl_sessions 800m;

ssl_session_fetch_by_lua_block {
local ngx_ssl_session = require "ngx.ssl.session"

local key, err = ngx_ssl_session.get_session_id()
if not key then
ngx.log(ngx.ERR, "failed to get SSL session ID: ", key)
return
end

-- fetch the session from lua_shared_dict via the key,
-- if missing, fetch the session from memcached via
-- the lua-resty-memcached library.

local shm_store = ngx.shared.ssl_sessions

local session = shm_store:get(key)
if not session then
-- here we assume the user has implemented the
-- my_fetch_from_memcached() Lua function below.
session = my_fetch_from_memcached(key)
end

if session then
-- being a cache hit
local ok, err =
ngx_ssl_session.set_serialized_ssl_session(session)
if not ok then
ngx.log(ngx.ERR, "failed to set cached SSL session: ", err)
return
end
end
}

ssl_session_store_by_lua_block {
local ngx_ssl_session = require "ngx.ssl.session"

local session, err = ngx_ssl_session.get_serialized_ssl_session()
if err then
ngx.log(ngx.ERR, "failed to retrieve new SSL session: ", err)
return
end

local key, err = ngx_ssl_session.get_session_id()
if not key then
ngx.log(ngx.ERR, "failed to get SSL session ID: ", key)
return
end

-- store the SSL session to shm:

local shm_store = ngx.shared.ssl_sessions

local ok, err = shm_store:set(key, session)
if not ok then
ngx.log(ngx.ERR, "failed to set SSL session to shm: ", err)
end

-- store the SSL session to memcached asynchronously

-- for production, we should avoid dynamic closure creation like
-- below though.
local function async_store_handler(premature, key, session, ttl)
local ok, err = my_store_to_memcached(key, session, ttl)
if not ok then
ngx.log(ngx.ERR, "failed to store the SSL session to ",
"memcached: ", err)
return
end
end

local ttl = 30000 -- 30 sec
local ok, err = ngx.timer.at(0, async_store_handler, key,
session, ttl)
if not ok then
ngx.log(ngx.ERR, "failed to create a 0-delay timer: ", err)
return
end
}
}

Regards,
-agentzh

agentzh

Hello!

On Thu, Mar 17, 2016 at 8:35 AM, sreekanth Madhavan wrote:
> I would like to test distributed ssl session caching using OpenResty and
> patched OpenSSL for complete asynchronous model.
>
> I have few questions regarding Openresty:
>
> 1) Which all modules in Openresty needs to be used for this distributed ssl
> session caching flow ?
>

It requires the ssl_session_fetch_by_lua* and
ssl_session_store_by_lua* directives in ngx_lua. This new feature is
still to be opensourced. Hopefully in the next month or so.

> 2) Does Openresty-1.9.7.3 release contains all required modules ? which
> module registers the call backs to openssl ?
>

Nope.

Regards,
-agentzh

synologic

Hi,

any news on open-sourcing this ?

Regards,

Viorel

On Thursday, March 24, 2016 at 8:43:25 PM UTC+1, agentzh wrote:

Hello!

On Thu, Mar 17, 2016 at 8:35 AM, sreekanth Madhavan wrote:
> I would like to test distributed ssl session caching using OpenResty and
> patched OpenSSL for complete asynchronous model.
>
> I have few questions regarding Openresty:
>
> 1) Which all modules in Openresty needs to be used for this distributed ssl
> session caching flow ?
>

It requires the ssl_session_fetch_by_lua* and
ssl_session_store_by_lua* directives in ngx_lua. This new feature is
still to be opensourced. Hopefully in the next month or so.

> 2) Does Openresty-1.9.7.3 release contains all required modules ? which
> module registers the call backs to openssl ?
>

Nope.

Regards,
-agentzh

agentzh

Hello!

On Thu, Nov 9, 2017 at 10:55 AM, Viorel Dehelean wrote:
> any news on open-sourcing this ?
>

The ssl_session_fetch_by_lua* and ssl_session_store_by_lua* directives
were already open sourced more than a year ago. Read the official
documentation.

Regards,
Yichun