diff options
| author | Ryan Steinmetz <zi@FreeBSD.org> | 2021-05-20 12:39:46 -0400 |
|---|---|---|
| committer | Ryan Steinmetz <zi@FreeBSD.org> | 2021-05-20 12:39:46 -0400 |
| commit | cc298297bc51e03451dd181bfdda69ae1e39f5b9 (patch) | |
| tree | 5820efc195ce329d83f71a48297796d2355a994b /www/nginx | |
| parent | security/duo_openvpn: Pass script pass in less silly way, add support to forc... (diff) | |
www/nginx: Undo previous commit
Diffstat (limited to 'www/nginx')
| -rw-r--r-- | www/nginx/Makefile.extmod | 2 | ||||
| -rw-r--r-- | www/nginx/files/extra-patch-dynamic-tls | 225 |
2 files changed, 0 insertions, 227 deletions
diff --git a/www/nginx/Makefile.extmod b/www/nginx/Makefile.extmod index daaac6da544f..bf4bb53f8659 100644 --- a/www/nginx/Makefile.extmod +++ b/www/nginx/Makefile.extmod @@ -35,8 +35,6 @@ DRIZZLE_GH_TUPLE= openresty:drizzle-nginx-module:v0.1.11:drizzle DRIZZLE_EXTRA_PATCHES= ${PATCHDIR}/extra-patch-openresty-drizzle-nginx-module-config DRIZZLE_VARS= DSO_EXTMODS+=drizzle -DYNAMIC_TLS_EXTRA_PATCHES= ${PATCHDIR}/extra-patch-dynamic-tls - DYNAMIC_UPSTREAM_GH_TUPLE= ZigzagAK:ngx_dynamic_upstream:960eef2:dynamic_upstream DYNAMIC_UPSTREAM_VARS= DSO_EXTMODS+=dynamic_upstream diff --git a/www/nginx/files/extra-patch-dynamic-tls b/www/nginx/files/extra-patch-dynamic-tls deleted file mode 100644 index 86b617a55750..000000000000 --- a/www/nginx/files/extra-patch-dynamic-tls +++ /dev/null @@ -1,225 +0,0 @@ ---- src/event/ngx_event_openssl.c.orig 2021-04-20 13:35:47 UTC -+++ src/event/ngx_event_openssl.c -@@ -1616,6 +1616,7 @@ ngx_ssl_create_connection(ngx_ssl_t *ssl - - sc->buffer = ((flags & NGX_SSL_BUFFER) != 0); - sc->buffer_size = ssl->buffer_size; -+ sc->dyn_rec = ssl->dyn_rec; - - sc->session_ctx = ssl->ctx; - -@@ -2555,6 +2556,41 @@ ngx_ssl_send_chain(ngx_connection_t *c, - - for ( ;; ) { - -+ /* Dynamic record resizing: -+ We want the initial records to fit into one TCP segment -+ so we don't get TCP HoL blocking due to TCP Slow Start. -+ A connection always starts with small records, but after -+ a given amount of records sent, we make the records larger -+ to reduce header overhead. -+ After a connection has idled for a given timeout, begin -+ the process from the start. The actual parameters are -+ configurable. If dyn_rec_timeout is 0, we assume dyn_rec is off. */ -+ -+ if (c->ssl->dyn_rec.timeout > 0 ) { -+ -+ if (ngx_current_msec - c->ssl->dyn_rec_last_write > -+ c->ssl->dyn_rec.timeout) -+ { -+ buf->end = buf->start + c->ssl->dyn_rec.size_lo; -+ c->ssl->dyn_rec_records_sent = 0; -+ -+ } else { -+ if (c->ssl->dyn_rec_records_sent > -+ c->ssl->dyn_rec.threshold * 2) -+ { -+ buf->end = buf->start + c->ssl->buffer_size; -+ -+ } else if (c->ssl->dyn_rec_records_sent > -+ c->ssl->dyn_rec.threshold) -+ { -+ buf->end = buf->start + c->ssl->dyn_rec.size_hi; -+ -+ } else { -+ buf->end = buf->start + c->ssl->dyn_rec.size_lo; -+ } -+ } -+ } -+ - while (in && buf->last < buf->end && send < limit) { - if (in->buf->last_buf || in->buf->flush) { - flush = 1; -@@ -2662,6 +2698,9 @@ ngx_ssl_write(ngx_connection_t *c, u_cha - - if (n > 0) { - -+ c->ssl->dyn_rec_records_sent++; -+ c->ssl->dyn_rec_last_write = ngx_current_msec; -+ - if (c->ssl->saved_read_handler) { - - c->read->handler = c->ssl->saved_read_handler; ---- src/event/ngx_event_openssl.h.orig 2021-04-20 13:35:47 UTC -+++ src/event/ngx_event_openssl.h -@@ -66,11 +66,19 @@ - - typedef struct ngx_ssl_ocsp_s ngx_ssl_ocsp_t; - -+typedef struct { -+ ngx_msec_t timeout; -+ ngx_uint_t threshold; -+ size_t size_lo; -+ size_t size_hi; -+} ngx_ssl_dyn_rec_t; -+ - - struct ngx_ssl_s { - SSL_CTX *ctx; - ngx_log_t *log; - size_t buffer_size; -+ ngx_ssl_dyn_rec_t dyn_rec; - }; - - -@@ -106,6 +114,10 @@ struct ngx_ssl_connection_s { - unsigned in_ocsp:1; - unsigned early_preread:1; - unsigned write_blocked:1; -+ -+ ngx_ssl_dyn_rec_t dyn_rec; -+ ngx_msec_t dyn_rec_last_write; -+ ngx_uint_t dyn_rec_records_sent; - }; - - -@@ -115,7 +127,7 @@ struct ngx_ssl_connection_s { - #define NGX_SSL_DFLT_BUILTIN_SCACHE -5 - - --#define NGX_SSL_MAX_SESSION_SIZE 4096 -+#define NGX_SSL_MAX_SESSION_SIZE 16384 - - typedef struct ngx_ssl_sess_id_s ngx_ssl_sess_id_t; - ---- src/http/modules/ngx_http_ssl_module.c.orig 2021-04-20 13:35:47 UTC -+++ src/http/modules/ngx_http_ssl_module.c -@@ -301,6 +301,41 @@ static ngx_command_t ngx_http_ssl_comma - offsetof(ngx_http_ssl_srv_conf_t, reject_handshake), - NULL }, - -+ { ngx_string("ssl_dyn_rec_enable"), -+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG, -+ ngx_conf_set_flag_slot, -+ NGX_HTTP_SRV_CONF_OFFSET, -+ offsetof(ngx_http_ssl_srv_conf_t, dyn_rec_enable), -+ NULL }, -+ -+ { ngx_string("ssl_dyn_rec_timeout"), -+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG, -+ ngx_conf_set_msec_slot, -+ NGX_HTTP_SRV_CONF_OFFSET, -+ offsetof(ngx_http_ssl_srv_conf_t, dyn_rec_timeout), -+ NULL }, -+ -+ { ngx_string("ssl_dyn_rec_size_lo"), -+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG, -+ ngx_conf_set_size_slot, -+ NGX_HTTP_SRV_CONF_OFFSET, -+ offsetof(ngx_http_ssl_srv_conf_t, dyn_rec_size_lo), -+ NULL }, -+ -+ { ngx_string("ssl_dyn_rec_size_hi"), -+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG, -+ ngx_conf_set_size_slot, -+ NGX_HTTP_SRV_CONF_OFFSET, -+ offsetof(ngx_http_ssl_srv_conf_t, dyn_rec_size_hi), -+ NULL }, -+ -+ { ngx_string("ssl_dyn_rec_threshold"), -+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG, -+ ngx_conf_set_num_slot, -+ NGX_HTTP_SRV_CONF_OFFSET, -+ offsetof(ngx_http_ssl_srv_conf_t, dyn_rec_threshold), -+ NULL }, -+ - ngx_null_command - }; - -@@ -637,6 +672,11 @@ ngx_http_ssl_create_srv_conf(ngx_conf_t - sscf->ocsp_cache_zone = NGX_CONF_UNSET_PTR; - sscf->stapling = NGX_CONF_UNSET; - sscf->stapling_verify = NGX_CONF_UNSET; -+ sscf->dyn_rec_enable = NGX_CONF_UNSET; -+ sscf->dyn_rec_timeout = NGX_CONF_UNSET_MSEC; -+ sscf->dyn_rec_size_lo = NGX_CONF_UNSET_SIZE; -+ sscf->dyn_rec_size_hi = NGX_CONF_UNSET_SIZE; -+ sscf->dyn_rec_threshold = NGX_CONF_UNSET_UINT; - - return sscf; - } -@@ -712,6 +752,20 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t * - ngx_conf_merge_str_value(conf->stapling_responder, - prev->stapling_responder, ""); - -+ ngx_conf_merge_value(conf->dyn_rec_enable, prev->dyn_rec_enable, 0); -+ ngx_conf_merge_msec_value(conf->dyn_rec_timeout, prev->dyn_rec_timeout, -+ 1000); -+ /* Default sizes for the dynamic record sizes are defined to fit maximal -+ TLS + IPv6 overhead in a single TCP segment for lo and 3 segments for hi: -+ 1369 = 1500 - 40 (IP) - 20 (TCP) - 10 (Time) - 61 (Max TLS overhead) */ -+ ngx_conf_merge_size_value(conf->dyn_rec_size_lo, prev->dyn_rec_size_lo, -+ 1369); -+ /* 4229 = (1500 - 40 - 20 - 10) * 3 - 61 */ -+ ngx_conf_merge_size_value(conf->dyn_rec_size_hi, prev->dyn_rec_size_hi, -+ 4229); -+ ngx_conf_merge_uint_value(conf->dyn_rec_threshold, prev->dyn_rec_threshold, -+ 40); -+ - conf->ssl.log = cf->log; - - if (conf->enable) { -@@ -943,6 +997,28 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t * - return NGX_CONF_ERROR; - } - -+ if (conf->dyn_rec_enable) { -+ conf->ssl.dyn_rec.timeout = conf->dyn_rec_timeout; -+ conf->ssl.dyn_rec.threshold = conf->dyn_rec_threshold; -+ -+ if (conf->buffer_size > conf->dyn_rec_size_lo) { -+ conf->ssl.dyn_rec.size_lo = conf->dyn_rec_size_lo; -+ -+ } else { -+ conf->ssl.dyn_rec.size_lo = conf->buffer_size; -+ } -+ -+ if (conf->buffer_size > conf->dyn_rec_size_hi) { -+ conf->ssl.dyn_rec.size_hi = conf->dyn_rec_size_hi; -+ -+ } else { -+ conf->ssl.dyn_rec.size_hi = conf->buffer_size; -+ } -+ -+ } else { -+ conf->ssl.dyn_rec.timeout = 0; -+ } -+ - return NGX_CONF_OK; - } - ---- src/http/modules/ngx_http_ssl_module.h.orig 2021-04-20 13:35:47 UTC -+++ src/http/modules/ngx_http_ssl_module.h -@@ -67,6 +67,12 @@ typedef struct { - - u_char *file; - ngx_uint_t line; -+ -+ ngx_flag_t dyn_rec_enable; -+ ngx_msec_t dyn_rec_timeout; -+ size_t dyn_rec_size_lo; -+ size_t dyn_rec_size_hi; -+ ngx_uint_t dyn_rec_threshold; - } ngx_http_ssl_srv_conf_t; - - |