[squid-dev] [PATCH] Collapse security_file_certgen requests.
Christos Tsantilas
christos at chtsanti.net
Mon Jun 12 16:06:30 UTC 2017
On 10/06/2017 03:32 PM, Amos Jeffries wrote:
> On 09/06/17 02:52, Christos Tsantilas wrote:
>>
>> Concurrent identical same-worker security_file_certgen (a.k.a.
>> ssl_crtd) requests are collapsed: The first such request goes through
>> to one of the helpers while others wait for that first request to
>> complete, successfully or otherwise. This optimization helps deal
>> with flash crowds that suddenly send a large number of HTTPS requests
>> to a small group of origin servers.
>>
>> Two certificate generation requests are considered identical if their
>> on-the-wire images are identical. This simple and fast approach covers
>> all certificate generation parameters, including all mimicked
>> certificate properties, and avoids hash collisions and poisoning.
>> Compared to collision- or poisoning-sensitive approaches that store
>> raw certificates and compare their signatures or fingerprints, storing
>> helper queries costs a few extra KB per pending helper request. That
>> extra RAM cost is worth the advantages and will be eliminated when
>> helper code switches from c-strings to SBufs.
>
>
> Thank you. +1 from me.
The patch was applied as is to squid-5 as r15190.
>
> +1. Though I would prefer if these lines doing C-style member
> initialization could be done by the GeneratorRequest constructor instead.
>
> + GeneratorRequest *request = new GeneratorRequest;
> + request->query = rawMessage;
> + request->emplace(callback, data);
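Review bot: In these three added lines, request->query is assigned only after new GeneratorRequest returns, so a GeneratorRequest can exist with an empty query. The patch description says identical requests are matched by their on-the-wire image, which makes that field the collapsing key; taking rawMessage as a constructor argument and making the member const would rule out a request that is unset or that changes while other callers wait on it. The raw new also has no owner visible in these lines, so it is worth confirming that the request is freed on every path, including when the helper request fails.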
>
>
> Amos
>
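The collapsing described in the patch description above, as an added example that is not part of the original message and is not Squid's code: a pending-request table keyed by the complete query bytes, so request identity never depends on a digest. The class name, method names and query strings are hypothetical.

```cpp
// Added illustration, not Squid code: all names here are hypothetical.
#include <cstddef>
#include <functional>
#include <map>
#include <string>
#include <utility>
#include <vector>

using Callback = std::function<void(const std::string &reply)>;

class CertgenCollapser {
public:
    // Returns true when the caller must forward the query to a helper,
    // false when an identical query is already pending and the callback
    // was queued behind it.
    bool submit(const std::string &query, Callback cb) {
        auto it = pending_.find(query);
        const bool first = (it == pending_.end());
        if (first)
            it = pending_.emplace(query, std::vector<Callback>()).first;
        it->second.push_back(std::move(cb));
        return first;
    }

    // Delivers the helper reply (success or failure) to every waiter and
    // forgets the query. Returns the number of callbacks notified.
    std::size_t complete(const std::string &query, const std::string &reply) {
        auto it = pending_.find(query);
        if (it == pending_.end())
            return 0;
        std::vector<Callback> waiters = std::move(it->second);
        pending_.erase(it); // erase first: a callback may resubmit the query
        for (auto &cb : waiters)
            cb(reply);
        return waiters.size();
    }

    std::size_t pendingQueries() const { return pending_.size(); }

private:
    // Keyed by the complete query bytes, so two queries share an entry only
    // if they are byte-for-byte identical; no hash or fingerprint is used.
    std::map<std::string, std::vector<Callback>> pending_;
};
```

Because a failed helper reply is fanned out the same way as a successful one, every waiter is released and the next identical query starts a fresh helper request.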