Opened 5 years ago

#1809 new enhancement

Allow stream with `ssl_preread on` to forward to http without leaving nginx

Reported by: ben.lubar@… Owned by:
Priority: minor Milestone:
Component: other Version: 1.15.x
Keywords: Cc:
uname -a: Linux urist.lubar.me 5.0.0-20-generic #21-Ubuntu SMP Mon Jun 24 09:32:09 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.15.9 (Ubuntu)
built with OpenSSL 1.1.1b 26 Feb 2019
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fdebug-prefix-map=/build/nginx-o86Ds8/nginx-1.15.9=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-compat --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_flv_module --with-http_geoip_module=dynamic --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_mp4_module --with-http_perl_module=dynamic --with-http_random_index_module --with-http_secure_link_module --with-http_sub_module --with-http_xslt_module=dynamic --with-mail=dynamic --with-mail_ssl_module --with-stream=dynamic --with-stream_ssl_module --with-stream_ssl_preread_module --add-dynamic-module=/build/nginx-o86Ds8/nginx-1.15.9/debian/modules/http-headers-more-filter --add-dynamic-module=/build/nginx-o86Ds8/nginx-1.15.9/debian/modules/http-auth-pam --add-dynamic-module=/build/nginx-o86Ds8/nginx-1.15.9/debian/modules/http-cache-purge --add-dynamic-module=/build/nginx-o86Ds8/nginx-1.15.9/debian/modules/http-dav-ext --add-dynamic-module=/build/nginx-o86Ds8/nginx-1.15.9/debian/modules/http-ndk --add-dynamic-module=/build/nginx-o86Ds8/nginx-1.15.9/debian/modules/http-echo --add-dynamic-module=/build/nginx-o86Ds8/nginx-1.15.9/debian/modules/http-fancyindex --add-dynamic-module=/build/nginx-o86Ds8/nginx-1.15.9/debian/modules/nchan --add-dynamic-module=/build/nginx-o86Ds8/nginx-1.15.9/debian/modules/http-lua --add-dynamic-module=/build/nginx-o86Ds8/nginx-1.15.9/debian/modules/rtmp --add-dynamic-module=/build/nginx-o86Ds8/nginx-1.15.9/debian/modules/http-uploadprogress --add-dynamic-module=/build/nginx-o86Ds8/nginx-1.15.9/debian/modules/http-upstream-fair --add-dynamic-module=/build/nginx-o86Ds8/nginx-1.15.9/debian/modules/http-subs-filter

Description

Currently, having multiple services on the same port that depend on ALPN means that every incoming connection creates another internal TCP connection, which means sockets get used up faster than they need to and every packet gets sent a second time through the kernel.

Instead, if nginx could transfer ownership of the socket from the stream module to the http module without proxying, this would speed up this use case and reduce its resource usage.

Change History (0)

Note: See TracTickets for help on using tickets.