Fetch: optimized use of SSL contexts.

To ensure optimal use of memory, SSL contexts for ngx.fetch() are now inherited from previous levels as long as relevant js_fetch_* directives are not redefined.
nginx · Dec 4, 2024 · f2955c8 · f2955c8
1 parent b300a93
commit f2955c8
Showing 1 changed file with 51 additions and 5 deletions.
diff --git a/nginx/ngx_js.c b/nginx/ngx_js.c
@@ -3946,19 +3946,60 @@ ngx_js_create_conf(ngx_conf_t *cf, size_t size)
 
 #if defined(NGX_HTTP_SSL) || defined(NGX_STREAM_SSL)
 
+static ngx_int_t
+ngx_js_merge_ssl(ngx_conf_t *cf, ngx_js_loc_conf_t *conf,
+    ngx_js_loc_conf_t *prev)
+{
+    ngx_uint_t  preserve;
+
+    if (conf->ssl_protocols == 0
+        && conf->ssl_ciphers.data == NULL
+        && conf->ssl_verify == NGX_CONF_UNSET
+        && conf->ssl_verify_depth == NGX_CONF_UNSET
+        && conf->ssl_trusted_certificate.data == NULL)
+    {
+        if (prev->ssl) {
+            conf->ssl = prev->ssl;
+            return NGX_OK;
+        }
+
+        preserve = 1;
+
+    } else {
+        preserve = 0;
+    }
+
+    conf->ssl = ngx_pcalloc(cf->pool, sizeof(ngx_ssl_t));
+    if (conf->ssl == NULL) {
+        return NGX_ERROR;
+    }
+
+    conf->ssl->log = cf->log;
+
+    /*
+     * special handling to preserve conf->ssl
+     * in the "http" section to inherit it to all servers
+     */
+
+    if (preserve) {
+        prev->ssl = conf->ssl;
+    }
+
+    return NGX_OK;
+}
+
+
 static char *
 ngx_js_set_ssl(ngx_conf_t *cf, ngx_js_loc_conf_t *conf)
 {
     ngx_ssl_t           *ssl;
     ngx_pool_cleanup_t  *cln;
 
-    ssl = ngx_pcalloc(cf->pool, sizeof(ngx_ssl_t));
-    if (ssl == NULL) {
-        return NGX_CONF_ERROR;
+    if (conf->ssl->ctx) {
+        return NGX_OK;
     }
 
-    conf->ssl = ssl;
-    ssl->log = cf->log;
+    ssl = conf->ssl;
 
     if (ngx_ssl_create(ssl, conf->ssl_protocols, NULL) != NGX_OK) {
         return NGX_CONF_ERROR;
@@ -4013,6 +4054,11 @@ ngx_js_merge_conf(ngx_conf_t *cf, void *parent, void *child,
     }
 
 #if defined(NGX_HTTP_SSL) || defined(NGX_STREAM_SSL)
+
+    if (ngx_js_merge_ssl(cf, conf, prev) != NGX_OK) {
+        return NGX_CONF_ERROR;
+    }
+
     ngx_conf_merge_str_value(conf->ssl_ciphers, prev->ssl_ciphers,
                              "DEFAULT");