nic-6443 commented on code in PR #13062:
URL: https://github.com/apache/apisix/pull/13062#discussion_r3393122437


##########
apisix/init.lua:
##########
@@ -552,9 +552,22 @@ function _M.handle_upstream(api_ctx, route, 
enable_websocket)
             return ngx_exit(1)
         end
 
+        local new_upstream_ssl = apisix_secret.fetch_secrets(upstream_ssl, 
true)
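
Review bot: the bare `true` passed as the second argument in `apisix_secret.fetch_secrets(upstream_ssl, true)` gives no hint of what it switches on; a short comment at the call site would save the reader a trip to `apisix/secret.lua`. The quoted part of the hunk also ends before `new_upstream_ssl` is used, so if `fetch_secrets` can return nil, check that the code that follows handles that case before it replaces `upstream_ssl`.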

Review Comment:
   `fetch_secrets()` does a `core.table.deepcopy` of the whole SSL object on 
every request through this path, even when the config contains no secret refs 
at all — the `true` arg only caches the individual URI lookups (`secrets_cache` 
in `apisix/secret.lua` is keyed by URI), it doesn't avoid the per-request copy. 
Unlike the SNI path in `radixtree_sni.lua` which runs per handshake, this runs 
for every proxied request to an upstream with `tls.client_cert_id`.
   
   How about guarding it with `secret.has_secret_ref(upstream_ssl)` (added in 
#13312, available once you merge master)? That keeps the zero-copy assignment 
for the common case where the SSL object holds plain cert/key.
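
The cost difference described in the comment above, as an added, self-contained sketch that is not code from the PR or from APISIX. All functions are local stand-ins (the real `has_secret_ref`, `fetch_secrets` and `core.table.deepcopy` are not reproduced here), and the `$secret://` / `$env://` reference prefixes and the sample values are assumptions made for the illustration.

```lua
-- Added illustration: stand-ins only, not APISIX code.
local copies = 0
local function copy_table(t)
    local out = {}
    for k, v in pairs(t) do
        out[k] = type(v) == "table" and copy_table(v) or v
    end
    return out
end
-- Stand-in for core.table.deepcopy that counts top-level copies.
local function deepcopy(t)
    copies = copies + 1
    return copy_table(t)
end
-- Assumed reference prefixes.
local function is_ref(v)
    return type(v) == "string"
        and (v:sub(1, 10) == "$secret://" or v:sub(1, 7):lower() == "$env://")
end
-- Read-only walk: allocates nothing, unlike a copy.
local function has_secret_ref(t)
    for _, v in pairs(t) do
        if is_ref(v) or (type(v) == "table" and has_secret_ref(v)) then
            return true
        end
    end
    return false
end
-- Constructed secret store and resolver (hypothetical).
local vault = { ["$secret://vault/1/upstream/key"] = "RESOLVED-KEY" }
local function resolve(t)
    for k, v in pairs(t) do
        if type(v) == "table" then resolve(v)
        elseif is_ref(v) then t[k] = vault[v] or v end
    end
    return t
end
local function fetch_secrets(conf)          -- copies on every call
    return resolve(deepcopy(conf))
end
local function fetch_secrets_guarded(conf)  -- copies only when needed
    if not has_secret_ref(conf) then return conf end
    return fetch_secrets(conf)
end
-- Constructed SSL objects: one plain, one holding a reference.
local plain = { cert = "PEM-CERT", key = "PEM-KEY" }
local with_ref = { cert = "PEM-CERT", key = "$secret://vault/1/upstream/key" }
for _ = 1, 1000 do fetch_secrets(plain) end
print("unguarded copies for 1000 requests:", copies)
copies = 0
for _ = 1, 1000 do assert(fetch_secrets_guarded(plain) == plain) end
print("guarded copies for 1000 requests:", copies)
local resolved = fetch_secrets_guarded(with_ref)
assert(resolved ~= with_ref and resolved.key == "RESOLVED-KEY")
assert(with_ref.key == "$secret://vault/1/upstream/key") -- shared config untouched
```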


