On Sat, 13 Jan 2001, Ralf S. Engelschall wrote:

> On Fri, Jan 12, 2001, Doremus, Matthew wrote:
> 
> > I have been looking through the mod_ssl v7.2.1 SHMHT code and it appears
> > that each server creates its own hash table in the allocated shared memory.
> > Does this imply that when using SHMHT servers only retrieve sessions that
> > they themselves have stored ?
> 
> No, the hash table is shared over all server processes, because the
> underlying memory allocator is shared memory based. This means that all
> server processes can store sessions and every other can reuse it.

It looks like the question was more about different server machines rather
than different server child processes (for which Ralf's answer applied).
The answer in short is yes, a shared memory session cache is going to
necessarily be per-machine (unless you've got some shared-memory support
working in some sort of clustering environment in which case you clearly
already know what you're doing :-).

There are developments underway to provide more reliable distributed
shared memory session caching - but a warning about trying to find an
easier way out: just switching to "dbm" and sharing a single cache file
over NFS or some such thing is likely to create you a lot more headaches
than it will save you in performance (I'd take a hunch here and say that
most configurations would actually slow down in such a situation if in
fact they work at all without lots of file corruption).

BTW: This is why most load-balancers on the market today that support
SSL/https have some varying levels of "SSL-stickiness" - a technique in
which the balancer attempts to route SSL connections (either by fuzzy
judgements or by examining the traffic for session resume messages) to the
server that negotiated the session the client wants to resume. This, by
implication, does lose some of the freedoms you want in a truly
load-balanced environment but for now there's not much you can do about
that (by definition, a load-balancer should route requests based on server
loads, *not* based on which server has which SSL session).

There's a paper out by a couple of hopeless dunces (that should be updated
at some stage) that nonetheless says one or two vaguely interesting
things on this subject in amongst all the sad wreckage that remains, you
can find it at;

    http://www.geoffthorpe.net/apcon2000/
or
    http://www.awe.com/mark/apcon2000/

:-)

Cheers,
Geoff


______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
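
Added example (not part of the original message, and not code from mod_ssl or any load-balancer product): a sketch of the session-ID form of "SSL-stickiness" described above, where the balancer reads the session ID from a ServerHello to learn which server negotiated it, and from a ClientHello to route a resume back there. StickyRouter, make_hello and the backend names are hypothetical; it assumes an SSLv3/TLS 1.0-style hello that fits in a single record.

```python
import struct
from typing import Optional

HANDSHAKE, CLIENT_HELLO, SERVER_HELLO = 0x16, 0x01, 0x02
SID_LEN_OFF = 4 + 2 + 32  # handshake header, version, random precede the ID length

def hello_session_id(record: bytes, hs_type: int) -> Optional[bytes]:
    """Session ID carried in a ClientHello/ServerHello record, or None."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        return None
    (rec_len,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    if len(body) <= SID_LEN_OFF or body[0] != hs_type:
        return None
    sid_len = body[SID_LEN_OFF]
    sid = body[SID_LEN_OFF + 1:SID_LEN_OFF + 1 + sid_len]
    if sid_len > 32 or len(sid) != sid_len:
        return None  # malformed or truncated: treat as "no session"
    return sid

class StickyRouter:
    """Hypothetical balancer core: least-loaded by default, sticky on resume."""
    def __init__(self, backends):
        self.load = {b: 0 for b in backends}
        self.owner = {}  # session ID -> backend that negotiated it

    def learn(self, backend: str, server_hello: bytes) -> None:
        sid = hello_session_id(server_hello, SERVER_HELLO)
        if sid:
            self.owner[sid] = backend

    def route(self, client_hello: bytes) -> str:
        sid = hello_session_id(client_hello, CLIENT_HELLO)
        backend = self.owner.get(sid) if sid else None
        if backend is None:  # new session or unknown ID: balance on load
            backend = min(self.load, key=self.load.get)
        self.load[backend] += 1
        return backend

def make_hello(hs_type: int, sid: bytes) -> bytes:
    """Constructed sample record (zero random, one cipher suite)."""
    tail = b"\x00\x02\x00\x2f\x01\x00" if hs_type == CLIENT_HELLO else b"\x00\x2f\x00"
    body = b"\x03\x01" + bytes(32) + bytes([len(sid)]) + sid + tail
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

A resume for a known session ID goes to its owner even when that server is the busier one, which is the loss of balancing freedom the message points out; an unknown ID falls back to load and costs the client a full handshake.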
