Add small client TLS PSK cache (#14039)

Klaus Post 2022-01-06 11:34:02 -08:00 committed by GitHub
parent 0d3ae3810f
commit 3d66d053c7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 20 additions and 10 deletions


@ -118,6 +118,9 @@ const (
// diskMinInodes is the minimum number of inodes we want free on a disk to perform writes. // diskMinInodes is the minimum number of inodes we want free on a disk to perform writes.
diskMinInodes = 1000 diskMinInodes = 1000
// tlsClientSessionCacheSize is the cache size for client sessions.
tlsClientSessionCacheSize = 100
) )
var globalCLIContext = struct { var globalCLIContext = struct {
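Review bot: The comment on `tlsClientSessionCacheSize` should say the size is per cache, not process-wide: every `tls.NewLRUClientSessionCache(tlsClientSessionCacheSize)` call site in this commit constructs its own LRU, so each transport holds up to 100 sessions independently of the others. Suggest `// tlsClientSessionCacheSize is the number of resumable TLS sessions each client tls.Config keeps; every transport owns its own LRU cache of this size.` so a reader does not assume a single shared cache.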


@ -181,15 +181,17 @@ func serverHandleCmdArgs(ctx *cli.Context) {
// allow transport to be HTTP/1.1 for proxying. // allow transport to be HTTP/1.1 for proxying.
globalProxyTransport = newCustomHTTPProxyTransport(&tls.Config{ globalProxyTransport = newCustomHTTPProxyTransport(&tls.Config{
RootCAs: globalRootCAs, RootCAs: globalRootCAs,
CipherSuites: fips.CipherSuitesTLS(), CipherSuites: fips.CipherSuitesTLS(),
CurvePreferences: fips.EllipticCurvesTLS(), CurvePreferences: fips.EllipticCurvesTLS(),
ClientSessionCache: tls.NewLRUClientSessionCache(tlsClientSessionCacheSize),
}, rest.DefaultTimeout)() }, rest.DefaultTimeout)()
globalProxyEndpoints = GetProxyEndpoints(globalEndpoints) globalProxyEndpoints = GetProxyEndpoints(globalEndpoints)
globalInternodeTransport = newInternodeHTTPTransport(&tls.Config{ globalInternodeTransport = newInternodeHTTPTransport(&tls.Config{
RootCAs: globalRootCAs, RootCAs: globalRootCAs,
CipherSuites: fips.CipherSuitesTLS(), CipherSuites: fips.CipherSuitesTLS(),
CurvePreferences: fips.EllipticCurvesTLS(), CurvePreferences: fips.EllipticCurvesTLS(),
ClientSessionCache: tls.NewLRUClientSessionCache(tlsClientSessionCacheSize),
}, rest.DefaultTimeout)() }, rest.DefaultTimeout)()
// On macOS, if a process already listens on LOCALIPADDR:PORT, net.Listen() falls back // On macOS, if a process already listens on LOCALIPADDR:PORT, net.Listen() falls back
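Review bot: The internode cache added as `ClientSessionCache: tls.NewLRUClientSessionCache(tlsClientSessionCacheSize)` holds one entry per peer, because crypto/tls keys the client session cache by ServerName (or the remote address when ServerName is unset); a deployment with more than 100 servers therefore cycles through the LRU and resumes rarely, which undercuts the point of the change. Since `globalEndpoints` is already in scope here, consider sizing this cache from the number of endpoints (with the constant as a floor) instead of the fixed value, or documenting the bound next to the constant. The proxy transport above talks to the same peer set, so the same consideration applies to it.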


@ -1642,7 +1642,8 @@ func newRemoteClusterHTTPTransport() *http.Transport {
tr := &http.Transport{ tr := &http.Transport{
Proxy: http.ProxyFromEnvironment, Proxy: http.ProxyFromEnvironment,
TLSClientConfig: &tls.Config{ TLSClientConfig: &tls.Config{
RootCAs: globalRootCAs, RootCAs: globalRootCAs,
ClientSessionCache: tls.NewLRUClientSessionCache(tlsClientSessionCacheSize),
}, },
} }
return tr return tr
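Review bot: The cache added at `ClientSessionCache: tls.NewLRUClientSessionCache(tlsClientSessionCacheSize)` lives only as long as the `tr` this constructor returns, so it pays off only if callers keep that transport and reuse it; if newRemoteClusterHTTPTransport is invoked per request or per target, every connection starts with an empty cache and performs a full handshake anyway. The same per-call construction appears in getUpdateTransport, newGatewayHTTPTransport and NewRemoteTargetHTTPTransport in the later hunks of this commit. Where any of these is called repeatedly, build the cache once (at package level, or passed in by the caller) and share it across the transports handed out. The call sites are not visible in this diff, so this is a question to confirm rather than a demonstrated defect.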


@ -417,7 +417,8 @@ func getUpdateTransport(timeout time.Duration) http.RoundTripper {
TLSHandshakeTimeout: timeout, TLSHandshakeTimeout: timeout,
ExpectContinueTimeout: timeout, ExpectContinueTimeout: timeout,
TLSClientConfig: &tls.Config{ TLSClientConfig: &tls.Config{
RootCAs: globalRootCAs, RootCAs: globalRootCAs,
ClientSessionCache: tls.NewLRUClientSessionCache(tlsClientSessionCacheSize),
}, },
DisableCompression: true, DisableCompression: true,
} }


@ -613,7 +613,8 @@ func NewGatewayHTTPTransport() *http.Transport {
func newGatewayHTTPTransport(timeout time.Duration) *http.Transport { func newGatewayHTTPTransport(timeout time.Duration) *http.Transport {
tr := newCustomHTTPTransport(&tls.Config{ tr := newCustomHTTPTransport(&tls.Config{
RootCAs: globalRootCAs, RootCAs: globalRootCAs,
ClientSessionCache: tls.NewLRUClientSessionCache(tlsClientSessionCacheSize),
}, defaultDialTimeout)() }, defaultDialTimeout)()
// Customize response header timeout for gateway transport. // Customize response header timeout for gateway transport.
@ -639,7 +640,8 @@ func NewRemoteTargetHTTPTransport() *http.Transport {
TLSHandshakeTimeout: 5 * time.Second, TLSHandshakeTimeout: 5 * time.Second,
ExpectContinueTimeout: 5 * time.Second, ExpectContinueTimeout: 5 * time.Second,
TLSClientConfig: &tls.Config{ TLSClientConfig: &tls.Config{
RootCAs: globalRootCAs, RootCAs: globalRootCAs,
ClientSessionCache: tls.NewLRUClientSessionCache(tlsClientSessionCacheSize),
}, },
// Go net/http automatically unzip if content-type is // Go net/http automatically unzip if content-type is
// gzip disable this feature, as we are always interested // gzip disable this feature, as we are always interested
@ -1135,6 +1137,7 @@ func newTLSConfig(getCert certs.GetCertificateFunc) *tls.Config {
MinVersion: tls.VersionTLS12, MinVersion: tls.VersionTLS12,
NextProtos: []string{"http/1.1", "h2"}, NextProtos: []string{"http/1.1", "h2"},
GetCertificate: getCert, GetCertificate: getCert,
ClientSessionCache: tls.NewLRUClientSessionCache(tlsClientSessionCacheSize),
} }
tlsClientIdentity := env.Get(xtls.EnvIdentityTLSEnabled, "") == config.EnableOn tlsClientIdentity := env.Get(xtls.EnvIdentityTLSEnabled, "") == config.EnableOn
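Review bot: `ClientSessionCache` added in newTLSConfig has no effect on a server-side config: crypto/tls consults it only when the config is used for outgoing client handshakes, and the neighbouring `GetCertificate: getCert` field is a server-only callback, so this appears to be the server's TLS config. If the config is never reused for client connections, the added line is dead and should be dropped; if it is cloned for client use somewhere, a short comment such as `// also reused for client connections; see <call site>` would explain why a server config carries a client cache. newTLSConfig continues outside the hunk, so how the config is consumed cannot be confirmed from here.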