Add small client TLS PSK cache (#14039)
This commit is contained in:
parent
0d3ae3810f
commit
3d66d053c7
@ -118,6 +118,9 @@ const (
|
|||||||
|
|
||||||
// diskMinInodes is the minimum number of inodes we want free on a disk to perform writes.
|
// diskMinInodes is the minimum number of inodes we want free on a disk to perform writes.
|
||||||
diskMinInodes = 1000
|
diskMinInodes = 1000
|
||||||
|
|
||||||
|
// tlsClientSessionCacheSize is the cache size for client sessions.
|
||||||
|
tlsClientSessionCacheSize = 100
|
||||||
)
|
)
|
||||||
|
|
||||||
var globalCLIContext = struct {
|
var globalCLIContext = struct {
|
||||||
|
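Review bot: The doc comment on the new constant (line 30) does not say what the number is a size of, and every call site in this commit invokes tls.NewLRUClientSessionCache separately, so 100 is a per-transport entry count rather than a process-wide budget. A reader tuning it later will want that stated; suggested wording: `// tlsClientSessionCacheSize is the number of resumable TLS sessions kept by each client transport's LRU cache; every transport built in this package gets its own cache.` The enclosing const block starts before this hunk.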
@ -181,15 +181,17 @@ func serverHandleCmdArgs(ctx *cli.Context) {
|
|||||||
|
|
||||||
// allow transport to be HTTP/1.1 for proxying.
|
// allow transport to be HTTP/1.1 for proxying.
|
||||||
globalProxyTransport = newCustomHTTPProxyTransport(&tls.Config{
|
globalProxyTransport = newCustomHTTPProxyTransport(&tls.Config{
|
||||||
RootCAs: globalRootCAs,
|
RootCAs: globalRootCAs,
|
||||||
CipherSuites: fips.CipherSuitesTLS(),
|
CipherSuites: fips.CipherSuitesTLS(),
|
||||||
CurvePreferences: fips.EllipticCurvesTLS(),
|
CurvePreferences: fips.EllipticCurvesTLS(),
|
||||||
|
ClientSessionCache: tls.NewLRUClientSessionCache(tlsClientSessionCacheSize),
|
||||||
}, rest.DefaultTimeout)()
|
}, rest.DefaultTimeout)()
|
||||||
globalProxyEndpoints = GetProxyEndpoints(globalEndpoints)
|
globalProxyEndpoints = GetProxyEndpoints(globalEndpoints)
|
||||||
globalInternodeTransport = newInternodeHTTPTransport(&tls.Config{
|
globalInternodeTransport = newInternodeHTTPTransport(&tls.Config{
|
||||||
RootCAs: globalRootCAs,
|
RootCAs: globalRootCAs,
|
||||||
CipherSuites: fips.CipherSuitesTLS(),
|
CipherSuites: fips.CipherSuitesTLS(),
|
||||||
CurvePreferences: fips.EllipticCurvesTLS(),
|
CurvePreferences: fips.EllipticCurvesTLS(),
|
||||||
|
ClientSessionCache: tls.NewLRUClientSessionCache(tlsClientSessionCacheSize),
|
||||||
}, rest.DefaultTimeout)()
|
}, rest.DefaultTimeout)()
|
||||||
|
|
||||||
// On macOS, if a process already listens on LOCALIPADDR:PORT, net.Listen() falls back
|
// On macOS, if a process already listens on LOCALIPADDR:PORT, net.Listen() falls back
|
||||||
|
@ -1642,7 +1642,8 @@ func newRemoteClusterHTTPTransport() *http.Transport {
|
|||||||
tr := &http.Transport{
|
tr := &http.Transport{
|
||||||
Proxy: http.ProxyFromEnvironment,
|
Proxy: http.ProxyFromEnvironment,
|
||||||
TLSClientConfig: &tls.Config{
|
TLSClientConfig: &tls.Config{
|
||||||
RootCAs: globalRootCAs,
|
RootCAs: globalRootCAs,
|
||||||
|
ClientSessionCache: tls.NewLRUClientSessionCache(tlsClientSessionCacheSize),
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
return tr
|
return tr
|
||||||
|
@ -417,7 +417,8 @@ func getUpdateTransport(timeout time.Duration) http.RoundTripper {
|
|||||||
TLSHandshakeTimeout: timeout,
|
TLSHandshakeTimeout: timeout,
|
||||||
ExpectContinueTimeout: timeout,
|
ExpectContinueTimeout: timeout,
|
||||||
TLSClientConfig: &tls.Config{
|
TLSClientConfig: &tls.Config{
|
||||||
RootCAs: globalRootCAs,
|
RootCAs: globalRootCAs,
|
||||||
|
ClientSessionCache: tls.NewLRUClientSessionCache(tlsClientSessionCacheSize),
|
||||||
},
|
},
|
||||||
DisableCompression: true,
|
DisableCompression: true,
|
||||||
}
|
}
|
||||||
|
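Review bot: The cache added on line 201 lives exactly as long as the http.RoundTripper that getUpdateTransport returns, so it only pays off if callers keep and reuse that transport; if a fresh one is built per update check, every cache starts empty and the extra allocation buys nothing. I cannot see the callers from this hunk, so this is an inference to confirm. The same applies to newGatewayHTTPTransport (next hunk, line 242) and NewRemoteTargetHTTPTransport (the hunk after, line 282), both of which are constructors that may be called per target. If any of them is per-call, either hoist the cache to a package-level `var` shared by that constructor's transports or drop the line there. getUpdateTransport's body begins before this hunk.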
@ -613,7 +613,8 @@ func NewGatewayHTTPTransport() *http.Transport {
|
|||||||
|
|
||||||
func newGatewayHTTPTransport(timeout time.Duration) *http.Transport {
|
func newGatewayHTTPTransport(timeout time.Duration) *http.Transport {
|
||||||
tr := newCustomHTTPTransport(&tls.Config{
|
tr := newCustomHTTPTransport(&tls.Config{
|
||||||
RootCAs: globalRootCAs,
|
RootCAs: globalRootCAs,
|
||||||
|
ClientSessionCache: tls.NewLRUClientSessionCache(tlsClientSessionCacheSize),
|
||||||
}, defaultDialTimeout)()
|
}, defaultDialTimeout)()
|
||||||
|
|
||||||
// Customize response header timeout for gateway transport.
|
// Customize response header timeout for gateway transport.
|
||||||
@ -639,7 +640,8 @@ func NewRemoteTargetHTTPTransport() *http.Transport {
|
|||||||
TLSHandshakeTimeout: 5 * time.Second,
|
TLSHandshakeTimeout: 5 * time.Second,
|
||||||
ExpectContinueTimeout: 5 * time.Second,
|
ExpectContinueTimeout: 5 * time.Second,
|
||||||
TLSClientConfig: &tls.Config{
|
TLSClientConfig: &tls.Config{
|
||||||
RootCAs: globalRootCAs,
|
RootCAs: globalRootCAs,
|
||||||
|
ClientSessionCache: tls.NewLRUClientSessionCache(tlsClientSessionCacheSize),
|
||||||
},
|
},
|
||||||
// Go net/http automatically unzip if content-type is
|
// Go net/http automatically unzip if content-type is
|
||||||
// gzip disable this feature, as we are always interested
|
// gzip disable this feature, as we are always interested
|
||||||
@ -1135,6 +1137,7 @@ func newTLSConfig(getCert certs.GetCertificateFunc) *tls.Config {
|
|||||||
MinVersion: tls.VersionTLS12,
|
MinVersion: tls.VersionTLS12,
|
||||||
NextProtos: []string{"http/1.1", "h2"},
|
NextProtos: []string{"http/1.1", "h2"},
|
||||||
GetCertificate: getCert,
|
GetCertificate: getCert,
|
||||||
|
ClientSessionCache: tls.NewLRUClientSessionCache(tlsClientSessionCacheSize),
|
||||||
}
|
}
|
||||||
|
|
||||||
tlsClientIdentity := env.Get(xtls.EnvIdentityTLSEnabled, "") == config.EnableOn
|
tlsClientIdentity := env.Get(xtls.EnvIdentityTLSEnabled, "") == config.EnableOn
|
||||||
|
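Review bot: `ClientSessionCache` on line 319 is inert in this tls.Config: crypto/tls consults ClientSessionCache only when acting as a TLS client, and this config is the listener's (it sets GetCertificate on line 313 and the server NextProtos on line 308). Server-side resumption in Go is governed by session tickets (SessionTicketsDisabled and SetSessionTicketKeys), which this commit does not touch, so the line should be removed rather than left to suggest the server now caches sessions. If it is deliberately kept because the same config value is later cloned for outbound use, say so with a comment on the line, e.g. `// Only honoured when this config is reused for client connections; ignored by the listener.` newTLSConfig continues past the end of this hunk.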