lub
/
mailu
1
0
Fork 0
Code Issues Pull Requests Packages Releases Wiki Activity

Merge #2605

Browse Source 
2605: Reduce the SSL session caches from 50m each to 3m each r=nextgens a=nextgens

## What type of PR?

enhancement

## What does this PR do?

Reduce the SSL session caches from 50m each to 3m each. This should be good for 12k sessions (within 1day, see http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache and our ssl_session_timeout) for each cache and will help reduce memory usage.

### Related issue(s)

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [ ] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
main
bors[bot] 2 years ago committed by GitHub
parent c729954b4a cd107182c1
commit 874e58348f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 4 additions and 3 deletions
Show Stats Download Patch File Download Diff File

4
core/nginx/conf/nginx.conf
Unescape Escape View File

@ -100,7 +100,7 @@ http {
include /etc/nginx/tls.conf; include /etc/nginx/tls.conf;
ssl_stapling on; ssl_stapling on;
ssl_stapling_verify on; ssl_stapling_verify on;
ssl_session_cache shared:SSLHTTP:50m; ssl_session_cache shared:SSLHTTP:3m;
add_header Strict-Transport-Security 'max-age=31536000'; add_header Strict-Transport-Security 'max-age=31536000';
{% if not TLS_FLAVOR in [ 'mail', 'mail-letsencrypt' ] %} {% if not TLS_FLAVOR in [ 'mail', 'mail-letsencrypt' ] %}
@ -284,7 +284,7 @@ mail {
{% if TLS and not TLS_ERROR %} {% if TLS and not TLS_ERROR %}
include /etc/nginx/tls.conf; include /etc/nginx/tls.conf;
ssl_session_cache shared:SSLMAIL:50m; ssl_session_cache shared:SSLMAIL:3m;
{% endif %} {% endif %}
# Advertise real capabilities of backends (postfix/dovecot) # Advertise real capabilities of backends (postfix/dovecot)

2
core/nginx/conf/tls.conf
Unescape Escape View File

@ -6,7 +6,7 @@ ssl_certificate_key {{ TLS[3] }};
ssl_trusted_certificate /etc/ssl/certs/ca-cert-ISRG_Root_X1.pem; ssl_trusted_certificate /etc/ssl/certs/ca-cert-ISRG_Root_X1.pem;
{% endif %} {% endif %}
ssl_session_timeout 1d; ssl_session_timeout 1d;
ssl_session_tickets off; ssl_session_tickets off; # this can be removed when we have nginx v1.23.2
ssl_dhparam /conf/dhparam.pem; ssl_dhparam /conf/dhparam.pem;
ssl_protocols TLSv1.2 TLSv1.3; ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;

1
towncrier/newsfragments/2605.misc
Unescape Escape View File

@ -0,0 +1 @@
Reduce the SSL session caches from 50m each to 3m each. This should be good for 12k sessions (within 1day) for each cache and will help reduce memory usage.
Write Preview
Loading…
Cancel
Save