From: William Dauchy
Date: Fri, 12 Feb 2021 14:58:46 +0000 (+0100)
Subject: DOC: tune: explain the origin of block size for ssl.cachesize
X-Git-Url: http://git.haproxy.org/?a=commitdiff_plain;h=545c08a3b247b8adfa77250eb277cc431bff9ddc;p=haproxy-2.1.git

DOC: tune: explain the origin of block size for ssl.cachesize

A user could eventually ask himself where that 200-byte block size comes from. This patch tries to better explain the origin in case people are curious or want to double-check the reality.

Signed-off-by: William Dauchy
(cherry picked from commit 9a4bbfe151b8db72ef4f353b5a1c5e1d60b20646)
Signed-off-by: Christopher Faulet
(cherry picked from commit dede64a73977ac306c4e73fa347571826d0164c8)
Signed-off-by: Christopher Faulet
(cherry picked from commit 94eca95c52ffee8c345da49c44c92f37366f4f2a)
Signed-off-by: Willy Tarreau
---
diff --git a/doc/configuration.txt b/doc/configuration.txt
index f97bb18..b754533 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -1955,16 +1955,17 @@ tune.sndbuf.server tune.ssl.cachesize Sets the size of the global SSL session cache, in a number of blocks. A block - is large enough to contain an encoded session without peer certificate. - An encoded session with peer certificate is stored in multiple blocks - depending on the size of the peer certificate. A block uses approximately - 200 bytes of memory. The default value may be forced at build time, otherwise - defaults to 20000. When the cache is full, the most idle entries are purged - and reassigned. Higher values reduce the occurrence of such a purge, hence - the number of CPU-intensive SSL handshakes by ensuring that all users keep - their session as long as possible. All entries are pre-allocated upon startup - and are shared between all processes if "nbproc" is greater than 1. Setting - this value to 0 disables the SSL session cache. + is large enough to contain an encoded session without peer certificate. An + encoded session with peer certificate is stored in multiple blocks depending + on the size of the peer certificate. A block uses approximately 200 bytes of + memory (based on `sizeof(struct sh_ssl_sess_hdr) + SHSESS_BLOCK_MIN_SIZE` + calculation used for `shctx_init` function). The default value may be forced + at build time, otherwise defaults to 20000. When the cache is full, the most + idle entries are purged and reassigned. Higher values reduce the occurrence + of such a purge, hence the number of CPU-intensive SSL handshakes by ensuring + that all users keep their session as long as possible. All entries are + pre-allocated upon startup and are shared between all processes if "nbproc" + is greater than 1. Setting this value to 0 disables the SSL session cache. tune.ssl.force-private-cache This option disables SSL session cache sharing between all processes. It
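Review bot: the new parenthetical in the tune.ssl.cachesize paragraph mixes conventions and drops its articles: the surrounding text quotes identifiers with double quotes ("nbproc"), while the added sentence uses backticks, and "based on ... calculation used for `shctx_init` function" reads awkwardly. Suggest something like: `memory (based on the sizeof(struct sh_ssl_sess_hdr) + SHSESS_BLOCK_MIN_SIZE calculation passed to shctx_init()).` Since the doc now hands readers a formula to double-check, it would also help to say that the resulting figure depends on the struct layout of the build (sizeof is platform- and version-dependent), so "approximately 200 bytes" is a current-build value rather than a constant. Finally, the whole paragraph was re-wrapped, which turns a one-sentence addition into a twelve-line hunk; keeping the original line breaks where they still fit would make the change easier to review and to backport across the branches it is being cherry-picked into.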