Hello!

On Tue, Jul 26, 2011 at 09:37:25PM +0200, Srebrenko Šehić wrote:

> On Fri, Jul 22, 2011 at 4:07 PM, Maxim Dounin <mdounin@mdounin.ru> wrote:
>
> > Upstream: fix memory leak with resolved peers and ssl.
> >
> > As round robin peers created with ngx_http_upstream_create_round_robin_peer()
> > are allocated from request pool saved ssl sessions leaked on request
> > destruction.  Since saving sessions is useless here anyway (each peer is only
> > used once) - fix this by not saving sessions at all.
>
> Is this only relevant for http -> https (where the backend protocol is
> SSL) or is this bug triggered as soon as you have SSL towards the
> backend?

This is triggered as long as you use https backend (original
protocol with client doesn't matter) and peer is dynamically
created (i.e. you use proxy_pass with variables, and resulting
hostname doesn't match existing upstream{} blocks).

That is, the following is safe:

proxy_pass https://backend;

but this will leak:

proxy_pass https://127.0.0.1$request_uri;

and require explicit

proxy_ssl_session_reuse off;

as a workaround (till upcoming 1.1.0, the patch was already
committed to trunk).

Maxim Dounin

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel