Class: Hyperion::Config::TlsConfig
- Inherits: Object
  - Object
  - Hyperion::Config::TlsConfig
- Defined in: lib/hyperion/config.rb
Overview
TLS subconfig. New in 1.8.0 (Phase 4 — TLS session resumption). `session_cache_size` controls the size of the in-process server-side session cache used to short-circuit the full handshake when a client returns with a previously-issued session id. The default of 20_480 is sized for ~16 MiB of cache memory at 800 B/session — well under the workload-default 128 MiB worker RSS cap.
`ticket_key_rotation_signal` selects the OS signal that triggers a session-cache flush + ticket-key roll on the master. `:USR2` (default) is conventional for “rotate keys” signals (nginx uses SIGUSR2 for binary-upgrade, but here it’s the rotation event). Set to `:NONE` to disable rotation entirely (for workloads that don’t care about ticket-key rotation security guarantees).
Constant Summary
- ATTRS = %i[session_cache_size ticket_key_rotation_signal ktls handshake_rate_limit].freeze
- DEFAULT_SESSION_CACHE_SIZE = 20_480
- DEFAULT_ROTATION_SIGNAL = :USR2
- DEFAULT_KTLS = :auto
  2.2.0 (Phase 9): kernel TLS_TX policy.
  * :auto — enable on Linux when supported, off elsewhere
  * :on — force enable; raise at boot if unsupported
  * :off — never enable, always use userspace SSL_write
- DEFAULT_HANDSHAKE_RATE_LIMIT = :unlimited
  2.3-B: TLS handshake CPU throttle. Token-bucket budget for SSL_accept calls per second per worker. Defends direct-exposure operators against handshake storms (e.g., many short-lived TLS clients reconnecting at once during a deployment). For the nginx-fronted topology this is mostly defensive — nginx keeps long-lived upstream conns so handshake rate is normally near-zero.
  * Integer >= 1 — handshakes/sec/worker (capacity == rate).
  * :unlimited (default) — no limit; matches 2.2.0 behaviour.
Instance Method Summary
- #initialize ⇒ TlsConfig (constructor)
  A new instance of TlsConfig.
Constructor Details
#initialize ⇒ TlsConfig
Returns a new instance of TlsConfig.
    # File 'lib/hyperion/config.rb', line 235
    def initialize
      @session_cache_size = DEFAULT_SESSION_CACHE_SIZE
      @ticket_key_rotation_signal = DEFAULT_ROTATION_SIGNAL
      @ktls = DEFAULT_KTLS
      @handshake_rate_limit = DEFAULT_HANDSHAKE_RATE_LIMIT
    end
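The token-bucket budget described for DEFAULT_HANDSHAKE_RATE_LIMIT (per worker, capacity == rate), as an added example that is not Hyperion's own code. `HandshakeBucket` and `simulate_storm` are hypothetical names, and the injected clock and the constructed reconnect storm are assumptions made so the refill arithmetic can be checked offline.

```ruby
# Added example: hypothetical token bucket, not Hyperion's implementation.
class HandshakeBucket
  # limit: Integer >= 1 (handshakes/sec, capacity == rate) or :unlimited.
  # clock: injectable monotonic time source so refill logic is testable.
  def initialize(limit, clock: -> { Process.clock_gettime(Process::CLOCK_MONOTONIC) })
    unless limit == :unlimited || (limit.is_a?(Integer) && limit >= 1)
      raise ArgumentError, "handshake_rate_limit must be Integer >= 1 or :unlimited"
    end
    @limit  = limit
    @clock  = clock
    @tokens = limit == :unlimited ? nil : limit.to_f # start full: one second of burst
    @last   = clock.call
  end

  # Call before the handshake. false means the budget is spent and the caller
  # should skip SSL_accept (what happens to the socket is the caller's policy).
  def try_acquire
    return true if @limit == :unlimited

    now = @clock.call
    # Refill at `limit` tokens/sec, capped at capacity (== limit), so an idle
    # worker never banks more than one second of handshakes.
    @tokens = [@tokens + (now - @last) * @limit, @limit.to_f].min
    @last = now
    return false if @tokens < 1.0

    @tokens -= 1.0
    true
  end
end

# Constructed scenario: `attempts` clients reconnect at one instant, then the
# same number again `gap` seconds later. Returns admitted counts per burst.
def simulate_storm(limit, attempts:, gap:)
  now = 0.0
  bucket = HandshakeBucket.new(limit, clock: -> { now })
  first = attempts.times.count { bucket.try_acquire }
  now += gap
  second = attempts.times.count { bucket.try_acquire }
  [first, second]
end

if __FILE__ == $PROGRAM_NAME
  p simulate_storm(100, attempts: 500, gap: 0.5)        # limited worker
  p simulate_storm(:unlimited, attempts: 500, gap: 0.5) # 2.2.0 behaviour
end
```

With a limit of 100, the first constructed burst of 500 admits 100 handshakes and the burst 0.5 s later admits 50, which is the per-worker CPU ceiling the setting enforces during a storm.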