Tags: ssl, nginx, https, virtualhost

Can all Nginx vhosts share the same ssl_session_cache?


To me, the Nginx docs about how ssl_session_cache works are a bit unclear. I'm wondering if this:

ssl_session_cache shared:SSL:10m;

declared either in the http block or in each server (i.e. virtual host) block, results in 1) one single global cache named SSL, 10 MB large, or 2) one 10 MB cache per server, with the combined size of all caches = number of servers x 10 MB.

The docs:

shared
a cache shared between all worker processes. The cache size is specified in bytes; one megabyte can store about 4000 sessions. Each shared cache should have an arbitrary name. A cache with the same name can be used in several virtual servers.

If there'll be just one single cache, then I'd like to multiply its size with the number of servers. So, if I have 5 servers (i.e. 5 virtual hosts), then I'd place ssl_session_cache in the http block and:

ssl_session_cache shared:SSL:50m;   # 10 * 5 = 50

So, the question: Does ssl_session_cache shared:SSL:10m; create one 10 MB cache per server, or one 10 MB cache for all servers?

If it's per server, then is there no way to configure one single global cache, for all servers, instead? (If not possible, then why not, in case anyone knows?) Seems to me as if that would result in more efficient memory usage. (Because one server with many clients, could then use the memory that would otherwise have been dedicated to some other server that might have zero clients for the moment.)


Solution

  • Looking at the implementation of ssl_session_cache by ngx_http_ssl_session_cache in ngx_http_ssl_module.c, it creates one shared memory zone named "SSL", i.e. one SSL session cache.

    Any subsequent call to ssl_session_cache retrieves the previously configured shared memory zone named "SSL", instead of creating a new one (cmp. ngx_shared_memory_add in ngx_cycle.c).


    This can easily be verified by configuring different sizes for the same name like so:

    ...
    ssl_session_cache shared:SSL:4m;
    
    server {
        ...
        ssl_session_cache shared:SSL:50m;
    }
    

    This results in an error message such as:

    [emerg] the size 52428800 of shared memory zone "SSL" conflicts with already declared size  4194304 in /etc/nginx/nginx.conf:37
    

    Details (KajMagnus added)

    The shared memory zone gets added here:

      sscf->shm_zone = ngx_shared_memory_add(cf, &name, n,
                                             &ngx_http_ssl_module);
    

    and as you can see, different names result in different caches being created. So, one can have many different shared memory caches, each one with its own unique name. However, each server can use only one shared SSL memory zone — there's just one shm_zone per SSL server config, on the ngx_http_ssl_srv_conf_t *sscf structure.


    tl;dr Whether an SSL session cache is declared at http or server level does not matter. The same cache is used as long as the same name is assigned to the cache. To prevent an error message for caches with the same name, the same size must be used throughout.
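As an added example (not part of the question or the answer above, and not nginx's own code), here is a small POSIX shell script that turns the answer's point into a pre-flight check: it scans an nginx config for ssl_session_cache shared:NAME:SIZE declarations, reports each distinct zone once with its size and the rough session capacity the docs quote (about 4000 sessions per megabyte), and flags the same zone name declared with two different sizes, which is the [emerg] condition the answer triggers on purpose. The two configs are constructed for the example; the function name and output format are my own.

```shell
#!/bin/sh
# Added example: find conflicting ssl_session_cache shared zone sizes before nginx does.
# Assumes only POSIX sh, sed and awk; directive syntax is the "shared:NAME:SIZE" form
# shown in the question and answer.

# Read an nginx config file ($1), strip comments, and print one line per shared zone:
#   ZONE NAME BYTES APPROX_SESSIONS      for each distinct zone name (first declaration wins,
#                                        as ngx_shared_memory_add returns the existing zone)
#   CONFLICT NAME FIRST_BYTES NEW_BYTES  when the same name reappears with another size
# Exit status is 1 if any conflict was found, 0 otherwise.
check_ssl_session_cache() {
    sed 's/#.*//' "$1" | awk '
        # Convert an nginx size token (4m, 512k, 4194304) to bytes.
        function tobytes(v,   num, unit) {
            unit = substr(v, length(v), 1)
            num = v + 0                      # awk keeps the leading numeric prefix
            if (unit == "k" || unit == "K") return num * 1024
            if (unit == "m" || unit == "M") return num * 1024 * 1024
            return num
        }
        /ssl_session_cache[ \t]+.*shared:/ {
            s = $0
            sub(/.*shared:/, "", s)          # keep "NAME:SIZE;..." only
            sub(/[; \t].*/, "", s)           # drop the terminator and anything after it
            split(s, parts, ":")
            name = parts[1]; bytes = tobytes(parts[2])
            if (name in seen && seen[name] != bytes) {
                printf "CONFLICT %s %d %d\n", name, seen[name], bytes
                conflict = 1
            } else if (!(name in seen)) {
                seen[name] = bytes
                order[++n] = name
            }
        }
        END {
            for (i = 1; i <= n; i++)
                printf "ZONE %s %d %d\n", order[i], seen[order[i]],
                       int(seen[order[i]] / 1048576) * 4000   # docs: ~4000 sessions per MB
            exit conflict
        }'
}

# Constructed sample 1: the layout the answer uses to provoke the [emerg] message.
conflicting_conf=$(mktemp)
cat >"$conflicting_conf" <<'EOF'
http {
    ssl_session_cache shared:SSL:4m;
    server {
        listen 443 ssl;
        ssl_session_cache shared:SSL:50m;   # same name, different size -> nginx refuses to start
    }
}
EOF

# Constructed sample 2: one global cache sized for several vhosts, declared once in http
# and inherited; repeating it with the same size is harmless, a different name is a new zone.
consistent_conf=$(mktemp)
cat >"$consistent_conf" <<'EOF'
http {
    ssl_session_cache shared:SSL:50m;      # 10m * 5 vhosts, declared once
    server { listen 443 ssl; server_name a.example; }
    server { listen 443 ssl; server_name b.example; }
    server { listen 443 ssl; ssl_session_cache shared:SSL:50m; }    # repeat with same size: fine
    server { listen 443 ssl; ssl_session_cache shared:OTHER:2m; }   # separate zone
}
EOF
trap 'rm -f "$conflicting_conf" "$consistent_conf"' EXIT

echo "== conflicting config =="
check_ssl_session_cache "$conflicting_conf" || echo "conflict detected: nginx would fail with [emerg]"
echo "== consistent config =="
check_ssl_session_cache "$consistent_conf" && echo "no conflicts"
```

Run it on a real config with `check_ssl_session_cache /etc/nginx/nginx.conf` (after sourcing the script) or simply keep `nginx -t` in your deploy pipeline; the script only adds an explanation of which two declarations disagree, mirroring the "conflicts with already declared size" message.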