- Introduction
- Licensing
- Features
- Hardware Requirements
- Software Requirements
- Additional Information
- Limitations
- Installation Instructions
- SSL Engine Framework for Configuration
- Support for Nginx level Polling
- Known Issues
- Intended Audience
- Legal
Nginx* [engine x] is an HTTP and reverse proxy server, a mail proxy server, and a generic TCP/UDP proxy server, originally written by Igor Sysoev. This project provides an extended Nginx working with asynchronous mode OpenSSL*. With Intel® QuickAssist Technology(QAT) acceleration, the asynchronous mode Nginx can provide significant performance improvement.
The Licensing of the files within this project is:
Intel® Quickassist Technology (QAT) Async Mode Nginx - BSD License. Please
see the LICENSE file contained in the top level folder. Further details can
be found in the file headers of the relevant files.
- Asynchronous Mode in SSL/TLS processing (including http/stream/mail/proxy module)
- SSL Engine Framework for engine configuraion
- Support for external polling mode and heursitic polling mode
- Release hardware resource during worker is shutting down (For more details information, please read modules/nginx_qat_module/README)
- Support OpenSSL Cipher PIPELINE feature
Async Mode Nginx supports Crypto offload to the following acceleration devices:
This release was validated on the following:
- OpenSSL-1.1.0h
- QAT engine v0.5.37
- Async Mode Nginx SSL engine framework provides new directives:
Directives
Syntax: ssl_asynch on | off;
Default: ssl_asynch off;
Context: stream, mail, http, server
Enables SSL/TLS asynchronous modeExample
file: conf/nginx.conf
http {
ssl_asynch on;
server {...}
} stream {
ssl_asynch on;
server {...}
}Directives
Syntax: proxy_ssl_asynch on | off;
Default: proxy_ssl_asynch off;
Context: stream, http, server
Enables the SSL/TLS protocol asynchronous mode for connections to a proxied server.Example
file: conf/nginx.conf
http {
server {
location /ssl {
proxy_pass https://127.0.0.1:8082/outer;
proxy_ssl_asynch on;
}
}
}- Async Mode Nginx provide new option
asynchforlistendirective.
Example
file: conf/nginx.conf
http {
server{ listen 443 asynch; }
}- Support OpenSSL Cipher PIPELINE feature (Deitals information about the pipeline settings, please refer to OpenSSL Docs)
Directives
Syntax: ssl_max_pipelines size;
Default: ssl_max_pipelines 0;
Context: server
Set MAX number of pipelinesDirectives
Syntax: ssl_split_send_fragment size;
Default: ssl_split_send_fragment 0;
Context: server
Set split size of sending fragmentDirectives
Syntax: ssl_max_send_fragment size;
Default: ssl_max_send_fragment 0;
Context: server
Set max number of sending fragment-
Nginx supports
reloadoperation, when QAT hardware is involved for crypto offload, user should enure that there are enough number of qat instances. For example, the available qat instance number should be 2x equal or more than Nginx worker process number.For example, in Nginx configuration file (
nginx.conf) worker process number is configured asworker_processes 16;Then the instance configuration in QAT driver configuration file should be
[SHIM] NumberCyInstances = 1 NumberDcInstances = 0 NumProcesses = 32 LimitDevAccess = 1
Set the following environmental variables:
NGINX_INSTALL_DIR is the directory where nginx will be installed to
OPENSSL_LIB is the directory where the openssl has been installed to
Configure nginx for compilation:
./configure \
--prefix=$NGINX_INSTALL_DIR \
--with-http_ssl_module \
--add-dynamic-module=modules/nginx_qat_module/ \
--with-cc-opt="-DNGX_SECURE_MEM -I$OPENSSL_LIB/include -Wno-error=deprecated-declarations" \
--with-ld-opt="-Wl,-rpath=$OPENSSL_LIB/lib -L$OPENSSL_LIB/lib"Compile and Install:
make
make installThese instructions can be found on QAT engine
As QAT engine is implemented as a standard OpenSSL* engine, its behavior can be
controlled from the OpenSSL* configuration file (openssl.conf), which can be
found on QAT engine.
Note:
From v0.3.2 and later, this kind of configuration in openssl.conf will not be
effective for Nginx. Please use the following method to configure Nginx SSL
engine, such as Intel® QAT.
An SSL Engine Framework is introduced to provide a more powerful and flexible
mechanism to configure Nginx SSL engine direclty in the Nginx configuration file
(nginx.conf).
A new configuration block is introduced as ssl_engine which provides two
general directives:
Syntax: use_engine [engine name];
Default: N/A
Context: ssl_engine
Description:
Specify the engine nameSyntax: default_algorithms [ALL/RSA/EC/...];
Default: ALL
Context: ssl_engine
Description:
Specify the algorithms need to be offloaded to the engine
More details information please refer to OpenSSL engineA following configuration sub-block can be used to set engine specific
configuration. The name of the sub-block should have a prefix using the
engine name specified in use_engine, such as [engine_name]_engine.
Any 3rd party modules can be intergrated into this framwork. By default, a
reference module dasync_module is provided in src/engine/modules
and a QAT module nginx_qat_module is provided in modules/nginx_qat_modules.
An example configuration in the nginx.conf:
load_module modules/ngx_ssl_engine_qat_module.so;
...
ssl_engine {
use_engine qat;
default_algorithms RSA,EC,DH,PKEY_CRYPTO;
qat_engine {
qat_offload_mode async;
qat_notify_mode poll;
qat_poll_mode heuristic;
qat_shutting_down_release on;
}
}For more details directives of nginx_qat_module, please refer to
modules/nginx_qat_modules/README.
The qat_module provides two kinds of nginx side polling for QAT engine,
- external polling mode
- heuristic polling mode
Please refer to the README file in the modules/nginx_qat_modules directory
to install this dynamic module.
Note: External polling and heuristic polling are unavailable in SSL proxy and stream module up to current release.
A timer-based polling is employed in each Nginx worker process to collect accelerator's response.
**Directives in the qat_module **
Syntax: qat_external_poll_interval time;
Default: 1
Dependency: Valid if (qat_poll_mode=external)
Context: qat_engine
Description:
External polling time interval (ms)
Valid value: 1 ~ 1000Example file: conf/nginx.conf
load_module modules/ngx_ssl_engine_qat_module.so;
...
ssl_engine {
use_engine qat;
default_algorithms ALL;
qat_engine {
qat_offload_mode async;
qat_notify_mode poll;
qat_poll_mode external;
qat_external_poll_interval 1;
}
}This mode can be regarded as an improvement of the timer-based external polling. It is the recommended polling mode to communicate with QAT accelerators because of its performance advantages. With the knowledge of the offload traffic, it controls the response reaping rate to match the request submission rate so as to maximize system efficiency with moderate latency, and adapt well to diverse types of network traffics.
Note:
- This mode is only available when using QAT engine v0.5.35 or later.
- External polling timer is enabled by default when heruistic polling mode is enabled.
In the heuristic polling mode, a polling operation is only trigerred at a proper moment:
- Number of in-flight offload requests reaches a pre-defined threshold (in consideration of efficiency)
- All the active SSL connections have submitted their cryptographic requests and been waitting for the corresponding responses (in consideration of timeliness).
**Directives in the qat_module **
Syntax: qat_heuristic_poll_asym_threshold num;
Default: 48
Dependency: Valid if (qat_poll_mode=heuristic)
Context: qat_engine
Description:
Threshold of the number of in-flight requests to trigger a polling
operation when there are in-flight asymmetric crypto requests
Valid value: 1 ~ 512
Syntax: qat_heuristic_poll_sym_threshold num;
Default: 24
Dependency: Valid if (qat_poll_mode=heuristic)
Context: qat_engine
Description:
Threshold of the number of in-flight requests to trigger a polling
operation when there is no in-flight asymmetric crypto request
Valid value: 1 ~ 512Example
file: conf/nginx.conf
load_module modules/ngx_ssl_engine_qat_module.so;
...
ssl_engine {
use_engine qat;
default_algorithms ALL;
qat_engine {
qat_offload_mode async;
qat_notify_mode poll;
qat_poll_mode heuristic;
qat_heuristic_poll_asym_threshold 48;
qat_heuristic_poll_sym_threshold 24;
}
}** 'Orphan ring' errors in dmesg output when Nginx exit **
Working with current QAT driver (version 1.0.3 in 01.org), Nginx workers exit
with 'Orphan ring' errors. This issue has been fixed in next QAT driver release
** Cache manager/loader process will allocate QAT instance via QAT engine **
According to current QAT engine design, child process forked by master
process will initialize QAT engine automatically in QAT engine atfork
hook function. If cache manager/loader processes are employed, QAT instances
will be allocated in the same way as worker process. Cache manager/loader
processes do not perform modules' exit process method in Nginx native design
which will introduce "Orphan ring" error message in dmesg output.
The target audience may be software developers, test and validation engineers, system integrators, end users and consumers for Async Mode Nginx integrated Intel® Quick Assist Technology.
Intel® disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade.
This document contains information on products, services and/or processes in development. All information provided here is subject to change without notice. Contact your Intel® representative to obtain the latest forecast , schedule, specifications and roadmaps.
The products and services described may contain defects or errors known as errata which may cause deviations from published specifications. Current characterized errata are available on request.
Copies of documents which have an order number and are referenced in this document may be obtained by calling 1-800-548-4725 or by visiting www.intel.com/design/literature.htm.
Intel, the Intel logo are trademarks of Intel Corporation in the U.S. and/or other countries.
*Other names and brands may be claimed as the property of others