SSL application configuration

[mmzeeman]

When you have a busy site with lots of ssl connections the default configuration options of the ssl session manager don't really work. It may keeps ssl sessions for 24 hours, but has just room for 1000 sessions in the table. When the table is full, all sessions in the table are invalidated. When you have a busy site you see this happen often and the ssl_manager's mailbox is filled with hundreds of messages.

Something needs to be written about this somewhere, and the erlang.config.in needs good ssl session defaults which works for web-servers. Maybe something like this?

%%% Ssl application defaults. 
 {ssl, [
  {session_cache_server_max, 20000}, % Increase when you have a lot of connections 
  {session_lifetime, 300}, % 5 minutes (in seconds).
  {ssl_pem_cache_clean, 300000} % Clean pem cache every 5 minutes. (in milliseconds)
 ]},

[arjan]

Yes it could go in our erlang.config, right?

[mmzeeman]

Yes, that is where it should end up.

Should we add a warning message for when these settings are not changed?

[mmzeeman]

The defaults NGINX uses look sensible to me. About 20000 entries and 5 minute session expiration time. It mentions that 4000 sessions take up 1 Mb of memory.

[ddeboer]

Agreed on the NGINX defaults. @mmzeeman Please open a PR with these lines added to erlang.config.in (or zotonic.config.in?). Can you also add instructions on how to change this to http://zotonic.com/docs/latest/ref/modules/mod_ssl.html?

[ddeboer]

@mmzeeman Has this issue been satisfactorily fixed in #1337?