From 85e94c53e2380b8a24dc9100666fb8f5af1593f4 Mon Sep 17 00:00:00 2001
From: Mo Chen
Date: Mon, 15 Jun 2026 14:37:02 -0500
Subject: [PATCH] net: count application bytes in read_bytes for TLS
On TLS connections, net.read_bytes was only counting some bytes for the handshake, and none of the incoming ciphertext. This is neither intuitive nor consistent with net.write_bytes. The fix for now is to make it symmetric with net.write_bytes. Count the plaintext bytes for TLS. This means not counting the handshake bytes. For a long term fix, I plan to add more comprehensive metrics for TLS.
---
 .../statistics/core/network-io.en.rst | 19 +++++++++++++++++++
 src/iocore/net/SSLNetVConnection.cc | 5 +++--
 2 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/doc/admin-guide/monitoring/statistics/core/network-io.en.rst b/doc/admin-guide/monitoring/statistics/core/network-io.en.rst
index 56168ab9595..f26d51457cc 100644
--- a/doc/admin-guide/monitoring/statistics/core/network-io.en.rst
+++ b/doc/admin-guide/monitoring/statistics/core/network-io.en.rst
@@ -79,10 +79,29 @@ Network I/O
 :type: counter
 :units: bytes
+ Application-layer bytes read from client and origin connections. For TLS
+ connections this is the decrypted payload, symmetric with ``write_bytes``; it
+ does not include TLS handshake or record-layer framing.
+
+.. ts:stat:: global proxy.process.net.read_bytes_count integer
+ :type: counter
+
+ The number of read operations that contributed to ``read_bytes``. For TLS
+ connections this is one per decrypted-read pass, not per socket read.
+
 .. ts:stat:: global proxy.process.net.write_bytes integer
 :type: counter
 :units: bytes
+ Application-layer bytes written to client and origin connections. For TLS
+ connections this is the plaintext payload; it does not include TLS handshake
+ or record-layer framing.
+
+.. ts:stat:: global proxy.process.net.write_bytes_count integer
+ :type: counter
+
+ The number of write operations that contributed to ``write_bytes``.
+
 .. ts:stat:: global proxy.process.tcp.total_accepts integer
 :type: counter
diff --git a/src/iocore/net/SSLNetVConnection.cc b/src/iocore/net/SSLNetVConnection.cc
index 95b7e57f11a..d5215b8b254 100644
--- a/src/iocore/net/SSLNetVConnection.cc
+++ b/src/iocore/net/SSLNetVConnection.cc
@@ -287,6 +287,9 @@ SSLNetVConnection::_ssl_read_from_net(int64_t &ret)
 Dbg(dbg_ctl_ssl, "bytes_read=%" PRId64, bytes_read);
 s->vio.ndone += bytes_read;
+ // Decrypted application bytes, to match write_bytes (also plaintext for TLS).
+ Metrics::Counter::increment(net_rsb.read_bytes, bytes_read);
+ Metrics::Counter::increment(net_rsb.read_bytes_count);
 this->netActivity();
 ret = bytes_read;
@@ -351,8 +354,6 @@ SSLNetVConnection::read_raw_data()
 r = total_read - rattempted + r;
 }
 }
- Metrics::Counter::increment(net_rsb.read_bytes, r);
- Metrics::Counter::increment(net_rsb.read_bytes_count);
 if (!this->haveCheckedProxyProtocol) {
 // The PROXY Protocol, by spec, is designed to require only the first TCP packet of bytes
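Review bot: With the two increments removed from read_raw_data, nothing visible in SSLNetVConnection attributes the bytes consumed before the handshake completes (handshake records, and whatever the PROXY protocol check that follows consumes) to any net counter, so net.read_bytes on a TLS port stays flat under a handshake-only flood; that is the stated intent of the commit, but it is invisible at the site, and an operator using read_bytes as an ingress-volume signal should not be surprised by it. A one-line comment where the lines were removed would keep a future reader from re-adding them, e.g. `// Raw (handshake/ciphertext) bytes are deliberately not counted here; read_bytes is plaintext, see _ssl_read_from_net.` The new comment in the _ssl_read_from_net hunk could likewise state that handshake and record framing are excluded, rather than only that the count matches write_bytes. If any other path delivers decrypted bytes into the read VIO without passing this spot in _ssl_read_from_net (a TLS 1.3 early-data buffer, for instance), those bytes would now be uncounted — worth confirming against the rest of the file. Both _ssl_read_from_net and read_raw_data start and end outside their hunks.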