Hello!

On Mon, Sep 22, 2014 at 4:39 AM, Richard Fussenegger, BSc wrote:
> I'd like to implement built-in session ticket rotation. I know that this
> was discussed before but it was never implemented. Right now a custom
> external ticket key system is supported. Admins with single installations
> and not enough knowledge about the topic are left with keys that are valid
> for the complete lifetime nginx is running.
>
Fortunately this does not have to be in the nginx core :)

We're using the ngx_lua module [1] to periodically update the session ticket keys from external shared data services (like memcached). To be more specific, we're using ngx_lua's init_worker_by_lua [2] to create a recurring timer (via ngx.timer.at [3]), fetch a new ticket key from external data sources via the nonblocking lua-resty-memcached library [4], and add it to the existing queue used by OpenSSL via LuaJIT FFI [5]. Also, we use lua_shared_dict [6] to reduce traffic to the external data source online. No patches are needed for the nginx core :)

In this "add-on" implementation, the ticket keys are also shared across all our machines.

Best regards,
-agentzh

[1] https://github.com/openresty/lua-nginx-module
[2] https://github.com/openresty/lua-nginx-module#init_worker_by_lua
[3] https://github.com/openresty/lua-nginx-module#ngxtimerat
[4] https://github.com/openresty/lua-resty-memcached
[5] http://luajit.org/ext_ffi.html
[6] https://github.com/openresty/lua-nginx-module#lua_shared_dict

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
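The scheme agentzh sketches above has three moving parts: a key queue with the semantics OpenSSL expects from a ticket-key callback (newest key encrypts, older keys still decrypt, a ticket under an old key is accepted but renewed), a shared store that every worker on every host reads the same key from, and a per-worker cache so the recurring timer does not hit the store on every tick. The following is an added example written for this page, not code from agentzh's deployment or from nginx or OpenResty. It models those three parts in plain Python so the rotation behaviour can be checked offline: the dict `SharedKeyStore` stands in for memcached, the `cache` dict for lua_shared_dict, and an HMAC-based keystream stands in for AES-128-CBC so only the standard library is needed. The 48-byte key layout (16-byte name, 16-byte AES key, 16-byte HMAC key) follows nginx's ssl_session_ticket_key file format of the time; the class and function names are this example's own.

```python
import hmac
import hashlib
import os
import struct

KEY_LEN = 48  # nginx ssl_session_ticket_key layout: 16 name | 16 AES key | 16 HMAC key


def new_ticket_key(name=None):
    """Generate one 48-byte ticket key; a fresh random name unless one is given."""
    name = name if name is not None else os.urandom(16)
    return name + os.urandom(16) + os.urandom(16)


class TicketKeyRing:
    """Key queue with ticket-callback semantics: keys[0] seals new tickets, every
    key may unseal, and a ticket under a non-primary key is accepted but flagged
    for renewal (the callback's return value 2 in OpenSSL's contract)."""

    def __init__(self, keys, max_keys=3):
        self.max_keys = max_keys
        self.keys = list(keys)[:max_keys]

    def rotate(self, key):
        """Make `key` the new primary; evict the oldest past max_keys.
        Returns False when the key name is already in the ring (re-read from store)."""
        if any(k[:16] == key[:16] for k in self.keys):
            return False
        self.keys.insert(0, key)
        del self.keys[self.max_keys:]
        return True

    @staticmethod
    def _keystream(enc_key, iv, n):
        # Constructed stand-in for AES-128-CBC: HMAC-SHA256 in counter mode.
        out, ctr = b"", 0
        while len(out) < n:
            out += hmac.new(enc_key, iv + struct.pack(">I", ctr), hashlib.sha256).digest()
            ctr += 1
        return out[:n]

    def seal(self, state):
        """Protect session state under the primary key: name | iv | ct | tag."""
        name, enc, mac = self.keys[0][:16], self.keys[0][16:32], self.keys[0][32:48]
        iv = os.urandom(16)
        ct = bytes(a ^ b for a, b in zip(state, self._keystream(enc, iv, len(state))))
        tag = hmac.new(mac, name + iv + ct, hashlib.sha256).digest()
        return name + iv + ct + tag

    def unseal(self, ticket):
        """Return (status, state): 0 unknown key or bad tag (full handshake),
        1 primary key, 2 older key (resume, then hand out a fresh ticket)."""
        name, iv, ct, tag = ticket[:16], ticket[16:32], ticket[32:-32], ticket[-32:]
        for idx, key in enumerate(self.keys):
            if key[:16] != name:
                continue
            enc, mac = key[16:32], key[32:48]
            expect = hmac.new(mac, name + iv + ct, hashlib.sha256).digest()
            if not hmac.compare_digest(expect, tag):
                return 0, None
            state = bytes(a ^ b for a, b in zip(ct, self._keystream(enc, iv, len(ct))))
            return (1 if idx == 0 else 2), state
        return 0, None


class SharedKeyStore:
    """Stand-in for memcached: all workers on all hosts read one current key,
    so a ticket issued by one machine resumes on another."""

    def __init__(self):
        self.current = new_ticket_key()
        self.reads = 0

    def get(self):
        self.reads += 1
        return self.current

    def publish(self, key):
        self.current = key


def rotation_tick(ring, store, cache, now, ttl):
    """One run of the recurring timer: use the per-worker cache (lua_shared_dict
    role) while it is fresh, otherwise re-read the store, then push the key."""
    if cache.get("key") is None or now - cache.get("fetched", 0) >= ttl:
        cache["key"] = store.get()
        cache["fetched"] = now
    return ring.rotate(cache["key"])


def demo():
    """Issue a ticket, rotate twice, and record the unseal status each time."""
    store, cache = SharedKeyStore(), {}
    ring = TicketKeyRing([store.get()], max_keys=2)
    ticket = ring.seal(b"session-state-under-key-A")
    statuses = [ring.unseal(ticket)[0]]                      # primary key -> 1
    store.publish(new_ticket_key())
    rotation_tick(ring, store, cache, now=0, ttl=60)
    statuses.append(ring.unseal(ticket)[0])                  # old key -> 2, renew
    store.publish(new_ticket_key())
    rotation_tick(ring, store, cache, now=60, ttl=60)
    statuses.append(ring.unseal(ticket)[0])                  # evicted -> 0
    return statuses
```

The `max_keys` depth times the timer interval is the window during which a stolen ticket key still decrypts captured sessions, which is the forward-secrecy cost Richard's point is about; in a real deployment the store should hand out keys generated from a CSPRNG on one trusted node, and the cache TTL should be shorter than the rotation interval so every worker picks up a new key before the old one is evicted elsewhere.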