Session Ticket Rotation
Yichun Zhang (agentzh)
agentzh at gmail.com
Fri Oct 10 20:57:43 UTC 2014
On Mon, Sep 22, 2014 at 4:39 AM, Richard Fussenegger, BSc wrote:
> I'd like to implement built-in session ticket rotation. I know that this
> was discussed before but it was never implemented. Right now a custom
> external ticket key system is supported. Admins with single installations
> and not enough knowledge about the topic are left with keys that are valid
> for the complete lifetime nginx is running.
Fortunately this does not have to be in the nginx core :)
We're using the ngx_lua module to periodically update the session
ticket keys from external shared data services (like memcached).
To be more specific, we're using ngx_lua's init_worker_by_lua to
create a recurring timer (via ngx.timer.at) and fetch a new
ticket key from external data sources via the nonblocking
lua-resty-memcached library and add that into the existing queue
used by OpenSSL via LuaJIT FFI.
Also, we use the lua_shared_dict to reduce traffic to the external
data source online.
No patches are needed for the nginx core :)
In this "add-on" implementation, the ticket keys are also shared
across all our machines.
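The flow described above (a recurring ngx.timer.at timer started from init_worker_by_lua, a lua-resty-memcached fetch, and a lua_shared_dict cache in front of memcached), written out as an added example. This is not code from the post or from the OpenResty project. The shared dict name `ticket_keys`, the memcached address and key name, the base64 encoding of the stored key, and the intervals are assumptions; `install_ticket_key` is a hypothetical hook standing in for the LuaJIT FFI call into OpenSSL that the post mentions, since that step depends on reaching the server's SSL_CTX and is not part of ngx_lua's public API.

```lua
-- init_worker_by_lua_file /etc/nginx/ticket_rotation.lua   (assumed path)
-- Needs in the http block:  lua_shared_dict ticket_keys 1m;  (assumed name)

local memcached = require "resty.memcached"

local CHECK_INTERVAL = 60            -- seconds between checks (assumed)
local CACHE_TTL      = 60            -- how long a fetched key stays in the dict (assumed)
local MEMC_HOST, MEMC_PORT = "127.0.0.1", 11211      -- assumed memcached address
local MEMC_KEY  = "tls:ticket:current"               -- assumed key, base64 value
local KEY_LEN   = 48                 -- OpenSSL ticket key: 16B name + 16B HMAC + 16B AES
local NAME_LEN  = 16                 -- key name prefix used to detect a rotation

local dict = ngx.shared.ticket_keys
local last_installed_name = nil      -- per worker: each worker owns its own SSL_CTX

-- Hypothetical hook (assumption): the FFI call that pushes the 48-byte key
-- into OpenSSL's ticket key list. OpenSSL encrypts new tickets with the
-- newest key and still decrypts tickets issued under the older ones.
local function install_ticket_key(raw_key)
    -- e.g. SSL_CTX_set_tlsext_ticket_keys(ctx, raw_key, #raw_key) via ffi
    return true
end

-- Fetch the current key from memcached and validate it before use.
local function fetch_key_from_memcached()
    local memc, err = memcached:new()
    if not memc then
        return nil, err
    end
    memc:set_timeout(1000)                           -- milliseconds

    local ok, err = memc:connect(MEMC_HOST, MEMC_PORT)
    if not ok then
        return nil, "connect: " .. err
    end

    local value, flags, err = memc:get(MEMC_KEY)
    memc:set_keepalive(10000, 10)                    -- return conn to the pool
    if err then
        return nil, "get: " .. err
    end
    if not value then
        return nil, "no ticket key stored under " .. MEMC_KEY
    end

    -- Reject anything that is not exactly one well-formed ticket key.
    local raw = ngx.decode_base64(value)
    if not raw or #raw ~= KEY_LEN then
        return nil, "malformed ticket key (expected " .. KEY_LEN .. " raw bytes)"
    end
    return raw
end

-- Timer body: consult the shared dict first so that only one memcached
-- round trip per CACHE_TTL happens per nginx instance, not per worker.
local function rotate(premature)
    if premature then
        return                                       -- worker is exiting
    end

    local raw = dict:get("current")
    if not raw then
        local err
        raw, err = fetch_key_from_memcached()
        if raw then
            dict:set("current", raw, CACHE_TTL)
        else
            ngx.log(ngx.ERR, "ticket key fetch failed: ", err)
        end
    end

    if raw then
        local name = string.sub(raw, 1, NAME_LEN)
        if name ~= last_installed_name then          -- only act on a real rotation
            local ok = install_ticket_key(raw)
            if ok then
                last_installed_name = name
                ngx.log(ngx.NOTICE, "installed new session ticket key")
            end
        end
    end

    local ok, err = ngx.timer.at(CHECK_INTERVAL, rotate)
    if not ok then
        ngx.log(ngx.ERR, "failed to re-arm ticket rotation timer: ", err)
    end
end

-- Start immediately in every worker; OpenSSL state is per process.
local ok, err = ngx.timer.at(0, rotate)
if not ok then
    ngx.log(ngx.ERR, "failed to create ticket rotation timer: ", err)
end
```

The timer runs in every worker on purpose: OpenSSL's key list lives in each worker's own SSL_CTX, so a key installed by one worker is invisible to the others. The shared dict is what keeps that from multiplying memcached traffic by the worker count, and the length check on the decoded key prevents a truncated or mistyped value in memcached from being handed to OpenSSL.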