Session Ticket Rotation

Yichun Zhang (agentzh) agentzh at
Fri Oct 10 20:57:43 UTC 2014


On Mon, Sep 22, 2014 at 4:39 AM, Richard Fussenegger, BSc wrote:
> I'd like to implement built-in session ticket rotation. I know that this
> was discussed before but it was never implemented. Right now a custom
> external ticket key system is supported. Admins with single installations
> and not enough knowledge about the topic are left with keys that are valid
> for the complete lifetime nginx is running.

Fortunately this does not have to be in the nginx core :)

We're using the ngx_lua module [1] to periodically update the session
ticket keys from external shared data services (like memcached).

To be more specific, we're using ngx_lua's init_worker_by_lua [2] to
create a re-occurring timer (via [3]) and fetch a new
ticket key from external data sources via the nonblocking
lua-resty-memcached library [4] and add that into the existing queue
used by OpenSSL via LuaJIT FFI [5].

Also, we use the lua_shared_dict [6] to reduce traffic to the external
data source online.

No patches are needed for the nginx core :)

In this "add-on" implementation, the ticket keys are also shared
across all our machines.

Best regards,
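
The rotation scheme described in the message above, modelled in Python as an added illustration; this is not code from the post, from ngx_lua or from nginx. The 48-byte key with a 16-byte name prefix, the hourly interval, the three-key queue and every class and function name are assumptions, and plain dictionaries stand in for memcached and lua_shared_dict.

```python
import os

KEY_LEN = 48     # assumption: 48-byte ticket keys whose first 16 bytes are the key name
INTERVAL = 3600  # assumption: a new key every hour
KEEP = 3         # assumption: newest key encrypts, two older keys still decrypt

class SharedStore:
    """Stand-in for the external data service (memcached in the post)."""
    def __init__(self):
        self.keys, self.reads = {}, 0

    def get_or_add(self, epoch):
        # First caller creates the key for an epoch; every machine then reads the same bytes.
        self.reads += 1
        return self.keys.setdefault(epoch, os.urandom(KEY_LEN))

class Machine:
    """One host; local_cache plays the role of lua_shared_dict for its workers."""
    def __init__(self, store):
        self.store, self.local_cache = store, {}

    def key_for(self, epoch):
        if epoch not in self.local_cache:
            self.local_cache[epoch] = self.store.get_or_add(epoch)
            self.local_cache.pop(epoch - KEEP, None)  # forget keys that aged out
        return self.local_cache[epoch]

class Worker:
    """One worker process holding its own key queue, newest key first."""
    def __init__(self, machine):
        self.machine, self.ring = machine, []

    def on_timer(self, now):
        key = self.machine.key_for(int(now) // INTERVAL)
        if not self.ring or self.ring[0] != key:       # ignore repeat ticks in one epoch
            self.ring = [key] + self.ring[:KEEP - 1]   # push front, drop the oldest

    def encrypt_key_name(self):
        return self.ring[0][:16]

    def can_decrypt(self, key_name):
        return any(k[:16] == key_name for k in self.ring)

def build_fleet(machines=2, workers=2):
    store = SharedStore()
    hosts = [Machine(store) for _ in range(machines)]
    return store, [Worker(h) for h in hosts for _ in range(workers)]
```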


More information about the nginx-devel mailing list