Session Ticket Rotation

Yichun Zhang (agentzh) agentzh at gmail.com
Fri Oct 10 20:57:43 UTC 2014


Hello!

On Mon, Sep 22, 2014 at 4:39 AM, Richard Fussenegger, BSc wrote:
> I'd like to implement built-in session ticket rotation. I know that this
> was discussed before but it was never implemented. Right now a custom
> external ticket key system is supported. Admins with single installations
> and not enough knowledge about the topic are left with keys that are valid
> for the complete lifetime nginx is running.
>

Fortunately this does not have to be in the nginx core :)

We're using the ngx_lua module [1] to periodically update the session
ticket keys from external shared data services (like memcached).

To be more specific, we're using ngx_lua's init_worker_by_lua [2] to
create a recurring timer (via ngx.timer.at [3]) and fetch a new
ticket key from external data sources via the nonblocking
lua-resty-memcached library [4] and add that into the existing queue
used by OpenSSL via LuaJIT FFI [5].

Also, we use the lua_shared_dict [6] to reduce traffic to the external
data source online.

No patches are needed for the nginx core :)

In this "add-on" implementation, the ticket keys are also shared
across all our machines.

Best regards,
-agentzh

[1] https://github.com/openresty/lua-nginx-module
[2] https://github.com/openresty/lua-nginx-module#init_worker_by_lua
[3] https://github.com/openresty/lua-nginx-module#ngxtimerat
[4] https://github.com/openresty/lua-resty-memcached
[5] http://luajit.org/ext_ffi.html
[6] https://github.com/openresty/lua-nginx-module#lua_shared_dict
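The scheme agentzh describes, as an added model that is not code from this thread or from OpenResty: a Python sketch of the ticket-key queue the timer feeds (newest key encrypts new tickets, older keys still decrypt, and a ticket sealed with an older key is flagged for re-issue, as an OpenSSL ticket callback signals by returning 2) together with the shared-dict style check that keeps redundant fetches away from the external store. The 16/32/32-byte key layout, the store and cache shapes, and every name here are assumptions.

```python
import os
from collections import deque

# Assumed layout of one ticket key: a 16-byte name the client echoes back in
# its ticket, plus the AES and HMAC secrets used to seal and authenticate it.
NAME_LEN, AES_LEN, HMAC_LEN = 16, 32, 32


class TicketKey:
    def __init__(self, raw: bytes):
        assert len(raw) == NAME_LEN + AES_LEN + HMAC_LEN
        self.name = raw[:NAME_LEN]
        self.aes = raw[NAME_LEN:NAME_LEN + AES_LEN]
        self.hmac = raw[NAME_LEN + AES_LEN:]


class TicketKeyRing:
    """Queue semantics of a ticket-key list: the newest key encrypts, every key
    still in the ring can decrypt, keys older than `depth` rotations drop out."""

    def __init__(self, depth: int = 3):
        self.keys = deque(maxlen=depth)  # appendleft evicts the oldest (right)

    def rotate(self, raw: bytes) -> bool:
        key = TicketKey(raw)
        if any(k.name == key.name for k in self.keys):
            return False  # already installed; nothing to do this tick
        self.keys.appendleft(key)
        return True

    def encrypt_key(self) -> TicketKey:
        return self.keys[0]

    def decrypt_key(self, name: bytes):
        """Return (key, renew): renew=True means the ticket was sealed with an
        older key and the server should re-issue it under the current one."""
        for i, k in enumerate(self.keys):
            if k.name == name:
                return k, i > 0
        return None, False


def fetch_key_from_store(store: dict, cache: dict):
    """Timer body. `store` stands in for memcached (constructed here as
    {"generation": int, "key": bytes}); `cache` stands in for lua_shared_dict
    so only the first worker to see a new generation hits the store."""
    if cache.get("generation") == store["generation"]:
        return None
    cache["generation"] = store["generation"]
    return store["key"]


def new_raw_key() -> bytes:
    return os.urandom(NAME_LEN + AES_LEN + HMAC_LEN)
```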
