by skuhn
4226 days ago
nginx does have the minimum necessary support to handle shared session ticket keys. It would be nice if it did more for you out-of-the-box, but I'm more interested in practical solutions that work today. You can specify ssl_session_ticket_key multiple times, and the subsequent declarations are used for decryption only. It does take some elbow grease to implement the tooling around this, and it's unlikely that many people have bothered, but they should.

1. Generate new key on a master host (store only on tmpfs partition for extra points)
2. Somehow get it on all of the relevant hosts securely, such as by using lsyncd
3. Add new key to end of list of ssl_session_ticket_key directives
4. Reload all nginxes that answer a particular address
5. Move new key to top of list
6. Reload all nginxes that answer a particular address

(after I wrote this, I noticed it was pretty similar to Twitter's idea. I guess great minds think alike.)
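The rotation steps above as a shell script, added here as an illustration and not the commenter's own tooling. It assumes the key files and a rendered ticket_keys.conf (to be included from the nginx server block) live in a directory you pass in, and that the reload command you pass reaches every nginx answering the address; distribution to other hosts (step 2) is left to whatever sync tool you use.

```shell
#!/bin/sh
# Two-phase ssl_session_ticket_key rotation: append the new key (decrypt-only),
# reload, then promote it to the first slot (encrypting), reload again.
set -eu

# Write one directive per key into $1; the first listed key encrypts new
# tickets, every later one is only used to decrypt tickets already issued.
render_conf() {
    conf=$1; shift
    : > "$conf"
    for k in "$@"; do
        printf 'ssl_session_ticket_key %s;\n' "$k" >> "$conf"
    done
}

# Keys currently listed in conf file $1, in order, one per line (empty if none).
current_keys() {
    [ -f "$1" ] && sed -n 's/^ssl_session_ticket_key \(.*\);$/\1/p' "$1" || true
}

# rotate KEYDIR RELOAD_CMD [KEEP]   (KEYDIR is assumed; mount it as tmpfs)
# KEEP is the total number of keys retained; older decrypt-only keys are dropped.
rotate() {
    keydir=$1; reload=$2; keep=${3:-3}
    conf="$keydir/ticket_keys.conf"
    mkdir -p "$keydir"
    # Step 1: fresh key file, created 0600 by mktemp, then filled with 80 random
    # bytes (the size nginx accepts for AES-256 ticket keys; 48 selects AES-128).
    new=$(mktemp "$keydir/ticket.$(date +%Y%m%d).XXXXXX")
    head -c 80 /dev/urandom > "$new"
    old=$(current_keys "$conf")
    # Step 2 (copy "$new" to the other hosts) happens outside this script.
    # Steps 3+4: append, so every host can decrypt tickets minted with it.
    render_conf "$conf" $old "$new"
    $reload
    # Steps 5+6: move it to the top, keeping only the newest old keys.
    render_conf "$conf" "$new" $(printf '%s\n' $old | head -n $((keep - 1)))
    $reload
    echo "$new"
}
```

Run it as `rotate /run/nginx-ticket-keys "nginx -s reload"` on each host once the new key file has arrived there.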