It's quite annoying that this isn't built-in to nginx:
github.com/GrapheneOS/ngi
It should rotate the TLS ticket keys like Caddy. It's similarly to how you need to handle OCSP with an external script for nginx in order to make it work reliably. It could easily do it internally.
Conversation
You still need to handle it externally in order to sync them to across multiple servers providing the same service. It shouldn't be necessary for the common case.
github.com/tomwassenberg/ is what's needed for implementing OCSP stapling reliably. Could be so much simpler in nginx.
1
Caddy is the only option handling either of these things properly. It doesn't work for our use cases though. If you have simpler needs then that's a good way to avoid dealing with this kind of nonsense yourself.
TLS 1.3 makes the ticket situation better but it's still a problem.
3
1
Replying to
I'm at least happy that the "minimal configuration" of Caddy makes it easy to do tickets properly. I think nginx and others need to change their defaults with an easy flag to revert if needed instead of just being afraid to change any defaults.
1
Replying to
Caddy deals with OCSP stapling properly too.
I don't think the nginx developers are afraid to change defaults but rather they're satisfied with having a way to do it externally.
The nginx core code and particularly TLS also don't really seem to be their priorities right now.
Replying to
Conspiracy theory brain says it’s so they can make money on their business products. But oh well thanks for the heads up that I’m at least good with using caddy.
1
Replying to
They have a bunch of other open source projects like NGINX Unit and their commercial offerings.
Caddy has most of the low-level things handled for it via Go and simply doesn't have the same performance aims. It doesn't have to deal with providing AIO, etc. since Go does it.
2
Show replies