It's quite annoying that this isn't built-in to nginx:
github.com/GrapheneOS/ngi
It should rotate the TLS ticket keys like Caddy. It's similar to how you need to handle OCSP with an external script for nginx in order to make it work reliably. It could easily do it internally.
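The rotation the post above says nginx should do itself currently has to be done by an external job. The script below is an added example, not code from the thread, from the GrapheneOS repository or from nginx. It assumes a key directory and a key count (both hypothetical), and relies on nginx's documented ssl_session_ticket_key behaviour: each file holds 80 or 48 random bytes, the key from the first directive encrypts new tickets and the later ones only decrypt tickets issued earlier, and the files are read at configuration load, so a reload is needed after rotating.

```shell
#!/bin/sh
# Added example: external rotation of nginx TLS session ticket keys.
# Not code from the thread, GrapheneOS, or nginx. Assumed layout (hypothetical):
#   $keydir/key.1 ... key.$keep   key.1 encrypts new tickets, the rest only
#                                 decrypt tickets issued under earlier keys.
set -eu

rotate_ticket_keys() {
    keydir=$1 keep=$2 keybytes=$3
    mkdir -p "$keydir"
    chmod 700 "$keydir"
    # Shift key.N-1 -> key.N ... key.1 -> key.2. The old key.$keep is
    # overwritten, which retires it: tickets it encrypted stop resuming.
    i=$keep
    while [ "$i" -gt 1 ]; do
        prev=$((i - 1))
        if [ -f "$keydir/key.$prev" ]; then
            mv "$keydir/key.$prev" "$keydir/key.$i"
        fi
        i=$prev
    done
    # Fresh encryption key, written with 0600 permissions and renamed into
    # place so nginx never sees a partially written file.
    tmp="$keydir/key.1.tmp"
    ( umask 077; head -c "$keybytes" /dev/urandom > "$tmp" )
    [ "$(wc -c < "$tmp" | tr -d ' ')" -eq "$keybytes" ] || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$keydir/key.1"
}

# Emit the directives in the order nginx expects: encryption key first,
# decrypt-only keys after it. Include the file from an http{} or server{} block.
write_ticket_snippet() {
    keydir=$1 keep=$2 out=$3
    i=1
    : > "$out"
    while [ "$i" -le "$keep" ]; do
        if [ -f "$keydir/key.$i" ]; then
            echo "ssl_session_ticket_key $keydir/key.$i;" >> "$out"
        fi
        i=$((i + 1))
    done
}

# Hypothetical wrapper for a cron job or systemd timer; the paths are
# assumptions. Only runs when ROTATE_NOW=yes so the file can also be sourced
# to pick up just the functions.
if [ "${ROTATE_NOW:-}" = yes ]; then
    rotate_ticket_keys /etc/nginx/ticket-keys 3 80
    write_ticket_snippet /etc/nginx/ticket-keys 3 /etc/nginx/ticket-keys.conf
    # nginx reads the key files only at config load, so reload after rotating.
    nginx -t && nginx -s reload
fi
```

With keep=3 and a rotation interval of one day, a ticket stays resumable for at most three days and the key that can decrypt it exists on disk for no longer than that. Keeping several decrypt-only keys avoids a burst of full handshakes right after every rotation. This script handles one host only; the multi-server case mentioned later in the thread additionally needs the same files distributed to every server before each of them is reloaded.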
You still need to handle it externally in order to sync them across multiple servers providing the same service. It shouldn't be necessary for the common case.
github.com/tomwassenberg/ is what's needed for implementing OCSP stapling reliably. Could be so much simpler in nginx.
Caddy is the only option handling either of these things properly. It doesn't work for our use cases though. If you have simpler needs then that's a good way to avoid dealing with this kind of nonsense yourself.
TLS 1.3 makes the ticket situation better but it's still a problem.
I'm at least happy that the "minimal configuration" of Caddy makes it easy to do tickets properly. I think nginx and others need to change their defaults with an easy flag to revert if needed instead of just being afraid to change any defaults.
Caddy deals with OCSP stapling properly too.
I don't think the nginx developers are afraid to change defaults but rather they're satisfied with having a way to do it externally.
The nginx core code and particularly TLS also don't really seem to be their priorities right now.
Conspiracy theory brain says it’s so they can make money on their business products. But oh well, thanks for the heads up that I’m at least good with using Caddy.
They have a bunch of other open source projects like NGINX Unit and their commercial offerings.
Caddy has most of the low-level things handled for it via Go and simply doesn't have the same performance aims. It doesn't have to deal with providing AIO, etc. since Go does it.
Ah okay that makes sense. Thank you for clearing that up! I don’t have as much time anymore to keep up so it’s really nice to hear about these things from a trusted source.
For example, Go provides dynamic TLS record sizing which is a nice feature for getting great latency and throughput rather than choosing a compromise. nginx is one of the few servers not doing it yet.
Caddy doesn't need to do AIO. Go deals with it and abstracts it, at a cost.
nginx needs to implement the whole event loop and also an AIO thread pool. At the moment, the AIO thread pool only covers read/write and not open.
Open has to check a bunch of filesystem metadata in the kernel as it walks the path. In nginx, that blocks the whole event loop.