It's quite annoying that this isn't built-in to nginx:
github.com/GrapheneOS/ngi
It should rotate the TLS ticket keys like Caddy. It's similarly to how you need to handle OCSP with an external script for nginx in order to make it work reliably. It could easily do it internally.
Conversation
You still need to handle it externally in order to sync them to across multiple servers providing the same service. It shouldn't be necessary for the common case.
github.com/tomwassenberg/ is what's needed for implementing OCSP stapling reliably. Could be so much simpler in nginx.
1
Caddy is the only option handling either of these things properly. It doesn't work for our use cases though. If you have simpler needs then that's a good way to avoid dealing with this kind of nonsense yourself.
TLS 1.3 makes the ticket situation better but it's still a problem.
3
1
Replying to
I'm at least happy that the "minimal configuration" of Caddy makes it easy to do tickets properly. I think nginx and others need to change their defaults with an easy flag to revert if needed instead of just being afraid to change any defaults.
1
Replying to
Caddy deals with OCSP stapling properly too.
I don't think the nginx developers are afraid to change defaults but rather they're satisfied with having a way to do it externally.
The nginx core code and particularly TLS also don't really seem to be their priorities right now.
1
2
Replying to
Conspiracy theory brain says it’s so they can make money on their business products. But oh well thanks for the heads up that I’m at least good with using caddy.
1
Replying to
They have a bunch of other open source projects like NGINX Unit and their commercial offerings.
Caddy has most of the low-level things handled for it via Go and simply doesn't have the same performance aims. It doesn't have to deal with providing AIO, etc. since Go does it.
2
For example, Go provides dynamic TLS record sizing which is a nice feature for getting great latency and throughput rather than choosing a compromise. nginx is one of the few servers not doing it yet.
Caddy doesn't need to do AIO. Go deals with it and abstracts it, at a cost.
nginx needs to implement the whole event loop and also an AIO thread pool. At the moment, the AIO thread pool only covers read/write and not open.
Open has to check a bunch of filesystem metadata in the kernel as it walks the path. In nginx, that blocks the whole event loop.
1
You get a lot from using Go rather than doing everything from scratch in C. It certainly doesn't perform as well (M:N threading has a high cost, as does tracing GC to a lesser extent). It has limitations too, but they get fixed in the language for all applications using it.