It's quite annoying that this isn't built-in to nginx:
github.com/GrapheneOS/ngi
It should rotate the TLS ticket keys like Caddy. It's similar to how you need to handle OCSP with an external script for nginx in order to make it work reliably. It could easily do it internally.
You still need to handle it externally in order to sync them across multiple servers providing the same service. It shouldn't be necessary for the common case.
github.com/tomwassenberg/ is what's needed for implementing OCSP stapling reliably. Could be so much simpler in nginx.
Caddy is the only option handling either of these things properly. It doesn't work for our use cases though. If you have simpler needs then that's a good way to avoid dealing with this kind of nonsense yourself.
TLS 1.3 makes the ticket situation better but it's still a problem.
Most of the stuff we need is already filed as feature requests. It's definitely a lot closer to providing everything we need these days.
We'd also need to check out how well it holds up to nginx in terms of resistance to denial of service attacks, which have been a major issue.
It's also easier to use nginx for everything including as a reverse proxy for other services like a mail server than partially migrating to something else.
I'm not particularly happy with nginx, partly due to the open core approach and the glacial pace of development on the core stuff.
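As an added illustration of the external ticket-key rotation the thread complains about (this script is not from the thread, from GrapheneOS, or from nginx itself): a POSIX shell rotation for nginx's `ssl_session_ticket_key` files. It assumes the server block lists `current.key` first and `previous.key` second under an assumed directory `/etc/nginx/ticket-keys`, and that `nginx -s reload` is the reload command; nginx encrypts new tickets with the first listed key file and accepts tickets encrypted with any listed key, so keeping one previous key lets existing sessions resume across a rotation. The key directory, key size and reload command are parameters of this example, not nginx settings.

```shell
#!/bin/sh
# Added example: rotate nginx TLS session ticket keys with one key of overlap.
# Assumed nginx configuration (paths are assumptions for this example):
#   ssl_session_ticket_key /etc/nginx/ticket-keys/current.key;
#   ssl_session_ticket_key /etc/nginx/ticket-keys/previous.key;
set -eu
umask 077                                       # key files must never be group/world readable

KEY_DIR="${KEY_DIR:-/etc/nginx/ticket-keys}"   # assumed location; override via environment
KEY_BYTES=80                                    # nginx accepts 48- or 80-byte ticket key files
RELOAD_CMD="${RELOAD_CMD:-nginx -s reload}"     # set to ':' to skip the reload

# Emit KEY_BYTES random bytes, preferring openssl and falling back to /dev/urandom.
gen_key() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand "$KEY_BYTES"
    else
        dd if=/dev/urandom bs=1 count="$KEY_BYTES" 2>/dev/null
    fi
}

# Generate a fresh key, demote current.key to previous.key, promote the new key.
# The new key is written to a temp file and moved into place atomically so nginx
# never reads a half-written file. On the very first run previous.key is seeded
# with the same key, because nginx refuses to start if a listed key file is missing.
rotate_ticket_keys() {
    dir="$1"
    mkdir -p "$dir"
    chmod 700 "$dir"
    gen_key > "$dir/next.key.tmp"
    chmod 600 "$dir/next.key.tmp"
    size=$(wc -c < "$dir/next.key.tmp" | tr -d ' ')
    if [ "$size" -ne "$KEY_BYTES" ]; then
        rm -f "$dir/next.key.tmp"
        return 1
    fi
    if [ -f "$dir/current.key" ]; then
        mv -f "$dir/current.key" "$dir/previous.key"
    else
        cp "$dir/next.key.tmp" "$dir/previous.key"
        chmod 600 "$dir/previous.key"
    fi
    mv -f "$dir/next.key.tmp" "$dir/current.key"
}

# Verify both key files exist, have a size nginx accepts, and are mode 0600.
check_ticket_keys() {
    dir="$1"
    for f in current.key previous.key; do
        [ -f "$dir/$f" ] || return 1
        size=$(wc -c < "$dir/$f" | tr -d ' ')
        [ "$size" -eq 48 ] || [ "$size" -eq 80 ] || return 1
        [ -n "$(find "$dir/$f" -perm 600)" ] || return 1
    done
}

# Succeed only if current.key and previous.key differ (a real rotation happened).
keys_differ() {
    ! cmp -s "$1/current.key" "$1/previous.key"
}

main() {
    rotate_ticket_keys "$KEY_DIR"
    check_ticket_keys "$KEY_DIR"
    # Reload so workers pick up the new key. With several servers behind one name,
    # copy the key directory to every host first and reload them together, otherwise
    # a ticket issued by one host will not resume on another.
    sh -c "$RELOAD_CMD"
}

# Run main only when executed directly as rotate-ticket-keys.sh, so the
# functions can be sourced and exercised separately.
case "$0" in
    *rotate-ticket-keys.sh) main ;;
esac
```

Save it as `rotate-ticket-keys.sh` and run it from cron at whatever interval you want the forward-secrecy window to be (hourly or daily are common); each run keeps exactly one old key, so a ticket older than two intervals is simply rejected and the client does a full handshake. The same two-file layout, copied to every host before the reload, is what makes tickets resumable across a server pool.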