From 7219130da47f3ab512f8d42b1731bdbc6448fe86 Mon Sep 17 00:00:00 2001
From: Maxime Ginters
Date: Wed, 7 Aug 2019 16:04:09 -0400
Subject: [PATCH] Add nginx ssl_early_data option support

---
 docs/user-guide/nginx-configuration/configmap.md | 8 ++++++++
 internal/ingress/controller/config/config.go     | 9 +++++++++
 rootfs/etc/nginx/template/nginx.tmpl             | 2 ++
 3 files changed, 19 insertions(+)

diff --git a/docs/user-guide/nginx-configuration/configmap.md b/docs/user-guide/nginx-configuration/configmap.md
index 1a8b7dbad..b02de2596 100755
--- a/docs/user-guide/nginx-configuration/configmap.md
+++ b/docs/user-guide/nginx-configuration/configmap.md
@@ -488,6 +488,14 @@ Sets the [SSL protocols](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#
 
 Please check the result of the configuration using `https://ssllabs.com/ssltest/analyze.html` or `https://testssl.sh`.
 
+## ssl-early-data
+
+Enables or disables TLS 1.3 [early data](https://tools.ietf.org/html/rfc8446#section-2.3)
+
+This requires `ssl-protocols` to have `TLSv1.3` enabled.
+
+[ssl_early_data](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_early_data). The default is: `false`.
+
 ## ssl-session-cache
 
 Enables or disables the use of shared [SSL cache](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache) among worker processes.
diff --git a/internal/ingress/controller/config/config.go b/internal/ingress/controller/config/config.go
index ae5434516..24be58bfb 100644
--- a/internal/ingress/controller/config/config.go
+++ b/internal/ingress/controller/config/config.go
@@ -75,6 +75,10 @@ const (
 	// http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols
 	sslProtocols = "TLSv1.2"
 
+	// Disable TLS 1.3 early data
+	// http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_early_data
+	sslEarlyData = false
+
 	// Time during which a client may reuse the session parameters stored in a cache.
 	// http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_timeout
 	sslSessionTimeout = "10m"
@@ -317,6 +321,10 @@ type Configuration struct {
 	// http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols
 	SSLProtocols string `json:"ssl-protocols,omitempty"`
 
+	// Enables or disable TLS 1.3 early data.
+	// http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_early_data
+	SSLEarlyData bool `json:"ssl-early-data,omitempty"`
+
 	// Enables or disables the use of shared SSL cache among worker processes.
 	// http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache
 	SSLSessionCache bool `json:"ssl-session-cache,omitempty"`
@@ -683,6 +691,7 @@ func NewDefault() Configuration {
 		SSLCiphers:          sslCiphers,
 		SSLECDHCurve:        "auto",
 		SSLProtocols:        sslProtocols,
+		SSLEarlyData:        sslEarlyData,
 		SSLSessionCache:     true,
 		SSLSessionCacheSize: sslSessionCacheSize,
 		SSLSessionTickets:   true,
diff --git a/rootfs/etc/nginx/template/nginx.tmpl b/rootfs/etc/nginx/template/nginx.tmpl
index a00f6eaf0..6554156b0 100755
--- a/rootfs/etc/nginx/template/nginx.tmpl
+++ b/rootfs/etc/nginx/template/nginx.tmpl
@@ -353,6 +353,8 @@ http {
         ssl_protocols {{ $cfg.SSLProtocols }};
 
+        ssl_early_data {{ if $cfg.SSLEarlyData }}on{{ else }}off{{ end }};
+
         # turn on session caching to drastically improve performance
         {{ if $cfg.SSLSessionCache }}
         ssl_session_cache builtin:1000 shared:SSL:{{ $cfg.SSLSessionCacheSize }};
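Review bot: The comment on the new constant, `// Disable TLS 1.3 early data`, reads as an instruction rather than a reason, and the default only makes sense next to `sslProtocols = "TLSv1.2"` three lines above it: with that protocol list, setting ssl-early-data to true is a silent no-op, since the directive needs TLSv1.3 (the configmap text in this same patch says so). I would reword it to `// Default for ssl-early-data. TLS 1.3 0-RTT early data stays off because 0-RTT requests are replayable (RFC 8446 §2.3); enabling it also requires TLSv1.3 in sslProtocols.` Whether the controller warns when the option is enabled without TLSv1.3 in ssl-protocols is outside this diff; if it does not, a warning at config-parse time would spare operators a confusing no-op. The const block continues outside the hunk.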
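Review bot: The field comment in the second config.go hunk has a grammar slip, `// Enables or disable TLS 1.3 early data.`, and says nothing about the replay property that makes this switch security-relevant. I would write `// Enables or disables TLS 1.3 early data (0-RTT). Requests carried in early data are replayable (RFC 8446 §2.3); only enable this if upstreams can tolerate replayed requests.` The diffstat shows the two template lines this patch adds only emit the `ssl_early_data` directive; nothing in the change propagates nginx's `$ssl_early_data` variable to upstreams (for example as the RFC 8470 `Early-Data` request header), so enabling the option today leaves backends unable to tell 0-RTT requests apart. Either that forwarding belongs in the same change or the field comment should state plainly that it is not done. The Configuration struct continues outside the hunk.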