From 29c0304921edbe500e2df9f5ff8df3afc33fa52c Mon Sep 17 00:00:00 2001
From: Manuel de Brito Fontes
Date: Sun, 8 Oct 2017 19:37:19 -0300
Subject: [PATCH] Add tls session ticket key setting
---
 configuration.md | 5 +++++
 pkg/nginx/config/config.go | 6 ++++++
 pkg/nginx/controller/nginx.go | 13 ++++++++++++-
 rootfs/etc/nginx/template/nginx.tmpl | 4 ++++
 4 files changed, 27 insertions(+), 1 deletion(-)
diff --git a/configuration.md b/configuration.md
index 7dd9beeae..fd0edaa78 100644
--- a/configuration.md
+++ b/configuration.md
@@ -516,6 +516,11 @@ Default is "true".
 **ssl-session-tickets:** Enables or disables session resumption through [TLS session tickets](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_tickets).
+**ssl-session-ticket-key:** sets the secret key used to encrypt and decrypt TLS session tickets. The value must be a valid base64 string.
+http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_tickets
+By default, a randomly generated key is used.
+To create a ticket: `openssl rand 80 | base64 -w0`
+
 **ssl-session-timeout:** Sets the time during which a client may [reuse the session](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_timeout) parameters stored in a cache.
 **upstream-max-fails:** Sets the number of unsuccessful attempts to communicate with the [server](http://nginx.org/en/docs/http/ngx_http_upstream_module.html#upstream) that should happen in the duration set by the `fail_timeout` parameter to consider the server unavailable.
diff --git a/pkg/nginx/config/config.go b/pkg/nginx/config/config.go
index 69660a097..0d9a6f165 100644
--- a/pkg/nginx/config/config.go
+++ b/pkg/nginx/config/config.go
@@ -297,6 +297,12 @@ type Configuration struct {
 // http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_tickets
 SSLSessionTickets bool `json:"ssl-session-tickets,omitempty"`
+ // Sets the secret key used to encrypt and decrypt TLS session tickets.
+ // http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_tickets
+ // By default, a randomly generated key is used.
+ // Example: openssl rand 80 | base64 -w0
+ SSLSessionTicketKey string `json:"ssl-session-ticket-key,omitempty"`
+
 // Time during which a client may reuse the session parameters stored in a cache.
 // http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_timeout
 SSLSessionTimeout string `json:"ssl-session-timeout,omitempty"`
diff --git a/pkg/nginx/controller/nginx.go b/pkg/nginx/controller/nginx.go
index 55796c50b..dc89f86b2 100644
--- a/pkg/nginx/controller/nginx.go
+++ b/pkg/nginx/controller/nginx.go
@@ -18,6 +18,7 @@ package controller
 import (
 "bytes"
+ "encoding/base64"
 "errors"
 "fmt"
 "io/ioutil"
@@ -480,7 +481,17 @@ func (n *NGINXController) SetConfig(cmap *apiv1.ConfigMap) {
 }
 }
- n.backendDefaults = ngx_template.ReadConfig(m).Backend
+ c := ngx_template.ReadConfig(m)
+ if c.SSLSessionTicketKey != "" {
+ d, err := base64.StdEncoding.DecodeString(c.SSLSessionTicketKey)
+ if err != nil {
+ glog.Warningf("unexpected error decoding key ssl-session-ticket-key: %v", err)
+ c.SSLSessionTicketKey = ""
+ }
+ ioutil.WriteFile("/etc/nginx/tickets.key", d, 0644)
+ }
+
+ n.backendDefaults = c.Backend
 }
 // SetListers sets the configured store listers in the generic ingress controller
diff --git a/rootfs/etc/nginx/template/nginx.tmpl b/rootfs/etc/nginx/template/nginx.tmpl
index f8f1c0d08..00aa4e42a 100644
--- a/rootfs/etc/nginx/template/nginx.tmpl
+++ b/rootfs/etc/nginx/template/nginx.tmpl
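Review bot: The new SSLSessionTicketKey comment does not state the contract the controller enforces on the value or where the key ends up: the nginx.go hunk decodes it as standard base64 and writes the decoded bytes to a file on disk, and SetConfig reads it from a ConfigMap rather than a Secret. Suggest extending the comment with `// The value must be standard base64; the decoded key is written to /etc/nginx/tickets.key.` and `// Stored as plain ConfigMap data, so read access to the ConfigMap grants access to the key.` The `openssl rand 80` example would also be clearer with the reason for the size, since nginx accepts only a 48- or 80-byte key file.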
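Review bot: `ioutil.WriteFile` in the SetConfig hunk runs even after `DecodeString` has failed, so whatever partial bytes `d` holds (possibly none) are written to /etc/nginx/tickets.key, and the write's own error is discarded, leaving a missing or stale key file that nginx will only report at reload time. The write belongs in the success path with its error checked; because the file is secret key material it should be created 0600 rather than 0644, and since nginx accepts only a 48- or 80-byte key file, checking `len(d)` before writing turns a later reload failure into an immediate warning. Clearing `c.SSLSessionTicketKey` only affects this local copy, and the nginx.tmpl hunk emits `ssl_session_ticket_key` whenever the ConfigMap value is non-empty, so unless the template's `$cfg` is derived from this `c` the reset does not suppress the directive — worth confirming against the template rendering path. SetConfig's body starts outside the hunk.
```go
	c := ngx_template.ReadConfig(m)
	if c.SSLSessionTicketKey != "" {
		d, err := base64.StdEncoding.DecodeString(c.SSLSessionTicketKey)
		switch {
		case err != nil:
			glog.Warningf("unexpected error decoding key ssl-session-ticket-key: %v", err)
			c.SSLSessionTicketKey = ""
		case len(d) != 48 && len(d) != 80:
			glog.Warningf("ssl-session-ticket-key must decode to 48 or 80 bytes, got %d", len(d))
			c.SSLSessionTicketKey = ""
		default:
			// secret key material: readable only by the user running the nginx master
			if err := ioutil.WriteFile("/etc/nginx/tickets.key", d, 0600); err != nil {
				glog.Warningf("unexpected error writing ssl-session-ticket-key: %v", err)
				c.SSLSessionTicketKey = ""
			}
		}
	}

	n.backendDefaults = c.Backend
```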
@@ -209,6 +209,10 @@ http {
 # allow configuring ssl session tickets
 ssl_session_tickets {{ if $cfg.SSLSessionTickets }}on{{ else }}off{{ end }};
+ {{ if not (empty $cfg.SSLSessionTicketKey ) }}
+ ssl_session_ticket_key /etc/nginx/tickets.key;
+ {{ end }}
+
 # slightly reduce the time-to-first-byte
 ssl_buffer_size {{ $cfg.SSLBufferSize }};