{"id":16366750,"url":"https://github.com/centminmod/centminmod-nginx-session-ticket-keys","last_synced_at":"2026-02-17T09:30:17.699Z","repository":{"id":80279571,"uuid":"550247303","full_name":"centminmod/centminmod-nginx-session-ticket-keys","owner":"centminmod","description":null,"archived":false,"fork":false,"pushed_at":"2022-10-14T21:45:59.000Z","size":37,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":3,"default_branch":"master","last_synced_at":"2024-12-31T01:41:53.309Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/centminmod.png","metadata":{"files":{"readme":"readme.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-10-12T12:45:03.000Z","updated_at":"2022-10-12T14:23:46.000Z","dependencies_parsed_at":null,"dependency_job_id":"e3fee133-28a5-44b6-ae1c-fa811b63bf6d","html_url":"https://github.com/centminmod/centminmod-nginx-session-ticket-keys","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/centminmod%2Fcentminmod-nginx-session-ticket-keys","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/centminmod%2Fcentminmod-nginx-session-ticket-keys/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/centminmod%2Fcentminmod-nginx-session-ticket-keys/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/centminmod%2Fcentminmod-nginx-session-ticket-keys/manifests"
,"owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/centminmod","download_url":"https://codeload.github.com/centminmod/centminmod-nginx-session-ticket-keys/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":239828400,"owners_count":19703859,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-10-11T02:47:28.036Z","updated_at":"2026-02-17T09:30:17.652Z","avatar_url":"https://github.com/centminmod.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"Set up rotating Nginx TLS session ticket keys on Centmin Mod Nginx based servers via [`ssl_session_ticket_key`](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_ticket_key) instead of using Nginx's built-in key.\n\n# Initial Setup\n\nOn a Centmin Mod based Nginx server:\n\n```\nwget -O /usr/local/bin/manage-session-keys https://github.com/centminmod/centminmod-nginx-session-ticket-keys/raw/master/manage-session-keys\nchmod +x /usr/local/bin/manage-session-keys\n/usr/local/bin/manage-session-keys setup\n\nsystemctl status nginx-create-session-ticket-keys.service\nsystemctl status usr-local-nginx-conf-session_ticket_keys.mount\n```\n\nThe session ticket keys are saved to a ramdisk mounted directory at `/usr/local/nginx/conf/session_ticket_keys`\n\n```\ndf -hT /usr/local/nginx/conf/session_ticket_keys\nFilesystem     Type   Size  Used Avail Use% Mounted on\ntmpfs          tmpfs   16G   32K   16G   1% /usr/local/nginx/conf/session_ticket_keys\n```\n\n# Manual 
Usage:\n\n\n`/usr/local/bin/manage-session-keys` usage:\n\n```\nUsage:\n\n/usr/local/bin/manage-session-keys setup\n/usr/local/bin/manage-session-keys create\n/usr/local/bin/manage-session-keys rotate\n/usr/local/bin/manage-session-keys uninstall\n/usr/local/bin/manage-session-keys status\n/usr/local/bin/manage-session-keys check-domain yourdomain.com\n```\n\nAdd the following to each Centmin Mod Nginx vhost with HTTPS enabled, i.e. `/usr/local/nginx/conf/conf.d/domain.com.ssl.conf`:\n\n```\nssl_session_ticket_key /usr/local/nginx/conf/session_ticket_keys/1.key;\nssl_session_ticket_key /usr/local/nginx/conf/session_ticket_keys/2.key;\nssl_session_ticket_key /usr/local/nginx/conf/session_ticket_keys/3.key;\nssl_session_ticket_key /usr/local/nginx/conf/session_ticket_keys/4.key;\nssl_session_ticket_key /usr/local/nginx/conf/session_ticket_keys/5.key;\nssl_session_ticket_key /usr/local/nginx/conf/session_ticket_keys/6.key;\nssl_session_ticket_key /usr/local/nginx/conf/session_ticket_keys/7.key;\nssl_session_ticket_key /usr/local/nginx/conf/session_ticket_keys/8.key;\nssl_session_ticket_key /usr/local/nginx/conf/session_ticket_keys/9.key;\nssl_session_ticket_key /usr/local/nginx/conf/session_ticket_keys/10.key;\nssl_session_ticket_key /usr/local/nginx/conf/session_ticket_keys/11.key;\nssl_session_ticket_key /usr/local/nginx/conf/session_ticket_keys/12.key;\n```\n\nExample excerpt:\n\n```\nserver {\n  listen 443 ssl http2;\n  server_name domain.com www.domain.com;\n\n  include /usr/local/nginx/conf/ssl/domain.com/domain.com.crt.key.conf;\n  include /usr/local/nginx/conf/ssl_include.conf;\n  ssl_session_ticket_key /usr/local/nginx/conf/session_ticket_keys/1.key;\n  ssl_session_ticket_key /usr/local/nginx/conf/session_ticket_keys/2.key;\n  ssl_session_ticket_key /usr/local/nginx/conf/session_ticket_keys/3.key;\n  ssl_session_ticket_key /usr/local/nginx/conf/session_ticket_keys/4.key;\n  ssl_session_ticket_key /usr/local/nginx/conf/session_ticket_keys/5.key;\n  
ssl_session_ticket_key /usr/local/nginx/conf/session_ticket_keys/6.key;\n  ssl_session_ticket_key /usr/local/nginx/conf/session_ticket_keys/7.key;\n  ssl_session_ticket_key /usr/local/nginx/conf/session_ticket_keys/8.key;\n  ssl_session_ticket_key /usr/local/nginx/conf/session_ticket_keys/9.key;\n  ssl_session_ticket_key /usr/local/nginx/conf/session_ticket_keys/10.key;\n  ssl_session_ticket_key /usr/local/nginx/conf/session_ticket_keys/11.key;\n  ssl_session_ticket_key /usr/local/nginx/conf/session_ticket_keys/12.key;\n```\n\nOr, instead of adding them within each Nginx vhost, add them globally to the existing include file `/usr/local/nginx/conf/ssl_include.conf` via a new include file `/usr/local/nginx/conf/ssl-session-ticket-keys.conf`.\n\nExisting `/usr/local/nginx/conf/ssl_include.conf` include file with added `/usr/local/nginx/conf/ssl-session-ticket-keys.conf` include file:\n```\nssl_session_cache      shared:SSL:10m;\nssl_session_timeout    60m;\nssl_protocols  TLSv1.2 TLSv1.3;\ninclude /usr/local/nginx/conf/ssl-session-ticket-keys.conf;\n```\n\nIn `/usr/local/nginx/conf/ssl-session-ticket-keys.conf`:\n\n```\nssl_session_ticket_key /usr/local/nginx/conf/session_ticket_keys/1.key;\nssl_session_ticket_key /usr/local/nginx/conf/session_ticket_keys/2.key;\nssl_session_ticket_key /usr/local/nginx/conf/session_ticket_keys/3.key;\nssl_session_ticket_key /usr/local/nginx/conf/session_ticket_keys/4.key;\nssl_session_ticket_key /usr/local/nginx/conf/session_ticket_keys/5.key;\nssl_session_ticket_key /usr/local/nginx/conf/session_ticket_keys/6.key;\nssl_session_ticket_key /usr/local/nginx/conf/session_ticket_keys/7.key;\nssl_session_ticket_key /usr/local/nginx/conf/session_ticket_keys/8.key;\nssl_session_ticket_key /usr/local/nginx/conf/session_ticket_keys/9.key;\nssl_session_ticket_key /usr/local/nginx/conf/session_ticket_keys/10.key;\nssl_session_ticket_key /usr/local/nginx/conf/session_ticket_keys/11.key;\nssl_session_ticket_key 
/usr/local/nginx/conf/session_ticket_keys/12.key;\n```\n\n**Notes**\n\n* `/usr/local/nginx/conf/ssl-session-ticket-keys.conf` is automatically created and populated if you run `/usr/local/bin/manage-session-keys setup` from the [initial setup](#initial-setup) steps.\n\n# Check Domain's Session Resumption\n\nWhere the `0000: ` line is the first part of the session ticket key's hex bytes\n\n```\n/usr/local/bin/manage-session-keys check-domain domain.com\n------------------------------------------\nNew-TLSv1-SSLv3-Cipher: ECDHE-RSA-AES128-GCM-SHA256\n    Protocol  : TLSv1.2\n    Cipher    : ECDHE-RSA-AES128-GCM-SHA256\n    Session-ID: 88EFBC7609076696D65C7ED3D7EE8658461928BA4D6FB95EB137DCD2D4595728\n    Master-Key: CA12DB554A6000A15D0632810EB606F0E5D0EE62CA40BCB1EC24ACBBA29FE2B00B03DA9282AC314C40AD1C6E40187B30\n    TLS session ticket lifetime hint: 600 (seconds)\n    0000: 3d 86 62 77 bd 61 a9 ac-f3 e5 09 a0 81 0d cf 2a   =.bw.a.........*\n    Start Time: 1665605339\n------------------------------------------\nReused-TLSv1-SSLv3-Cipher: ECDHE-RSA-AES128-GCM-SHA256\n    Protocol  : TLSv1.2\n    Cipher    : ECDHE-RSA-AES128-GCM-SHA256\n    Session-ID: 88EFBC7609076696D65C7ED3D7EE8658461928BA4D6FB95EB137DCD2D4595728\n    Master-Key: CA12DB554A6000A15D0632810EB606F0E5D0EE62CA40BCB1EC24ACBBA29FE2B00B03DA9282AC314C40AD1C6E40187B30\n    TLS session ticket lifetime hint: 600 (seconds)\n    0000: 3d 86 62 77 bd 61 a9 ac-f3 e5 09 a0 81 0d cf 2a   =.bw.a.........*\n    Start Time: 1665605339\n------------------------------------------\n    nginx process ids: 12375 12360 12357 12340 12291 12290 12289 12288 12287 12286\n```\n\nChecking multiple domains on the Centmin Mod server via a comma-separated domain list. 
These 2 domains are on different server IP addresses on the same server.\n\n```\n/usr/local/bin/manage-session-keys check-domain domain1.com,domain2.com\n------------------------------------------\nchecking: domain1.com TLS resumption\n------------------------------------------\nNew-TLSv1-SSLv3-Cipher: ECDHE-ECDSA-AES128-GCM-SHA256\n    Protocol  : TLSv1.2\n    Cipher    : ECDHE-ECDSA-AES128-GCM-SHA256\n    Session-ID: 7CBB3CB6A4BCEC1659C7EA960AF57724F01D1D3CBAD5EEEF6A553E800418D8F9\n    Master-Key: 28285EDD4AEB43DAA2BF71A6AFF9C9137C31084DF1FC2CCF0C5B2AD5064C7D2F783D1DF9E51F790D6744937303BB1563\n    TLS session ticket lifetime hint: 3600 (seconds)\n    0000: 0c 1d c9 e8 41 7c e9 fb-06 19 51 4a 24 8b fb 42   ....A|....QJ$..B\n    Start Time: 1665620404\n------------------------------------------\nReused-TLSv1-SSLv3-Cipher: ECDHE-ECDSA-AES128-GCM-SHA256\n    Protocol  : TLSv1.2\n    Cipher    : ECDHE-ECDSA-AES128-GCM-SHA256\n    Session-ID: 7CBB3CB6A4BCEC1659C7EA960AF57724F01D1D3CBAD5EEEF6A553E800418D8F9\n    Master-Key: 28285EDD4AEB43DAA2BF71A6AFF9C9137C31084DF1FC2CCF0C5B2AD5064C7D2F783D1DF9E51F790D6744937303BB1563\n    TLS session ticket lifetime hint: 3600 (seconds)\n    0000: 0c 1d c9 e8 41 7c e9 fb-06 19 51 4a 24 8b fb 42   ....A|....QJ$..B\n    Start Time: 1665620404\n------------------------------------------\nchecking: domain2.com TLS resumption\n------------------------------------------\nNew-TLSv1-SSLv3-Cipher: ECDHE-RSA-AES128-GCM-SHA256\n    Protocol  : TLSv1.2\n    Cipher    : ECDHE-RSA-AES128-GCM-SHA256\n    Session-ID: 3053542003A97977504D03B7E3CFA29FA8FEB172BA0C9CD0308B5E97737DEC76\n    Master-Key: 2548FA5D22966F3A678458FEF126577DC1E2B1D7C128BE8E263D3956238E74E8A3EC9375FA59E2D84A7323EBC04F6B79\n    TLS session ticket lifetime hint: 600 (seconds)\n    0000: c6 aa 2c 0e 14 89 9b 57-34 a3 20 d3 0d 0f 82 33   ..,....W4. 
....3\n    Start Time: 1665620404\n------------------------------------------\nReused-TLSv1-SSLv3-Cipher: ECDHE-RSA-AES128-GCM-SHA256\n    Protocol  : TLSv1.2\n    Cipher    : ECDHE-RSA-AES128-GCM-SHA256\n    Session-ID: 3053542003A97977504D03B7E3CFA29FA8FEB172BA0C9CD0308B5E97737DEC76\n    Master-Key: 2548FA5D22966F3A678458FEF126577DC1E2B1D7C128BE8E263D3956238E74E8A3EC9375FA59E2D84A7323EBC04F6B79\n    TLS session ticket lifetime hint: 600 (seconds)\n    0000: c6 aa 2c 0e 14 89 9b 57-34 a3 20 d3 0d 0f 82 33   ..,....W4. ....3\n    Start Time: 1665620404\n------------------------------------------\n    nginx process ids: 49459 39206 39189 39172 39155 39122 39105 39104 39103 39102\n```\n\n# Check Nginx TLS Session Key Rotation\n\nCheck Centmin Mod Nginx's vhost session ticket key rotation, where the `0000: ` line is the first part of the session ticket key's hex bytes\n\n```\n# check\n/usr/local/bin/manage-session-keys check-domain domain.com\n------------------------------------------\nNew-TLSv1-SSLv3-Cipher: ECDHE-RSA-AES128-GCM-SHA256\n    Protocol  : TLSv1.2\n    Cipher    : ECDHE-RSA-AES128-GCM-SHA256\n    Session-ID: 88EFBC7609076696D65C7ED3D7EE8658461928BA4D6FB95EB137DCD2D4595728\n    Master-Key: CA12DB554A6000A15D0632810EB606F0E5D0EE62CA40BCB1EC24ACBBA29FE2B00B03DA9282AC314C40AD1C6E40187B30\n    TLS session ticket lifetime hint: 600 (seconds)\n    0000: 3d 86 62 77 bd 61 a9 ac-f3 e5 09 a0 81 0d cf 2a   =.bw.a.........*\n    Start Time: 1665605339\n------------------------------------------\nReused-TLSv1-SSLv3-Cipher: ECDHE-RSA-AES128-GCM-SHA256\n    Protocol  : TLSv1.2\n    Cipher    : ECDHE-RSA-AES128-GCM-SHA256\n    Session-ID: 88EFBC7609076696D65C7ED3D7EE8658461928BA4D6FB95EB137DCD2D4595728\n    Master-Key: CA12DB554A6000A15D0632810EB606F0E5D0EE62CA40BCB1EC24ACBBA29FE2B00B03DA9282AC314C40AD1C6E40187B30\n    TLS session ticket lifetime hint: 600 (seconds)\n    0000: 3d 86 62 77 bd 61 a9 ac-f3 e5 09 a0 81 0d cf 2a   =.bw.a.........*\n    Start Time: 
1665605339\n------------------------------------------\n    nginx process ids: 12375 12360 12357 12340 12291 12290 12289 12288 12287 12286\n```\n```\n# rotate session ticket keys\nsystemctl restart nginx-rotate-session-ticket-keys.timer\n\n# recheck\n/usr/local/bin/manage-session-keys check-domain domain.com\n------------------------------------------\nNew-TLSv1-SSLv3-Cipher: ECDHE-RSA-AES128-GCM-SHA256\n    Protocol  : TLSv1.2\n    Cipher    : ECDHE-RSA-AES128-GCM-SHA256\n    Session-ID: 046839BE610F884D09869838CF17EC18B3B906E2FBE597CEB36F213F3AACAB2A\n    Master-Key: 1CB501C785333C599D9B4E8920D249E5DCB780A50471E46405F01AD0E84A726DC60890D1D24AEC6DB2A2139F420E7A73\n    TLS session ticket lifetime hint: 600 (seconds)\n    0000: c6 aa 2c 0e 14 89 9b 57-34 a3 20 d3 0d 0f 82 33   ..,....W4. ....3\n    Start Time: 1665608624\n------------------------------------------\nReused-TLSv1-SSLv3-Cipher: ECDHE-RSA-AES128-GCM-SHA256\n    Protocol  : TLSv1.2\n    Cipher    : ECDHE-RSA-AES128-GCM-SHA256\n    Session-ID: 046839BE610F884D09869838CF17EC18B3B906E2FBE597CEB36F213F3AACAB2A\n    Master-Key: 1CB501C785333C599D9B4E8920D249E5DCB780A50471E46405F01AD0E84A726DC60890D1D24AEC6DB2A2139F420E7A73\n    TLS session ticket lifetime hint: 600 (seconds)\n    0000: c6 aa 2c 0e 14 89 9b 57-34 a3 20 d3 0d 0f 82 33   ..,....W4. ....3\n    Start Time: 1665608624\n------------------------------------------\n    nginx process ids: 35751 35724 35717 35700 35667 35650 35649 35648 35647 18030\n```","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcentminmod%2Fcentminmod-nginx-session-ticket-keys","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcentminmod%2Fcentminmod-nginx-session-ticket-keys","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcentminmod%2Fcentminmod-nginx-session-ticket-keys/lists"}