https://github.com/centminmod/centminmod-nginx-session-ticket-keys
https://github.com/centminmod/centminmod-nginx-session-ticket-keys
Last synced: 5 months ago
JSON representation
- Host: GitHub
- URL: https://github.com/centminmod/centminmod-nginx-session-ticket-keys
- Owner: centminmod
- Created: 2022-10-12T12:45:03.000Z (over 3 years ago)
- Default Branch: master
- Last Pushed: 2022-10-14T21:45:59.000Z (over 3 years ago)
- Last Synced: 2024-12-31T01:41:53.309Z (over 1 year ago)
- Language: Shell
- Size: 36.1 KB
- Stars: 0
- Watchers: 3
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: readme.md
Awesome Lists containing this project
README
Setup rotating Nginx TLS session tickey keys on Centmin Mod Nginx based servers via [`ssl_session_ticket_key`](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_ticket_key) instead of using Nginx's built-in key.
# Initial Setup
On Centmin Mod based Nginx server
```
wget -O /usr/local/bin/manage-session-keys https://github.com/centminmod/centminmod-nginx-session-ticket-keys/raw/master/manage-session-keys
chmod +x /usr/local/bin/manage-session-keys
/usr/local/bin/manage-session-keys setup
systemctl status nginx-create-session-ticket-keys.service
systemctl status usr-local-nginx-conf-session_ticket_keys.mount
```
The session ticket keys are saved to a ramdisk mounted directory at `/usr/local/nginx/conf/session_ticket_keys`
```
df -hT /usr/local/nginx/conf/session_ticket_keys
Filesystem Type Size Used Avail Use% Mounted on
tmpfs tmpfs 16G 32K 16G 1% /usr/local/nginx/conf/session_ticket_keys
```
# Manual Usage:
`/usr/local/bin/manage-session-keys` usage:
```
Usage:
/usr/local/bin/manage-session-keys setup
/usr/local/bin/manage-session-keys create
/usr/local/bin/manage-session-keys rotate
/usr/local/bin/manage-session-keys uninstall
/usr/local/bin/manage-session-keys status
/usr/local/bin/manage-session-keys check-domain yourdomain.com
```
Add to each Centmin Mod Nginx Vhosts with HTTPS enabled i.e. `/usr/local/nginx/conf/conf.d/domain.com.ssl.conf` the following:
```
ssl_session_ticket_key /usr/local/nginx/conf/session_ticket_keys/1.key;
ssl_session_ticket_key /usr/local/nginx/conf/session_ticket_keys/2.key;
ssl_session_ticket_key /usr/local/nginx/conf/session_ticket_keys/3.key;
ssl_session_ticket_key /usr/local/nginx/conf/session_ticket_keys/4.key;
ssl_session_ticket_key /usr/local/nginx/conf/session_ticket_keys/5.key;
ssl_session_ticket_key /usr/local/nginx/conf/session_ticket_keys/6.key;
ssl_session_ticket_key /usr/local/nginx/conf/session_ticket_keys/7.key;
ssl_session_ticket_key /usr/local/nginx/conf/session_ticket_keys/8.key;
ssl_session_ticket_key /usr/local/nginx/conf/session_ticket_keys/9.key;
ssl_session_ticket_key /usr/local/nginx/conf/session_ticket_keys/10.key;
ssl_session_ticket_key /usr/local/nginx/conf/session_ticket_keys/11.key;
ssl_session_ticket_key /usr/local/nginx/conf/session_ticket_keys/12.key;
```
Example excerpt
```
server {
listen 443 ssl http2;
server_name domain.com www.domain.com;
include /usr/local/nginx/conf/ssl/domain.com/domain.com.crt.key.conf;
include /usr/local/nginx/conf/ssl_include.conf;
ssl_session_ticket_key /usr/local/nginx/conf/session_ticket_keys/1.key;
ssl_session_ticket_key /usr/local/nginx/conf/session_ticket_keys/2.key;
ssl_session_ticket_key /usr/local/nginx/conf/session_ticket_keys/3.key;
ssl_session_ticket_key /usr/local/nginx/conf/session_ticket_keys/4.key;
ssl_session_ticket_key /usr/local/nginx/conf/session_ticket_keys/5.key;
ssl_session_ticket_key /usr/local/nginx/conf/session_ticket_keys/6.key;
ssl_session_ticket_key /usr/local/nginx/conf/session_ticket_keys/7.key;
ssl_session_ticket_key /usr/local/nginx/conf/session_ticket_keys/8.key;
ssl_session_ticket_key /usr/local/nginx/conf/session_ticket_keys/9.key;
ssl_session_ticket_key /usr/local/nginx/conf/session_ticket_keys/10.key;
ssl_session_ticket_key /usr/local/nginx/conf/session_ticket_keys/11.key;
ssl_session_ticket_key /usr/local/nginx/conf/session_ticket_keys/12.key;
```
Or instead of within each Nginx vhost, add globally to existing include file `/usr/local/nginx/conf/ssl_include.conf` via a new include file `/usr/local/nginx/conf/ssl-session-ticket-keys.conf`.
Existing `/usr/local/nginx/conf/ssl_include.conf`include file with added `/usr/local/nginx/conf/ssl-session-ticket-keys.conf` include file:
```
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 60m;
ssl_protocols TLSv1.2 TLSv1.3;
include /usr/local/nginx/conf/ssl-session-ticket-keys.conf;
```
In `/usr/local/nginx/conf/ssl-session-ticket-keys.conf`
```
ssl_session_ticket_key /usr/local/nginx/conf/session_ticket_keys/1.key;
ssl_session_ticket_key /usr/local/nginx/conf/session_ticket_keys/2.key;
ssl_session_ticket_key /usr/local/nginx/conf/session_ticket_keys/3.key;
ssl_session_ticket_key /usr/local/nginx/conf/session_ticket_keys/4.key;
ssl_session_ticket_key /usr/local/nginx/conf/session_ticket_keys/5.key;
ssl_session_ticket_key /usr/local/nginx/conf/session_ticket_keys/6.key;
ssl_session_ticket_key /usr/local/nginx/conf/session_ticket_keys/7.key;
ssl_session_ticket_key /usr/local/nginx/conf/session_ticket_keys/8.key;
ssl_session_ticket_key /usr/local/nginx/conf/session_ticket_keys/9.key;
ssl_session_ticket_key /usr/local/nginx/conf/session_ticket_keys/10.key;
ssl_session_ticket_key /usr/local/nginx/conf/session_ticket_keys/11.key;
ssl_session_ticket_key /usr/local/nginx/conf/session_ticket_keys/12.key;
```
**Notes**
* `/usr/local/nginx/conf/ssl-session-ticket-keys.conf` is automatically created and populated if you run `/usr/local/bin/manage-session-keys setup` from [initial setup](#initial-setup) steps.
# Check Domain's Session Resumption
Where the `0000: ` line is first part of the session ticket key's hex bytes
```
/usr/local/bin/manage-session-keys check-domain domain.com
------------------------------------------
New-TLSv1-SSLv3-Cipher: ECDHE-RSA-AES128-GCM-SHA256
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: 88EFBC7609076696D65C7ED3D7EE8658461928BA4D6FB95EB137DCD2D4595728
Master-Key: CA12DB554A6000A15D0632810EB606F0E5D0EE62CA40BCB1EC24ACBBA29FE2B00B03DA9282AC314C40AD1C6E40187B30
TLS session ticket lifetime hint: 600 (seconds)
0000: 3d 86 62 77 bd 61 a9 ac-f3 e5 09 a0 81 0d cf 2a =.bw.a.........*
Start Time: 1665605339
------------------------------------------
Reused-TLSv1-SSLv3-Cipher: ECDHE-RSA-AES128-GCM-SHA256
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: 88EFBC7609076696D65C7ED3D7EE8658461928BA4D6FB95EB137DCD2D4595728
Master-Key: CA12DB554A6000A15D0632810EB606F0E5D0EE62CA40BCB1EC24ACBBA29FE2B00B03DA9282AC314C40AD1C6E40187B30
TLS session ticket lifetime hint: 600 (seconds)
0000: 3d 86 62 77 bd 61 a9 ac-f3 e5 09 a0 81 0d cf 2a =.bw.a.........*
Start Time: 1665605339
------------------------------------------
nginx process ids: 12375 12360 12357 12340 12291 12290 12289 12288 12287 12286
```
Checking multiple domains on the Centmin Mod server via comma separated domain list. These 2 domains are on different server IP addresses on same server.
```
/usr/local/bin/manage-session-keys check-domain domain1.com,domain2.com
------------------------------------------
checking: domain1.com TLS resumption
------------------------------------------
New-TLSv1-SSLv3-Cipher: ECDHE-ECDSA-AES128-GCM-SHA256
Protocol : TLSv1.2
Cipher : ECDHE-ECDSA-AES128-GCM-SHA256
Session-ID: 7CBB3CB6A4BCEC1659C7EA960AF57724F01D1D3CBAD5EEEF6A553E800418D8F9
Master-Key: 28285EDD4AEB43DAA2BF71A6AFF9C9137C31084DF1FC2CCF0C5B2AD5064C7D2F783D1DF9E51F790D6744937303BB1563
TLS session ticket lifetime hint: 3600 (seconds)
0000: 0c 1d c9 e8 41 7c e9 fb-06 19 51 4a 24 8b fb 42 ....A|....QJ$..B
Start Time: 1665620404
------------------------------------------
Reused-TLSv1-SSLv3-Cipher: ECDHE-ECDSA-AES128-GCM-SHA256
Protocol : TLSv1.2
Cipher : ECDHE-ECDSA-AES128-GCM-SHA256
Session-ID: 7CBB3CB6A4BCEC1659C7EA960AF57724F01D1D3CBAD5EEEF6A553E800418D8F9
Master-Key: 28285EDD4AEB43DAA2BF71A6AFF9C9137C31084DF1FC2CCF0C5B2AD5064C7D2F783D1DF9E51F790D6744937303BB1563
TLS session ticket lifetime hint: 3600 (seconds)
0000: 0c 1d c9 e8 41 7c e9 fb-06 19 51 4a 24 8b fb 42 ....A|....QJ$..B
Start Time: 1665620404
------------------------------------------
checking: domain2.com TLS resumption
------------------------------------------
New-TLSv1-SSLv3-Cipher: ECDHE-RSA-AES128-GCM-SHA256
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: 3053542003A97977504D03B7E3CFA29FA8FEB172BA0C9CD0308B5E97737DEC76
Master-Key: 2548FA5D22966F3A678458FEF126577DC1E2B1D7C128BE8E263D3956238E74E8A3EC9375FA59E2D84A7323EBC04F6B79
TLS session ticket lifetime hint: 600 (seconds)
0000: c6 aa 2c 0e 14 89 9b 57-34 a3 20 d3 0d 0f 82 33 ..,....W4. ....3
Start Time: 1665620404
------------------------------------------
Reused-TLSv1-SSLv3-Cipher: ECDHE-RSA-AES128-GCM-SHA256
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: 3053542003A97977504D03B7E3CFA29FA8FEB172BA0C9CD0308B5E97737DEC76
Master-Key: 2548FA5D22966F3A678458FEF126577DC1E2B1D7C128BE8E263D3956238E74E8A3EC9375FA59E2D84A7323EBC04F6B79
TLS session ticket lifetime hint: 600 (seconds)
0000: c6 aa 2c 0e 14 89 9b 57-34 a3 20 d3 0d 0f 82 33 ..,....W4. ....3
Start Time: 1665620404
------------------------------------------
nginx process ids: 49459 39206 39189 39172 39155 39122 39105 39104 39103 39102
```
# Check Nginx TLS Session Key Rotation
Check Centmin Mod Nginx's vhost session ticket key rotation where the `0000: ` line is first part of the session ticket key's hex bytes
```
# check
/usr/local/bin/manage-session-keys check-domain domain.com
------------------------------------------
New-TLSv1-SSLv3-Cipher: ECDHE-RSA-AES128-GCM-SHA256
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: 88EFBC7609076696D65C7ED3D7EE8658461928BA4D6FB95EB137DCD2D4595728
Master-Key: CA12DB554A6000A15D0632810EB606F0E5D0EE62CA40BCB1EC24ACBBA29FE2B00B03DA9282AC314C40AD1C6E40187B30
TLS session ticket lifetime hint: 600 (seconds)
0000: 3d 86 62 77 bd 61 a9 ac-f3 e5 09 a0 81 0d cf 2a =.bw.a.........*
Start Time: 1665605339
------------------------------------------
Reused-TLSv1-SSLv3-Cipher: ECDHE-RSA-AES128-GCM-SHA256
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: 88EFBC7609076696D65C7ED3D7EE8658461928BA4D6FB95EB137DCD2D4595728
Master-Key: CA12DB554A6000A15D0632810EB606F0E5D0EE62CA40BCB1EC24ACBBA29FE2B00B03DA9282AC314C40AD1C6E40187B30
TLS session ticket lifetime hint: 600 (seconds)
0000: 3d 86 62 77 bd 61 a9 ac-f3 e5 09 a0 81 0d cf 2a =.bw.a.........*
Start Time: 1665605339
------------------------------------------
nginx process ids: 12375 12360 12357 12340 12291 12290 12289 12288 12287 12286
```
```
# rotate session ticket keys
systemctl restart nginx-rotate-session-ticket-keys.timer
# recheck
/usr/local/bin/manage-session-keys check-domain domain.com
------------------------------------------
New-TLSv1-SSLv3-Cipher: ECDHE-RSA-AES128-GCM-SHA256
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: 046839BE610F884D09869838CF17EC18B3B906E2FBE597CEB36F213F3AACAB2A
Master-Key: 1CB501C785333C599D9B4E8920D249E5DCB780A50471E46405F01AD0E84A726DC60890D1D24AEC6DB2A2139F420E7A73
TLS session ticket lifetime hint: 600 (seconds)
0000: c6 aa 2c 0e 14 89 9b 57-34 a3 20 d3 0d 0f 82 33 ..,....W4. ....3
Start Time: 1665608624
------------------------------------------
Reused-TLSv1-SSLv3-Cipher: ECDHE-RSA-AES128-GCM-SHA256
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: 046839BE610F884D09869838CF17EC18B3B906E2FBE597CEB36F213F3AACAB2A
Master-Key: 1CB501C785333C599D9B4E8920D249E5DCB780A50471E46405F01AD0E84A726DC60890D1D24AEC6DB2A2139F420E7A73
TLS session ticket lifetime hint: 600 (seconds)
0000: c6 aa 2c 0e 14 89 9b 57-34 a3 20 d3 0d 0f 82 33 ..,....W4. ....3
Start Time: 1665608624
------------------------------------------
nginx process ids: 35751 35724 35717 35700 35667 35650 35649 35648 35647 18030
```