distributedstek

Documentation

Overview

Package distributedstek provides TLS session ticket ephemeral keys (STEKs) in a distributed fashion by utilizing configured storage for locking and key sharing. This allows a cluster of machines to optimally resume TLS sessions in a load-balanced environment without any hassle. This is similar to what Twitter does, but without needing to rely on SSH, as it is built into the web server this way: https://blog.twitter.com/engineering/en_us/a/2013/forward-secrecy-at-twitter.html

Index

• type Provider
  • func (Provider) CaddyModule() caddy.ModuleInfo
  • func (s *Provider) Initialize(config *caddytls.SessionTicketService) ([][32]byte, error)
  • func (s *Provider) Next(doneChan <-chan struct{}) <-chan [][32]byte
  • func (s *Provider) Provision(ctx caddy.Context) error

Types

type Provider

type Provider struct {
	// The storage module wherein to store and obtain session
	// ticket keys. If unset, Caddy's default/global-configured
	// storage module will be used.
	Storage json.RawMessage `json:"storage,omitempty" caddy:"namespace=caddy.storage inline_key=module"`
	// contains filtered or unexported fields
}

Provider implements a distributed STEK provider. This module will obtain STEKs from a storage module instead of generating STEKs internally. This allows STEKs to be coordinated, improving TLS session resumption in a cluster.

func (Provider) CaddyModule

func (Provider) CaddyModule() caddy.ModuleInfo

CaddyModule returns the Caddy module information.

func (*Provider) Initialize

func (s *Provider) Initialize(config *caddytls.SessionTicketService) ([][32]byte, error)

Initialize sets the configuration for s and returns the starting keys.

func (*Provider) Next

func (s *Provider) Next(doneChan <-chan struct{}) <-chan [][32]byte

Next returns a channel which transmits the latest session ticket keys.

func (*Provider) Provision

func (s *Provider) Provision(ctx caddy.Context) error

Provision provisions s.