
Beta Branch add NGINX_STAPLE_CACHE_OVERRIDE option in 123.09beta01

Discussion in 'Centmin Mod Github Commits' started by eva2000, Apr 15, 2020.

  1. eva2000

    eva2000 Administrator Staff Member

    44,477
    10,164
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +15,726
    Local Time:
    9:38 AM
    Nginx 1.17.x
    MariaDB 5.5/10.x
    add NGINX_STAPLE_CACHE_OVERRIDE option in 123.09beta01

    - Nginx by default will cache OCSP staple responses on a per-nginx-worker cache basis on subsequent requests after the initial request (not the 1st request). Nginx will then cache this OCSP staple response for 1hr (3600 seconds) before refreshing the cache with a recheck. This means the max time an OCSP stapling response remains in the Nginx cache is 1hr or 3600 seconds. OCSP stapling speeds up HTTPS-based web site performance as it saves the callback time to the SSL certificate CA provider's OCSP server - see OCSP Stapling: How CloudFlare Just Made SSL 30% Faster
    - The new optional setting NGINX_STAPLE_CACHE_OVERRIDE='n' is disabled by default to adhere to Nginx's default OCSP stapling response cache time of 1hr (3600 seconds). However, if you set NGINX_STAPLE_CACHE_OVERRIDE='y' in the persistent config file /etc/centminmod/custom_config.inc prior to compiling/updating Nginx via centmin.sh menu option 4, then you can override the Nginx default OCSP stapling cache refresh time of 1h (3600 seconds) to a value set by NGINX_STAPLE_CACHE_TTL='86400', which defaults to increasing the Nginx OCSP stapling cache refresh time to 1 day (86400 seconds). You can override NGINX_STAPLE_CACHE_TTL='86400' by setting your own value in the persistent config file /etc/centminmod/custom_config.inc prior to compiling/updating Nginx via centmin.sh menu option 4. The OCSP responses by the SSL certificate CA provider are usually valid for 5-7 days, so refreshing every 24hrs seems like a safe compromise. On refresh Nginx will check the OCSP stapling response cache's expiration date and, if expired, will immediately purge the cache item and refresh / get a new OCSP response from the CA.
    - At the end of centmin.sh menu option 4 nginx recompiles/upgrades, there will be a list of saved logs, one of which is the nginx patch log at /root/centminlogs/patch_patchnginx_XXXX where XXXX is a date timestamp, which would show this patch message: patching nginx OCSP stapling response cache time set to: 86400


    123.09beta01 branch

     
  2. eva2000

    eva2000 Administrator Staff Member
    @buik might like this :)

    when NGINX_STAPLE_CACHE_OVERRIDE='y' is set

    nginx recompiles/updates via centmin.sh menu option 4 will also, at the end of the routine, show the line
    Code (Text):
    log files saved at /root/centminlogs
    -rw-r--r--  1 root root    0 Apr 15 05:27 patch_opensslpatches_150420-052707.log
    -rw-r--r--  1 root root   44 Apr 15 05:27 centminmod_opensslinstalltime_150420-052707.log
    -rw-r--r--  1 root root 4.9K Apr 15 05:28 patch_patchnginx_150420-052707.log
    -rw-r--r--  1 root root 9.6K Apr 15 05:28 nginx-configure-150420-052707.log
    -rw-r--r--  1 root root  43K Apr 15 05:29 nginx_autoconf.err.150420-052707.log
    -rw-r--r--  1 root root 2.3M Apr 15 05:29 centminmod_123.09beta01.b490_150420-052707_nginx_upgrade.log
    *************************************************
    * NGINX_STAPLE_CACHE_OVERRIDE='y' detected NGINX_STAPLE_CACHE_TTL='86400' set
    * nginx updated
    
     
  3. buik

    buik “Winners never quit, and quitters never win.” Premium Member

    1,276
    343
    83
    Apr 29, 2016
    Ratings:
    +1,032
    Local Time:
    1:38 AM
    Nice catch! How did you get this cache TTL: 86400
    I can't find a reference or article regarding the TTL in question.
     
  4. eva2000

    eva2000 Administrator Staff Member
    The nginx OCSP response cache refresh time is hardcoded in the Nginx code at src/event/ngx_event_openssl_stapling.c as 3600 seconds
    Code (Text):
    grep -C10 'staple->refresh = ngx_max' "/svr-setup/nginx-1.17.10/src/event/ngx_event_openssl_stapling.c"
        staple->staple = response;
        staple->valid = valid;
        /*
         * refresh before the response expires,
         * but not earlier than in 5 minutes, and at least in an hour
         */
        staple->loading = 0;
        staple->refresh = ngx_max(ngx_min(valid - 300, now + 3600), now + 300);
        ngx_ssl_ocsp_done(ctx);
        return;
    error:
        staple->loading = 0;
        staple->refresh = now + 300;
        if (id) {
    

    NGINX_STAPLE_CACHE_TTL value overrides that default 3600 seconds in src/event/ngx_event_openssl_stapling.c :)
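As an added illustration (not nginx's or Centmin Mod's own code) of the refresh rule quoted in the post above and of the NGINX_STAPLE_CACHE_TTL override described in the first post: the program below re-implements only the single `staple->refresh = ...` line, with the hardcoded 3600 replaced by a `ttl` parameter, and runs it against constructed timestamps. It assumes the `ngx_max`/`ngx_min` stand-ins behave like nginx's macros and uses a made-up `now`; everything else is taken from the quoted source line.

```c
/* Added example, not nginx or Centmin Mod code: stand-alone re-implementation
 * of the refresh-time rule quoted from src/event/ngx_event_openssl_stapling.c,
 * parameterised by the cache TTL that the Centmin Mod patch replaces
 * (3600 by default, 86400 when NGINX_STAPLE_CACHE_OVERRIDE='y'). */
#include <stdio.h>
#include <time.h>

/* Local stand-ins for nginx's ngx_max/ngx_min macros (assumption). */
#define ngx_max(a, b) ((a) > (b) ? (a) : (b))
#define ngx_min(a, b) ((a) < (b) ? (a) : (b))

#define NGX_STAPLE_DEFAULT_TTL  3600   /* value hardcoded in nginx */
#define NGX_STAPLE_OVERRIDE_TTL 86400  /* Centmin Mod NGINX_STAPLE_CACHE_TTL default */

/* Same expression as the quoted nginx line, with 3600 replaced by ttl:
 * refresh before the OCSP response expires (valid - 300), but no later
 * than ttl seconds from now, and never earlier than 5 minutes from now. */
time_t staple_refresh_at(time_t now, time_t valid, time_t ttl)
{
    return ngx_max(ngx_min(valid - 300, now + ttl), now + 300);
}

/* Seconds until the worker would re-fetch the OCSP response. */
long staple_refresh_delay(time_t now, time_t valid, time_t ttl)
{
    return (long)(staple_refresh_at(now, valid, ttl) - now);
}

int main(void)
{
    time_t now = 1000000;                 /* constructed "current time" */
    time_t valid_week = now + 7 * 86400;  /* CA response valid for 7 days */
    time_t valid_soon = now + 7200;       /* response that expires in 2 hours */
    time_t valid_past = now - 60;         /* response already expired */

    /* Long-lived response: the TTL alone decides the refresh interval. */
    printf("7-day response, default TTL : re-fetch in %ld s\n",
           staple_refresh_delay(now, valid_week, NGX_STAPLE_DEFAULT_TTL));
    printf("7-day response, override TTL: re-fetch in %ld s\n",
           staple_refresh_delay(now, valid_week, NGX_STAPLE_OVERRIDE_TTL));

    /* Short-lived response: valid - 300 wins, so a large TTL cannot make
     * nginx hold a response past its expiry. */
    printf("2-hour response, override TTL: re-fetch in %ld s\n",
           staple_refresh_delay(now, valid_soon, NGX_STAPLE_OVERRIDE_TTL));

    /* Expired response: the 5-minute floor applies whatever the TTL is. */
    printf("expired response, override TTL: re-fetch in %ld s\n",
           staple_refresh_delay(now, valid_past, NGX_STAPLE_OVERRIDE_TTL));
    return 0;
}
```

The point worth taking from the runs: the patched TTL only raises the upper bound on how long a worker keeps a response. Because `valid - 300` sits inside the `ngx_min`, a CA response with a shorter validity window is still refreshed 5 minutes before it expires, and an already-expired response is retried after the 300-second floor regardless of NGINX_STAPLE_CACHE_TTL.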