
Master Branch add NGINX_STAPLE_CACHE_OVERRIDE option in 123.09beta01

Discussion in 'Centmin Mod Github Commits' started by eva2000, Apr 19, 2020.

  1. eva2000

    eva2000 Administrator Staff Member

    add NGINX_STAPLE_CACHE_OVERRIDE option in 123.09beta01

    - Nginx by default will cache OCSP staple responses on a per nginx worker cache basis on subsequent requests after the initial request (not 1st request). Nginx will then cache this OCSP staple response for 1hr (3600 seconds) before refreshing the cache with a recheck. This means max time OCSP stapling response remains in Nginx cache is for 1hr or 3600 seconds. OCSP stapling speeds up HTTPS based web site performance as it saves the call back time to SSL certificate's CA provider's OCSP server - see https://blog.cloudflare.com/ocsp-stapling-how-cloudflare-just-made-ssl-30/
    - The new optional setting NGINX_STAPLE_CACHE_OVERRIDE='n' is disabled by default to adhere to Nginx's default OCSP stapling response cache time of 1hr (3600 seconds). However, if you set NGINX_STAPLE_CACHE_OVERRIDE='y' in persistent config file /etc/centminmod/custom_config.inc prior to compiling/updating Nginx via centmin.sh menu option 4, then you can override the Nginx default OCSP stapling cache refresh time of 1h (3600 seconds) to a value set by NGINX_STAPLE_CACHE_TTL='86400' which is set to default to increase Nginx OCSP stapling cache refresh time to 1 day (86400 seconds). You can override NGINX_STAPLE_CACHE_TTL='86400' by setting your own value in persistent config file /etc/centminmod/custom_config.inc prior to compiling/updating Nginx via centmin.sh menu option 4. The OCSP responses by SSL certificate CA provider are usually valid for 5-7 days, so refreshing every 24hrs seems like a safe compromise. Nginx will on refresh check OCSP stapling response cache's expiration date and if expired, will immediately purge the cache item and refresh and get a new OCSP response from CA.
    - At end of centmin.sh menu option 4 nginx recompile/upgrades, there will be a list of saved logs of which one is nginx patch log at /root/centminlogs/patch_patchnginx_XXXX where XXXX is date timestamped which would show this patch message: patching nginx OCSP stapling response cache time set to: 86400

    Centmin Mod Github Master branch

    Master branch is where most recent commits are made as at May 24, 2015.
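
The commit message above reasons that a 1 day refresh is safe because CA OCSP responses are usually valid for 5-7 days. The following added example (not code from Centmin Mod or Nginx) checks that margin for a given TTL by reading the This Update / Next Update fields from text shaped like `openssl s_client -status` output. The sample response, the function names and the fetch times are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: excerpt shaped like `openssl s_client -status` output.
SAMPLE_STATUS = """\
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good
    This Update: Apr 18 08:00:00 2020 GMT
    Next Update: Apr 25 08:00:00 2020 GMT
"""

_FIELD = re.compile(r"^\s*(This|Next) Update:\s*(.+?)\s+GMT\s*$", re.M)


def parse_validity(status_text):
    """Return (this_update, next_update) as aware UTC datetimes."""
    found = {}
    for name, stamp in _FIELD.findall(status_text):
        parsed = datetime.strptime(stamp, "%b %d %H:%M:%S %Y")
        found[name] = parsed.replace(tzinfo=timezone.utc)
    if "This" not in found or "Next" not in found:
        raise ValueError("OCSP response lacks This Update / Next Update")
    return found["This"], found["Next"]


def staple_margin(status_text, ttl_seconds, fetched_at):
    """Seconds left before Next Update when the cache entry is due for refresh.

    Negative means the cached staple could pass Next Update before the
    TTL-driven refresh happens.
    """
    this_update, next_update = parse_validity(status_text)
    if not this_update <= fetched_at < next_update:
        raise ValueError("response not valid at fetch time")
    refresh_due = fetched_at + timedelta(seconds=ttl_seconds)
    return int((next_update - refresh_due).total_seconds())


if __name__ == "__main__":
    fetched = datetime(2020, 4, 19, 8, 0, tzinfo=timezone.utc)
    for ttl in (3600, 86400):
        print(ttl, staple_margin(SAMPLE_STATUS, ttl, fetched))
```

The margin depends on how far into the validity window the response was fetched, so run it against the response your own CA returns rather than relying on the nominal 5-7 day figure.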