Go API Documentation

github.com/caddyserver/caddy/v2/modules/caddytls/distributedstek

Package distributedstek provides TLS session ticket ephemeral keys (STEKs) in a distributed fashion by using the configured storage for locking and key sharing. This allows a cluster of machines to resume TLS sessions optimally in a load-balanced environment without extra operational work. This is similar to what Twitter does, but without relying on SSH to distribute keys, since the sharing is built into the web server itself: https://blog.twitter.com/engineering/en_us/a/2013/forward-secrecy-at-twitter.html

Package

Files: 1. Third party imports: 0. Imports from organisation: 1. Tests: 0. Benchmarks: 0.

Constants

Vars

Interface guard

Types

Provider

Provider implements a distributed STEK provider. This module will obtain STEKs from a storage module instead of generating STEKs internally. This allows STEKs to be coordinated, improving TLS session resumption in a cluster.

Field name    Field type                        Comment
Storage       json.RawMessage                   The storage module wherein to store and obtain session ticket keys. If unset, Caddy's default/global-configured storage module will be used.
storage       certmagic.Storage                 No comment on field.
stekConfig    *caddytls.SessionTicketService    No comment on field.
timer         *time.Timer                       No comment on field.
ctx           caddy.Context                     No comment on field.

distributedSTEK

This type doesn't have documentation.

Field name    Field type    Comment
Keys          [][]byte      No comment on field.
LastRotation  time.Time     No comment on field.

Functions

func (*Provider) Initialize

Initialize sets the configuration for s and returns the starting keys.

Uses: time.NewTimer, time.Until.

func (*Provider) Next

Next returns a channel which transmits the latest session ticket keys.

func (*Provider) Provision

Provision provisions s.

Uses: fmt.Errorf.

func (Provider) CaddyModule

CaddyModule returns the Caddy module information.

Private functions

func init

func getSTEK

getSTEK locks and loads the current STEK from storage. If none currently exists, a new STEK is created and persisted. If the current STEK is outdated (NextRotation time is in the past), then it is rotated and persisted. The resulting STEK is returned.

References: errors.Is, fmt.Errorf, fs.ErrNotExist, time.Now.

func loadSTEK

References: bytes.NewReader, fmt.Errorf, gob.NewDecoder.

func rotate

rotate rotates keys on a regular basis, sending each updated set of keys down keysChan, until doneChan is closed.

References: debug.Stack, log.Printf, time.Until.

func rotateKeys

rotateKeys rotates the keys of oldSTEK and returns the new distributedSTEK with updated keys and timestamps. It stores the returned STEK in storage, so this function must only be called in a storage-provided lock.

References: time.Duration, time.Now.

func storeSTEK

References: bytes.Buffer, fmt.Errorf, gob.NewEncoder.
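The following is an added, self-contained sketch of the flow that getSTEK, rotateKeys, loadSTEK and storeSTEK describe above; it is example code written for this page, not the caddy distributedstek source. An in-memory store stands in for the configured certmagic.Storage, the NextRotation field, the storage key name, the 32-byte key size and the rotation/retention parameters are assumptions for illustration, and time is passed in explicitly so the rotation decision is deterministic. It shows the three branches getSTEK documents (no STEK yet, STEK outdated, STEK current) and why rotateKeys must run under the storage lock: every node reads, rotates and writes the same record, so an unlocked rotation on two nodes would fork the key set and break cross-node resumption.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"encoding/gob"
	"errors"
	"fmt"
	"io/fs"
	"sync"
	"time"
)

// stek mirrors the page's distributedSTEK. Keys[0] encrypts new tickets; older
// keys are kept only so tickets issued under them can still be decrypted.
type stek struct {
	Keys                       [][]byte
	LastRotation, NextRotation time.Time // NextRotation is assumed from the getSTEK text
}

// memStorage is a constructed stand-in for cluster-shared storage; Lock/Unlock
// model the storage-provided lock that rotateKeys relies on.
type memStorage struct {
	mu   sync.Mutex
	data map[string][]byte
}

func newMemStorage() *memStorage { return &memStorage{data: map[string][]byte{}} }
func (m *memStorage) Lock()      { m.mu.Lock() }
func (m *memStorage) Unlock()    { m.mu.Unlock() }
func (m *memStorage) Load(key string) ([]byte, error) {
	v, ok := m.data[key]
	if !ok {
		return nil, fs.ErrNotExist // the sentinel getSTEK is documented to test with errors.Is
	}
	return v, nil
}
func (m *memStorage) Store(key string, v []byte) error { m.data[key] = v; return nil }

const stekKey = "session_ticket_keys" // constructed storage key, not Caddy's

// loadSTEK / storeSTEK gob-encode the record, matching the page's References.
func loadSTEK(s *memStorage) (stek, error) {
	var st stek
	raw, err := s.Load(stekKey)
	if err != nil {
		return st, err
	}
	if err := gob.NewDecoder(bytes.NewReader(raw)).Decode(&st); err != nil {
		return st, fmt.Errorf("decoding STEK: %v", err)
	}
	return st, nil
}

func storeSTEK(s *memStorage, st stek) error {
	var buf bytes.Buffer
	if err := gob.NewEncoder(&buf).Encode(st); err != nil {
		return fmt.Errorf("encoding STEK: %v", err)
	}
	return s.Store(stekKey, buf.Bytes())
}

// rotateKeys prepends a fresh random key, drops keys beyond maxKeys and advances
// both timestamps. The caller must hold the storage lock.
func rotateKeys(old stek, now time.Time, interval time.Duration, maxKeys int) (stek, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return stek{}, fmt.Errorf("generating key: %v", err)
	}
	keys := append([][]byte{k}, old.Keys...)
	if len(keys) > maxKeys {
		keys = keys[:maxKeys]
	}
	return stek{Keys: keys, LastRotation: now, NextRotation: now.Add(interval)}, nil
}

// getSTEK is the locked load, create-or-rotate, persist sequence described above.
func getSTEK(s *memStorage, now time.Time, interval time.Duration, maxKeys int) (stek, error) {
	s.Lock()
	defer s.Unlock()
	st, err := loadSTEK(s)
	switch {
	case errors.Is(err, fs.ErrNotExist):
		st, err = rotateKeys(stek{}, now, interval, maxKeys) // nothing stored yet: create
	case err != nil:
		return stek{}, err
	case !now.Before(st.NextRotation):
		st, err = rotateKeys(st, now, interval, maxKeys) // outdated: rotate
	default:
		return st, nil // current: nothing to persist
	}
	if err != nil {
		return stek{}, err
	}
	if err := storeSTEK(s, st); err != nil {
		return stek{}, err
	}
	return st, nil
}

func main() {
	store := newMemStorage()
	t0 := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	a, _ := getSTEK(store, t0, time.Hour, 4)
	b, _ := getSTEK(store, t0.Add(2*time.Hour), time.Hour, 4)
	fmt.Printf("created %d key(s); after rotation %d key(s); previous key retained: %v\n",
		len(a.Keys), len(b.Keys), bytes.Equal(a.Keys[0], b.Keys[1]))
}
```

Because the rotation decision is made against the shared record rather than a per-node timer, a node that starts late or restarts simply adopts whatever key set the cluster is already on, which is the behaviour that makes resumption work across a load balancer.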