roles/nginx: enable nginx ssl_session_tickets

This has apparently been supported since nginx 1.23.2 and is safe to use the default (on) now. See: https://github.com/mozilla/server-side-tls/issues/284
2025-03-29 22:35:56 +03:00 · 2025-03-29 22:35:56 +03:00 · d8d9790d21
commit d8d9790d21
parent 9a500ebc0d
1 changed files with 0 additions and 9 deletions
--- a/roles/nginx/templates/https.j2
+++ b/roles/nginx/templates/https.j2
@ -39,15 +39,6 @@
    resolver {{ nginx_ssl_stapling_resolver }};
    {% endif %} {# end: use_letsencrypt #}

-    # nginx does not auto-rotate session ticket keys: only a HUP / restart will do so and
-    # when a restart is performed the previous key is lost, which resets all previous
-    # sessions. The fix for this is to setup a manual rotation mechanism:
-    # http://trac.nginx.org/nginx/changeset/1356a3b9692441e163b4e78be4e9f5a46c7479e9/nginx
-    #
-    # Note that you'll have to define and rotate the keys securely by yourself. In absence
-    # of such infrastructure, consider turning off session tickets:
-    ssl_session_tickets off;
-
    {% if enable_hsts == true %}
    # Enable this if you want HSTS (recommended, but be careful)
    # Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store