ocsp-stapling through http proxy?
r at roze.lv
Thu Oct 13 14:13:20 UTC 2016
> You mean a transparent proxy?
> In our case, this is not possible.
It's not really transparent.
As far as I understand you have a problem with opening outgoing traffic to
_random_ destination but you are fine if such traffic is pushed through some
proxy server (which in general means that the proxy server will anyways have
outgoing to "everywhere").
So while there is no http proxy support for such things in nginx ( in
Apache as a workarround you can override the responders url
what you could do is just force the ocsp responders host to resolve to your
proxy (no other traffic has to be altered) which then forwards the request
to the original responder.
The proxy could be aswell another nginx instance (the problem is just that
nginx (besides the commercial nginx+) doesn't resolve (without some
workarrounds) backend hostnames on the fly but only on startup).
But in the end do you really need it?
Even in the "cloud" the IPs shouldn't change too often (if so maybe it's
worth to look for another SSL provider?) also there is no failure if
suddenly the stapling doesn't happen serverside, just monitor it and when
the resolution changes (or nginx starts to complain) alter your firewall
p.s. I haven't done the "proxy part" but at one time there were problems
with Godaddys European ocsp responders so I did the DNS thingy and forced
the ocsp.godaddy.com to be resolved to US ips and it worked fine.
More information about the nginx