ocsp-stapling through http proxy?
rainer at ultra-secure.de
Thu Oct 13 10:25:44 UTC 2016
Hi,

we have been informed by our CA that they will be moving their
OCSP-servers to "the cloud" - it was a fixed set of IPs before.
These fixed sets could relatively easily be entered as firewall rules
(and hosts-file entries, should DNS-resolution be unavailable).
Of course, they could as easily be targeted by Script-Kiddies and
Wannabe-Hackers as targets for a DDoS.

As such, I would need to allow outbound http-connections to the whole
internet, which is kind of exactly the opposite of what I want to do.
And that's ignoring for a moment the necessity to allow outbound DNS...

It would be cool if nginx were able to do the stapling through an
http-proxy.

Rainer