ocsp-stapling through http proxy?

Maxim Dounin mdounin at mdounin.ru
Thu Oct 13 13:34:14 UTC 2016


On Thu, Oct 13, 2016 at 12:25:44PM +0200, rainer at ultra-secure.de wrote:

> Hi,
> we have been informed by our CA that they will be moving their OCSP-servers
> to "the cloud" - it was a fixed set of IPs before.
> These fixed sets could relatively easily be entered as firewall rules (and
> hosts-file entries, should DNS-resolution be unavailable).
> Of course, they could as easily be targeted by Script-Kiddies and
> Wannabe-Hackers as targets for a DDoS.
> As such, I would need to allow outbound http-connections to the whole
> internet, which is kind of exactly the opposite of what I want to do.
> And that's ignoring for a moment the necessity to allow outbound DNS...
> It would be cool if nginx would be able to do the stapling through a
> http-proxy.

OCSP stapling allows you to:

- provide your own file to staple using the ssl_stapling_file 
  directive.  It doesn't matter to nginx how the file was 
  obtained.  You can even update it by hand.  It might be 
  relatively straightforward to configure an automatic updating 
  process though.  See http://nginx.org/r/ssl_stapling_file for details.

- use an explicitly configured OCSP responder with the 
  ssl_stapling_responder directive.  It allows you to configure your 
  own OCSP responder at a fixed address, and then proxy requests to 
  the real responder.  See http://nginx.org/r/ssl_stapling_responder 
  for details.

Maxim Dounin
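Both options from the reply above, written out as an added configuration example (this is not Maxim's or the nginx project's own config). The hostnames ocsp.example-ca.test, www.example.test and the local port 8080 are placeholders chosen for the example; the file paths are likewise assumptions. The idea is that the TLS server only ever talks to a fixed local address, and only that one proxy endpoint needs an outbound firewall rule (and DNS) towards the CA.

```nginx
# Option 1: staple a pre-fetched response from a file.
# nginx expects the DER-encoded OCSP response.  A cron job on a host
# that is allowed to reach the CA can refresh it, e.g. (OpenSSL CLI):
#   openssl ocsp -issuer /etc/nginx/ssl/issuer.pem \
#       -cert /etc/nginx/ssl/www.example.test.pem \
#       -url http://ocsp.example-ca.test/ \
#       -respout /etc/nginx/ssl/www.example.test.ocsp.der
# followed by "nginx -s reload" so the new file is picked up.
server {
    listen 443 ssl;
    server_name www.example.test;            # placeholder

    ssl_certificate     /etc/nginx/ssl/www.example.test.pem;
    ssl_certificate_key /etc/nginx/ssl/www.example.test.key;

    ssl_stapling on;
    # No outbound connection from this server block: the response
    # is read from disk.  Make sure the refresh job runs well before
    # the response's nextUpdate time, or clients get a stale staple.
    ssl_stapling_file /etc/nginx/ssl/www.example.test.ocsp.der;
}

# Option 2: point stapling at a fixed local address and let a
# separate, plain-HTTP server block forward to the real responder.
server {
    listen 443 ssl;
    server_name api.example.test;            # placeholder

    ssl_certificate     /etc/nginx/ssl/api.example.test.pem;
    ssl_certificate_key /etc/nginx/ssl/api.example.test.key;

    ssl_stapling on;
    # Verify the fetched response against the issuer chain rather than
    # stapling whatever the proxy hands back.
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/ssl/issuer-chain.pem;

    # Overrides the AIA URL from the certificate; only 127.0.0.1:8080
    # is ever contacted from here, so no DNS or wide egress is needed.
    ssl_stapling_responder http://127.0.0.1:8080/;
}

# The local "responder": a reverse proxy to the CA.  This is the one
# place that needs an outbound HTTP rule and a working resolver.
server {
    listen 127.0.0.1:8080;

    # Needed because the CA's hostname is resolved at runtime
    # (placeholder resolver address).
    resolver 192.0.2.53 valid=300s;

    location / {
        proxy_pass http://ocsp.example-ca.test/;   # placeholder CA responder
        proxy_set_header Host ocsp.example-ca.test;
        # OCSP requests are small; fail fast rather than stall the
        # TLS handshake path if the CA is unreachable.
        proxy_connect_timeout 2s;
        proxy_read_timeout    5s;
    }
}
```

With option 2 the proxy block can live on a separate bastion host instead of 127.0.0.1; then ssl_stapling_responder points at that host's fixed internal address and the TLS frontends need no egress at all. In either case nginx only staples a response it has actually fetched, so check the error log after a reload for "OCSP responder" or "certificate status" warnings before assuming stapling is active.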
