ocsp-stapling through http proxy?

Reinis Rozitis r at roze.lv
Thu Oct 13 14:13:20 UTC 2016

> You mean a transparent proxy?
> In our case, this is not possible.

It's not really transparent.

As far as I understand you have a problem with opening outgoing traffic to 
_random_ destination but you are fine if such traffic is pushed through some 
proxy server (which in general means that the proxy server will anyways have 
outgoing to "everywhere").

So while there is no http proxy support for such things in nginx  ( in 
Apache as a workarround you can override the responders url 
https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslstaplingforceurl ) 
what you could do is just force the ocsp responders host to resolve to your 
proxy (no other traffic has to be altered) which then forwards the request 
to the original responder.

The proxy could be aswell another nginx instance (the problem is just that 
nginx (besides the commercial nginx+) doesn't resolve (without some 
workarrounds) backend hostnames on the fly but only on startup).

But in the end do you really need it?

Even in the "cloud" the IPs shouldn't change too often (if so maybe it's 
worth to look for another SSL provider?) also there is no failure if 
suddenly the stapling doesn't happen serverside, just monitor it and when 
the resolution changes (or nginx starts to complain) alter your firewall 

p.s. I haven't done the "proxy part" but at one time there were problems 
with Godaddys European ocsp responders so I did the DNS thingy and forced 
the ocsp.godaddy.com to be resolved to US ips and it worked fine.


More information about the nginx mailing list