ocsp-stapling through http proxy?

rainer at ultra-secure.de rainer at ultra-secure.de
Thu Oct 13 14:45:01 UTC 2016


Am 2016-10-13 16:13, schrieb Reinis Rozitis:
>> You mean a transparent proxy?
>> In our case, this is not possible.
> 
> It's not really transparent.
> 
> As far as I understand you have a problem with opening outgoing
> traffic to _random_ destination but you are fine if such traffic is
> pushed through some proxy server (which in general means that the
> proxy server will anyways have outgoing to "everywhere").


Yes, but the OCSP URL is known and doesn't change.
And the proxy has a very limited set of URLs it can access.
As such, this is much better than opening up "*".


> So while there is no http proxy support for such things in nginx  ( in
> Apache as a workarround you can override the responders url
> https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslstaplingforceurl
> ) what you could do is just force the ocsp responders host to resolve
> to your proxy (no other traffic has to be altered) which then forwards
> the request to the original responder.

I will have to try this.

> The proxy could be aswell another nginx instance (the problem is just
> that nginx (besides the commercial nginx+) doesn't resolve (without
> some workarrounds) backend hostnames on the fly but only on startup).
> 
> 
> 
> But in the end do you really need it?
> 
> Even in the "cloud" the IPs shouldn't change too often (if so maybe
> it's worth to look for another SSL provider?) also there is no failure
> if suddenly the stapling doesn't happen serverside, just monitor it
> and when the resolution changes (or nginx starts to complain) alter
> your firewall rules.

I have a lot of these proxies.
Also TTLs on these records are notoriously short and I have no idea what 
scheme our CA has chosen for running these boxes.
As I know a bit about the CA software they use, my guess would also be 
that these servers are going to be relatively stable.

Changing to a different CA is not an option, either - and not my call 
anyway...

> p.s. I haven't done the "proxy part" but at one time there were
> problems with Godaddys European ocsp responders so I did the DNS
> thingy and forced the ocsp.godaddy.com to be resolved to US ips and it
> worked fine.

I generally try to avoid hosts-file entries. They are a source of hassle 
and confusion.
The only exception is when you need to point a server to itself and the 
public IP the name resolves to is different (because: NAT) than the IP 
the server is running on. Then I do create 127.0.0.1 entries in the 
hosts-file.



Thanks for your input.



Rainer



More information about the nginx mailing list