OCSP checks fail only on 1st site hit; OK afterwards?
PGNet Dev
pgnet.dev at gmail.com
Wed Nov 9 22:00:25 UTC 2022
This 2012 post
Priming the OCSP cache in Nginx
https://unmitigatedrisk.com/?p=241
comments
"...
in Nginx 1.3.7, unfortunately architectural restrictions made it impractical to make it so that pre-fetching the OCSP response on server start-up so instead the first connection to the server primes the cache that is used for later connections.
This is a fine compromise but what if you really want the first connection to have the benefit too? Well there are two approaches you can take:
..."
where OCSP pre-fetching is a challenge that Cloudflare similarly took up in 2017 outside of its then-Nginx usage,
High-reliability OCSP stapling and why it matters
https://blog.cloudflare.com/high-reliability-ocsp-stapling/
Adding to
edit /etc/systemd/system/nginx.service
+ ExecStartPost=/bin/bash /etc/nginx/scripts/ocsp_prefetch.sh
where
cat /etc/nginx/scripts/ocsp_prefetch.sh
iterates over served domains,
echo QUIT | openssl s_client -connect "${_thisDom}:443" -servername "${_thisDom}" -tls1_3 -tlsextdebug -status 2> /dev/null
Does the trick. After cold reboot, 1st hits to site(s) no longer fail to respond in-browser, or fail to provide OCSP response to openssl s_client query.
Is there an nginx prefetch mechanism available natively in the current version?
I found this 7-year-old enhancement request,
Fetch OCSP responses on startup, and store across restarts
https://trac.nginx.org/nginx/ticket/812
which afaict wasn't resolved.
More information about the nginx mailing list
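A fuller version of the kind of prefetch script the post describes, added here as an example (it is not the poster's script and not anything nginx ships). It pulls the server_name entries out of the output of nginx -T, handshakes with each host using openssl s_client -status, retries until a staple shows up, and reports which hosts never got one. The sample config and s_client outputs it is tested with are constructed; host names such as good.example are placeholders, and OCSP_ATTEMPTS and RETRY_DELAY are knobs invented for this script.

```shell
#!/bin/bash
# ocsp_prefetch.sh (illustrative example, not the poster's script):
# warm nginx's OCSP staple cache right after start-up by handshaking with
# every served host name and asking for a stapled response.

RETRY_DELAY=${RETRY_DELAY:-1}   # seconds between probes of the same host

# Read nginx config text (e.g. the output of `nginx -T`) on stdin and print
# one probeable host name per line. Catch-all (_), wildcard (*.example) and
# regex (~...) names are dropped, since s_client cannot connect to those.
server_names_from_config() {
  sed -n 's/^[[:space:]]*server_name[[:space:]][[:space:]]*\(.*\);.*$/\1/p' |
    tr ' \t' '\n\n' |
    grep -v -e '^$' -e '^_$' -e '^\*' -e '^~' |
    sort -u
}

# One TLS handshake that requests a staple. -status is the important flag:
# it sends the status_request extension, and nginx schedules its OCSP fetch
# from the certificate status callback that extension triggers, so a plain
# handshake would not warm the cache. The post also passes -tls1_3 and
# -tlsextdebug; neither is needed for the fetch itself.
probe_domain() {
  echo QUIT | openssl s_client -connect "$1:443" -servername "$1" -status 2>/dev/null
}

# Exit status 0 when s_client output shows a good stapled response.
ocsp_stapled() {
  printf '%s\n' "$1" | grep -q 'OCSP Response Status: successful'
}

# prefetch ATTEMPTS HOST... : probe each host until it staples or ATTEMPTS
# is exhausted. The first handshake usually reports "no response sent"
# because nginx fetches asynchronously; later ones pick up the cached staple.
# Returns the number of hosts that never stapled.
prefetch() {
  local attempts=$1 dom out i failed=0
  shift
  for dom in "$@"; do
    i=1
    while :; do
      out=$(probe_domain "$dom") || true
      if ocsp_stapled "$out"; then
        printf '%s: stapled OCSP response after %d attempt(s)\n' "$dom" "$i"
        break
      fi
      if [ "$i" -ge "$attempts" ]; then
        printf '%s: still no OCSP response after %d attempt(s)\n' "$dom" "$i" >&2
        failed=$((failed + 1))
        break
      fi
      i=$((i + 1))
      sleep "$RETRY_DELAY"
    done
  done
  return "$failed"
}

# Usage: ocsp_prefetch.sh HOST...         probe the given hosts
#        ocsp_prefetch.sh --from-config   probe every server_name in `nginx -T`
# With no arguments nothing is probed.
if [ "${1:-}" = "--from-config" ]; then
  set -- $(nginx -T 2>/dev/null | server_names_from_config)
fi
if [ $# -gt 0 ]; then
  prefetch "${OCSP_ATTEMPTS:-5}" "$@"
fi
```

Wired in as ExecStartPost=/bin/bash /etc/nginx/scripts/ocsp_prefetch.sh --from-config, it runs once the master process has started listening, so the retry loop mostly absorbs the lag of nginx's asynchronous fetch rather than a socket that is not up yet. A non-zero exit from ExecStartPost fails the unit, so if one unreachable OCSP responder must not block nginx from starting, append "|| true" to the ExecStartPost line or log the count instead of returning it. Hosts that still come back with "no response sent" after the retries usually point at a missing resolver directive, a responder the server cannot reach, or ssl_stapling_verify rejecting the response; check error.log for those.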