OCSP stapling via web proxy

Posted by Sapherz 
OCSP stapling via web proxy
September 03, 2014 12:58AM
Hi,

I'm trying to set up OCSP stapling, but our firewall currently does not allow outbound port 80 unless it's via a Squid proxy server. OCSP stapling requests are ignoring the OS (CentOS) proxy setting. Is there a way to tell NGINX to get its OCSP things via the proxy, or is the only way out to open up the firewall to the OCSP servers?

NGINX 1.6.0
CentOS 6.4

Thanks.
Re: OCSP stapling via web proxy
October 28, 2014 07:35PM
Sapherz Wrote:
-------------------------------------------------------
> Hi,
>
> I'm trying to set up OCSP stapling, but our firewall currently does not
> allow outbound port 80 unless it's via a Squid proxy server. OCSP
> stapling requests are ignoring the OS (CentOS) proxy setting. Is there
> a way to tell NGINX to get its OCSP things via the proxy, or is the
> only way out to open up the firewall to the OCSP servers?
>
> NGINX 1.6.0
> CentOS 6.4
>
> Thanks.

This would be a very interesting feature.
I wouldn't have any problem opening my firewall to some dedicated IP addresses of the OCSP server(s), but StartSSL uses the Akamai CDN for ocsp.startssl.com, which means that I have to open any HTTP traffic from my reverse proxy to the outside. This is strictly a no-go on production servers.

Kind regards,
Dan
Re: OCSP stapling via web proxy
April 30, 2015 10:43AM
Same here. Does anybody know how nginx creates the outgoing connections?
I've checked the source and didn't find how (probably because I'm not a C developer... :-) )
https://github.com/nginx/nginx/blob/nginx-1.6/src/event/ngx_event_openssl_stapling.c

Respecting the Unix environment proxy would be great (as curl does).

Error message (for Google users):

2015/04/30 16:29:29 [error] 23051#0: recv() failed (111: Connection refused) while requesting certificate status, responder: gv.symcd.com
2015/04/30 16:29:29 [error] 23051#0: OCSP responder prematurely closed connection while requesting certificate status, responder: gv.symcd.com
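Added example, not code from the thread or from nginx: a small parser for the error-log lines of the shape quoted above. It pulls out every OCSP responder that nginx failed to reach and the distinct failure messages per responder, so the responder hostnames that an egress rule must permit are listed from the log instead of guessed at (hostnames, not IPs, since CDN-fronted responders such as the Akamai-hosted one mentioned earlier do not have a stable address). The sample log is the two posted lines plus two constructed lines; the function names are my own.

```python
import re
from collections import defaultdict

# Shape of the nginx error-log lines quoted in this thread:
#   DATE TIME [level] PID#TID: MESSAGE while requesting certificate status, responder: HOST
OCSP_FAILURE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] "
    r"(?P<pid>\d+)#\d+: (?P<msg>.+?) while requesting certificate status, "
    r"responder: (?P<responder>[^,\s]+)"
)

# Sample input: the two lines posted above, plus two constructed lines
# (a second responder and an unrelated notice) to show the filtering.
SAMPLE_LOG = """\
2015/04/30 16:29:29 [error] 23051#0: recv() failed (111: Connection refused) while requesting certificate status, responder: gv.symcd.com
2015/04/30 16:29:29 [error] 23051#0: OCSP responder prematurely closed connection while requesting certificate status, responder: gv.symcd.com
2015/04/30 16:31:02 [error] 23051#0: recv() failed (111: Connection refused) while requesting certificate status, responder: ocsp.startssl.com
2015/04/30 16:31:03 [notice] 23051#0: signal process started
"""


def parse_ocsp_failures(log_text):
    """Return one dict per OCSP-fetch failure line; lines about anything else are skipped."""
    rows = []
    for line in log_text.splitlines():
        m = OCSP_FAILURE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def summarize_responders(log_text):
    """Map each responder host to the sorted list of distinct failure messages seen for it."""
    seen = defaultdict(set)
    for row in parse_ocsp_failures(log_text):
        seen[row["responder"]].add(row["msg"])
    return {host: sorted(msgs) for host, msgs in seen.items()}


def responder_allowlist(log_text):
    """Sorted, de-duplicated responder hostnames: the names an egress rule or proxy ACL must permit."""
    return sorted(summarize_responders(log_text))


if __name__ == "__main__":
    for host, msgs in sorted(summarize_responders(SAMPLE_LOG).items()):
        print(f"{host}:")
        for msg in msgs:
            print(f"    {msg}")
    print("allowlist:", " ".join(responder_allowlist(SAMPLE_LOG)))
```

Feed it the real error log (`python3 script.py < /var/log/nginx/error.log` after swapping SAMPLE_LOG for sys.stdin.read()) and the allowlist is the set of responders to permit at the firewall while nginx itself cannot use the proxy.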