Hi, I'm configuring an NGINX server with Docker, and I want to validate the SSL certificate from upstream servers, but unfortunately NGINX can't validate the URL or the OCSP inside the certificate. So I need to provide the CRL manually. I developed the following script to update the CRL inside NGINX; is there a better way without reloading nginx?
#!/bin/bash
set -euo pipefail   # stop at the first failing step instead of deploying a stale or empty CRL
# fetch the DER-encoded CRL published by the issuing CA (-f: treat an HTTP error as a failure)
curl -fsS -o /home/spacelabs/edger/crl.crl "http://crl.certify.spacelabsws.pt/CertEnroll/SpaceLabs%20Self%20Certificates%20Service%20CA.crl"
# convert DER to PEM, the format proxy_ssl_crl expects
openssl crl -in /home/spacelabs/edger/crl.crl -inform DER -out /home/spacelabs/edger/crl.pem
# copy into the container and reload nginx so the new CRL is read (graceful reload, existing connections are not dropped)
docker cp /home/spacelabs/edger/crl.pem edger_reversesl_1:/etc/nginx/certs/crl.pem
docker exec edger_reversesl_1 nginx -s reload
server {
    listen 443 ssl;
    server_name sage.org;

    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    location / {
        proxy_pass "https://sage.org:8443/";
        # verify the upstream's certificate against the origin CA
        proxy_ssl_trusted_certificate /etc/nginx/certs/ca-origin.pem;
        proxy_ssl_verify on;
        # CRL in PEM format; nginx reads this file at configuration load,
        # so a reload is needed after the file is replaced
        proxy_ssl_crl /etc/nginx/certs/crl.pem;
    }

    ssl_certificate /etc/nginx/certs/sage.pem;
    ssl_certificate_key /etc/nginx/certs/sage.key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
    ssl_session_tickets off;
    ssl_protocols TLSv1.3;
    ssl_prefer_server_ciphers off;

    # OCSP stapling for this server's own certificate (needs the resolver below)
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/certs/ca-edge.pem;
    resolver 192.168.1.13;
}
Edited 1 time(s). Last edit at 08/30/2023 07:27AM by dev.tomas2003.
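The following is an added example and not the poster's script or anything from nginx itself. nginx reads the proxy_ssl_crl file when the configuration is loaded, so a reload is still required whenever the CRL content changes; what can be avoided is reloading when nothing changed, and deploying a CRL that does not verify. This version downloads the CRL to a temporary directory, verifies its signature against the issuing CA, checks that it is still within its nextUpdate window (OpenSSL treats an expired CRL as a verification error, which would make every upstream connection fail), compares it with the last deployed copy, and only then copies it in, runs nginx -t inside the container and reloads. It assumes a host-side copy of the origin CA certificate at $CA_FILE, GNU date(1) for parsing the nextUpdate timestamp, and the container name and paths taken from the post; all of these are assumptions, not facts from the original.

```shell
#!/bin/bash
# Added example (not the poster's script): refresh a CA-published CRL for nginx's
# proxy_ssl_crl, deploying and reloading only when the new CRL verifies against the
# issuing CA, is still valid, and differs from the copy already deployed.
# Assumptions (not from the original post): host copy of the origin CA at $CA_FILE,
# GNU date(1) for parsing timestamps, container name/path from the poster's setup.
set -eu

CRL_URL=${CRL_URL:-"http://crl.certify.spacelabsws.pt/CertEnroll/SpaceLabs%20Self%20Certificates%20Service%20CA.crl"}
WORK_DIR=${WORK_DIR:-/home/spacelabs/edger}
CA_FILE=${CA_FILE:-$WORK_DIR/ca-origin.pem}     # assumed host copy of the origin CA
DEPLOYED=${DEPLOYED:-$WORK_DIR/crl.pem}         # last CRL that was pushed into the container
CONTAINER=${CONTAINER:-edger_reversesl_1}
CONTAINER_PATH=${CONTAINER_PATH:-/etc/nginx/certs/crl.pem}

# crl_verify CRL_PEM CA_PEM: succeed only if the CRL signature checks out against the
# issuing CA. openssl reports "verify OK" as text and its exit status is not a reliable
# indicator for this, so the text is checked instead.
crl_verify() {
    local out
    out=$(openssl crl -in "$1" -CAfile "$2" -noout 2>&1) || true
    case "$out" in
        *"verify OK"*) return 0 ;;
        *) return 1 ;;
    esac
}

# crl_is_current CRL_PEM: succeed if nextUpdate lies in the future. An expired CRL makes
# OpenSSL reject the upstream certificate, so it must never be deployed.
crl_is_current() {
    local next now
    next=$(openssl crl -in "$1" -noout -nextupdate | cut -d= -f2)
    [ "$next" != "NONE" ] || return 1
    now=$(date -u +%s)
    [ "$(date -u -d "$next" +%s)" -gt "$now" ]   # GNU date assumed
}

# crl_changed NEW_PEM DEPLOYED_PEM: succeed if no copy was deployed yet, or the new file
# differs byte-for-byte from the deployed one.
crl_changed() {
    [ ! -f "$2" ] || ! cmp -s "$1" "$2"
}

update_crl() {
    local tmp
    tmp=$(mktemp -d)
    trap 'rm -rf "$tmp"' EXIT
    # -f: an HTTP error page must not be mistaken for a CRL
    curl -fsS --max-time 30 -o "$tmp/crl.der" "$CRL_URL"
    openssl crl -in "$tmp/crl.der" -inform DER -out "$tmp/crl.pem"
    crl_verify "$tmp/crl.pem" "$CA_FILE" \
        || { echo "refusing to deploy: CRL does not verify against $CA_FILE" >&2; return 1; }
    crl_is_current "$tmp/crl.pem" \
        || { echo "refusing to deploy: CRL is past its nextUpdate" >&2; return 1; }
    if ! crl_changed "$tmp/crl.pem" "$DEPLOYED"; then
        echo "CRL unchanged, no reload needed"
        return 0
    fi
    docker cp "$tmp/crl.pem" "$CONTAINER:$CONTAINER_PATH"
    # nginx -t loads the new CRL inside the container, so a broken file fails here
    # instead of taking effect on reload
    docker exec "$CONTAINER" nginx -t
    docker exec "$CONTAINER" nginx -s reload
    cp "$tmp/crl.pem" "$DEPLOYED"
    echo "CRL updated and nginx reloaded"
}

# Usage: ./update-crl.sh run   (for example from cron, shortly before each CRL's nextUpdate)
case "${1:-}" in
    run) update_crl ;;
esac
```

The host-side copy in $DEPLOYED is what makes the "no change, no reload" decision possible without inspecting the container; it is written only after a successful reload, so a failed deployment is retried on the next run.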