Welcome! Log In Create A New Profile

Advanced

Re: ocsp-stapling through http proxy?

Anonymous User
October 13, 2016 10:44AM
Am 2016-10-13 16:13, schrieb Reinis Rozitis:
>> You mean a transparent proxy?
>> In our case, this is not possible.
>
> It's not really transparent.
>
> As far as I understand you have a problem with opening outgoing
> traffic to _random_ destination but you are fine if such traffic is
> pushed through some proxy server (which in general means that the
> proxy server will anyways have outgoing to "everywhere").


Yes, but the OCSP URL is known and doesn't change.
And the proxy has a very limited set of URLs it can access.
As such, this is much better than opening up "*".


> So while there is no http proxy support for such things in nginx ( in
> Apache as a workarround you can override the responders url
> https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslstaplingforceurl
> ) what you could do is just force the ocsp responders host to resolve
> to your proxy (no other traffic has to be altered) which then forwards
> the request to the original responder.

I will have to try this.

> The proxy could be aswell another nginx instance (the problem is just
> that nginx (besides the commercial nginx+) doesn't resolve (without
> some workarrounds) backend hostnames on the fly but only on startup).
>
>
>
> But in the end do you really need it?
>
> Even in the "cloud" the IPs shouldn't change too often (if so maybe
> it's worth to look for another SSL provider?) also there is no failure
> if suddenly the stapling doesn't happen serverside, just monitor it
> and when the resolution changes (or nginx starts to complain) alter
> your firewall rules.

I have a lot of these proxies.
Also TTLs on these records are notoriously short and I have no idea what
scheme our CA has chosen for running these boxes.
As I know a bit about the CA software they use, my guess would also be
that these servers are going to be relatively stable.

Changing to a different CA is not an option, either - and not my call
anyway...

> p.s. I haven't done the "proxy part" but at one time there were
> problems with Godaddys European ocsp responders so I did the DNS
> thingy and forced the ocsp.godaddy.com to be resolved to US ips and it
> worked fine.

I generally try to avoid hosts-file entries. They are a source of hassle
and confusion.
The only exception is when you need to point a server to itself and the
public IP the name resolves to is different (because: NAT) than the IP
the server is running on. Then I do create 127.0.0.1 entries in the
hosts-file.



Thanks for your input.



Rainer

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Subject Author Posted

ocsp-stapling through http proxy?

Anonymous User October 13, 2016 06:26AM

RE: ocsp-stapling through http proxy?

Reinis Rozitis October 13, 2016 07:18AM

Re: ocsp-stapling through http proxy?

Anonymous User October 13, 2016 08:24AM

Re: ocsp-stapling through http proxy?

Reinis Rozitis October 13, 2016 10:14AM

Re: ocsp-stapling through http proxy?

Anonymous User October 13, 2016 10:44AM

Re: ocsp-stapling through http proxy?

Maxim Dounin October 13, 2016 09:36AM

Re: ocsp-stapling through http proxy?

Reinis Rozitis October 13, 2016 10:16AM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 314
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready