Re: OCSP checks fail only on 1st site hit; OK afterwards ?

PGNet Dev
November 09, 2022 05:02PM
This 2012 post

Priming the OCSP cache in Nginx
https://unmitigatedrisk.com/?p=241

comments

"...
in Nginx 1.3.7, unfortunately architectural restrictions made it impractical to make it so that pre-fetching the OCSP response on server start-up so instead the first connection to the server primes the cache that is used for later connections.

This is a fine compromise but what if you really want the first connection to have the benefit too? Well there are two approaches you can take:
..."

where OCSP pre-fetching is a challenge that Cloudflare similarly took up in 2017 outside of its then-Nginx usage,

High-reliability OCSP stapling and why it matters
https://blog.cloudflare.com/high-reliability-ocsp-stapling/

Adding to

edit /etc/systemd/system/nginx.service

+ ExecStartPost=/bin/bash /etc/nginx/scripts/ocsp_prefetch.sh

where

cat /etc/nginx/scripts/ocsp_prefetch.sh

iterates over served domains,

echo QUIT | openssl s_client -connect ${_thisDom}:443 -servername ${_thisDom} -tls1_3 -tlsextdebug -status 2> /dev/null

Does the trick. After cold reboot, 1st hits to site(s) no longer fail to respond in-browser, or fail to provide OCSP response to openssl s_client query.

Is there an nginx prefetch mechanism available natively in the current version?

I found this 7 yr old enhancement request,

Fetch OCSP responses on startup, and store across restarts
https://trac.nginx.org/nginx/ticket/812

which afaict wasn't resolved.
_______________________________________________
nginx mailing list -- nginx@nginx.org
To unsubscribe send an email to nginx-leave@nginx.org
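The priming step the poster describes (one TLS handshake per served domain so nginx fills its OCSP stapling cache before the first real visitor arrives) can be written so that it also reports whether a stapled response actually came back, which turns the same script into a post-start check. The script below is an added example, not the poster's ocsp_prefetch.sh and not part of nginx; it assumes a domain list at /etc/nginx/ocsp_domains.txt (one hostname per line, '#' comments allowed), that openssl and coreutils timeout are installed, and it matches the two status lines that openssl s_client -status prints ("OCSP Response Status: successful" when a response was stapled, "OCSP response: no response sent" when none was).

```shell
#!/bin/bash
# Added example (not the poster's script): prime nginx's OCSP stapling cache
# after a (re)start by opening one TLS connection per served domain, and
# report whether each connection received a stapled OCSP response.
# Assumed (not from the post): domain list path and the 'prime' argument.
set -u

DOMAIN_FILE="${DOMAIN_FILE:-/etc/nginx/ocsp_domains.txt}"   # assumed path
TIMEOUT_SECS="${TIMEOUT_SECS:-10}"                           # per-domain cap

# Print hostnames from the domain file, dropping blank lines and '#' comments.
list_domains() {
  while read -r line; do
    line=${line%%#*}                                  # strip trailing comment
    line=$(printf '%s' "$line" | tr -d '[:space:]')   # strip whitespace
    if [ -n "$line" ]; then
      printf '%s\n' "$line"
    fi
  done < "$1"
}

# Classify `openssl s_client -status` output read from stdin.
# Prints exactly one word: stapled | missing | error
classify_ocsp_output() {
  local out
  out=$(cat)
  case "$out" in
    *"OCSP Response Status: successful"*) echo stapled ;;   # staple received
    *"OCSP response: no response sent"*)  echo missing ;;   # handshake ok, no staple
    *)                                    echo error   ;;   # no handshake at all
  esac
}

# One handshake for a domain; this is what warms nginx's cache.
# The status request goes to the local server, not to the OCSP responder.
prime_domain() {
  local dom=$1
  echo QUIT | timeout "$TIMEOUT_SECS" openssl s_client \
      -connect "${dom}:443" -servername "$dom" -status 2>/dev/null \
    | classify_ocsp_output
}

# Prime every listed domain; exit non-zero if any of them lacked a staple,
# so the same script doubles as a post-start health check.
prime_all() {
  local file=$1 dom status rc=0
  while read -r dom; do
    status=$(prime_domain "$dom")
    printf '%-40s %s\n' "$dom" "$status"
    [ "$status" = stapled ] || rc=1
  done <<EOF
$(list_domains "$file")
EOF
  return "$rc"
}

# Only run the network part when explicitly asked, e.g. from a systemd unit:
#   ExecStartPost=/bin/bash /etc/nginx/scripts/ocsp_prefetch.sh prime
if [ "${1:-}" = "prime" ]; then
  prime_all "${2:-$DOMAIN_FILE}"
fi
```

A first pass right after start-up can legitimately print "missing" for a domain if nginx has not yet finished its own fetch from the CA's responder, so in an ExecStartPost this is best run once with a short sleep or retried; a second run reporting "missing" or "error" for a domain is the signal that stapling is not working for it, independent of what a browser shows.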