huo-ju/ocsp-proxy
Proxy for OCSP stapling

OCSP stapling means that the SSL server (rather than the client) queries the CA's OCSP responder for the certificate's revocation status and attaches the signed response to the TLS handshake, making the check faster and more reliable for clients.

If:

  • you're not allowed to connect from your SSL servers to the CA server because of a firewall,
  • and your SSL server allows you to force the URL of the OCSP server
  • but not of an HTTP proxy

then this tool may help you.

Usage

HTTP_PROXY=http://proxy:8888 ./ocsp-proxy -ocsphost ocspserver.com -http :8080

ocsphost=ocspserver.com http=:8080 ./ocsp-proxy

HTTP_PROXY=http://proxy:8888 ocsphost=ocspserver.com http=:8080 ./ocsp-proxy

It will listen on port 8080 for HTTP requests and forward them to the ocsphost, reaching it through the generic HTTP proxy configured the Go standard-library way (the HTTP_PROXY environment variable).
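The forwarding logic described above, as an added example that is not the ocsp-proxy project's own code: a minimal Go reverse proxy that rewrites every incoming request to target the configured ocsphost and sends it out via the proxy named by HTTP_PROXY (http.ProxyFromEnvironment). The flag and environment names mirror the README's usage lines; the X-Forwarded-For handling is an assumption added here so the internal client address is not leaked to the responder.

```go
// Added example, not the project's own source. Listens on -http, forwards
// every request to http://<-ocsphost>, honouring HTTP_PROXY / NO_PROXY.
package main

import (
	"flag"
	"log"
	"net/http"
	"net/http/httputil"
	"os"
)

// ocspDirector returns a ReverseProxy director that retargets the request at
// the OCSP responder. Path and body are left alone: OCSP clients POST the DER
// request, or GET it base64-encoded in the URL path, and both must survive.
func ocspDirector(ocspHost string) func(*http.Request) {
	return func(r *http.Request) {
		r.URL.Scheme = "http" // OCSP responders are reached over plain HTTP
		r.URL.Host = ocspHost
		r.Host = ocspHost // many responders are virtual-hosted on Host
		// Assumption: do not disclose the internal nginx address upstream.
		// A nil value (not Del) tells ReverseProxy to skip adding the header.
		r.Header["X-Forwarded-For"] = nil
	}
}

// newOCSPProxy builds the proxy; the transport consults HTTP_PROXY so the
// egress firewall only has to allow the corporate proxy, not the CA.
func newOCSPProxy(ocspHost string) *httputil.ReverseProxy {
	return &httputil.ReverseProxy{
		Director:  ocspDirector(ocspHost),
		Transport: &http.Transport{Proxy: http.ProxyFromEnvironment},
	}
}

func main() {
	// Flags fall back to the lowercase env names shown in the README usage.
	ocspHost := flag.String("ocsphost", os.Getenv("ocsphost"), "OCSP responder host, without scheme")
	listen := flag.String("http", os.Getenv("http"), "listen address, e.g. :8080")
	flag.Parse()
	if *ocspHost == "" || *listen == "" {
		log.Fatal("need -ocsphost and -http (or ocsphost= / http= in the environment)")
	}
	log.Printf("listening on %s, forwarding to http://%s via HTTP_PROXY=%q",
		*listen, *ocspHost, os.Getenv("HTTP_PROXY"))
	log.Fatal(http.ListenAndServe(*listen, newOCSPProxy(*ocspHost)))
}
```

With `HTTP_PROXY=http://proxy:8888 ./ocsp-proxy -ocsphost ocspserver.com -http :8080`, nginx's `ssl_stapling_responder http://127.0.0.1:8080;` request is rewritten to `http://ocspserver.com/...` and tunnelled through proxy:8888.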

In your nginx OCSP stapling configuration, add the line:

ssl_stapling_responder http://127.0.0.1:8080;

(assuming the ocsp-proxy is running on 127.0.0.1 port 8080)

To find out your ocsphost, as far as I know:

openssl x509 -in certificate.crt -noout -text | grep OCSP

(use the domain without scheme)

About

Use this if your SSL web server (like nginx) is behind a firewall and has to use an HTTP proxy to reach OCSP servers in order to implement OCSP stapling.
