Linux – How to enable OCSP Stapling via http proxy

Tags: apache-2.4, linux, nginx

I'd like to utilize OCSP stapling for SSL certs on my Linux webservers running Apache httpd and Nginx. Both Nginx and Apache, however, by default want to access the OCSP responder directly.

However, my webservers are located behind a loadbalancer using direct server return/direct routing, so my hosts have a public IP address configured and do receive and answer incoming traffic on those public IPs, but my servers can't use those public IPs for new, originating connections. The servers are running on a private (non-public IP space) network and don't have access to the public Internet via NAT, but only via an HTTP proxy.

From a security perspective, this is perfectly fine. I don't want to introduce NAT on the network just for the sake of OCSP stapling, and I'm perfectly fine with using an HTTP proxy for OCSP requests (which are HTTP anyway).

The "best" solution for me would simply be to configure Apache/Nginx to use the HTTP proxy for accessing OCSP responders, but as far as I can see, there's no option to do so.

The closest options I came across are to

  • use Apache's SSLStaplingForceURL (which simply overrides the X.509 AIA endpoint) with a reverse proxy, which in turn does have public internet access. The reverse proxy's job is to rewrite the Host header and port to the actual OCSP responder and connect to that one.
  • use a local iptables rule to NAT locally originating traffic aimed at the OCSP responder to my local HTTP proxy. To cope with a possibly changing IP address of an OCSP responder, I'd also add a static (fake) entry in /etc/hosts.

All those options don't look very good to me and have severe drawbacks (netfilter NAT is based on IP; whenever the destination IP of the OCSP responder changes, I'll have to adjust my rules). Did I miss any more reasonable alternatives or the "right" config options in either Apache or Nginx?

Best Answer

You can try this: http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling_file

When set, the stapled OCSP response will be taken from the specified file instead of querying the OCSP responder specified in the server certificate.

The file should be in the DER format as produced by the “openssl ocsp” command.
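An added example (not from the answer or the nginx project) of producing that DER file through the HTTP proxy with `openssl ocsp`: the proxy is addressed via `-host` while `-path` carries the absolute responder URL, so no NAT or reverse proxy is needed. Assumed inputs are the server certificate, its issuer chain, an output path, and an `http_proxy` variable such as `http://proxy.internal:3128`; the `proxy.internal` name is a placeholder.

```shell
#!/bin/sh
# Added example: refresh the DER file behind nginx's ssl_stapling_file by
# querying the OCSP responder through the HTTP proxy named in $http_proxy.
# Usage: ocsp-refresh.sh server.pem chain.pem /etc/nginx/ocsp/example.der
# (file names and proxy.internal below are assumed placeholders)
set -eu

# Reduce a proxy URL (http://user@proxy.internal:3128/) to host:port,
# the form `openssl ocsp -host` expects. A plain host:port passes through.
proxy_hostport() {
    hp=${1#*://}      # drop scheme
    hp=${hp#*@}       # drop userinfo
    hp=${hp%%/*}      # drop path
    printf '%s\n' "$hp"
}

# OCSP responder URL from the certificate's AIA extension.
ocsp_uri() {
    openssl x509 -noout -ocsp_uri -in "$1"
}

# Query the responder via the proxy: -host is the proxy, -path the absolute
# responder URL, so the request line is "POST http://ocsp... HTTP/1.0",
# which a forward proxy understands (OpenSSL 3.x also offers -proxy).
# -no_nonce: many responders serve pre-signed responses and ignore nonces;
# a nonce mismatch would fail verification of an otherwise valid staple.
fetch_staple() {
    cert=$1 chain=$2 out=$3
    uri=$(ocsp_uri "$cert")
    result=$(openssl ocsp -issuer "$chain" -cert "$cert" -CAfile "$chain" \
        -no_nonce -host "$(proxy_hostport "$http_proxy")" -path "$uri" \
        -respout "$out.tmp" 2>&1) || true
    # openssl ocsp may exit 0 even when verification fails, so check its
    # text: the response must verify and the certificate must be "good".
    case $result in *"Response verify OK"*) ;; *) rm -f "$out.tmp"; return 1 ;; esac
    case $result in *"$cert: good"*) ;; *) rm -f "$out.tmp"; return 1 ;; esac
    mv "$out.tmp" "$out"   # atomic replace; nginx re-reads it on reload
}

# Run only when invoked with three arguments so the functions can be sourced.
if [ $# -eq 3 ]; then
    fetch_staple "$1" "$2" "$3"
    echo "updated $3; nginx config: ssl_stapling_file $3; then nginx -s reload"
fi
```

Run it from cron before the current response's nextUpdate time and reload nginx when the file changes; the status check means a revoked or unverifiable response never replaces the previous good staple.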