You mean a transparent proxy?
In our case, this is not possible.

It's not really transparent.

As far as I understand, you have a problem with opening outgoing traffic to _random_ destinations but you are fine if such traffic is pushed through some proxy server (which in general means that the proxy server will have outgoing access to "everywhere" anyway).

So while there is no HTTP proxy support for such things in nginx (in Apache, as a workaround, you can override the responder's URL), what you could do is just force the OCSP responder's host to resolve to your proxy (no other traffic has to be altered), which then forwards the request to the original responder.

The proxy could as well be another nginx instance (the problem is just that nginx (besides the commercial nginx+) doesn't resolve backend hostnames on the fly (without some workarounds) but only on startup).

But in the end, do you really need it?

Even in the "cloud" the IPs shouldn't change too often (if so, maybe it's worth looking for another SSL provider?). Also, there is no failure if suddenly the stapling doesn't happen server-side; just monitor it and when the resolution changes (or nginx starts to complain), alter your firewall rules.

P.S. I haven't done the "proxy part" but at one time there were problems with GoDaddy's European OCSP responders, so I did the DNS thingy and forced them to be resolved to US IPs and it worked fine.


nginx mailing list

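The DNS-override plus forwarding-proxy setup described in the post, written out as an added example (this is not code from the original post or from the nginx project). The responder host `ocsp.example-ca.com`, the proxy address `10.0.0.5` and the resolver `192.0.2.53` are assumed placeholders; substitute the host named in your certificate's Authority Information Access extension and your own addresses.

```nginx
# Added example, not from the original post. Assumed names:
#   ocsp.example-ca.com  - OCSP responder host from the certificate's AIA extension
#   10.0.0.5             - address of this forwarding proxy
#   192.0.2.53           - a DNS resolver the proxy is allowed to reach
#
# On the TLS-terminating nginx (the one configured with ssl_stapling), the
# responder host is pointed at the proxy and nothing else is changed, e.g. in
# its /etc/hosts:
#
#   10.0.0.5  ocsp.example-ca.com
#
# That host's egress firewall then only needs to permit 10.0.0.5:80.

server {
    listen 10.0.0.5:80;
    server_name ocsp.example-ca.com;

    # The 'resolver' directive queries DNS directly and does not read
    # /etc/hosts, so an override like the one above would not loop the proxy
    # back to itself even if both roles lived on the same machine.
    resolver 192.0.2.53 valid=300s ipv6=off;

    # OCSP clients only ever GET (base64 request in the path) or POST (DER
    # request in the body); refuse anything else.
    location / {
        limit_except GET POST {
            deny all;
        }

        # Putting the upstream in a variable is the usual open-source nginx
        # workaround for backends whose IPs change: nginx then re-resolves the
        # name via 'resolver' at request time instead of once at startup.
        # Without a URI in the variable, the client's request URI is passed
        # through unchanged, which is what OCSP GET requests need.
        set $ocsp_backend "http://ocsp.example-ca.com";
        proxy_pass $ocsp_backend;

        proxy_http_version 1.1;
        proxy_set_header Host ocsp.example-ca.com;
        proxy_set_header Connection "";

        # Fail fast: the stapling host treats a slow or missing answer as
        # "no staple this time", which is harmless, whereas a hung request is not.
        proxy_connect_timeout 5s;
        proxy_read_timeout 10s;
    }
}
```

Check it from the stapling host with `openssl s_client -connect <your-site>:443 -status` and confirm the "OCSP Response Status" is successful; if the responder's DNS records change, only the proxy's resolver sees it, and the stapling host's firewall rules stay as they are.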