Am 2016-10-13 16:13, schrieb Reinis Rozitis:
You mean a transparent proxy?
In our case, this is not possible.
It's not really transparent.
As far as I understand you have a problem with opening outgoing
traffic to _random_ destination but you are fine if such traffic is
pushed through some proxy server (which in general means that the
proxy server will anyways have outgoing to "everywhere").
Yes, but the OCSP URL is known and doesn't change.
And the proxy has a very limited set of URLs it can access.
As such, this is much better than opening up "*".
So while there is no http proxy support for such things in nginx ( in
Apache as a workarround you can override the responders url
) what you could do is just force the ocsp responders host to resolve
to your proxy (no other traffic has to be altered) which then forwards
the request to the original responder.
I will have to try this.
The proxy could be aswell another nginx instance (the problem is just
that nginx (besides the commercial nginx+) doesn't resolve (without
some workarrounds) backend hostnames on the fly but only on startup).
But in the end do you really need it?
Even in the "cloud" the IPs shouldn't change too often (if so maybe
it's worth to look for another SSL provider?) also there is no failure
if suddenly the stapling doesn't happen serverside, just monitor it
and when the resolution changes (or nginx starts to complain) alter
your firewall rules.
I have a lot of these proxies.
Also TTLs on these records are notoriously short and I have no idea what
scheme our CA has chosen for running these boxes.
As I know a bit about the CA software they use, my guess would also be
that these servers are going to be relatively stable.
Changing to a different CA is not an option, either - and not my call
p.s. I haven't done the "proxy part" but at one time there were
problems with Godaddys European ocsp responders so I did the DNS
thingy and forced the ocsp.godaddy.com to be resolved to US ips and it
I generally try to avoid hosts-file entries. They are a source of hassle
The only exception is when you need to point a server to itself and the
public IP the name resolves to is different (because: NAT) than the IP
the server is running on. Then I do create 127.0.0.1 entries in the
Thanks for your input.
nginx mailing list