
I'd like to filter/reroute OCSP traffic from regular HTTP traffic to a different back-end. Reviewing Network Analyses of OCSP protocol, if the OCSP request is via POST, I can filter on Content-Type: application/ocsp-request. The tricky part is if the OCSP request is via GET, where the OCSP request is DER -> Base64 encoded -> urlencoded and appended to the URI. While the PDF does state that you can create a regex on unique values if you know what's in the request, it becomes cumbersome if you have a lot of different certificates.

There are a few reasons why I'd like to do it this way:

  1. Currently, my OCSP URI points to http://ocsp.example.net:6139. On some networks, that port can be blocked.
  2. I'd like to have both the CRL and OCSP URIs pointing to the same location.

Regarding GET requests, the only solution I could muster is to let the request pass to the back-end and, if it's a 404, proxy it again to my OCSPd daemon. However, most examples I've seen in the wild suggest setting up a dedicated unique domain for OCSP requests, which defeats point 2.

What would anyone suggest as the better solution to this problem?

server {
    listen 0.0.0.0:80;
    server_name ocsp.example.net;

    # static files (e.g. CRLs) with directory listing enabled
    location /.well-known {
        autoindex on;
    }

    location / {
        # an otherwise unused status code mapped to a named location is the
        # usual nginx way to re-route a request from inside an "if" block
        error_page 418 = @ocspd;

        # OCSP over POST is identifiable by its Content-Type;
        # nginx string comparison uses "=" (not "==", which is a config error)
        if ($content_type = "application/ocsp-request") {
            return 418;
        }

        # everything else goes to the regular web back-end
        proxy_pass https://192.168.101.30:443;
        include proxy_params;
    }

    # OCSP responder back-end
    location @ocspd {
        proxy_pass https://192.168.101.19:6139;
        include proxy_params;
    }
}
bugzbunny
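The GET-side detection the question describes, written out as an added example that is not from the question or any answer: url-decode and base64-decode the path, then check that the bytes have the structure of a DER OCSPRequest (RFC 6960), so no per-certificate regex is needed. It assumes the OCSP URL is the server root as in the question; the sample request at the bottom is constructed, not captured.

```python
import base64
import urllib.parse

def _tlv(buf, pos, want=None):       # DER TLV at pos -> (tag, value_start, value_end); raises on bad input
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2      # IndexError if truncated
    if length & 0x80:                                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("unsupported length encoding")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf) or (want is not None and tag != want):
        raise ValueError("truncated value or unexpected tag")
    return tag, pos, pos + length

def is_ocsp_request(der):            # structural RFC 6960 OCSPRequest check, down to the first CertID
    try:
        _, pos, end = _tlv(der, 0, 0x30)                    # OCSPRequest
        _, pos, _ = _tlv(der, pos, 0x30)                    # tbsRequest
        while der[pos] in (0xA0, 0xA1):                     # skip optional [0] version, [1] requestorName
            pos = _tlv(der, pos)[2]
        for _ in range(3):                                  # requestList > Request > reqCert (CertID)
            _, pos, _ = _tlv(der, pos, 0x30)
        _, alg, pos = _tlv(der, pos, 0x30)                  # hashAlgorithm ...
        _tlv(der, alg, 0x06)                                # ... must begin with an algorithm OID
        for _ in range(2):                                  # issuerNameHash, issuerKeyHash
            _, _, pos = _tlv(der, pos, 0x04)
        _tlv(der, pos, 0x02)                                # serialNumber
        return end == len(der)                              # nothing may follow the request
    except (ValueError, IndexError):
        return False

def route(method, path, content_type=""):   # "ocspd" for OCSP traffic, "web" for everything else
    if method != "GET":                                     # POST is recognised by Content-Type alone
        mime = content_type.split(";")[0].strip().lower()
        return "ocspd" if method == "POST" and mime == "application/ocsp-request" else "web"
    # RFC 6960 A.1: GET {url}/{url-encoding of base-64 encoding of DER OCSPRequest}; OCSP URL = server root here
    try:
        der = base64.b64decode(urllib.parse.unquote(path.lstrip("/")), validate=True)
    except ValueError:                                      # binascii.Error is a ValueError
        return "web"
    return "ocspd" if is_ocsp_request(der) else "web"

# Constructed sample (not captured): v1 OCSPRequest for one certificate, SHA-1 CertID, dummy hashes/serial.
def _der(tag, body):                                        # short-form lengths only (all bodies < 128 bytes)
    return bytes([tag, len(body)]) + body

_CERT_ID = _der(0x30, _der(0x30, b"\x06\x05\x2b\x0e\x03\x02\x1a\x05\x00")           # sha1 + NULL params
                + _der(0x04, b"\x11" * 20) + _der(0x04, b"\x22" * 20) + _der(0x02, b"\x01\x02\x03"))
SAMPLE_OCSP_REQUEST = _der(0x30, _der(0x30, _der(0x30, _der(0x30, _CERT_ID))))
SAMPLE_GET_PATH = "/" + urllib.parse.quote(base64.b64encode(SAMPLE_OCSP_REQUEST).decode(), safe="")
```

The same check can run in the proxy itself (e.g. an njs or Lua handler) to select the upstream, with a CRL or static path falling through to the web back-end because it never decodes as a valid OCSPRequest.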
  • *"I'd like to filter/reroute OCSP traffic from regular HTTP traffic to a different back-end."* - this looks like an [XY problem](https://meta.stackexchange.com/questions/66377/what-is-the-xy-problem) to me. Could you please explain the rationale (i.e. the X) behind this requirement? Maybe there is a better way to solve the actual problem. – Steffen Ullrich Mar 12 '21 at 11:05
  • I'm going to do my best to answer your question. If my SSL certificate has OCSP - URI:http://ocsp.example.net and URI:http://ocsp.example.net/ca.crl, the problem here is that Nginx will have problems answering OCSP requests. OCSP requests need to be diverted to another server that can handle those requests. Especially due to point 2, _I like to have both CRL and OCSP uri pointing to the same location_. – bugzbunny Mar 12 '21 at 22:21
  • CRL and OCSP are different things, i.e. different scope (multiple certificates vs. single certificate) and different data formats. I don't understand why they should be served from the same URL. And why not just use a different path for CRL, OCSP and all other data so that they clearly can be distinguished and routed internally based on the path instead of some regex. – Steffen Ullrich Mar 13 '21 at 06:34
  • "And why not just use a different path for CRL, OCSP and all other data", no reason in particular and I'll add this as an answer. What I wanted to avoid was, 'ocsp.example.net' and 'crl.example.net'. However, 'ocsp.example.net/ocsp' or 'ocsp.example.net/crl' is fine. – bugzbunny Mar 13 '21 at 08:54

0 Answers