My Apache error log shows:
AH01972: could not resolve address of OCSP responder ocsp.usertrust.com
The main reason is that my server's nftables blocks any requests to the Internet.
In my opinion, a web server should not initiate any connections to the Internet, to be as secure as possible. But OCSP stapling requires a DNS connection and HTTP(S) traffic from the server to my CA's servers.
Is it possible to allow only OCSP requests from the server, instead of all HTTP(S), via nftables?
I examined this communication and found that the OCSP request is an HTTP POST with "Content-Type: application/ocsp-request". Can I use this to filter OCSP request connections?
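As an added example (not from the question, and not the asker's configuration), here is a POSIX shell script that approaches the problem with what nftables actually offers: nftables matches addresses, ports and connection state, not HTTP headers, so rather than matching the Content-Type it reads the responder URL from the certificate's AIA extension, resolves it, and allows new outbound TCP connections only to those address/port pairs, plus DNS to a single resolver. Everything else leaving the host is logged and dropped. The certificate path, the resolver address 192.0.2.53 and the table and set names are assumptions.

```shell
#!/bin/sh
# Added example for the question above; not the asker's configuration.
# Assumptions (hypothetical): the server certificate is at $CERT_FILE, the
# DNS resolver is 192.0.2.53, and the nftables table/set names are arbitrary.
CERT_FILE="${CERT_FILE:-/etc/ssl/certs/server.pem}"
RESOLVER="${RESOLVER:-192.0.2.53}"

# Split an OCSP responder URL into "host port". Responder URLs are nearly
# always http:// (the OCSP response is itself signed, so TLS adds little and
# would be a chicken-and-egg problem for the client), hence the default
# port 80; an explicit :port or an https:// scheme is honoured. Bracketed
# IPv6 literals are not handled. Returns 1 for anything that is not http(s).
ocsp_host_port() {
    case $1 in
        http://*)  ohp_port=80;  ohp_rest=${1#http://} ;;
        https://*) ohp_port=443; ohp_rest=${1#https://} ;;
        *) return 1 ;;
    esac
    ohp_hostport=${ohp_rest%%/*}
    ohp_host=${ohp_hostport%%:*}
    [ "$ohp_hostport" = "$ohp_host" ] || ohp_port=${ohp_hostport#*:}
    printf '%s %s\n' "$ohp_host" "$ohp_port"
}

# Outbound policy: default drop. Replies to inbound connections (the web
# server's own traffic) are established/related and pass; loopback passes
# (this also covers a local stub resolver); DNS may go only to the configured
# resolver; new TCP connections may go only to address/port pairs in the
# ocsp_responders set, which refresh_ocsp_set fills. Everything else is
# logged and dropped, so a compromised server cannot phone home.
apply_ruleset() {
    nft -f - <<EOF
table inet egress {
    set ocsp_responders {
        type ipv4_addr . inet_service
        flags timeout
    }
    chain output {
        type filter hook output priority 0; policy drop;
        ct state established,related accept
        oif "lo" accept
        ip daddr $RESOLVER udp dport 53 accept
        ip daddr $RESOLVER tcp dport 53 accept
        ip daddr . tcp dport @ocsp_responders accept
        log prefix "egress-drop " drop
    }
}
EOF
}

# Read the responder URL(s) from the certificate's AIA extension, resolve the
# host names and add every IPv4 address with a 1h timeout. Run this from cron
# more often than the timeout, so responders that change address keep working
# and stale addresses expire on their own.
refresh_ocsp_set() {
    for url in $(openssl x509 -in "$CERT_FILE" -noout -ocsp_uri); do
        hp=$(ocsp_host_port "$url") || continue
        host=${hp% *}
        port=${hp##* }
        # getent prints "ADDR TYPE NAME"; keep only the unique IPv4 addresses
        getent ahostsv4 "$host" | awk '{ print $1 }' | sort -u |
        while read -r addr; do
            nft add element inet egress ocsp_responders "{ $addr . $port timeout 1h }"
        done
    done
}

case ${1:-} in
    apply)   apply_ruleset && refresh_ocsp_set ;;
    refresh) refresh_ocsp_set ;;
esac
```

Run it with `apply` once at boot (before Apache's first stapling attempt) and with `refresh` from cron more often than the 1h element timeout; `nft list set inet egress ocsp_responders` shows which responder addresses are currently allowed, and the `egress-drop` log prefix shows anything else the server tried to reach.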