
I want to use nginx as a caching proxy in front of an OCSP responder. 'An OCSP request using the POST method is constructed as follows: The Content-Type header has the value "application/ocsp-request" while the body of the message is the binary value of the DER encoding of the OCSPRequest.' (from RFC2560)

Hence, I configured nginx as follows:

proxy_cache_path  /tmp/nginx/cache levels=1:2 keys_zone=my-cache:8m max_size=1000m inactive=600m;
server {
        # Make site accessible from http://localhost/
        server_name localhost;
        location / {
                proxy_pass  http://213.154.225.237:80; #ocsp.cacert.org
                proxy_cache my-cache;
                proxy_cache_methods    POST;
                proxy_cache_valid  200 302  60m;
                proxy_cache_valid  404      1m;
                proxy_cache_key        "$uri$request_body";
                expires off;
                proxy_set_header        Host            $host;
                proxy_set_header        X-Real-IP       $remote_addr;
        }
}

I can access the OCSP responder through nginx and responses are received as expected - no issue. The problem is that nginx doesn't cache the responses. Nonces are not being sent as part of the request. Using Wireshark I verified that all my requests are identical (on the HTTP layer). How do I configure nginx so that it caches the responses?

Note, I use the following command for testing:

openssl ocsp -issuer cacert.crt -no_nonce -CAfile CAbundle.crt -url http://localhost/ -serial <SERIAL>
imreal
jans

3 Answers


There is a lot more to caching OCSP responses than just caching the DER they are made of. Look into the lightweight OCSP profile and make sure that your responder does include the necessary headers into the response.

I would recommend that you use a specially built OCSP proxy cache; there are many out there. For example, Axway's Validation Authority Repeater is a good choice.


In the meanwhile I got the answer on the mailing list, which solved my problem:

Your configuration doesn't contain proxy_cache_valid (see http://nginx.org/r/proxy_cache_valid), and at the same time, via proxy_ignore_headers, it ignores all headers which may be used to set response validity based on response headers. That is, no responses will be cached with the configuration above.

You probably want to add something like

proxy_cache_valid 200 1d;

to your configuration.

jans

My complete configuration example (works with openca-ocsp):

nginx.conf:

proxy_cache_path /var/cache/nginx/ocsp levels=1:2 min_free=1024M keys_zone=ocsp:10m;

conf.d/ocsp.conf

server {
    listen 80;
    proxy_cache ocsp;
    proxy_cache_valid 200 404 2m;
    proxy_cache_min_uses 1;
    proxy_ignore_headers    X-Accel-Expires Expires Cache-Control;
    proxy_cache_methods  POST;
    proxy_cache_key "$request_uri|$request_body";
    add_header X-GG-Cache-Status $upstream_cache_status;
    location = /ocsp {
        # Allow only POST
        limit_except POST {
            deny all;
        }
        proxy_pass http://ocspd:2560/;
    }
}
Jeremy Caney
Sergey
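Added example, not part of the question or of any answer: a small Python script that reproduces how nginx turns the proxy_cache_key used above ("$uri$request_body" in the question, "$request_uri|$request_body" in the last answer) into an on-disk cache entry. nginx hashes the key string with MD5 and, with levels=1:2, places the file under a one-character directory taken from the end of the hex digest and a two-character directory taken from the two characters before it. The DER request bytes and the nonce extension fragment are constructed stand-ins, not real OCSP messages; the cache directory is the one from the last answer. The script shows why identical nonce-free requests hit the same entry while a request carrying a nonce gets a fresh entry and can never be served from cache.

```python
"""Reproduce nginx's proxy_cache_key -> cache file mapping for POSTed OCSP requests."""
import hashlib

# Constructed sample data (not a real OCSPRequest): an opaque DER body and a
# fragment carrying the OCSP nonce OID 1.3.6.1.5.5.7.48.1.2.
DER_REQUEST = b"\x30\x20" + bytes(range(0x20))
NONCE_EXT = b"\x30\x0a\x06\x09\x2b\x06\x01\x05\x05\x07\x30\x01\x02"

CACHE_DIR = "/var/cache/nginx/ocsp"  # from the answer's proxy_cache_path


def cache_key(uri: str, body: bytes, separator: bytes = b"") -> bytes:
    """Bytes nginx hashes for "$uri$request_body"; pass separator=b"|" for
    the "$request_uri|$request_body" variant."""
    return uri.encode("ascii") + separator + body


def parse_levels(spec: str) -> list:
    """Parse a proxy_cache_path levels= value such as "1:2" (1-3 parts, each 1 or 2)."""
    widths = [int(part) for part in spec.split(":")]
    if not 1 <= len(widths) <= 3 or any(w not in (1, 2) for w in widths):
        raise ValueError(f"invalid levels spec: {spec!r}")
    return widths


def cache_file_path(cache_dir: str, key: bytes, levels: str = "1:2") -> str:
    """Path of the cache file nginx would create for this key.

    The file name is the MD5 hex digest of the key; directory names are
    taken from the end of the digest, one level at a time.
    """
    digest = hashlib.md5(key).hexdigest()
    parts = []
    end = len(digest)
    for width in parse_levels(levels):
        parts.append(digest[end - width:end])
        end -= width
    return "/".join([cache_dir.rstrip("/"), *parts, digest])


def cache_entries(cache_dir: str, uri: str, bodies, levels: str = "1:2",
                  separator: bytes = b"") -> set:
    """Distinct cache files a series of request bodies to `uri` would map to."""
    return {cache_file_path(cache_dir, cache_key(uri, body, separator), levels)
            for body in bodies}


def nonce_breaks_caching() -> dict:
    """Compare two nonce-free requests with one that appends a nonce extension."""
    without_nonce = cache_entries(CACHE_DIR, "/ocsp", [DER_REQUEST, DER_REQUEST])
    with_nonce = cache_entries(CACHE_DIR, "/ocsp", [DER_REQUEST, DER_REQUEST + NONCE_EXT])
    return {"shared_entry": len(without_nonce) == 1,
            "nonce_forces_new_entry": len(with_nonce) == 2}


if __name__ == "__main__":
    print(cache_file_path(CACHE_DIR, cache_key("/ocsp", DER_REQUEST)))
    print(nonce_breaks_caching())
```

Two practical caveats when using $request_body in the key: nginx only populates $request_body when the whole body was read into memory (it is empty if the body spilled to a temporary file because it exceeded client_body_buffer_size, so every request would then collapse onto one key), and the key is hashed as raw bytes, so any byte-level difference in the DER, including a nonce, yields a different entry.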