Sapherz Wrote:
-------------------------------------------------------
> Hi,
>
> I'm trying to set up OCSP stapling but our firewall currently does not
> allow outbound port 80 unless it's via a squid proxy server. OCSP
> stapling requests are ignoring the OS (CentOS) proxy setting. Is there
> a way to tell NGINX to get its OCSP things via the proxy, or is the
> only way out to open up the firewall to the OCSP servers?
>
> NGINX 1.6.0
> CentOS 6.4
>
> Thanks.
This would be a very interesting feature.
I wouldn't have any problem opening my firewall to some dedicated IP addresses of the OCSP server(s), but StartSSL uses the Akamai CDN for ocsp.startssl.com, which means that I have to open any HTTP traffic from my reverse proxy to the outside. This is strictly a no-go on production servers.
Kind regards,
Dan