Nginx OCSP stapling configuration, nginxocspstapling

Nginx OCSP stapling configuration. Correct OCSP stapling configuration can improve HTTPS performance.

What is OCSP stapling?

OCSP stands for Online Certificate Status Protocol. As the name suggests, it is a protocol for checking the status of a certificate: the browser uses it to find out whether a certificate has been revoked. If you view the certificate details of https://www.fundebug.com in the Chrome browser, you can see the OCSP query address:

Fundebug uses a free certificate from Let's Encrypt, and its OCSP query address is http://ocsp.int-x3.letsencrypt.org/. The browser needs to send a request to this address to verify the certificate status.

OCSP has both a privacy problem and a performance problem. On the one hand, when the browser queries the third-party CA (Certificate Authority) directly, it exposes the website's visitors (Let's Encrypt learns which users are visiting Fundebug); on the other hand, the browser's OCSP query slows down the HTTPS connection (visiting Fundebug becomes slower).

OCSP stapling was introduced to solve these two problems. The web server performs the OCSP query itself, caches the result, and hands it to the browser during the TLS handshake, so the browser does not need to query the CA again. This resolves both the privacy problem and the performance problem.

OCSP stapling Detection

SSL Labs can comprehensively analyze the SSL configuration of websites that enable HTTPS, and detect the status of OCSP stapling.

Checking www.fundebug.com shows that OCSP stapling is enabled:

Checking kiwenlau.com shows that OCSP stapling is disabled:

OCSP stapling configuration

While configuring OCSP stapling, I found the following error message in the Nginx logs:

```
2018/02/27 02:58:11 [warn] 10#10: no resolver defined to resolve ocsp.int-x3.letsencrypt.org while requesting certificate status, responder: ocsp.int-x3.letsencrypt.org, certificate: "/etc/letsencrypt/live/www.fundebug.com/fullchain.pem"
```

This is caused by the [resolver](http://nginx.org/en/docs/http/ngx_http_core_module.html#resolver) directive not being configured. The resolver directive specifies the address of the DNS server, which Nginx needs because the OCSP query address ocsp.int-x3.letsencrypt.org has to be resolved to an IP address. Using a public DNS service such as Google Public DNS (8.8.8.8 and 8.8.4.4) carries security risks; according to the Nginx documentation, it is best to use a local DNS service to prevent DNS spoofing:

> To prevent DNS spoofing, it is recommended serving DNS servers in a properly secured trusted local network.

Therefore it is best to configure resolver as 127.0.0.1, that is, a local DNS service:

```
resolver 127.0.0.1;
```

Because no DNS service was running locally, Nginx reported the following error after resolver was configured:

```
2018/02/28 15:35:47 [error] 8#8: send() failed (111: Connection refused) while resolving, resolver: 127.0.0.1:53
```

A DNS service such as dnsmasq should therefore be run locally. At [Fundebug](https://www.fundebug.com/) all services, including Nginx, run inside Docker, so dnsmasq runs directly inside Docker as well, which saves the installation and configuration steps:

```
sudo docker run -d --name=dnsmasq --net=host --cap-add=NET_ADMIN andyshinn/dnsmasq:2.75 --log-facility=-
```

The complete Nginx OCSP stapling configuration is as follows (unrelated configuration options are omitted):

```
http {
    resolver 127.0.0.1;
    server {
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /etc/letsencrypt/live/www.fundebug.com/chain.pem;
    }
}
```
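To confirm from the client side that the configuration above actually works, here is an added shell check that is not part of the original post: it asks the server for a stapled OCSP response with OpenSSL's `s_client -status`, classifies the result, and can also print the responder URL embedded in a certificate file. It assumes the `openssl` binary is installed; the host, port and PEM path are parameters.

```shell
#!/bin/sh
# Added example, not from the original post: client-side check of OCSP stapling,
# the same property SSL Labs reports as "OCSP stapling: Yes/No".
# Assumes OpenSSL's s_client and x509 commands are available.

# Classify the output of `openssl s_client -status`.
# Returns 0: stapled response present and certificate status "good"
#         1: no OCSP response stapled (stapling off, or Nginx has not fetched it yet)
#         2: stapled response present but certificate status is not "good"
parse_stapling_output() {
    out="$1"
    case "$out" in
        *"OCSP Response Status: successful"*) ;;
        *) return 1 ;;
    esac
    case "$out" in
        *"Cert Status: good"*) return 0 ;;
        *) return 2 ;;
    esac
}

# Connect to a live server with SNI and request the stapled status (network required).
check_stapling() {
    host="$1"
    port="${2:-443}"
    # 'Q' closes the s_client session once the handshake output has been printed.
    out=$(printf 'Q\n' | openssl s_client -connect "$host:$port" -servername "$host" -status 2>/dev/null)
    parse_stapling_output "$out"
}

# Print the OCSP responder URL (the AIA extension) of a PEM certificate,
# e.g. the "OCSP query address" shown for the Fundebug certificate in the post.
ocsp_responder_url() {
    openssl x509 -in "$1" -noout -ocsp_uri
}

# Example usage: report the stapling status of a host given on the command line.
if [ -n "$1" ]; then
    rc=0
    check_stapling "$1" "${2:-443}" || rc=$?
    case $rc in
        0) echo "$1: OCSP stapling enabled, certificate status good" ;;
        1) echo "$1: no stapled OCSP response (check resolver and ssl_stapling)" ;;
        2) echo "$1: stapled OCSP response reports certificate is NOT good" ;;
    esac
fi
```

Nginx fetches the OCSP response lazily after the first TLS handshake, so run the check twice if the very first attempt reports no stapled response.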
