Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/kyprizel/nginx_ocsp_proxy-module
Nginx OCSP processing module designed for response caching
https://github.com/kyprizel/nginx_ocsp_proxy-module
Last synced: 3 months ago
JSON representation
Nginx OCSP processing module designed for response caching
- Host: GitHub
- URL: https://github.com/kyprizel/nginx_ocsp_proxy-module
- Owner: kyprizel
- License: bsd-3-clause
- Created: 2013-12-09T16:12:41.000Z (over 10 years ago)
- Default Branch: master
- Last Pushed: 2014-03-24T11:22:56.000Z (over 10 years ago)
- Last Synced: 2024-01-20T15:42:09.930Z (5 months ago)
- Language: C
- Size: 277 KB
- Stars: 11
- Watchers: 3
- Forks: 8
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Lists
- awesome-nginx - nginx_ocsp_proxy-module - Nginx OCSP processing module designed for response caching. (Third Party Modules / C Modules)
- awesome-nginx - nginx_ocsp_proxy-module - Nginx OCSP processing module designed for response caching. (Third Modules / C Modules)
README
Description
===========**nginx_ocsp_proxy-module** - module for OCSP request and response processing designed to allow response caching using
[srcache-nginx-module](https://github.com/agentzh/srcache-nginx-module) and [memc-nginx-module](https://github.com/agentzh/memc-nginx-module).
If you want to use standart caching mechanisms module could help you rewrite POST OCSP requests to GET.Status
======Working alpha
Note
====If you're not an CA owner with a lot of legacy clients - forget about this module and use [OCSP stapling](http://en.wikipedia.org/wiki/OCSP_stapling) instead.
Directives
==========ocsp_proxy
----------
**syntax:** *ocsp_proxy (on|off);***default:** *off*
**context:** *http, server, location, if*
on - Enable module and GET/POST request processing
off - Disable module
ocsp_cache_timeout
------------------
**syntax:** *ocsp_cache_timeout 1h;***default:** *24 hrs*
**context:** *http, server, location, if*
Maximum cache time for OCSP response.
Variables
=========ocsp_request
------------Base64 encoded OCSP request body.
Can be used for POST to GET rewrite.ocsp_serial
-----------Certificate serial
ocsp_skip_cache
---------------If set on request:
1 - no cached response should be sent
Will be set to 1 in case of:
* Nonce found in reqest
If set on response:
0 - response can be cached
1 - response can not be cached
Will be set to 1 in case of:
* Nonce found in response
* Service Locator extension found in request
ocsp_response_cache_time
------------------------Cache time for specific response.
Can't be more than ocsp_cache_timeout.
Will be set to 0 if ocsp_skip_cache set to 1.
0 means FOREVER in memcached, so don't forget to configure store_skip correctly!Example configuration
=====================upstream my_memcached {
server 127.0.0.1:11211;
}server {
listen 80;
server_name localhost;
client_max_body_size 256k;location /memc {
internal;set $memc_key $arg_key;
set $memc_exptime $arg_exptime;memc_pass my_memcached;
memc_ignore_client_abort on;
}location / {
ocsp_proxy on;
set $key $ocsp_serial;srcache_methods GET POST;
srcache_fetch GET /memc key=$key;
srcache_fetch_skip $ocsp_skip_cache;srcache_store PUT /memc key=$key&exptime=$ocsp_response_cache_time;
srcache_store_statuses 200;
srcache_store_skip $ocsp_skip_cache;
srcache_store_hide_header Date;proxy_pass http://ocsp.someca.com;
proxy_ignore_client_abort on;
}
}Example configuration 2
=======================server {
...location / {
ocsp_proxy on;if ($request_method = "POST") {
rewrite ^(.*)$ $1$ocsp_request break;
}proxy_method GET;
proxy_pass_request_body off;proxy_set_header Content-Length "";
proxy_set_header Content-Type "";proxy_cache_key "$proxy_host$ocsp_serial$request_uri";
...
proxy_pass http://ocsp.someca.com;
proxy_ignore_client_abort on;
}
}Installation
============Grab the nginx source code from [nginx.org](http://nginx.org/), for example, the version 1.5.8 (see nginx compatibility).
Grab [srcache-nginx-module](https://github.com/agentzh/srcache-nginx-module) and [memc-nginx-module](https://github.com/agentzh/memc-nginx-module).
Build the source with this module:wget 'http://nginx.org/download/nginx-1.5.8.tar.gz'
tar -xzvf nginx-1.5.8.tar.gz
cd nginx-1.5.8/
./configure --with-debug --add-module=/path/to/srcache-nginx-module \
--add-module=/path/to/memc-nginx-module \
--add-module=/path/to/nginx_ocsp_proxy-modulemake
make installModules order does matter!
Compatibility
=============Module was tested with nginx 1.5+, but should work with 1.4+.
Sources
=======Available on github at [/kyprizel/nginx_ocsp_proxy-module](https://github.com/kyprizel/nginx_ocsp_proxy-module).
Most POST processing code was borrowed from [form-input-nginx-module](https://github.com/calio/form-input-nginx-module).[![Analytics](https://ga-beacon.appspot.com/UA-559211-28/nginx_ocsp_proxy-module/README)](https://github.com/igrigorik/ga-beacon)
TODO
====* Code review
* Testing
* Load testing
* OCSP Response validation with CA certBugs
====Feel free to report bugs and send patches to [email protected]
or using [github's issue tracker](https://github.com/kyprizel/nginx_ocsp_proxy-module/issues).Copyright & License
===================Copyright (c) 2013-2014, Eldar Zaitov
All rights reserved.Redistribution and use in source and binary forms, with or without modification,
are permitted provided that the following conditions are met:* Redistributions of source code must retain the above copyright notice, this
list of conditions and the following disclaimer.* Redistributions in binary form must reproduce the above copyright notice, this
list of conditions and the following disclaimer in the documentation and/or
other materials provided with the distribution.* Neither the name of the {organization} nor the names of its
contributors may be used to endorse or promote products derived from
this software without specific prior written permission.THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.