jcmoraisjr / haproxy-ingress

HAProxy Ingress
https://haproxy-ingress.github.io
Apache License 2.0

Add OCSP stapling #936

Open crabique opened 2 years ago

crabique commented 2 years ago

What are you trying to do

HAProxy supports OCSP stapling to provide certificate status along with the server certificate during the TLS handshake. This speeds up synchronous clients and also helps protect site visitors' privacy, as they are not making OCSP requests themselves.

A certificate requester may even explicitly specify the OCSP Must-Staple option as part of the CSR, and the certificate will not work unless an OCSP object is provided along with the issued certificate (at least in browsers that properly implement it, e.g. Firefox).

It would be great if HAProxy Ingress had some integration to automate OCSP stapling responses for all ingress objects with certificates.

What HAProxy Ingress should do or how it should behave differently

HAProxy allows for configuration of OCSP stapling in two ways: statically via an .ocsp file next to the certificate, and dynamically via the runtime API.

However, those OCSP objects usually have a TTL of about 7 days, so there would need to be some sort of background worker that renews them at certain intervals.

Ideally, this feature would be configurable both as a global flag and as explicit ingress object annotations for some granular control.

Hopefully, this could be implemented 🙂

crabique commented 2 weeks ago

There seems to be a nice way to do it now: https://www.haproxy.com/documentation/haproxy-configuration-tutorials/ssl-tls/#ocsp-stapling
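The first comment names the two ways HAProxy takes a staple (a DER `.ocsp` file beside the certificate, and `set ssl ocsp-response` on the runtime API) and the roughly week-long TTL that forces a refresh loop; the follow-up links HAProxy's own documentation for the built-in updater that exists now. The script below is an added example, not code from this issue, from haproxy-ingress or from HAProxy, of the manual refresh cycle: it constructs a throwaway CA and a Must-Staple leaf certificate, produces a 7-day OCSP response from a local stand-in responder, verifies it, and installs it both ways. `openssl` 1.1.1+ and `socat` on PATH, the `HAPROXY_SOCK` variable and every file name are assumptions of the example, not anything the issue specifies.

```shell
#!/bin/sh
# Added example, not haproxy-ingress or HAProxy code: the manual staple refresh
# the issue describes, using both install methods it names (a <crt>.ocsp file
# next to the certificate, and "set ssl ocsp-response" on the runtime API).
# Assumptions not taken from the page: openssl 1.1.1+ and socat on PATH, and
# HAPROXY_SOCK naming the stats socket. The CA, leaf certificate and OCSP
# response are constructed locally so the script runs offline; against a real
# CA, fetch_ocsp_http replaces fetch_ocsp_offline.
set -u

# Constructed test PKI in directory $1: a CA, and a leaf certificate carrying an
# OCSP AIA URI plus the Must-Staple extension (TLS Feature: status_request).
make_test_pki() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example Test CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=leaf.example.test" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  printf '%s\n' 'subjectAltName=DNS:leaf.example.test' 'tlsfeature=status_request' \
    'authorityInfoAccess=OCSP;URI:http://ocsp.example.test/' >"$d/leaf.ext"
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -set_serial 10 -days 30 -extfile "$d/leaf.ext" -out "$d/leaf.pem" 2>/dev/null
  # "openssl ca" style index consumed by "openssl ocsp -index": status, expiry,
  # revocation date, serial in hex (10 = 0A), file name, subject.
  printf 'V\t330101000000Z\t\t0A\tunknown\t/CN=leaf.example.test\n' >"$d/index.txt"
}

# Facts read from the certificate: the responder to ask, and whether it is
# Must-Staple (RFC 7633), in which case serving without a staple breaks Firefox.
cert_ocsp_uri()    { openssl x509 -in "$1" -noout -ocsp_uri; }
cert_must_staple() { openssl x509 -in "$1" -noout -text | grep -q 'status_request'; }

# Real fetch from the AIA responder (needs network; not used offline).
# -no_nonce: public responders serve pre-signed responses and ignore nonces.
fetch_ocsp_http() {  # $1 cert, $2 issuer, $3 output (DER)
  openssl ocsp -issuer "$2" -cert "$1" -url "$(cert_ocsp_uri "$1")" -no_nonce \
    -respout "$3" >/dev/null 2>&1
}

# Offline stand-in: answer our own request from the index, signed by the CA,
# with a 7-day nextUpdate like the responses the issue mentions.
fetch_ocsp_offline() {  # $1 PKI dir, $2 output (DER)
  openssl ocsp -index "$1/index.txt" -CA "$1/ca.pem" -rsigner "$1/ca.pem" \
    -rkey "$1/ca.key" -ndays 7 -issuer "$1/ca.pem" -cert "$1/leaf.pem" \
    -no_nonce -CAfile "$1/ca.pem" -respout "$2" >/dev/null 2>&1
}

# Verify before installing: the response must chain to the issuer and say
# "good". Installing an unverified or stale staple is worse than serving none.
verify_ocsp() {  # $1 response (DER), $2 cert, $3 issuer
  out=$(openssl ocsp -respin "$1" -issuer "$3" -cert "$2" -CAfile "$3" -no_nonce 2>&1 || true)
  case $out in *"Response verify OK"*) ;; *) return 1 ;; esac
  case $out in *": good"*) return 0 ;; *) return 1 ;; esac
}

# The staple's TTL is its nextUpdate; a refresh loop should run well before it.
ocsp_next_update() {  # $1 response (DER), $2 cert, $3 issuer
  openssl ocsp -respin "$1" -issuer "$3" -cert "$2" -noverify -no_nonce 2>/dev/null |
    sed -n 's/.*Next Update: //p'
}

# Method 1 (static): HAProxy loads <crt>.ocsp (DER) together with the cert.
stage_static() {  # $1 response (DER), $2 cert path
  cp "$1" "$2.ocsp.tmp" && mv "$2.ocsp.tmp" "$2.ocsp"
}

# Method 2 (runtime API): push the base64 DER; no reload needed.
ocsp_runtime_command() { printf 'set ssl ocsp-response %s\n' "$(openssl base64 -A -in "$1")"; }
push_ocsp_runtime() {  # $1 response (DER), $2 stats socket
  ocsp_runtime_command "$1" | socat stdio "unix-connect:$2"
}

# Stand-alone run: one refresh cycle against the constructed PKI.
refresh_once() {
  d=$(mktemp -d)
  make_test_pki "$d"
  fetch_ocsp_offline "$d" "$d/resp.der"
  if verify_ocsp "$d/resp.der" "$d/leaf.pem" "$d/ca.pem"; then
    stage_static "$d/resp.der" "$d/leaf.pem"
    echo "staged $d/leaf.pem.ocsp; next update: $(ocsp_next_update "$d/resp.der" "$d/leaf.pem" "$d/ca.pem")"
    if [ -S "${HAPROXY_SOCK:-}" ]; then push_ocsp_runtime "$d/resp.der" "$HAPROXY_SOCK"; fi
  else
    echo "staple did not verify; keeping the previous one" >&2
  fi
  echo "responder: $(cert_ocsp_uri "$d/leaf.pem"); must-staple: $(cert_must_staple "$d/leaf.pem" && echo yes || echo no)"
}
refresh_once
```

Run it from cron or a sidecar per certificate, refreshing at roughly half the remaining `Next Update` window so a responder outage does not leave a Must-Staple site without a valid staple; the verify step is what keeps a failed fetch from replacing a good staple with nothing. Two caveats to check against the HAProxy version in use: in older releases `set ssl ocsp-response` only updates certificates that were loaded with a `.ocsp` file in the first place, and since HAProxy 2.8 the crt-list option `ocsp-update on` (with the `tune.ssl.ocsp-update.*` global settings, names as I recall them from the 2.8 documentation) performs this fetch, verify and install cycle inside HAProxy itself, which is the feature the linked documentation describes; confirm the exact keywords against that page.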