macbre / docker-nginx-http3

Stable and up-to-date root-less nginx with quic + http/3, google brotli compression, njs, GeoIP2, and Grade A+ SSL config
https://hub.docker.com/r/macbre/nginx-http3

apply kn007 ocsp stapling patch #116

Open natsl05164 opened 1 year ago

natsl05164 commented 1 year ago

Ran the Dockerfile with the KN007 Enable_BoringSSL_OCSP.patch without error. However, I didn't test it on a real HTTPS domain. The KN007 patch adds OCSP stapling support for BoringSSL to Nginx using the ssl_stapling_file parameter. However, the ssl_stapling_file (/path/to/ocsp.resp) needs to be renewed from the issuer site every fixed duration, and the response will be saved to (/path/to/ocsp.resp), which is what the cron job does. You may see the details on KN007's blog https://kn007.net/topics/let-nginx-support-ocsp-stapling-when-using-boringssl/. Thanks
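
The renewal step described in the comment above, written out as an added example (this is not the repository's tests/oscp.cron.sh and not KN007's script). It assumes the certificate and chain live under /etc/nginx/ssl/, that the response file is the one named in ssl_stapling_file, that the responder URL can be read from the certificate's Authority Information Access extension with `openssl x509 -ocsp_uri`, and that nginx re-reads the file on reload (an assumption about the patched build). The script name ocsp-renew.sh is hypothetical. It only replaces the file when openssl both verifies the responder's signature and reports the certificate as good, and it replaces it atomically, so nginx never sees a half-written or revoked response.

```bash
#!/bin/sh
# Constructed example: renew the OCSP response served by a BoringSSL nginx
# (kn007 patch) through ssl_stapling_file. All paths below are assumptions.
set -eu

CERT="${CERT:-/etc/nginx/ssl/fullchain.pem}"   # leaf certificate (assumed path)
ISSUER="${ISSUER:-/etc/nginx/ssl/chain.pem}"   # issuer certificate(s) (assumed path)
RESP="${RESP:-/etc/nginx/ssl/ocsp.resp}"       # value of ssl_stapling_file (assumed path)
MAX_AGE="${MAX_AGE:-86400}"                    # renew once the file is this many seconds old
NGINX_PID="${NGINX_PID:-/var/run/nginx.pid}"   # assumed pid file location

# ocsp_uri CERT: print the responder URL from the certificate's AIA extension.
ocsp_uri() {
    openssl x509 -noout -ocsp_uri -in "$1"
}

# needs_renewal FILE MAX_AGE: succeed when FILE is missing or older than MAX_AGE seconds.
# stat -c %Y is GNU coreutils / BusyBox syntax, which is what the container has.
needs_renewal() {
    file="$1"; max_age="$2"
    [ -f "$file" ] || return 0
    now=$(date +%s)
    mtime=$(stat -c %Y "$file")
    [ $((now - mtime)) -ge "$max_age" ]
}

# fetch_ocsp CERT ISSUER OUT: ask the responder, and write the DER response to OUT
# only if openssl verified the responder signature and the status is "good".
# On any failure OUT is left untouched so nginx keeps serving the previous response.
fetch_ocsp() {
    cert="$1"; issuer="$2"; out="$3"
    url=$(ocsp_uri "$cert")
    if [ -z "$url" ]; then
        echo "no OCSP URI in $cert" >&2
        return 1
    fi
    tmp=$(mktemp "${out}.XXXXXX")
    # -no_nonce: most public responders serve pre-signed replies and ignore nonces.
    # stderr carries "Response verify OK" / "Response Verify Failure", so capture both.
    result=$(openssl ocsp -issuer "$issuer" -cert "$cert" -url "$url" \
                 -no_nonce -respout "$tmp" 2>&1) || true
    if printf '%s\n' "$result" | grep -q 'Response verify OK' &&
       printf '%s\n' "$result" | grep -qF -- "${cert}: good"; then
        mv -f "$tmp" "$out"          # atomic replace: never a partial file on disk
    else
        rm -f "$tmp"
        echo "OCSP response for $cert not verified good; keeping $out" >&2
        return 1
    fi
}

# main: renew when due, then reload nginx so the patched build re-reads the file
# (that nginx reloads the response on HUP is an assumption; verify on your build).
main() {
    if needs_renewal "$RESP" "$MAX_AGE"; then
        fetch_ocsp "$CERT" "$ISSUER" "$RESP"
        if [ -f "$NGINX_PID" ]; then
            kill -HUP "$(cat "$NGINX_PID")"
        fi
    fi
}

# cron entry (assumed): 0 */6 * * * /usr/local/bin/ocsp-renew.sh renew
if [ "${1:-}" = "renew" ]; then
    main
fi
```

Run it once before the first nginx start: as the test log later in this thread shows, nginx exits with an `[emerg]` when ssl_stapling_file points at a file that does not exist yet, so the cron job alone is not enough.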

macbre commented 9 months ago

Tests are failing with:

2023-09-17T12:10:13.7923577Z 2023/09/17 12:10:13 [notice] 1#1: using boringssl, currently only "ssl_stapling_file" is supported. use it as your own risk
2023-09-17T12:10:13.7928916Z 2023/09/17 12:10:13 [emerg] 1#1: BIO_new_file("/path/to/ocsp.resp") failed (SSL: error:02000002:system library:OPENSSL_internal:No such file or directory:fopen('/path/to/ocsp.resp','r') error:1100006e:BIO routines:OPENSSL_internal:NO_SUCH_FILE)

macbre commented 9 months ago

I do not think that the approach with the cronjob setup will work for most users of this container. Hence...

  1. Let's keep the patch being applied in the Dockerfile.
  2. Comment out the ssl_stapling_file /path/to/ocsp.resp; field from the test config.
  3. Move the tests/oscp.cron.sh file content to a README file describing how to set up the OCSP stapling (i.e. obtaining the OCSP reply from the certificate issuer).