This 2012 post, Priming the OCSP cache in Nginx
https://unmitigatedrisk.com/?p=241
comments:

"... in Nginx 1.3.7, unfortunately architectural restrictions made it impractical to make it so that pre-fetching the OCSP response on server start-up so instead the first connection to the server primes the cache that is used for later connections. This is a fine compromise but what if you really want the first connection to have the benefit too? Well there are two approaches you can take: ..."

where OCSP pre-fetching is a challenge that Cloudflare similarly took up in 2017, outside of its then-Nginx usage:

High-reliability OCSP stapling and why it matters
https://blog.cloudflare.com/high-reliability-ocsp-stapling/

Adding to /etc/systemd/system/nginx.service

  + ExecStartPost=/bin/bash /etc/nginx/scripts/ocsp_prefetch.sh

where /etc/nginx/scripts/ocsp_prefetch.sh iterates over served domains,

  echo QUIT | openssl s_client -connect ${_thisDom}:443 -servername ${_thisDom} -tls1_3 -tlsextdebug -status 2> /dev/null

does the trick. After a cold reboot, first hits to the site(s) no longer fail to respond in-browser, or fail to provide an OCSP response to an openssl s_client query.

Is there an nginx prefetch mechanism available natively in the current version? I found this 7-year-old enhancement request, Fetch OCSP responses on startup, and store across restarts
https://trac.nginx.org/nginx/ticket/812
which afaict wasn't resolved.

_______________________________________________
nginx mailing list -- nginx@nginx.org
To unsubscribe send an email to nginx-le...@nginx.org
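A cache-priming script in the spirit of the ExecStartPost approach above, added here as an example (not the poster's script): it collects hostnames from server_name directives, handshakes each one against the local nginx with -status, and retries until a stapled response is actually served, because the first hit only triggers nginx's background fetch. Hypothetical assumptions: the vhost files live in the directory passed as $1, and nginx serves those names on 127.0.0.1:443 (SNI selects the certificate, so no DNS is needed).

```shell
#!/bin/sh
# Added example, not the poster's script: prime nginx's OCSP staple cache after
# start-up and verify a staple actually came back. Assumptions (hypothetical):
# vhosts in the directory given as $1 declare hostnames via server_name, and
# nginx serves them on 127.0.0.1:443 (SNI picks the certificate, so no DNS needed).
set -u

# Pull hostnames out of server_name directives read from stdin; wildcard and
# catch-all names are dropped because they cannot be sent as SNI.
extract_server_names() {
    sed -n 's/^[[:space:]]*server_name[[:space:]][[:space:]]*\([^;]*\);.*$/\1/p' \
      | tr ' \t' '\n\n' | grep -v '^$' | grep -v '[*_]' | sort -u
}

# Succeeds only when s_client output carries a stapled, successful response;
# "OCSP response: no response sent" means the cache was not yet warm.
ocsp_stapled() {
    grep -q 'OCSP Response Status: successful'
}

# Handshake with a given SNI name, requesting a staple (-status). nginx fetches
# the response in the background on the first hit, so retry until it is served.
prime_host() {
    host=$1 attempts=${2:-5} i=1
    while [ "$i" -le "$attempts" ]; do
        if echo QUIT | openssl s_client -connect 127.0.0.1:443 -servername "$host" \
                -status 2>/dev/null | ocsp_stapled; then
            echo "ocsp_prefetch: staple primed for $host (attempt $i)"
            return 0
        fi
        i=$((i + 1)); sleep 1
    done
    echo "ocsp_prefetch: WARNING no stapled response for $host after $attempts attempts" >&2
    return 1
}

# Prime every name found under the vhost directory; exit non-zero if any failed
# so systemd records the problem in the journal.
main() {
    rc=0
    for h in $(cat "$1"/* 2>/dev/null | extract_server_names); do
        prime_host "$h" || rc=1
    done
    return $rc
}

if [ $# -gt 0 ]; then main "$1"; fi
```

Install it as ExecStartPost=/bin/sh /etc/nginx/scripts/ocsp_prefetch.sh /etc/nginx/sites-enabled; a non-zero exit lands in the journal, so a staple that never warms becomes visible instead of silent.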