Nginx

OCSP 與 nginx 的裝訂

  • August 29, 2015

我在 nginx 中使用 OCSP 裝訂時遇到問題。所以我啟動了 openssl ocsp 守護程序,然後我訪問了我的站點。然後它說無效請求。我正在使用私有 PKI 和 CA。SSL 密鑰:8192 位 DH 密鑰 2048 位

root@wilhelm:/etc/ocsp# openssl ocsp -index index.txt -port 9999 -rsigner oscp.crt -rkey oscp.key -CA cacert.pem -text -out log.txt
Waiting for OCSP client connections...
Invalid request
root@wilhelm:/etc/ocsp# ls
cacert.pem  index.txt  index.txt.attr  index.txt.attr.old  index.txt.old  log.txt  ocsp.crt  ocsp.key  oscp.crt  oscp.key
root@wilhelm:/etc/ocsp# 

雖然伺服器正在工作,但我使用 openssl ocsp -CAfile ../cacert.pem -issuer ../cacert.pem -url http://* url *:9999 -resp_text -cert mycert.crt 對其進行了測試,它工作正常.

Nginx 配置:

set_real_ip_from   199.27.128.0/21;
set_real_ip_from   173.245.48.0/20;
set_real_ip_from   103.21.244.0/22;
set_real_ip_from   103.22.200.0/22;
set_real_ip_from   103.31.4.0/22;
set_real_ip_from   141.101.64.0/18;
set_real_ip_from   108.162.192.0/18;
set_real_ip_from   190.93.240.0/20;
set_real_ip_from   188.114.96.0/20;
set_real_ip_from   197.234.240.0/22;
set_real_ip_from   198.41.128.0/17;  
set_real_ip_from   162.158.0.0/15;  
set_real_ip_from   104.16.0.0/12;
set_real_ip_from   172.64.0.0/13;
real_ip_header     X-Forwarded-For;
limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m;
limit_req_zone $binary_remote_addr zone=req_limit_per_ip:10m rate=1r/s;
limit_conn conn_limit_per_ip 5;
limit_req zone=req_limit_per_ip burst=10 nodelay;   

server_tokens off;

add_header X-Frame-Options SAMEORIGIN;

add_header X-Content-Type-Options nosniff;

add_header X-XSS-Protection "1; mode=block";


server {
 listen 80;
 server_name mail.wilhelm.co.za;
 return 301 https://$host$request_uri;
}

server {
 listen 443 ssl;
 ssl on;
 server_name mail.wilhelm.co.za;

 if ($http_referer ~* "(semalt|buttons-for|best-seo)") { return 444; }
 if ($http_host = '') { return 444; }
 if ($host !~* ^mail\.wilhelm\.co\.za$ ) { return 444; }
 if ($request_method !~ ^(GET|HEAD)$ ) { return 444; }

 ssl_certificate /etc/nginx/ssl/mail.wilhelm.co.za.key.crt;
 ssl_certificate_key /etc/nginx/ssl/mail.wilhelm.co.za.key;
 ssl_client_certificate /etc/nginx/ssl/cacert.pem;
 ssl_verify_client optional; 
 ssl_session_cache shared:SSL:50m;
 ssl_session_timeout 5m;

 ssl_dhparam /etc/nginx/ssl/dhparam.pem;

 ssl_prefer_server_ciphers on;
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";

 resolver 8.8.8.8 valid=300s;
 resolver_timeout 10s;
 ssl_stapling on;
 ssl_stapling_verify on;
 ssl_trusted_certificate /etc/nginx/ssl/mail.wilhelm.co.za.crt;

 add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
 root /var/www/mail.wilhelm.co.za/public_html;
 access_log /var/www/mail.wilhelm.co.za/logs/access.log;
 error_log /var/www/mail.wilhelm.co.za/logs/error.log;
 index index.php;

 location / {
   try_files $uri $uri/ /index.php?$query_string;
 }

 location ~ \.php$ {
   fastcgi_index index.php;
   fastcgi_split_path_info ^(.+\.php)(.*)$;
   fastcgi_keep_conn on;
   include /etc/nginx/fastcgi_params;
   fastcgi_pass unix:/var/run/php5-fpm.sock;
   fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
 }

 location ~ /\.ht {
   deny all;
 }

 location ^~ /data {
   deny all;
 }
}

對於用於 OCSP 裝訂的 OCSP 請求,nginx 使用 GET 請求,如RFC 2560中所述。

另一方面,從上次發布的 OpenSSL 1.0.2d 開始,OpenSSL 僅支持 OCSP 響應者守護程序中的 POST 請求,可通過openssl ocsp. 它不辨識 GET 請求並列印Invalid request此類請求。

為了使這項工作,您可以從 master 分支嘗試 OpenSSL - 它似乎包含改進 OCSP 響應程式碼的嘗試,並且現在應該正確處理 GET 請求。不過我沒試過,可能還有其他問題。還請記住它是未發布的程式碼。

您也可以考慮使用另一個 OCSP 響應器。

引用自:https://serverfault.com/questions/682932