IOIOX 文档中心

Appearance

Nginx 配置 OCSP Stapling

配置方法

修改 nginx 域名 conf 文件

修改域名 conf 文件,在证书信息下加入以下代码:

nginx
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /path/to/full_chain.pem;
    resolver 8.8.8.8 8.8.4.4 valid=60s ipv6=off;
    resolver_timeout 5s;
  • full_chain.pem为完整证书链证书.
  • /path/to/full_chain.pem;修改为证书实际绝对路径.
  • 由于国内 VPS 服务器访问 OCSP 服务器可能会被污染而导致失败,所以添加resolver来解决此问题.

!> 修改完成后执行 nginx -t 检查,执行 nginx -s reload 重载 nginx 生效.
docker 环境执行 docker exec nginx nginx -t 检查,执行 docker exec nginx nginx -s reload 重载 nginx 生效.

检查生效

在客户端,例如 macOS Linux 等系统下执行以下命令检查是否生效:

shell
openssl s_client -connect www.yourdomain.com:443 -servername www.yourdomain.com -status -tlsextdebug < /dev/null 2>&1 | grep -i "OCSP response"
# 将命令中 www.yourdomain.com 改为你的域名

未生效结果

shell
OCSP response: no response sent

成功生效结果

shell
OCSP response:
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response

!> 配置完成后首次检查可能会显示未生效,因为 Nginx 收到首次请求会发起异步 OCSP 请求,尝试多执行几次来查询即可.

参考示例

nginx
upstream dockername { 
    server 127.0.0.1:8080;
}

server {
    listen 80;
    server_name  www.yourdomain.com;
    return 301 https://www.yourdomain.com$request_uri;
}

server {
    listen 443 ssl;
    server_name  www.yourdomain.com;
    gzip on;    

    ssl_certificate /usr/local/nginx/conf/ssl/www.yourdomain.com.crt;
    ssl_certificate_key /usr/local/nginx/conf/ssl/www.yourdomain.com.key;

    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /usr/local/nginx/conf/ssl/www.yourdomain.com.crt;
    resolver 8.8.8.8 8.8.4.4 valid=60s ipv6=off;
    resolver_timeout 5s;    

    # access_log /var/log/nginx/dockername_access.log combined;
    # error_log  /var/log/nginx/dockername_error.log;

    location / {
        proxy_redirect off;
        proxy_pass http://dockername;

        proxy_set_header  Host                $http_host;
        proxy_set_header  X-Real-IP           $remote_addr;
        proxy_set_header  X-Forwarded-Ssl     on;
        proxy_set_header  X-Forwarded-For     $proxy_add_x_forwarded_for;
        proxy_set_header  X-Forwarded-Proto   $scheme;
        proxy_set_header  X-Frame-Options     SAMEORIGIN;

        client_max_body_size        100m;
        client_body_buffer_size     128k;

        proxy_buffer_size           4k;
        proxy_buffers               4 32k;
        proxy_busy_buffers_size     64k;
        proxy_temp_file_write_size  64k;
    }
}

Copyright © 2024 IOIOX