ocsp-stapling
Description#
The ocsp-stapling Plugin dynamically sets the behavior of OCSP stapling in Nginx.
Enable Plugin#
This Plugin is disabled by default. Modify the config file to enable the plugin:
plugins:
- ...
- ocsp-stapling
After modifying the config file, reload APISIX or send an hot-loaded HTTP request through the Admin API to take effect:
note
You can fetch the admin_key from config.yaml and save to an environment variable with the following command:
admin_key=$(yq '.deployment.admin.admin_key[0].key' conf/config.yaml | sed 's/"//g')
curl http://127.0.0.1:9180/apisix/admin/plugins/reload -H "X-API-KEY: $admin_key" -X PUT
Attributes#
The attributes of this plugin are stored in specific field ocsp_stapling within SSL Resource.
| Name | Type | Required | Default | Valid values | Description |
|---|---|---|---|---|---|
| enabled | boolean | False | false | Like the ssl_stapling directive, enables or disables OCSP stapling feature. | |
| skip_verify | boolean | False | false | Like the ssl_stapling_verify directive, enables or disables verification of OCSP responses. | |
| cache_ttl | integer | False | 3600 | >= 60 | Specifies the expired time of OCSP response cache. |
Example usage#
You should create an SSL Resource first, and the certificate of the server certificate issuer should be known. Normally the fullchain certificate works fine.
Create an SSL Resource as such:
curl http://127.0.0.1:9180/apisix/admin/ssls/1 \
-H "X-API-KEY: $admin_key" -X PUT -d '
{
"cert" : "'"$(cat server.crt)"'",
"key": "'"$(cat server.key)"'",
"snis": ["test.com"],
"ocsp_stapling": {
"enabled": true
}
}'
Next, establish a secure connection to the server, request the SSL/TLS session status, and display the output from the server:
echo -n "Q" | openssl s_client -status -connect localhost:9443 -servername test.com 2>&1 | cat
...
CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
OCSP Response Status: successful (0x0)
...
To disable OCSP stapling feature, you can make a request as shown below:
curl http://127.0.0.1:9180/apisix/admin/ssls/1 \
-H "X-API-KEY: $admin_key" -X PUT -d '
{
"cert" : "'"$(cat server.crt)"'",
"key": "'"$(cat server.key)"'",
"snis": ["test.com"],
"ocsp_stapling": {
"enabled": false
}
}'
Delete Plugin#
Make sure all your SSL Resource doesn't contains ocsp_stapling field anymore. To remove this field, you can make a request as shown below:
curl http://127.0.0.1:9180/apisix/admin/ssls/1 \
-H "X-API-KEY: $admin_key" -X PATCH -d '
{
"ocsp_stapling": null
}'
Modify the config file ./conf/config.yaml to disable the plugin:
plugins:
- ...
# - ocsp-stapling
After modifying the config file, reload APISIX or send an hot-loaded HTTP request through the Admin API to take effect:
curl http://127.0.0.1:9180/apisix/admin/plugins/reload -H "X-API-KEY: $admin_key" -X PUT