We are attempting to proxy OCSP responder lookups via Nginx. Clients have an OCSP lookup such as http://example.com/OCSP/EMSRootCAResponder hardcoded in their certificate which we direct to an Nginx host using our internal DNS. The Nginx host receives the same DNS responses so we must tell proxy_pass to use an external resolver so proxy_pass is not pointing to itself but instead, the externally hosted OCSP responder.

We are using resolver to try forcing Nginx to use an external DNS resolver to resolve the external OCSP service.
    server {
        listen 80;
        server_name ocsp.example.com;
        location = / {
            resolver 8.8.8.8 valid=30s;
            set $domain ocsp.example.com;
            proxy_pass http://$domain;
        }
    }
but Nginx is still trying to serve a local resource versus proxying the request to the external upstream target.
    ocsp-proxy | 2023/12/08 16:34:32 [error] 21#21: *1 open() "/etc/nginx/html/OCSP/EMSSSPCAResponder" failed (2: No such file or directory), client: 10.x.x.x, server: ocsp.example.com, request: "POST /OCSP/EMSSSPCAResponder HTTP/1.1", host: "ocsp.example.com"
Thoughts on why Nginx is not performing proxy_pass but instead trying to serve a local resource?
Per the comment: I was using location = /, which does not match the request POST /OCSP/EMSSSPCAResponder. I meant to use location /, which matches any URL.
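The corrected configuration, written out here as an added illustration rather than copied from the question; the proxy_set_header and limit_except lines are my additions, and the upstream hostname is a placeholder:

```nginx
# Corrected reverse proxy for the OCSP URL hardcoded in client certificates.
# Assumption (not from the question): port 80 only, because OCSP clients
# fetch the responder URL over plain HTTP.
server {
    listen 80;
    server_name ocsp.example.com;

    # Prefix match: proxies every path under this host, including
    # POST /OCSP/EMSSSPCAResponder. "location = /" matched only the bare
    # "/" path, so every other request fell through to the static root
    # and produced the open() "No such file or directory" error.
    location / {
        # External resolver, so the name is not answered by the internal
        # DNS that points ocsp.example.com back at this very host.
        resolver 8.8.8.8 valid=30s;

        # Putting the hostname in a variable forces nginx to resolve it at
        # request time with the "resolver" above. A literal hostname in
        # proxy_pass is resolved once at startup through the system
        # resolver, i.e. the internal DNS, which is what we must avoid.
        set $domain ocsp.example.com;

        # No URI part after the hostname, so the original request URI
        # (/OCSP/EMSSSPCAResponder) is forwarded unchanged.
        proxy_pass http://$domain;

        # Present the upstream's own hostname in the Host header.
        proxy_set_header Host $domain;

        # OCSP over HTTP only uses GET and POST; refuse anything else
        # instead of forwarding it to the public responder.
        limit_except GET POST {
            deny all;
        }
    }
}
```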