
Support OCSP Stapling

Open Ozarklake opened this issue 1 year ago • 6 comments

Please describe the problem you have

OCSP: Online Certificate Status Protocol (OCSP) stapling

OCSP checking is enabled by default on all iOS devices, and if OCSP stapling is available, the server will send the OCSP result directly to the client, avoiding the client having to launch other queries to the CA, which will significantly reduce iOS client latency.

also see:

Ozarklake avatar Aug 21 '22 03:08 Ozarklake

Hi @Ozarklake! Envoy provides means to configure OCSP response to return to the client that requests it, but it does not seem to request it from OCSP responder by making OCSP request. Would you consider the same scope adequate for Contour, that is, let administrator provision pre-fetched OCSP response together with the certificate chain?

tsaarni avatar Aug 21 '22 05:08 tsaarni


Hi @tsaarni. Considering that OCSP responses are usually short-term, the best way is of course to do as nginx does, but I'm not sure how hard it is to push upstream changes.

Another potential way to do this is to have Contour make an OCSP request and then load it into Envoy, but that doesn't sound intelligent, and I think the best way is to push the upstream changes.

Ozarklake avatar Aug 21 '22 14:08 Ozarklake

Hi @Ozarklake,

I did a short search in Envoy issues, but so far I did not find a ticket discussing the option of having Envoy execute the OCSP request to fetch the response for stapling.

NGINX seems to have implemented it by a Lua script (link, depends on OpenResty lua-resty-core and lua-nginx-module).

There was also an issue about the option to have cert-manager handle the requests. It was rejected in the end. The issue also mentions some downsides of the NGINX implementation, such as the possibility that the proxy does not necessarily have network access to the OCSP responder.

The most straightforward approach for Contour would be to expose what there is in Envoy by configuring the response from a Secret. Of course that is just a partial solution. Users would still need to build automation to refresh the response.

tsaarni avatar Aug 21 '22 15:08 tsaarni
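For reference, this is what the existing Envoy support that tsaarni refers to looks like: a pre-fetched, DER-encoded OCSP response provisioned next to the certificate chain, plus the policy that decides what happens when that response is missing or expires. This is an added example, not from the issue or from the Contour project; the file paths are assumptions, and the field names and policy values are Envoy's own.

```yaml
# Envoy DownstreamTlsContext with a pre-fetched OCSP staple.
# The paths under /etc/envoy/tls are assumptions for this example.
transport_socket:
  name: envoy.transport_sockets.tls
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
    common_tls_context:
      tls_certificates:
        - certificate_chain:
            filename: /etc/envoy/tls/tls.crt
          private_key:
            filename: /etc/envoy/tls/tls.key
          # DER-encoded OCSPResponse fetched out of band from the CA's
          # responder. Envoy does not fetch or renew it; the operator's
          # automation must replace the file before its nextUpdate time.
          ocsp_staple:
            filename: /etc/envoy/tls/ocsp.der
    # What to do when a staple is absent or has expired:
    #   LENIENT_STAPLING (default): serve the certificate without a staple.
    #   STRICT_STAPLING: absent is tolerated, but an expired staple takes
    #     the certificate out of use rather than serving it unstapled.
    #   MUST_STAPLE: a staple is required; config load fails without one.
    ocsp_staple_policy: STRICT_STAPLING
```

With STRICT_STAPLING a stale staple is a service-affecting event, which is why the refresh automation tsaarni mentions is not optional once stapling is enabled.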


This feature is actually natively supported by Nginx. nginx-ingress seems to have implemented it in Lua to avoid triggering reloads, which can be a performance burden for Nginx, but this is not a problem in Envoy.

So it would be great if it could be implemented in Envoy, which would make Envoy a better edge proxy server.

But implementing it in an ingress controller like nginx-ingress seems like a good option, and I think it's easier than pushing upstream changes.

Ozarklake avatar Aug 22 '22 00:08 Ozarklake

@Ozarklake

So it would be great if it could be implemented in Envoy, which would make Envoy a better edge proxy server.

But implementing it in an ingress controller like nginx-ingress seems like a good option, and I think it's easier than pushing upstream changes

Yes, it will be a lot more work and it requires someone to volunteer and implement the feature. But if the feature has not been asked for yet, maybe you could create an issue for Envoy too? It would be interesting to hear opinions, especially since the developers have already created support for pre-fetched responses.

tsaarni avatar Aug 22 '22 04:08 tsaarni


Sure. I'll do that.

Ozarklake avatar Aug 22 '22 07:08 Ozarklake

The Contour project currently lacks enough contributors to adequately respond to all Issues.

This bot triages Issues according to the following rules:

  • After 60d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, the Issue is closed

You can:

  • Mark this Issue as fresh by commenting
  • Close this Issue
  • Offer to help out with triage

Please send feedback to the #contour channel in the Kubernetes Slack

github-actions[bot] avatar Oct 22 '22 00:10 github-actions[bot]