Support OCSP Stapling
Please describe the problem you have
OCSP: The Online Certificate Status Protocol (OCSP) stapling
OCSP checking is enabled by default on all iOS devices, and if OCSP stapling is available, the server will send the OCSP result directly to the client, avoiding having the client launch other queries to the CA institute, which will significantly reduce iOS client latency.
also see:
Hi @Ozarklake! Envoy provides means to configure OCSP response to return to the client that requests it, but it does not seem to request it from OCSP responder by making OCSP request. Would you consider the same scope adequate for Contour, that is, let administrator provision pre-fetched OCSP response together with the certificate chain?
Hi @tsaarni. Considering that OCSP responses are usually short-term, the best way is of course to do as nginx does, but I'm not sure how hard it is to push upstream changes.
Another potential way to do this is to have Contour make an OCSP request and then load it into Envoy, but that doesn't sound intelligent, and I think the best way is to push the upstream changes.
Hi @Ozarklake,
I did a short search in Envoy issues, but so far I did not find ticket discussing the option of having Envoy execute the OCSP request to fetch the response for stapling.
NGINX seems to have implemented it with a Lua script (link, depends on openresty lua-resty-core and lua-nginx-module).
There was also an issue about an option to have cert-manager handle the requests. It was rejected in the end. The issue also mentions some downsides of the NGINX implementation, such as the possibility that the proxy does not necessarily have network access to the OCSP responder.
The most straightforward approach for Contour would be to expose what there is in Envoy by configuring the response from a Secret. Of course that is just a partial solution. The user would still need to build automation to refresh the response.
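The pre-fetched staple that Envoy already accepts, shown as an added example of a DownstreamTlsContext (not a Contour manifest, and not code from this thread); the file paths and the responder URL placeholder are assumptions, and the fields `ocsp_staple` and `ocsp_staple_policy` are the ones Envoy's v3 TLS API defines:

```yaml
# Added example: Envoy listener transport socket with a pre-fetched OCSP staple.
# The DER response is produced out of band before it is mounted, e.g. (placeholder URL):
#   openssl ocsp -issuer /etc/envoy/tls/issuer.crt -cert /etc/envoy/tls/tls.crt \
#     -url https://ocsp.example-ca.invalid -respout /etc/envoy/tls/ocsp.der
# The staple is only valid until its nextUpdate time, so the refresh automation
# mentioned above has to rewrite ocsp.der (and the Secret it comes from) before then.
transport_socket:
  name: envoy.transport_sockets.tls
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
    # LENIENT_STAPLING (the default) silently drops an expired staple and keeps serving;
    # STRICT_STAPLING refuses to use the certificate once its staple has expired, which
    # turns a stale refresh job into a visible failure instead of a quiet loss of stapling.
    # MUST_STAPLE additionally requires a staple for certificates carrying the
    # must-staple extension.
    ocsp_staple_policy: STRICT_STAPLING
    common_tls_context:
      tls_certificates:
        - certificate_chain:
            filename: /etc/envoy/tls/tls.crt      # assumed mount path
          private_key:
            filename: /etc/envoy/tls/tls.key      # assumed mount path
          ocsp_staple:
            filename: /etc/envoy/tls/ocsp.der     # DER-encoded OCSP response, assumed path
```

With STRICT_STAPLING, an alert on TLS handshake failures for the listener doubles as a check that the staple refresh is still running.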
This feature is actually natively supported by Nginx. Nginx-ingress seems to have implemented it in Lua to avoid triggering reloads, which can be a performance burden for Nginx, but this is not a problem in Envoy.
So it would be great if it could be implemented in Envoy, which would make Envoy a better edge proxy server.
But implementing it in an ingress controller like nginx-ingress seems like a good option, and I think it's easier than pushing upstream changes
@Ozarklake
So it would be great if it could be implemented in Envoy, which would make Envoy a better edge proxy server.
But implementing it in an ingress controller like nginx-ingress seems like a good option, and I think it's easier than pushing upstream changes
Yes, it will be a lot more work and it requires someone to volunteer and implement the feature. But if the feature has not been asked for yet, maybe you could create an issue for Envoy too? It would be interesting to hear opinions, especially since the developers had already created support for the pre-fetched response.
Sure. I'll do that.
The Contour project currently lacks enough contributors to adequately respond to all Issues.
This bot triages Issues according to the following rules:
- After 60d of inactivity, lifecycle/stale is applied
- After 30d of inactivity since lifecycle/stale was applied, the Issue is closed
You can:
- Mark this Issue as fresh by commenting
- Close this Issue
- Offer to help out with triage
Please send feedback to the #contour channel in the Kubernetes Slack