implement OCSP stapling
can verify stapling using openssl s_client -connect hostname:443 -status status_request is RFC6066. there is also status_request_v2 (RFC6961) but this is not implemented even in openssl libs yet
This commit is contained in:
Girish Ramakrishnan
@@ -102,6 +102,12 @@ function isExpiringSync(certFilePath, hours) {
|
||||
return result.status === 1; // 1 - expired 0 - not expired
|
||||
}
|
||||
|
||||
function hasOCSPStapleSync(certFilePath) {
|
||||
if (safe.child_process.execSync(`openssl x509 -text -noout -in ${certFilePath} | grep -q status_request`)) return true;
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
// checks if the certificate matches the options provided by user (like wildcard, le-staging etc)
|
||||
function providerMatchesSync(domainObject, certFilePath, apiOptions) {
|
||||
assert.strictEqual(typeof domainObject, 'object');
|
||||
@@ -382,7 +388,7 @@ function writeDashboardNginxConfig(bundle, configFileName, vhost, callback) {
|
||||
assert.strictEqual(typeof vhost, 'string');
|
||||
assert.strictEqual(typeof callback, 'function');
|
||||
|
||||
var data = {
|
||||
const data = {
|
||||
sourceDir: path.resolve(__dirname, '..'),
|
||||
adminOrigin: settings.adminOrigin(),
|
||||
vhost: vhost,
|
||||
@@ -391,10 +397,11 @@ function writeDashboardNginxConfig(bundle, configFileName, vhost, callback) {
|
||||
certFilePath: bundle.certFilePath,
|
||||
keyFilePath: bundle.keyFilePath,
|
||||
robotsTxtQuoted: JSON.stringify('User-agent: *\nDisallow: /\n'),
|
||||
proxyAuth: { enabled: false, id: null, location: nginxLocation('/') }
|
||||
proxyAuth: { enabled: false, id: null, location: nginxLocation('/') },
|
||||
ocsp: hasOCSPStapleSync(bundle.certFilePath)
|
||||
};
|
||||
var nginxConf = ejs.render(NGINX_APPCONFIG_EJS, data);
|
||||
var nginxConfigFilename = path.join(paths.NGINX_APPCONFIG_DIR, configFileName);
|
||||
const nginxConf = ejs.render(NGINX_APPCONFIG_EJS, data);
|
||||
const nginxConfigFilename = path.join(paths.NGINX_APPCONFIG_DIR, configFileName);
|
||||
|
||||
if (!safe.fs.writeFileSync(nginxConfigFilename, nginxConf)) return callback(new BoxError(BoxError.FS_ERROR, safe.error));
|
||||
|
||||
@@ -456,7 +463,7 @@ function writeAppNginxConfig(app, fqdn, bundle, callback) {
|
||||
if (reverseProxyConfig.csp.includes('frame-ancestors ')) hideHeaders.push('X-Frame-Options');
|
||||
}
|
||||
|
||||
var data = {
|
||||
const data = {
|
||||
sourceDir: sourceDir,
|
||||
adminOrigin: settings.adminOrigin(),
|
||||
vhost: fqdn,
|
||||
@@ -474,9 +481,10 @@ function writeAppNginxConfig(app, fqdn, bundle, callback) {
|
||||
id: app.id,
|
||||
location: nginxLocation(safe.query(app.manifest, 'addons.proxyAuth.path') || '/')
|
||||
},
|
||||
httpPaths: app.manifest.httpPaths || {}
|
||||
httpPaths: app.manifest.httpPaths || {},
|
||||
ocsp: hasOCSPStapleSync(bundle.certFilePath)
|
||||
};
|
||||
var nginxConf = ejs.render(NGINX_APPCONFIG_EJS, data);
|
||||
const nginxConf = ejs.render(NGINX_APPCONFIG_EJS, data);
|
||||
|
||||
const aliasSuffix = app.fqdn === fqdn ? '' : `-alias-${fqdn.replace('*', '_')}`;
|
||||
var nginxConfigFilename = path.join(paths.NGINX_APPCONFIG_DIR, `${app.id}${aliasSuffix}.conf`);
|
||||
@@ -496,7 +504,7 @@ function writeAppRedirectNginxConfig(app, fqdn, bundle, callback) {
|
||||
assert.strictEqual(typeof bundle, 'object');
|
||||
assert.strictEqual(typeof callback, 'function');
|
||||
|
||||
var data = {
|
||||
const data = {
|
||||
sourceDir: path.resolve(__dirname, '..'),
|
||||
vhost: fqdn,
|
||||
redirectTo: app.fqdn,
|
||||
@@ -507,12 +515,13 @@ function writeAppRedirectNginxConfig(app, fqdn, bundle, callback) {
|
||||
robotsTxtQuoted: null,
|
||||
cspQuoted: null,
|
||||
hideHeaders: [],
|
||||
proxyAuth: { enabled: false, id: app.id, location: nginxLocation('/') }
|
||||
proxyAuth: { enabled: false, id: app.id, location: nginxLocation('/') },
|
||||
ocsp: hasOCSPStapleSync(bundle.certFilePath)
|
||||
};
|
||||
var nginxConf = ejs.render(NGINX_APPCONFIG_EJS, data);
|
||||
const nginxConf = ejs.render(NGINX_APPCONFIG_EJS, data);
|
||||
|
||||
// if we change the filename, also change it in unconfigureApp()
|
||||
var nginxConfigFilename = path.join(paths.NGINX_APPCONFIG_DIR, `${app.id}-redirect-${fqdn}.conf`);
|
||||
const nginxConfigFilename = path.join(paths.NGINX_APPCONFIG_DIR, `${app.id}-redirect-${fqdn}.conf`);
|
||||
debug('writing config for "%s" redirecting to "%s" to %s with options %j', app.fqdn, fqdn, nginxConfigFilename, data);
|
||||
|
||||
if (!safe.fs.writeFileSync(nginxConfigFilename, nginxConf)) {
|
||||
@@ -725,7 +734,8 @@ function writeDefaultConfig(options, callback) {
|
||||
certFilePath,
|
||||
keyFilePath,
|
||||
robotsTxtQuoted: JSON.stringify('User-agent: *\nDisallow: /\n'),
|
||||
proxyAuth: { enabled: false, id: null, location: nginxLocation('/') }
|
||||
proxyAuth: { enabled: false, id: null, location: nginxLocation('/') },
|
||||
ocsp: false // self-signed cert
|
||||
};
|
||||
const nginxConf = ejs.render(NGINX_APPCONFIG_EJS, data);
|
||||
const nginxConfigFilename = path.join(paths.NGINX_APPCONFIG_DIR, constants.NGINX_DEFAULT_CONFIG_FILE_NAME);
|
||||
|
||||
Reference in New Issue
Block a user