jjkiers/cloudron-box
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

add a flag to disable ocsp globally

Browse Source 
fixes #796
This commit is contained in:
Girish Ramakrishnan
2021-09-22 09:13:16 -07:00
parent 5b70c055cc
commit dff2275a9b
2 changed files with 23 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
src/reverseproxy.js
View File

@@ -107,9 +107,13 @@ function getExpiryDate(certFilePath) {
return notAfterDate;
}
// We used to check for the must-staple in the cert using openssl x509 -text -noout -in ${certFilePath} | grep -q status_request
// however, we cannot set the must-staple because first request to nginx fails because of it's OCSP caching behavior
function hasOCSPUriSync(certFilePath) {
async function isOcspEnabled(certFilePath) {
// on some servers, OCSP does not work. see #796
const config = await settings.getReverseProxyConfig();
if (!config.ocsp) return false;
// We used to check for the must-staple in the cert using openssl x509 -text -noout -in ${certFilePath} | grep -q status_request
// however, we cannot set the must-staple because first request to nginx fails because of it's OCSP caching behavior
const result = safe.child_process.execSync(`openssl x509 -in ${certFilePath} -noout -ocsp_uri`, { encoding: 'utf8' });
return result && result.length > 0; // no error and has uri
}
@@ -444,7 +448,7 @@ async function writeDashboardNginxConfig(bundle, configFileName, vhost) {
keyFilePath: bundle.keyFilePath,
robotsTxtQuoted: JSON.stringify('User-agent: *\nDisallow: /\n'),
proxyAuth: { enabled: false, id: null, location: nginxLocation('/') },
ocsp: hasOCSPUriSync(bundle.certFilePath)
ocsp: await isOcspEnabled(bundle.certFilePath)
};
const nginxConf = ejs.render(NGINX_APPCONFIG_EJS, data);
const nginxConfigFilename = path.join(paths.NGINX_APPCONFIG_DIR, configFileName);
@@ -503,7 +507,7 @@ async function writeAppNginxConfig(app, fqdn, bundle) {
location: nginxLocation(safe.query(app.manifest, 'addons.proxyAuth.path') || '/')
},
httpPaths: app.manifest.httpPaths || {},
ocsp: hasOCSPUriSync(bundle.certFilePath)
ocsp: await isOcspEnabled(bundle.certFilePath)
};
const nginxConf = ejs.render(NGINX_APPCONFIG_EJS, data);
@@ -536,7 +540,7 @@ async function writeAppRedirectNginxConfig(app, fqdn, bundle) {
cspQuoted: null,
hideHeaders: [],
proxyAuth: { enabled: false, id: app.id, location: nginxLocation('/') },
ocsp: hasOCSPUriSync(bundle.certFilePath)
ocsp: await isOcspEnabled(bundle.certFilePath)
};
const nginxConf = ejs.render(NGINX_APPCONFIG_EJS, data);