Hi!
I’m setting up OCSP with Haproxy 3.0.2
Everything is good and well if I download the ocsp repsonse file myself with openssl
But If I’m trying to have haproxy get oscp updates, it fails because I need to go through a corporate proxy to reach out to the issuer URI.
By searching online I found that Apache has an option SSLOCSPProxyURL to do exactly that, I was hoping there was the equivalent with HAProxy.
The only thing I could find here is this person having the same question at the end of a topic.
Thanks
Yep, on 8.x I did not find a way to set this up, on your version did you configure this: HAProxy version 3.0.2-34 - Configuration Manual
Allow to use an HTTP proxy for the OCSP updates. This only works with HTTP,
HTTPS is not supported. This option will allow the OCSP updater to send
absolute URI in the request to the proxy.
1 Like
Thanks Alan!
That fixed my issue… I had browsed through the doc, problem is that searching for “proxy” in the haproxy documentation does not really help !
The only problem I’ll mention, is that it forces me to use the IP address of my proxy server, if I use the hostname it does not even tries to resolve the name and I get the error:
[ALERT] (1) : config : ocsp-update: Failed to parse destination address in invalid address: ‘my.proxy.dns.name’ in ‘my.proxy.dns.name:8080’
[ALERT] (1) : config : parsing [/usr/local/etc/haproxy/haproxy.cfg:25] : (null)
[ALERT] (1) : config : Error(s) found in configuration file : /usr/local/etc/haproxy/haproxy.cfg
[ALERT] (1) : config : Fatal errors found in configuration.