
Add proxy option for OCSP stapling requests

Open arulthileeban opened this issue 2 years ago • 1 comment

What would you like to have changed?

The current implementation of OCSP stapling in the package lacks configurability to send requests to the CA through a proxy. It would be beneficial to introduce a configurable option for OCSP stapling, allowing requests to be sent over a proxy.

Why is this feature a useful, necessary, and/or important addition to this project?

In enterprise environments, the ability to utilize OCSP stapling is crucial. However, many enterprises have specific requirements regarding proxy usage for different types of traffic. For instance, requests originating from company servers often need to be routed through a specific proxy when accessing the internet. Therefore, incorporating this feature is vital for the widespread adoption of OCSP stapling through this package in enterprises.

What alternatives are there, or what are you doing in the meantime to work around the lack of this feature?

While environment variables could potentially be used as a workaround, they would enforce all requests to be routed through a single proxy. This limitation may not align with the diverse proxy requirements often found in enterprise environments.

arulthileeban avatar Jan 29 '24 07:01 arulthileeban

Just curious but what happens if you set the HTTP_PROXY env var to that of the proxy and then run the program again? (make sure it then tries to staple with that env var set)

mholt avatar Jan 29 '24 19:01 mholt

I just noticed the end of your issue; I have a question:

While environment variables could potentially be used as a workaround, they would enforce all requests to be routed through a single proxy. This limitation may not align with the diverse proxy requirements often found in enterprise environments.

Is using an env var unacceptable in your use case?

mholt avatar Feb 21 '24 17:02 mholt

Yeah. In our environment, certmagic is used along with a reverse proxy which has multiple outbound connections to different network zones. Defining an environment variable would route all outbound connections through the same proxy, which would render our setup unusable.

arulthileeban avatar Feb 22 '24 21:02 arulthileeban

@arulthileeban So, I believe that would be setting the Proxy field of the http.Transport struct? https://pkg.go.dev/net/http#Transport.Proxy

And it would simply be a function that returns the URL you specify in your config?

mholt avatar Mar 01 '24 17:03 mholt
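The approach described in the comment above, as an added illustration that is not code from the issue author or from certmagic itself: an http.Transport whose Proxy callback returns one proxy URL taken from configuration, so only the OCSP client uses that proxy while the process's other outbound connections are unaffected by HTTP_PROXY. The helper names (ocspProxyTransport, proxyFor) and the proxy hostname are assumptions for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"time"
)

// ocspProxyTransport builds the transport an OCSP client would use.
// When proxyURL is non-empty the Transport.Proxy callback always returns
// that URL; when it is empty Proxy stays nil, so the transport dials directly
// and ignores HTTP_PROXY/HTTPS_PROXY (unlike http.ProxyFromEnvironment).
// Hypothetical helper for this example, not certmagic's own API.
func ocspProxyTransport(proxyURL string) (*http.Transport, error) {
	t := &http.Transport{
		TLSHandshakeTimeout: 10 * time.Second,
	}
	if proxyURL == "" {
		return t, nil
	}
	u, err := url.Parse(proxyURL)
	if err != nil {
		return nil, fmt.Errorf("parsing OCSP proxy URL: %w", err)
	}
	// net/http supports http, https and socks5 proxy URLs; reject anything else
	// at configuration time rather than at the first stapling attempt.
	switch u.Scheme {
	case "http", "https", "socks5":
	default:
		return nil, fmt.Errorf("unsupported OCSP proxy scheme %q", u.Scheme)
	}
	// The callback receives the outgoing request, so a deployment with several
	// network zones could also choose a proxy per req.URL.Host here.
	t.Proxy = func(*http.Request) (*url.URL, error) { return u, nil }
	return t, nil
}

// proxyFor reports which proxy the transport would use for a request to
// target, or "" when the request would be sent directly.
func proxyFor(t *http.Transport, target string) (string, error) {
	if t.Proxy == nil {
		return "", nil
	}
	req, err := http.NewRequest(http.MethodPost, target, nil)
	if err != nil {
		return "", err
	}
	u, err := t.Proxy(req)
	if err != nil || u == nil {
		return "", err
	}
	return u.String(), nil
}

func main() {
	// Constructed sample configurations: no proxy, and an assumed internal proxy.
	for _, cfg := range []string{"", "http://proxy.internal.example:3128"} {
		t, err := ocspProxyTransport(cfg)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		p, _ := proxyFor(t, "http://ocsp.example/")
		fmt.Printf("proxy config %q -> OCSP requests via %q\n", cfg, p)
	}
}
```

Because the proxy choice lives on this one transport rather than in the process environment, a reverse proxy that shares the binary can keep its own transports (and their own zone-specific proxies) untouched, which is the constraint raised earlier in the thread.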

I've implemented a possible solution; let me know if it doesn't work for you 👍

mholt avatar Mar 02 '24 01:03 mholt

Thanks, Matt. I'll try it out.

arulthileeban avatar Mar 04 '24 02:03 arulthileeban