r509-ocsp-responder 0.3.2 → 0.3.3

@@ -1,248 +0,0 @@
1
- <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
2
- "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
3
- <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
4
- <head>
5
- <meta http-equiv="Content-Type" content="text/html; charset=US-ASCII" />
6
- <title>
7
- File: README
8
-
9
- &mdash; Documentation by YARD 0.8.6.1
10
-
11
- </title>
12
-
13
- <link rel="stylesheet" href="css/style.css" type="text/css" charset="utf-8" />
14
-
15
- <link rel="stylesheet" href="css/common.css" type="text/css" charset="utf-8" />
16
-
17
- <script type="text/javascript" charset="utf-8">
18
- hasFrames = window.top.frames.main ? true : false;
19
- relpath = '';
20
- framesUrl = "frames.html#!" + escape(window.location.href);
21
- </script>
22
-
23
-
24
- <script type="text/javascript" charset="utf-8" src="js/jquery.js"></script>
25
-
26
- <script type="text/javascript" charset="utf-8" src="js/app.js"></script>
27
-
28
-
29
- </head>
30
- <body>
31
- <div id="header">
32
- <div id="menu">
33
-
34
- <a href="_index.html">Index</a> &raquo;
35
- <span class="title">File: README</span>
36
-
37
-
38
- <div class="noframes"><span class="title">(</span><a href="." target="_top">no frames</a><span class="title">)</span></div>
39
- </div>
40
-
41
- <div id="search">
42
-
43
- <a class="full_list_link" id="class_list_link"
44
- href="class_list.html">
45
- Class List
46
- </a>
47
-
48
- <a class="full_list_link" id="method_list_link"
49
- href="method_list.html">
50
- Method List
51
- </a>
52
-
53
- <a class="full_list_link" id="file_list_link"
54
- href="file_list.html">
55
- File List
56
- </a>
57
-
58
- </div>
59
- <div class="clear"></div>
60
- </div>
61
-
62
- <iframe id="search_frame"></iframe>
63
-
64
- <div id="content"><div id='filecontents'><h1>r509-ocsp-responder <a href="http://travis-ci.org/reaperhulk/r509-ocsp-responder"><img src="https://secure.travis-ci.org/reaperhulk/r509-ocsp-responder.png" alt="Build Status"></a></h1>
65
-
66
- <p>r509-ocsp-responder is an OCSP responder written using <a href="https://github.com/reaperhulk/r509">r509</a> and Sinatra to conform to RFC <a href="http://www.ietf.org/rfc/rfc2560.txt">2560</a> and <a href="http://www.ietf.org/rfc/rfc5019.txt">5019</a>.</p>
67
-
68
- <h2>Requirements</h2>
69
-
70
- <p>r509-ocsp-responder depends on <a href="https://github.com/reaperhulk/r509">r509</a>, <a href="http://redis.io">redis</a>, <a href="https://github.com/sirsean/r509-validity-redis">r509-validity-redis</a> (or another library that implements R509::Validity), <a href="http://sinatrarb.com">sinatra</a>, and <a href="https://github.com/sirsean/dependo">dependo</a>. Optionally, you can install <a href="https://github.com/sirsean/r509-ocsp-stats">r509-ocsp-stats</a> for stats collection. These must be installed as gems.</p>
71
-
72
- <h2>Basic Usage</h2>
73
-
74
- <h3>Build/Install</h3>
75
-
76
- <p>If you have cloned the repo you can build the gem with <code>rake gem:build</code> and install with <code>rake gem:install</code> . Alternately you can use a prebuilt gem by typing <code>gem install r509-ocsp-responder</code> .</p>
77
-
78
- <h3>Set Up config.ru</h3>
79
-
80
- <p>Save the below into a config.ru (or rackup) file</p>
81
-
82
- <pre class="code ruby"><code class="ruby"><span class='id identifier rubyid_require'>require</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>r509</span><span class='tstring_end'>&quot;</span></span>
83
- <span class='id identifier rubyid_require'>require</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>dependo</span><span class='tstring_end'>&quot;</span></span>
84
- <span class='id identifier rubyid_require'>require</span> <span class='tstring'><span class='tstring_beg'>'</span><span class='tstring_content'>r509/ocsp/responder/server</span><span class='tstring_end'>'</span></span>
85
-
86
- <span class='const'>Dependo</span><span class='op'>::</span><span class='const'>Registry</span><span class='lbracket'>[</span><span class='symbol'>:log</span><span class='rbracket'>]</span> <span class='op'>=</span> <span class='const'>Logger</span><span class='period'>.</span><span class='id identifier rubyid_new'>new</span><span class='lparen'>(</span><span class='const'>STDOUT</span><span class='rparen'>)</span>
87
-
88
- <span class='id identifier rubyid_require'>require</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>r509/validity/redis</span><span class='tstring_end'>&quot;</span></span>
89
- <span class='id identifier rubyid_require'>require</span> <span class='tstring'><span class='tstring_beg'>'</span><span class='tstring_content'>redis</span><span class='tstring_end'>'</span></span>
90
- <span class='kw'>begin</span>
91
- <span class='id identifier rubyid_gem'>gem</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>hiredis</span><span class='tstring_end'>&quot;</span></span>
92
- <span class='const'>Dependo</span><span class='op'>::</span><span class='const'>Registry</span><span class='lbracket'>[</span><span class='symbol'>:log</span><span class='rbracket'>]</span><span class='period'>.</span><span class='id identifier rubyid_warn'>warn</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>Loading redis with hiredis driver</span><span class='tstring_end'>&quot;</span></span>
93
- <span class='id identifier rubyid_redis'>redis</span> <span class='op'>=</span> <span class='const'>Redis</span><span class='period'>.</span><span class='id identifier rubyid_new'>new</span><span class='lparen'>(</span><span class='symbol'>:driver</span> <span class='op'>=&gt;</span> <span class='symbol'>:hiredis</span><span class='rparen'>)</span>
94
- <span class='kw'>rescue</span> <span class='const'>Gem</span><span class='op'>::</span><span class='const'>LoadError</span>
95
- <span class='const'>Dependo</span><span class='op'>::</span><span class='const'>Registry</span><span class='lbracket'>[</span><span class='symbol'>:log</span><span class='rbracket'>]</span><span class='period'>.</span><span class='id identifier rubyid_warn'>warn</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>Loading redis with standard ruby driver</span><span class='tstring_end'>&quot;</span></span>
96
- <span class='id identifier rubyid_redis'>redis</span> <span class='op'>=</span> <span class='const'>Redis</span><span class='period'>.</span><span class='id identifier rubyid_new'>new</span>
97
- <span class='kw'>end</span>
98
- <span class='const'>Dependo</span><span class='op'>::</span><span class='const'>Registry</span><span class='lbracket'>[</span><span class='symbol'>:validity_checker</span><span class='rbracket'>]</span> <span class='op'>=</span> <span class='const'>R509</span><span class='op'>::</span><span class='const'>Validity</span><span class='op'>::</span><span class='const'>Redis</span><span class='op'>::</span><span class='const'>Checker</span><span class='period'>.</span><span class='id identifier rubyid_new'>new</span><span class='lparen'>(</span><span class='id identifier rubyid_redis'>redis</span><span class='rparen'>)</span>
99
-
100
-
101
- <span class='const'>R509</span><span class='op'>::</span><span class='const'>OCSP</span><span class='op'>::</span><span class='const'>Responder</span><span class='op'>::</span><span class='const'>OCSPConfig</span><span class='period'>.</span><span class='id identifier rubyid_load_config'>load_config</span>
102
-
103
- <span class='const'>R509</span><span class='op'>::</span><span class='const'>OCSP</span><span class='op'>::</span><span class='const'>Responder</span><span class='op'>::</span><span class='const'>OCSPConfig</span><span class='period'>.</span><span class='id identifier rubyid_print_config'>print_config</span>
104
-
105
- <span class='comment'># Uncomment the next two lines if you want to collect stats via r509-ocsp-stats
106
- </span><span class='comment'># require &quot;r509/ocsp/stats/redis&quot;
107
- </span><span class='comment'># Dependo::Registry[:stats] = R509::OCSP::Stats::Redis.new
108
- </span>
109
- <span class='id identifier rubyid_responder'>responder</span> <span class='op'>=</span> <span class='const'>R509</span><span class='op'>::</span><span class='const'>OCSP</span><span class='op'>::</span><span class='const'>Responder</span><span class='op'>::</span><span class='const'>Server</span>
110
- <span class='id identifier rubyid_run'>run</span> <span class='id identifier rubyid_responder'>responder</span>
111
- </code></pre>
112
-
113
- <h3>Configure config.yaml</h3>
114
-
115
- <p>The config.yaml contains certificate authority nodes as well as options like copy_nonce (documented below). Each CA node has an arbitrary name like test_ca and contains a ca_cert and (optional) ocsp_cert node. If you want to sign OCSP responses directly from your root you&#39;ll set your config up like this:</p>
116
-
117
- <pre class="code yaml"><code class="yaml">copy_nonce: true
118
- cache_headers: true
119
- max_cache_age: 60
120
- certificate_authorities: {
121
- second_ca: {
122
- ca_cert: {
123
- cert: &quot;spec/fixtures/second_ca.cer&quot;,
124
- key: &quot;spec/fixtures/second_ca.key&quot;
125
- }
126
- }
127
- }
128
- </code></pre>
129
-
130
- <p>If you want to use an OCSP delegate</p>
131
-
132
- <pre class="code yaml"><code class="yaml">copy_nonce: true
133
- cache_headers: true
134
- max_cache_age: 60
135
- certificate_authorities: {
136
- test_ca: {
137
- ca_cert: {
138
- cert: &quot;spec/fixtures/test_ca.cer&quot;
139
- },
140
- ocsp_cert: {
141
- cert: &quot;spec/fixtures/test_ca_ocsp.cer&quot;,
142
- key: &quot;spec/fixtures/test_ca_ocsp.key&quot;
143
- }
144
- }
145
- }
146
- </code></pre>
147
-
148
- <p>Finally, if you&#39;re responding for multiple roots you specify them like so:</p>
149
-
150
- <pre class="code yaml"><code class="yaml">copy_nonce: true
151
- cache_headers: true
152
- max_cache_age: 60
153
- certificate_authorities: {
154
- test_ca: {
155
- ca_cert: {
156
- cert: &quot;spec/fixtures/test_ca.cer&quot;
157
- },
158
- ocsp_cert: {
159
- cert: &quot;spec/fixtures/test_ca_ocsp.cer&quot;,
160
- key: &quot;spec/fixtures/test_ca_ocsp.key&quot;
161
- }
162
- },
163
- second_ca: {
164
- ca_cert: {
165
- cert: &quot;spec/fixtures/second_ca.cer&quot;,
166
- key: &quot;spec/fixtures/second_ca.key&quot;
167
- }
168
- }
169
- }
170
- </code></pre>
171
-
172
- <h3>Configure Thin &amp; nginx</h3>
173
-
174
- <p>The example below is an example yaml config for thin. You will want to have as many servers as you have cores.</p>
175
-
176
- <pre class="code yaml"><code class="yaml">chdir: /var/www/r509-ocsp-responder
177
- rackup: /var/www/r509-ocsp-responder/config.ru
178
- socket: /var/run/r509-ocsp-responder.sock
179
- pid: /var/run/r509-ocsp-responder.pid
180
- servers: 2
181
- daemonize: true
182
- log: /var/log/r509-ocsp-responder.log
183
- </code></pre>
184
-
185
- <p>Since this config is just using sockets let&#39;s set up nginx as a reverse proxy for the thin instances. We can also use this as a caching layer if we choose to enable cache_headers.</p>
186
-
187
- <pre class="code ruby"><code class="ruby">proxy_cache_path /var/www/cache levels=1:2 keys_zone=ocsp:8m max_size=16m inactive=64m;
188
- proxy_temp_path /var/www/cache/tmp;
189
-
190
- upstream thin_ocsp_responder{
191
- server unix:/var/run/r509-ocsp-responder.0.sock fail_timeout=0;
192
- server unix:/var/run/r509-ocsp-responder.1.sock fail_timeout=0;
193
- }
194
- server {
195
- listen 80;
196
- server_name ocsp.r509.org;
197
-
198
- location / {
199
- proxy_pass http://thin_ocsp_responder;
200
- proxy_cache ocsp;
201
- proxy_cache_use_stale updating;
202
- }
203
- }
204
- </code></pre>
205
-
206
- <p>Within the location block you may also choose to add these directives:</p>
207
-
208
- <pre class="code ruby"><code class="ruby">proxy_cache_methods GET POST;
209
- proxy_cache_valid 200 302 1m;
210
- </code></pre>
211
-
212
- <p>If present, these lines will cause 200 and 302 responses to POST and GET to be cached for 1 minute. This allows you to cache POST requests (Note: Per the HTTP RFC POST requests should not be cached) in addition to the GET requests normally supported by the ruby layer. <strong>NOTE:</strong> The proxy_cache_valid values are lower priority than caching headers sent by the thin instances so if you do not keep the value here in sync with the max_cache_age config (or turn off cache_headers entirely and solely control it through nginx) you will have mismatched cache times. Additionally, this will cache nonced responses, which wastes RAM since they will not be re-used.</p>
213
-
214
- <p>If you would like to track the cache utilization you can also modify the nginx logging to track cache hits. There are a variety of ways this can be accomplisehd, but one of the simplest is simply to alter your log_format line to add <code>$upstream_cache_status</code>.</p>
215
-
216
- <h2>Options</h2>
217
-
218
- <p>This OCSP responder supports several optional flags (in addition to supporting an arbitrary number of responder certificates).</p>
219
-
220
- <ul>
221
- <li><p><strong>copy_nonce</strong> - (true/false) Sets whether to copy the nonce from request to response (if present)</p></li>
222
- <li><p><strong>cache_headers</strong> - (true/false) Sets whether to set HTTP headers for caching GET responses. Coupled with a reverse proxy you can cache responses for a finite period and vastly speed up the response time of your server (at the cost of response freshness). Nonced requests will not be cached. The performance benefit of caching can vary drastically depending on the mix of clients connecting to the OCSP responder.</p></li>
223
- <li><p><strong>max_cache_age</strong> - (integer) Sets the maximum age in <strong>seconds</strong> a response can be cached. At this time r509-ocsp-responder does not support cache invalidation so it is recommended to set this to a low value to reduce the time you may serve stale responses in the event of a revocation.</p></li>
224
- </ul>
225
-
226
- <h2>Signals</h2>
227
-
228
- <p>You can send a kill -USR2 signal to any running r509-ocsp-responder process to cause it to reload and print its config to the logs (provided your app server isn&#39;t trapping USR2 first).</p>
229
-
230
- <h2>Running Tests</h2>
231
-
232
- <p>You&#39;ll need rspec, rake, and rack-test to run the tests. With these gems in place run <code>rake spec</code></p>
233
-
234
- <h2>Future Ideas</h2>
235
-
236
- <ul>
237
- <li>Devise a mechanism for doing automated OCSP delegate certificate renewal</li>
238
- </ul>
239
- </div></div>
240
-
241
- <div id="footer">
242
- Generated on Tue Apr 16 13:57:16 2013 by
243
- <a href="http://yardoc.org" title="Yay! A Ruby Documentation Tool" target="_parent">yard</a>
244
- 0.8.6.1 (ruby-1.9.3).
245
- </div>
246
-
247
- </body>
248
- </html>
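Review bot: This hunk deletes the whole generated YARD README page (248 lines to 0) rather than editing it, so there is nothing to review line by line; the check that matters is that the gemspec file list (or .gitignore) now excludes the generated doc output, otherwise the next `yard` run will put this file straight back, and that the README source this page was rendered from still ships with the gem, since this page was the only copy in the diff of the config.ru, config.yaml and nginx examples. Minor: the page declares `charset=US-ASCII` on line 5 while its stylesheets are loaded as utf-8, a mismatch that disappears with the deletion.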
@@ -1,55 +0,0 @@
1
- <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
2
- "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
3
- <html>
4
- <head>
5
- <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
6
-
7
- <link rel="stylesheet" href="css/full_list.css" type="text/css" media="screen" charset="utf-8" />
8
-
9
- <link rel="stylesheet" href="css/common.css" type="text/css" media="screen" charset="utf-8" />
10
-
11
-
12
-
13
- <script type="text/javascript" charset="utf-8" src="js/jquery.js"></script>
14
-
15
- <script type="text/javascript" charset="utf-8" src="js/full_list.js"></script>
16
-
17
-
18
- <base id="base_target" target="_parent" />
19
- </head>
20
- <body>
21
- <script type="text/javascript" charset="utf-8">
22
- if (window.top.frames.main) {
23
- document.getElementById('base_target').target = 'main';
24
- document.body.className = 'frames';
25
- }
26
- </script>
27
- <div id="content">
28
- <h1 id="full_list_header">File List</h1>
29
- <div id="nav">
30
-
31
- <span><a target="_self" href="class_list.html">
32
- Classes
33
- </a></span>
34
-
35
- <span><a target="_self" href="method_list.html">
36
- Methods
37
- </a></span>
38
-
39
- <span><a target="_self" href="file_list.html">
40
- Files
41
- </a></span>
42
-
43
- </div>
44
- <div id="search">Search: <input type="text" /></div>
45
-
46
- <ul id="full_list" class="file">
47
-
48
-
49
- <li class="r1"><span class="object_link"><a href="index.html" title="README">README</a></a></li>
50
-
51
-
52
- </ul>
53
- </div>
54
- </body>
55
- </html>
@@ -1,28 +0,0 @@
1
- <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Frameset//EN"
2
- "http://www.w3.org/TR/xhtml1/DTD/xhtml1-frameset.dtd">
3
-
4
- <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
5
- <head>
6
- <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
7
- <title>Documentation by YARD 0.8.6.1</title>
8
- </head>
9
- <script type="text/javascript" charset="utf-8">
10
- window.onload = function() {
11
- var match = window.location.hash.match(/^#!(.+)/);
12
- var name = 'index.html';
13
- if (match) {
14
- name = unescape(match[1]);
15
- }
16
- document.writeln('<frameset cols="20%,*">' +
17
- '<frame name="list" src="class_list.html" />' +
18
- '<frame name="main" src="' + name + '" />' +
19
- '</frameset>');
20
- }
21
- </script>
22
- <noscript>
23
- <frameset cols="20%,*">
24
- <frame name="list" src="class_list.html" />
25
- <frame name="main" src="index.html" />
26
- </frameset>
27
- </noscript>
28
- </html>
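Review bot: Removing this frames page also removes a DOM-injection surface from the shipped docs: lines 10 to 20 take `match[1]` from `window.location.hash`, pass it through `unescape`, and splice it without any escaping into `'<frame name="main" src="' + name + '" />'` via `document.writeln`, so a hosted copy of these docs would render whatever fragment text a link carried straight into markup. Deleting the file is the right fix for a gem; if generated docs are ever reinstated, regenerate them with a newer YARD release that escapes this value instead of restoring this file from history.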
@@ -1,248 +0,0 @@
1
- <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
2
- "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
3
- <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
4
- <head>
5
- <meta http-equiv="Content-Type" content="text/html; charset=US-ASCII" />
6
- <title>
7
- File: README
8
-
9
- &mdash; Documentation by YARD 0.8.6.1
10
-
11
- </title>
12
-
13
- <link rel="stylesheet" href="css/style.css" type="text/css" charset="utf-8" />
14
-
15
- <link rel="stylesheet" href="css/common.css" type="text/css" charset="utf-8" />
16
-
17
- <script type="text/javascript" charset="utf-8">
18
- hasFrames = window.top.frames.main ? true : false;
19
- relpath = '';
20
- framesUrl = "frames.html#!" + escape(window.location.href);
21
- </script>
22
-
23
-
24
- <script type="text/javascript" charset="utf-8" src="js/jquery.js"></script>
25
-
26
- <script type="text/javascript" charset="utf-8" src="js/app.js"></script>
27
-
28
-
29
- </head>
30
- <body>
31
- <div id="header">
32
- <div id="menu">
33
-
34
- <a href="_index.html">Index</a> &raquo;
35
- <span class="title">File: README</span>
36
-
37
-
38
- <div class="noframes"><span class="title">(</span><a href="." target="_top">no frames</a><span class="title">)</span></div>
39
- </div>
40
-
41
- <div id="search">
42
-
43
- <a class="full_list_link" id="class_list_link"
44
- href="class_list.html">
45
- Class List
46
- </a>
47
-
48
- <a class="full_list_link" id="method_list_link"
49
- href="method_list.html">
50
- Method List
51
- </a>
52
-
53
- <a class="full_list_link" id="file_list_link"
54
- href="file_list.html">
55
- File List
56
- </a>
57
-
58
- </div>
59
- <div class="clear"></div>
60
- </div>
61
-
62
- <iframe id="search_frame"></iframe>
63
-
64
- <div id="content"><div id='filecontents'><h1>r509-ocsp-responder <a href="http://travis-ci.org/reaperhulk/r509-ocsp-responder"><img src="https://secure.travis-ci.org/reaperhulk/r509-ocsp-responder.png" alt="Build Status"></a></h1>
65
-
66
- <p>r509-ocsp-responder is an OCSP responder written using <a href="https://github.com/reaperhulk/r509">r509</a> and Sinatra to conform to RFC <a href="http://www.ietf.org/rfc/rfc2560.txt">2560</a> and <a href="http://www.ietf.org/rfc/rfc5019.txt">5019</a>.</p>
67
-
68
- <h2>Requirements</h2>
69
-
70
- <p>r509-ocsp-responder depends on <a href="https://github.com/reaperhulk/r509">r509</a>, <a href="http://redis.io">redis</a>, <a href="https://github.com/sirsean/r509-validity-redis">r509-validity-redis</a> (or another library that implements R509::Validity), <a href="http://sinatrarb.com">sinatra</a>, and <a href="https://github.com/sirsean/dependo">dependo</a>. Optionally, you can install <a href="https://github.com/sirsean/r509-ocsp-stats">r509-ocsp-stats</a> for stats collection. These must be installed as gems.</p>
71
-
72
- <h2>Basic Usage</h2>
73
-
74
- <h3>Build/Install</h3>
75
-
76
- <p>If you have cloned the repo you can build the gem with <code>rake gem:build</code> and install with <code>rake gem:install</code> . Alternately you can use a prebuilt gem by typing <code>gem install r509-ocsp-responder</code> .</p>
77
-
78
- <h3>Set Up config.ru</h3>
79
-
80
- <p>Save the below into a config.ru (or rackup) file</p>
81
-
82
- <pre class="code ruby"><code class="ruby"><span class='id identifier rubyid_require'>require</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>r509</span><span class='tstring_end'>&quot;</span></span>
83
- <span class='id identifier rubyid_require'>require</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>dependo</span><span class='tstring_end'>&quot;</span></span>
84
- <span class='id identifier rubyid_require'>require</span> <span class='tstring'><span class='tstring_beg'>'</span><span class='tstring_content'>r509/ocsp/responder/server</span><span class='tstring_end'>'</span></span>
85
-
86
- <span class='const'>Dependo</span><span class='op'>::</span><span class='const'>Registry</span><span class='lbracket'>[</span><span class='symbol'>:log</span><span class='rbracket'>]</span> <span class='op'>=</span> <span class='const'>Logger</span><span class='period'>.</span><span class='id identifier rubyid_new'>new</span><span class='lparen'>(</span><span class='const'>STDOUT</span><span class='rparen'>)</span>
87
-
88
- <span class='id identifier rubyid_require'>require</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>r509/validity/redis</span><span class='tstring_end'>&quot;</span></span>
89
- <span class='id identifier rubyid_require'>require</span> <span class='tstring'><span class='tstring_beg'>'</span><span class='tstring_content'>redis</span><span class='tstring_end'>'</span></span>
90
- <span class='kw'>begin</span>
91
- <span class='id identifier rubyid_gem'>gem</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>hiredis</span><span class='tstring_end'>&quot;</span></span>
92
- <span class='const'>Dependo</span><span class='op'>::</span><span class='const'>Registry</span><span class='lbracket'>[</span><span class='symbol'>:log</span><span class='rbracket'>]</span><span class='period'>.</span><span class='id identifier rubyid_warn'>warn</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>Loading redis with hiredis driver</span><span class='tstring_end'>&quot;</span></span>
93
- <span class='id identifier rubyid_redis'>redis</span> <span class='op'>=</span> <span class='const'>Redis</span><span class='period'>.</span><span class='id identifier rubyid_new'>new</span><span class='lparen'>(</span><span class='symbol'>:driver</span> <span class='op'>=&gt;</span> <span class='symbol'>:hiredis</span><span class='rparen'>)</span>
94
- <span class='kw'>rescue</span> <span class='const'>Gem</span><span class='op'>::</span><span class='const'>LoadError</span>
95
- <span class='const'>Dependo</span><span class='op'>::</span><span class='const'>Registry</span><span class='lbracket'>[</span><span class='symbol'>:log</span><span class='rbracket'>]</span><span class='period'>.</span><span class='id identifier rubyid_warn'>warn</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>Loading redis with standard ruby driver</span><span class='tstring_end'>&quot;</span></span>
96
- <span class='id identifier rubyid_redis'>redis</span> <span class='op'>=</span> <span class='const'>Redis</span><span class='period'>.</span><span class='id identifier rubyid_new'>new</span>
97
- <span class='kw'>end</span>
98
- <span class='const'>Dependo</span><span class='op'>::</span><span class='const'>Registry</span><span class='lbracket'>[</span><span class='symbol'>:validity_checker</span><span class='rbracket'>]</span> <span class='op'>=</span> <span class='const'>R509</span><span class='op'>::</span><span class='const'>Validity</span><span class='op'>::</span><span class='const'>Redis</span><span class='op'>::</span><span class='const'>Checker</span><span class='period'>.</span><span class='id identifier rubyid_new'>new</span><span class='lparen'>(</span><span class='id identifier rubyid_redis'>redis</span><span class='rparen'>)</span>
99
-
100
-
101
- <span class='const'>R509</span><span class='op'>::</span><span class='const'>OCSP</span><span class='op'>::</span><span class='const'>Responder</span><span class='op'>::</span><span class='const'>OCSPConfig</span><span class='period'>.</span><span class='id identifier rubyid_load_config'>load_config</span>
102
-
103
- <span class='const'>R509</span><span class='op'>::</span><span class='const'>OCSP</span><span class='op'>::</span><span class='const'>Responder</span><span class='op'>::</span><span class='const'>OCSPConfig</span><span class='period'>.</span><span class='id identifier rubyid_print_config'>print_config</span>
104
-
105
- <span class='comment'># Uncomment the next two lines if you want to collect stats via r509-ocsp-stats
106
- </span><span class='comment'># require &quot;r509/ocsp/stats/redis&quot;
107
- </span><span class='comment'># Dependo::Registry[:stats] = R509::OCSP::Stats::Redis.new
108
- </span>
109
- <span class='id identifier rubyid_responder'>responder</span> <span class='op'>=</span> <span class='const'>R509</span><span class='op'>::</span><span class='const'>OCSP</span><span class='op'>::</span><span class='const'>Responder</span><span class='op'>::</span><span class='const'>Server</span>
110
- <span class='id identifier rubyid_run'>run</span> <span class='id identifier rubyid_responder'>responder</span>
111
- </code></pre>
112
-
113
- <h3>Configure config.yaml</h3>
114
-
115
- <p>The config.yaml contains certificate authority nodes as well as options like copy_nonce (documented below). Each CA node has an arbitrary name like test_ca and contains a ca_cert and (optional) ocsp_cert node. If you want to sign OCSP responses directly from your root you&#39;ll set your config up like this:</p>
116
-
117
- <pre class="code yaml"><code class="yaml">copy_nonce: true
118
- cache_headers: true
119
- max_cache_age: 60
120
- certificate_authorities: {
121
- second_ca: {
122
- ca_cert: {
123
- cert: &quot;spec/fixtures/second_ca.cer&quot;,
124
- key: &quot;spec/fixtures/second_ca.key&quot;
125
- }
126
- }
127
- }
128
- </code></pre>
129
-
130
- <p>If you want to use an OCSP delegate</p>
131
-
132
- <pre class="code yaml"><code class="yaml">copy_nonce: true
133
- cache_headers: true
134
- max_cache_age: 60
135
- certificate_authorities: {
136
- test_ca: {
137
- ca_cert: {
138
- cert: &quot;spec/fixtures/test_ca.cer&quot;
139
- },
140
- ocsp_cert: {
141
- cert: &quot;spec/fixtures/test_ca_ocsp.cer&quot;,
142
- key: &quot;spec/fixtures/test_ca_ocsp.key&quot;
143
- }
144
- }
145
- }
146
- </code></pre>
147
-
148
- <p>Finally, if you&#39;re responding for multiple roots you specify them like so:</p>
149
-
150
- <pre class="code yaml"><code class="yaml">copy_nonce: true
151
- cache_headers: true
152
- max_cache_age: 60
153
- certificate_authorities: {
154
- test_ca: {
155
- ca_cert: {
156
- cert: &quot;spec/fixtures/test_ca.cer&quot;
157
- },
158
- ocsp_cert: {
159
- cert: &quot;spec/fixtures/test_ca_ocsp.cer&quot;,
160
- key: &quot;spec/fixtures/test_ca_ocsp.key&quot;
161
- }
162
- },
163
- second_ca: {
164
- ca_cert: {
165
- cert: &quot;spec/fixtures/second_ca.cer&quot;,
166
- key: &quot;spec/fixtures/second_ca.key&quot;
167
- }
168
- }
169
- }
170
- </code></pre>
171
-
172
- <h3>Configure Thin &amp; nginx</h3>
173
-
174
- <p>The example below is an example yaml config for thin. You will want to have as many servers as you have cores.</p>
175
-
176
- <pre class="code yaml"><code class="yaml">chdir: /var/www/r509-ocsp-responder
177
- rackup: /var/www/r509-ocsp-responder/config.ru
178
- socket: /var/run/r509-ocsp-responder.sock
179
- pid: /var/run/r509-ocsp-responder.pid
180
- servers: 2
181
- daemonize: true
182
- log: /var/log/r509-ocsp-responder.log
183
- </code></pre>
184
-
185
- <p>Since this config is just using sockets let&#39;s set up nginx as a reverse proxy for the thin instances. We can also use this as a caching layer if we choose to enable cache_headers.</p>
186
-
187
- <pre class="code ruby"><code class="ruby">proxy_cache_path /var/www/cache levels=1:2 keys_zone=ocsp:8m max_size=16m inactive=64m;
188
- proxy_temp_path /var/www/cache/tmp;
189
-
190
- upstream thin_ocsp_responder{
191
- server unix:/var/run/r509-ocsp-responder.0.sock fail_timeout=0;
192
- server unix:/var/run/r509-ocsp-responder.1.sock fail_timeout=0;
193
- }
194
- server {
195
- listen 80;
196
- server_name ocsp.r509.org;
197
-
198
- location / {
199
- proxy_pass http://thin_ocsp_responder;
200
- proxy_cache ocsp;
201
- proxy_cache_use_stale updating;
202
- }
203
- }
204
- </code></pre>
205
-
206
- <p>Within the location block you may also choose to add these directives:</p>
207
-
208
- <pre class="code ruby"><code class="ruby">proxy_cache_methods GET POST;
209
- proxy_cache_valid 200 302 1m;
210
- </code></pre>
211
-
212
- <p>If present, these lines will cause 200 and 302 responses to POST and GET to be cached for 1 minute. This allows you to cache POST requests (Note: Per the HTTP RFC POST requests should not be cached) in addition to the GET requests normally supported by the ruby layer. <strong>NOTE:</strong> The proxy_cache_valid values are lower priority than caching headers sent by the thin instances so if you do not keep the value here in sync with the max_cache_age config (or turn off cache_headers entirely and solely control it through nginx) you will have mismatched cache times. Additionally, this will cache nonced responses, which wastes RAM since they will not be re-used.</p>
213
-
214
- <p>If you would like to track the cache utilization you can also modify the nginx logging to track cache hits. There are a variety of ways this can be accomplisehd, but one of the simplest is simply to alter your log_format line to add <code>$upstream_cache_status</code>.</p>
215
-
216
- <h2>Options</h2>
217
-
218
- <p>This OCSP responder supports several optional flags (in addition to supporting an arbitrary number of responder certificates).</p>
219
-
220
- <ul>
221
- <li><p><strong>copy_nonce</strong> - (true/false) Sets whether to copy the nonce from request to response (if present)</p></li>
222
- <li><p><strong>cache_headers</strong> - (true/false) Sets whether to set HTTP headers for caching GET responses. Coupled with a reverse proxy you can cache responses for a finite period and vastly speed up the response time of your server (at the cost of response freshness). Nonced requests will not be cached. The performance benefit of caching can vary drastically depending on the mix of clients connecting to the OCSP responder.</p></li>
223
- <li><p><strong>max_cache_age</strong> - (integer) Sets the maximum age in <strong>seconds</strong> a response can be cached. At this time r509-ocsp-responder does not support cache invalidation so it is recommended to set this to a low value to reduce the time you may serve stale responses in the event of a revocation.</p></li>
224
- </ul>
225
-
226
- <h2>Signals</h2>
227
-
228
- <p>You can send a kill -USR2 signal to any running r509-ocsp-responder process to cause it to reload and print its config to the logs (provided your app server isn&#39;t trapping USR2 first).</p>
229
-
230
- <h2>Running Tests</h2>
231
-
232
- <p>You&#39;ll need rspec, rake, and rack-test to run the tests. With these gems in place run <code>rake spec</code></p>
233
-
234
- <h2>Future Ideas</h2>
235
-
236
- <ul>
237
- <li>Devise a mechanism for doing automated OCSP delegate certificate renewal</li>
238
- </ul>
239
- </div></div>
240
-
241
- <div id="footer">
242
- Generated on Tue Apr 16 13:57:16 2013 by
243
- <a href="http://yardoc.org" title="Yay! A Ruby Documentation Tool" target="_parent">yard</a>
244
- 0.8.6.1 (ruby-1.9.3).
245
- </div>
246
-
247
- </body>
248
- </html>
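Review bot: This 248-line deletion is identical to the first hunk in the diff (YARD writes the README out as both the index page and a file page), so the same two points apply and need no repeating here; one suggestion is to exclude the entire generated doc directory from the gemspec file list rather than these pages individually, so that duplicate copies like this one cannot come back one at a time.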