PRE-CACHED ssl_stapling_file UNDER EACH CERTIFICATE, DRAMATICALLY IMPROVE STARTUP TIME OF NGINX
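#!/usr/bin/env bash
### CREATE TO SUPPORT PRE-CACHED ssl_stapling_file UNDER EACH CERTIFICATE, DRAMATICALLY IMPROVE STARTUP TIME
#
# Usage: <script> [CERT_ROOT_PATH]
#   CERT_ROOT_PATH  directory holding <name>.crt (leaf certificate) and
#                   <name>.pem (issuer / trusted chain) pairs; defaults to
#                   /etc/ssl/certs.
#
# For every <name>.crt a DER-encoded OCSP response is fetched and stored as
# ${CERT_OCSP_CACHE}/<name>.crt.der so nginx can point ssl_stapling_file at it.
# A cache entry younger than cache_expiration_minutes is left untouched.
# Files whose name contains "localhost" or "ca-bundle" are skipped.
#
# Requires: openssl, GNU stat, mktemp, logger.

# Split only on newlines so certificate paths containing spaces survive the
# glob loop below.
IFS=$'\n'
CERT_ROOT_PATH="${1:-/etc/ssl/certs}"
CERT_OCSP_CACHE="${CERT_ROOT_PATH}"
DIR=$CERT_ROOT_PATH/*.crt
CUR_TIMESTAMP="$(date '+%s')"
cache_expiration_minutes=$((60*13))
cache_expiration_seconds=$((60*cache_expiration_minutes))

if [ ! -d "$CERT_OCSP_CACHE" ]; then
  mkdir -p "$CERT_OCSP_CACHE"
fi

# Private scratch directory instead of the predictable /tmp/<name>.der path:
# a fixed name in a world-writable directory can be pre-created or symlinked
# by another local user before we write the response there.  Removed on every
# exit path by the trap.
TMP_DIR="$(mktemp -d)" || { echo "mktemp failed" >&2; exit 1; }
trap 'rm -rf -- "${TMP_DIR:?}"' EXIT

for file in $DIR; do
  CERT_PUBLIC_KEY="$file"
  # Strip the trailing .crt only; ${var/.crt/.pem} replaced the FIRST ".crt"
  # anywhere in the path, which breaks when a directory name contains ".crt".
  CERT_TRUSTED_CHAIN="${CERT_PUBLIC_KEY%.crt}.pem"
  CERT_FILE_NAME=$(basename "$CERT_PUBLIC_KEY")
  CACHE_FILE="${CERT_OCSP_CACHE}/${CERT_FILE_NAME}.der"
  TMP_FILE="${TMP_DIR}/${CERT_FILE_NAME}.der"
  # mtime (epoch seconds) of an existing cache entry; empty when there is none.
  cache_filemtime=$(stat -c '%Y' "${CACHE_FILE}" 2> /dev/null)

  if [[ "${CERT_FILE_NAME}" =~ "localhost" || "${CERT_FILE_NAME}" =~ "ca-bundle" ]]; then
    echo "Skipping Public Certificate: $CERT_PUBLIC_KEY, trusted key: $CERT_TRUSTED_CHAIN"
  elif [[ -f "${CACHE_FILE}" ]] && [[ $((CUR_TIMESTAMP - cache_filemtime)) -le $cache_expiration_seconds ]]; then
    echo "Skipping Public Certificate: $CERT_PUBLIC_KEY, trusted key: $CERT_TRUSTED_CHAIN due not expired ${CACHE_FILE}"
  else
    echo "Processing Public Certificate: $CERT_PUBLIC_KEY, trusted key: $CERT_TRUSTED_CHAIN"
    # Ask openssl for the AIA OCSP URI directly instead of grep/cut on -text
    # output (cut -d: dropped any port and path after the host).  Only the
    # first URI is used when the certificate lists several.
    OSCP_URI=$(openssl x509 -in "$CERT_PUBLIC_KEY" -noout -ocsp_uri 2> /dev/null | head -n 1)
    # The original tested $? here, which was the status of the last pipeline
    # stage, not of openssl; an empty URI is the real "nothing to query" case.
    if [[ -n "${OSCP_URI}" ]]; then
      # rv holds the exit status of the last openssl ocsp attempt.  openssl
      # still writes -respout when the response fails to verify, so existence
      # of the file alone must not be treated as success.
      rv=0
      openssl ocsp -no_nonce -respout "${TMP_FILE}" -verify_other "${CERT_TRUSTED_CHAIN}" -issuer "${CERT_TRUSTED_CHAIN}" -cert "${CERT_PUBLIC_KEY}" -text -url "${OSCP_URI}" > /dev/null || rv=$?
      if [[ ! -e "${TMP_FILE}" ]]; then
        # Retry with an explicit Host header (responders behind virtual hosts).
        # Host part of the URI: scheme://[user@]host[:port]/...
        OSCP_HEADER=$(sed -E -e 's_.*://([^/@]*@)?([^/:]+).*_\2_' <<< "${OSCP_URI}")
        # NOTE(review): the two-argument "-header NAME VALUE" form is the
        # OpenSSL 1.0.x syntax; 1.1.0+ expects "-header NAME=VALUE" — confirm
        # against the installed version.
        rv=0
        openssl ocsp -no_nonce -respout "${TMP_FILE}" -verify_other "${CERT_TRUSTED_CHAIN}" -issuer "${CERT_TRUSTED_CHAIN}" -cert "${CERT_PUBLIC_KEY}" -text -url "${OSCP_URI}" -header "HOST" "${OSCP_HEADER}" > /dev/null || rv=$?
      fi
      if [[ -e "${TMP_FILE}" ]] && [[ $rv -eq 0 ]]; then
        tee >(logger) <<< "Updating OSCP Cache for $CERT_FILE_NAME at $CERT_OCSP_CACHE/$CERT_FILE_NAME.der"
        # Copy to a sibling temp name and rename so nginx never observes a
        # half-written stapling file.
        if cp -- "${TMP_FILE}" "${CACHE_FILE}.tmp" && mv -f -- "${CACHE_FILE}.tmp" "${CACHE_FILE}"; then
          rm -f -- "${TMP_FILE}"
        else
          tee >(logger) <<< "OSCP Cache has been failed to created for $CERT_FILE_NAME"
          rm -f -- "${CACHE_FILE}.tmp"
        fi
      else
        # Either no response was written or it did not verify against the
        # chain; do not replace any existing (possibly still valid) cache file.
        tee >(logger) <<< "OSCP Cache has been failed to created for $CERT_FILE_NAME"
        rm -f -- "${TMP_FILE}"
      fi
    fi
  fi
done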