Nginx · devops · ~30 mins

OCSP stapling in Nginx - Mini Project: Build & Apply

Enable OCSP Stapling in Nginx
📖 Scenario: You manage a website using Nginx as the web server. To improve your website's security and speed, you want to enable OCSP stapling. This helps browsers quickly check if your SSL certificate is valid without contacting the certificate authority every time.
🎯 Goal: Configure Nginx to enable OCSP stapling for your SSL-enabled website.
📋 What You'll Learn
Create a basic Nginx server block with SSL enabled
Add configuration directives to enable OCSP stapling
Reload Nginx to apply the changes
Verify that OCSP stapling is enabled
💡 Why This Matters
🌍 Real World
OCSP stapling improves website security and speeds up SSL certificate validation by reducing the need for browsers to contact certificate authorities directly.
💼 Career
Knowing how to enable and verify OCSP stapling is important for DevOps engineers and system administrators managing secure web servers.
Step 1: Create a basic Nginx server block with SSL
Create a file called default.conf with a server block listening on port 443. Use ssl_certificate set to /etc/ssl/certs/example.crt and ssl_certificate_key set to /etc/ssl/private/example.key. Include listen 443 ssl; inside the server block.
Hint: Use listen 443 ssl; to enable SSL on port 443. Specify the certificate and key paths exactly as given.

Step 2: Add OCSP stapling configuration directives
Inside the existing server block, add the directives ssl_stapling on; and ssl_stapling_verify on;. Also add resolver 8.8.8.8 8.8.4.4 valid=300s; and resolver_timeout 5s;. The resolver directives are needed because Nginx must look up the hostname of the CA's OCSP responder before it can fetch and staple the response.
Hint: Add the four directives exactly as shown inside the server block to enable OCSP stapling.

Step 3: Reload Nginx to apply the configuration
Run the command sudo nginx -t to test the configuration syntax. Then run sudo systemctl reload nginx to reload Nginx with the new settings.
Hint: First test the config with sudo nginx -t. If it says syntax is ok, reload Nginx with sudo systemctl reload nginx.

Step 4: Verify OCSP stapling is enabled
Run the command openssl s_client -connect example.com:443 -status and check the output for the line OCSP response: successful to confirm OCSP stapling is working.
Hint: Use openssl s_client -connect example.com:443 -status and look for OCSP response: successful in the output.
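The four steps above as one added example, not part of the course page: the finished default.conf, a pre-reload check that every directive from steps 1 and 2 is present, and a parser that classifies the step-4 openssl output. Certificate paths and resolver values are the page's own; the two openssl transcripts in the block are constructed, and check_stapling_conf, ocsp_status and verify_live are helper names chosen here.

```shell
# Added example, not from the course page: the default.conf that steps 1-2
# build, a pre-reload directive check, and a parser for step-4 output.
# Cert/key paths are the page's own; the openssl transcripts are constructed.
STAPLING_CONF='server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate     /etc/ssl/certs/example.crt;
    ssl_certificate_key /etc/ssl/private/example.key;
    # Step 2: send the CA-signed OCSP response inside the TLS handshake
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
}'

# Constructed step-4 transcripts: one stapled, one where nothing was sent.
OUT_STAPLED='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)'
OUT_NONE='OCSP response: no response sent'

# Before `nginx -t`: fail fast if a directive from steps 1-2 is missing.
check_stapling_conf() {
    for d in 'listen 443 ssl;' 'ssl_certificate ' 'ssl_certificate_key ' \
             'ssl_stapling on;' 'ssl_stapling_verify on;' \
             'resolver 8.8.8.8 8.8.4.4 valid=300s;' 'resolver_timeout 5s;'; do
        grep -q -- "$d" "$1" || { echo "missing: $d" >&2; return 1; }
    done
}

# Classify `openssl s_client -status` output read from stdin:
# prints stapled, not-stapled, or unknown (e.g. the handshake failed).
ocsp_status() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -Eq 'OCSP [Rr]esponse( Status)?: successful'; then
        echo stapled
    elif printf '%s\n' "$out" | grep -q 'OCSP response: no response sent'; then
        echo not-stapled
    else
        echo unknown
    fi
}

# Step 4 against a live host: verify_live example.com
verify_live() {
    printf 'QUIT\n' | openssl s_client -connect "$1:443" -servername "$1" \
        -status 2>/dev/null | ocsp_status
}
```

ssl_stapling_verify on; makes Nginx check the responder's signature, which in practice also needs the issuer chain configured with ssl_trusted_certificate. A not-stapled result immediately after the reload is normal, because Nginx fetches its first OCSP response only after the first handshake; run the check again.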