kayx23 commented on code in PR #10900: URL: https://github.com/apache/apisix/pull/10900#discussion_r1480962779
########## docs/en/latest/plugins/ocsp-stapling.md: ########## @@ -0,0 +1,133 @@ +--- +title: ocsp-stapling +keywords: + - Apache APISIX + - Plugin + - ocsp-stapling +description: This document contains information about the Apache APISIX ocsp-stapling Plugin. +--- + +<!-- +# +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +--> + +## Description + +The `ocsp-stapling` Plugin dynamically sets the behavior of [OCSP stapling](https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling) in Nginx. + +## Enable Plugin + +This Plugin is default disabled, modify the config file `./conf/config.yaml` to enable it. + +```yaml +plugins: + - ... + - ocsp-stapling +``` + +After modifying the config file, reload APISIX or send an hot-loaded HTTP request through the Admin API to take effect: + +```shell +curl http://127.0.0.1:9180/apisix/admin/plugins/reload -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT +``` + +## Attributes + +The attributes of this plugin are stored in specific field `ocsp_stapling` within SSL Resource. + +| Name | Type | Required | Default | Valid values | Description | +|----------------|----------------------|----------|---------------|--------------|-----------------------------------------------------------------------------------------------| +| enabled | boolean | False | false | | Like the `ssl_stapling` directive, enables or disables OCSP stapling feature. | +| skip_verify | boolean | False | false | | Like the `ssl_stapling_verify` directive, enables or disables verification of OCSP responses. | +| cache_ttl | integer | False | 3600 | >= 60 | Specifies the expired time of OCSP response cache. | + +## Example usage + +You should creates a SSL Resource first, and the certificate of the server certificate issuer should be known. Normarly the fullchain certificate is work fine. + +The SSL Resource Example like this: + +```shell +curl http://127.0.0.1:9180/apisix/admin/ssls/1 \ +-H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d ' +{ + "cert" : "'"$(cat server.crt)"'", + "key": "'"$(cat server.key)"'", + "snis": ["test.com"], + "ocsp_stapling": { + "enabled": true + } +}' +``` + +Once you have configured the SSL Resource as shown above, you can make a request as shown below: Review Comment: ```suggestion Next, establish a secure connection to the server, request the SSL/TLS session status, and display the output from the server: ``` -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
