homelab/traefik
1
0
Fork 0
Code Activity

OCSP stapling

Browse source
This commit is contained in:
Alessandro Chitolina 2025-06-06 17:44:04 +02:00 committed by GitHub
parent 2949995abc
commit b39ee8ede5
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
30 changed files with 1576 additions and 178 deletions
Download patch file Download diff file Expand all files Collapse all files

71
docs/content/https/ocsp.md Normal file
View file

@ -0,0 +1,71 @@
---
title: "Traefik OCSP Documentation"
description: "Learn how to configure Traefik to use OCSP. Read the technical documentation."
---
# OCSP
Check certificate status and perform OCSP stapling.
{: .subtitle }
## Overview
### OCSP Stapling
When OCSP is enabled, Traefik checks the status of every certificate in the store that provides an OCSP responder URL,
including the default certificate, and staples the OCSP response to the TLS handshake.
The OCSP check is performed when the certificate is loaded,
and once every hour until it is successful at the halfway point before the update date.
### Caching
Traefik caches the OCSP response as long as the associated certificate is provided by the configuration.
When a certificate is no longer provided,
the OCSP response has a 24 hour TTL waiting to be provided again or eventually removed.
The OCSP response is cached in memory and is not persisted between Traefik restarts.
## Configuration
### General
Enabling OCSP is part of the [static configuration](../getting-started/configuration-overview.md#the-static-configuration).
It can be defined by using a file (YAML or TOML) or CLI arguments:
```yaml tab="File (YAML)"
## Static configuration
ocsp: {}
```
```toml tab="File (TOML)"
## Static configuration
[ocsp]
```
```bash tab="CLI"
## Static configuration
--ocsp=true
```
### Responder Overrides
The `responderOverrides` option defines the OCSP responder URLs to use instead of the one provided by the certificate.
This is useful when you want to use a different OCSP responder.
```yaml tab="File (YAML)"
## Static configuration
ocsp:
responderOverrides:
foo: bar
```
```toml tab="File (TOML)"
## Static configuration
[ocsp]
[ocsp.responderOverrides]
foo = "bar"
```
```bash tab="CLI"
## Static configuration
-ocsp.responderoverrides.foo=bar
```

71
docs/content/reference/install-configuration/tls/ocsp.md Normal file
View file

@ -0,0 +1,71 @@
---
title: "Traefik OCSP Documentation"
description: "Learn how to configure Traefik to use OCSP. Read the technical documentation."
---
# OCSP
Check certificate status and perform OCSP stapling.
{: .subtitle }
## Overview
### OCSP Stapling
When OCSP is enabled, Traefik checks the status of every certificate in the store that provides an OCSP responder URL,
including the default certificate, and staples the OCSP response to the TLS handshake.
The OCSP check is performed when the certificate is loaded,
and once every hour until it is successful at the halfway point before the update date.
### Caching
Traefik caches the OCSP response as long as the associated certificate is provided by the configuration.
When a certificate is no longer provided,
the OCSP response has a 24 hour TTL waiting to be provided again or eventually removed.
The OCSP response is cached in memory and is not persisted between Traefik restarts.
## Configuration
### General
Enabling OCSP is part of the [static configuration](../getting-started/configuration-overview.md#the-static-configuration).
It can be defined by using a file (YAML or TOML) or CLI arguments:
```yaml tab="File (YAML)"
## Static configuration
ocsp: {}
```
```toml tab="File (TOML)"
## Static configuration
[ocsp]
```
```bash tab="CLI"
## Static configuration
--ocsp=true
```
### Responder Overrides
The `responderOverrides` option defines the OCSP responder URLs to use instead of the one provided by the certificate.
This is useful when you want to use a different OCSP responder.
```yaml tab="File (YAML)"
## Static configuration
ocsp:
responderOverrides:
foo: bar
```
```toml tab="File (TOML)"
## Static configuration
[ocsp]
[ocsp.responderOverrides]
foo = "bar"
```
```bash tab="CLI"
## Static configuration
-ocsp.responderoverrides.foo=bar
```

6
docs/content/reference/static-configuration/cli-ref.md
View file

@ -642,6 +642,12 @@ Prefix to use for metrics collection. (Default: ```traefik```)
`--metrics.statsd.pushinterval`:
StatsD push interval. (Default: ```10```)
`--ocsp`:
OCSP configuration. (Default: ```false```)
`--ocsp.responderoverrides.<name>`:
Defines a map of OCSP responders to replace for querying OCSP servers.
`--ping`:
Enable ping. (Default: ```false```)

6
docs/content/reference/static-configuration/env-ref.md
View file

@ -642,6 +642,12 @@ Prefix to use for metrics collection. (Default: ```traefik```)
`TRAEFIK_METRICS_STATSD_PUSHINTERVAL`:
StatsD push interval. (Default: ```10```)
`TRAEFIK_OCSP`:
OCSP configuration. (Default: ```false```)
`TRAEFIK_OCSP_RESPONDEROVERRIDES_<NAME>`:
Defines a map of OCSP responders to replace for querying OCSP servers.
`TRAEFIK_PING`:
Enable ping. (Default: ```false```)

5
docs/content/reference/static-configuration/file.toml
View file

@ -609,3 +609,8 @@
[spiffe]
workloadAPIAddr = "foobar"
[ocsp]
[ocsp.responderOverrides]
name0 = "foobar"
name1 = "foobar"

4
docs/content/reference/static-configuration/file.yaml
View file

@ -675,3 +675,7 @@ core:
defaultRuleSyntax: foobar
spiffe:
workloadAPIAddr: foobar
ocsp:
responderOverrides:
name0: foobar
name1: foobar