OCSP stapling

docs/content/reference/install-configuration/tls/ocsp.md

@@ -0,0 +1,71 @@
+---
+title: "Traefik OCSP Documentation"
+description: "Learn how to configure Traefik to use OCSP. Read the technical documentation."
+---
+
+# OCSP
+
+Check certificate status and perform OCSP stapling.
+{: .subtitle }
+
+## Overview
+
+### OCSP Stapling
+
+When OCSP is enabled, Traefik checks the status of every certificate in the store that provides an OCSP responder URL,
+including the default certificate, and staples the OCSP response to the TLS handshake.
+The OCSP check is performed when the certificate is loaded,
+and once every hour until it is successful at the halfway point before the update date.
+
+### Caching
+
+Traefik caches the OCSP response as long as the associated certificate is provided by the configuration.
+When a certificate is no longer provided,
+the OCSP response has a 24 hour TTL waiting to be provided again or eventually removed.
+The OCSP response is cached in memory and is not persisted between Traefik restarts.
+
+## Configuration
+
+### General
+
+Enabling OCSP is part of the [static configuration](../getting-started/configuration-overview.md#the-static-configuration).
+It can be defined by using a file (YAML or TOML) or CLI arguments:
+
+```yaml tab="File (YAML)"
+## Static configuration
+ocsp: {}
+```
+
+```toml tab="File (TOML)"
+## Static configuration
+[ocsp]
+```
+
+```bash tab="CLI"
+## Static configuration
+--ocsp=true
+```
+
+### Responder Overrides
+
+The `responderOverrides` option defines the OCSP responder URLs to use instead of the one provided by the certificate.
+This is useful when you want to use a different OCSP responder.
+
+```yaml tab="File (YAML)"
+## Static configuration
+ocsp:
+  responderOverrides:
+    foo: bar
+```
+
+```toml tab="File (TOML)"
+## Static configuration
+[ocsp]
+  [ocsp.responderOverrides]
+    foo = "bar"
+```
+
+```bash tab="CLI"
+## Static configuration
+-ocsp.responderoverrides.foo=bar
+```

docs/content/reference/static-configuration/cli-ref.md

@@ -642,6 +642,12 @@ Prefix to use for metrics collection. (Default: ```traefik```)
 `--metrics.statsd.pushinterval`:  
 StatsD push interval. (Default: ```10```)
 
+`--ocsp`:  
+OCSP configuration. (Default: ```false```)
+
+`--ocsp.responderoverrides.<name>`:  
+Defines a map of OCSP responders to replace for querying OCSP servers.
+
 `--ping`:  
 Enable ping. (Default: ```false```)
 

docs/content/reference/static-configuration/env-ref.md

@@ -642,6 +642,12 @@ Prefix to use for metrics collection. (Default: ```traefik```)
 `TRAEFIK_METRICS_STATSD_PUSHINTERVAL`:  
 StatsD push interval. (Default: ```10```)
 
+`TRAEFIK_OCSP`:  
+OCSP configuration. (Default: ```false```)
+
+`TRAEFIK_OCSP_RESPONDEROVERRIDES_<NAME>`:  
+Defines a map of OCSP responders to replace for querying OCSP servers.
+
 `TRAEFIK_PING`:  
 Enable ping. (Default: ```false```)
 

docs/content/reference/static-configuration/file.toml

@@ -609,3 +609,8 @@
 
 [spiffe]
   workloadAPIAddr = "foobar"
+
+[ocsp]
+  [ocsp.responderOverrides]
+    name0 = "foobar"
+    name1 = "foobar"

docs/content/reference/static-configuration/file.yaml

@@ -675,3 +675,7 @@ core:
   defaultRuleSyntax: foobar
 spiffe:
   workloadAPIAddr: foobar
+ocsp:
+  responderOverrides:
+    name0: foobar
+    name1: foobar