Configuring NGINX and OCSP Dedicated Private Server

Question

The scenario I have is as follows:

• 1 Client doing REST calls
• 1 NGINX server doing mTLS
• 1 Backend service

NGINX:

• Listens on 443
• Does mTLS

Client:

• Using curl: curl -v --key client.key --cert client.crt --cacert rootCA.crt https://localhost

Backend service:

• A basic NodeJS server

I want to enforce OCSP in NGINX that for every call the clients are making and they are presenting their certificates for mTLS, I want NGINX to check my own OCSP server that the client certificates are not revoked.

My NGINX conf looks like this:

events {
  worker_connections 768;
}
http {

  server {
    listen 443 ssl;
    listen [::]:443 ssl http2;  # Enable HTTP/2 for secure connections


    ssl_certificate /etc/nginx/nginx.crt;
    ssl_certificate_key /etc/nginx/nginx.key;


    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";


    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/rootCA.crt;  # Path to trusted OCSP responder certificate
    resolver 127.0.0.1 8.8.8.8;  # DNS servers to resolve OCSP responder hostname
    ssl_stapling_responder http://172.17.0.2:8081;  # OCSP responder URL


    ssl_client_certificate /etc/nginx/rootCA.crt;
    ssl_verify_client optional;
    ssl_verify_depth 1;


    location / {
        if ($ssl_client_verify != "SUCCESS") {
            return 403;
        }


      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_pass http://172.17.0.2:8080;

      proxy_read_timeout 60s;
      proxy_connect_timeout 60s;
    }
  }
}

My simple stupid backend service looks like this:

const http = require('http')

const server = http.createServer((request, response) => {
    let body = '';
    request.on('data', chunk => {
        body += chunk.toString();
    });
    request.on('end', () => {
        console.log(body)
        console.log(request.headers)
        console.log(request.path)
        console.log(request.url)
        console.log(JSON.stringify(JSON.parse(body ? body : '{}')))
        response.writeHead(200, {
            'Content-Type': 'application/ocsp-response',
        });
        response.end('Ok');
    });
});

const PORT = 8081;
server.listen(PORT, () => {
    console.log(`OCSP responder server is running on port ${PORT}`);
});

const server2 = http.createServer((req, res) => {
    res.statusCode = 200;
    res.setHeader('Content-Type', 'application/json');
    res.write(JSON.stringify({ message: "ok" }));
    res.end();
});

server2.listen(8080, () => {
    console.log('Server listening on port 8080');
});

I haven't got to the part to implement the OCSP backend.

With this settings in NGINX I can't make it make and OCSP call on my backend service. There are no logs in the access or error log, no trace it would try to make an OCSP call.

Any clue on what other settings I can make?