1
0
mirror of https://github.com/thib8956/nginx-proxy synced 2024-12-26 04:26:31 +00:00

Merge pull request #1115 from kamermans/docs/ocsp-stapling-info

Added docs on enabling OCSP Stapling
This commit is contained in:
Jason Wilder 2018-03-28 20:50:15 -04:00 committed by GitHub
commit 556b3364fb
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

View File

@ -237,6 +237,15 @@ to identify the certificate to be used. For example, a certificate for `*.foo.c
could be named `shared.crt` and `shared.key`. A container running with `VIRTUAL_HOST=foo.bar.com`
and `CERT_NAME=shared` will then use this shared cert.
#### OCSP Stapling
To enable OCSP Stapling for a domain, `nginx-proxy` looks for a PEM certificate containing the trusted
CA certificate chain at `/etc/nginx/certs/<domain>.chain.pem`, where `<domain>` is the domain name in
the `VIRTUAL_HOST` directive. The format of this file is a concatenation of the public PEM CA
certificates starting with the intermediate CA most near the SSL certificate, down to the root CA. This is
often referred to as the "SSL Certificate Chain". If found, this filename is passed to the NGINX
[`ssl_trusted_certificate` directive](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_trusted_certificate)
and OCSP Stapling is enabled.
#### How SSL Support Works
The default SSL cipher configuration is based on the [Mozilla intermediate profile](https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29) which