mirror of
https://github.com/thib8956/nginx-proxy
synced 2024-11-22 11:56:31 +00:00
Merge pull request #574 from teohhanhui/ocsp-stapling-chain
Enable OCSP stapling if certificate trust chain is provided
This commit is contained in:
commit
f05f7a0ff9
@ -205,7 +205,7 @@ and `CERT_NAME=shared` will then use this shared cert.
|
|||||||
The SSL cipher configuration is based on the [Mozilla nginx intermediate profile](https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx) which
|
The SSL cipher configuration is based on the [Mozilla nginx intermediate profile](https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx) which
|
||||||
should provide compatibility with clients back to Firefox 1, Chrome 1, IE 7, Opera 5, Safari 1,
|
should provide compatibility with clients back to Firefox 1, Chrome 1, IE 7, Opera 5, Safari 1,
|
||||||
Windows XP IE8, Android 2.3, Java 7. Note that the DES-based TLS ciphers were removed for security.
|
Windows XP IE8, Android 2.3, Java 7. Note that the DES-based TLS ciphers were removed for security.
|
||||||
The configuration also enables HSTS, PFS, and SSL session caches. Currently TLS 1.0, 1.1 and 1.2
|
The configuration also enables HSTS, PFS, OCSP stapling and SSL session caches. Currently TLS 1.0, 1.1 and 1.2
|
||||||
are supported. TLS 1.0 is deprecated but its end of life is not until June 30, 2018. It is being
|
are supported. TLS 1.0 is deprecated but its end of life is not until June 30, 2018. It is being
|
||||||
included because the following browsers will stop working when it is removed: Chrome < 22, Firefox < 27,
|
included because the following browsers will stop working when it is removed: Chrome < 22, Firefox < 27,
|
||||||
IE < 11, Safari < 7, iOS < 5, Android Browser < 5.
|
IE < 11, Safari < 7, iOS < 5, Android Browser < 5.
|
||||||
|
@ -18,6 +18,13 @@ fi
|
|||||||
# Note: if $DHPARAM_BITS is not defined, generate-dhparam.sh will use 2048 as a default
|
# Note: if $DHPARAM_BITS is not defined, generate-dhparam.sh will use 2048 as a default
|
||||||
/app/generate-dhparam.sh $DHPARAM_BITS
|
/app/generate-dhparam.sh $DHPARAM_BITS
|
||||||
|
|
||||||
|
# Compute the DNS resolvers for use in the templates
|
||||||
|
export RESOLVERS=$(awk '$1 == "nameserver" {print $2}' ORS=' ' /etc/resolv.conf | sed 's/ *$//g')
|
||||||
|
if [ "x$RESOLVERS" = "x" ]; then
|
||||||
|
echo "Warning: unable to determine DNS resolvers for nginx" >&2
|
||||||
|
unset RESOLVERS
|
||||||
|
fi
|
||||||
|
|
||||||
# If the user has run the default command and the socket doesn't exist, fail
|
# If the user has run the default command and the socket doesn't exist, fail
|
||||||
if [ "$socketMissing" = 1 -a "$1" = forego -a "$2" = start -a "$3" = '-r' ]; then
|
if [ "$socketMissing" = 1 -a "$1" = forego -a "$2" = start -a "$3" = '-r' ]; then
|
||||||
exit 1
|
exit 1
|
||||||
|
10
nginx.tmpl
10
nginx.tmpl
@ -58,6 +58,10 @@ log_format vhost '$host $remote_addr - $remote_user [$time_local] '
|
|||||||
|
|
||||||
access_log off;
|
access_log off;
|
||||||
|
|
||||||
|
{{ if $.Env.RESOLVERS }}
|
||||||
|
resolver {{ $.Env.RESOLVERS }};
|
||||||
|
{{ end }}
|
||||||
|
|
||||||
{{ if (exists "/etc/nginx/proxy.conf") }}
|
{{ if (exists "/etc/nginx/proxy.conf") }}
|
||||||
include /etc/nginx/proxy.conf;
|
include /etc/nginx/proxy.conf;
|
||||||
{{ else }}
|
{{ else }}
|
||||||
@ -198,6 +202,12 @@ server {
|
|||||||
ssl_dhparam {{ printf "/etc/nginx/certs/%s.dhparam.pem" $cert }};
|
ssl_dhparam {{ printf "/etc/nginx/certs/%s.dhparam.pem" $cert }};
|
||||||
{{ end }}
|
{{ end }}
|
||||||
|
|
||||||
|
{{ if (exists (printf "/etc/nginx/certs/%s.chain.crt" $cert)) }}
|
||||||
|
ssl_stapling on;
|
||||||
|
ssl_stapling_verify on;
|
||||||
|
ssl_trusted_certificate {{ printf "/etc/nginx/certs/%s.chain.crt" $cert }};
|
||||||
|
{{ end }}
|
||||||
|
|
||||||
{{ if (ne $https_method "noredirect") }}
|
{{ if (ne $https_method "noredirect") }}
|
||||||
add_header Strict-Transport-Security "max-age=31536000";
|
add_header Strict-Transport-Security "max-age=31536000";
|
||||||
{{ end }}
|
{{ end }}
|
||||||
|
Loading…
Reference in New Issue
Block a user