
Merge pull request #574 from teohhanhui/ocsp-stapling-chain

Enable OCSP stapling if certificate trust chain is provided
This commit is contained in:
Jason Wilder 2017-08-16 11:53:17 -06:00 committed by GitHub
commit f05f7a0ff9
3 changed files with 18 additions and 1 deletions


@ -205,7 +205,7 @@ and `CERT_NAME=shared` will then use this shared cert.
The SSL cipher configuration is based on the [Mozilla nginx intermediate profile](https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx) which The SSL cipher configuration is based on the [Mozilla nginx intermediate profile](https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx) which
should provide compatibility with clients back to Firefox 1, Chrome 1, IE 7, Opera 5, Safari 1, should provide compatibility with clients back to Firefox 1, Chrome 1, IE 7, Opera 5, Safari 1,
Windows XP IE8, Android 2.3, Java 7. Note that the DES-based TLS ciphers were removed for security. Windows XP IE8, Android 2.3, Java 7. Note that the DES-based TLS ciphers were removed for security.
The configuration also enables HSTS, PFS, and SSL session caches. Currently TLS 1.0, 1.1 and 1.2 The configuration also enables HSTS, PFS, OCSP stapling and SSL session caches. Currently TLS 1.0, 1.1 and 1.2
are supported. TLS 1.0 is deprecated but its end of life is not until June 30, 2018. It is being are supported. TLS 1.0 is deprecated but its end of life is not until June 30, 2018. It is being
included because the following browsers will stop working when it is removed: Chrome < 22, Firefox < 27, included because the following browsers will stop working when it is removed: Chrome < 22, Firefox < 27,
IE < 11, Safari < 7, iOS < 5, Android Browser < 5. IE < 11, Safari < 7, iOS < 5, Android Browser < 5.


@ -18,6 +18,13 @@ fi
# Note: if $DHPARAM_BITS is not defined, generate-dhparam.sh will use 2048 as a default # Note: if $DHPARAM_BITS is not defined, generate-dhparam.sh will use 2048 as a default
/app/generate-dhparam.sh $DHPARAM_BITS /app/generate-dhparam.sh $DHPARAM_BITS
# Compute the DNS resolvers for use in the templates
export RESOLVERS=$(awk '$1 == "nameserver" {print $2}' ORS=' ' /etc/resolv.conf | sed 's/ *$//g')
if [ "x$RESOLVERS" = "x" ]; then
echo "Warning: unable to determine DNS resolvers for nginx" >&2
unset RESOLVERS
fi
# If the user has run the default command and the socket doesn't exist, fail # If the user has run the default command and the socket doesn't exist, fail
if [ "$socketMissing" = 1 -a "$1" = forego -a "$2" = start -a "$3" = '-r' ]; then if [ "$socketMissing" = 1 -a "$1" = forego -a "$2" = start -a "$3" = '-r' ]; then
exit 1 exit 1
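Review bot: The awk on the `export RESOLVERS=` line copies IPv6 nameservers out of /etc/resolv.conf verbatim, but nginx's `resolver` directive expects IPv6 addresses in square brackets (`[::1]`), so a host or container whose resolv.conf lists an IPv6 nameserver would, as far as I can tell, produce a `resolver` line that nginx rejects at config load, taking down the whole proxy rather than just OCSP stapling. Bracketing colon-containing entries is a one-line change: `export RESOLVERS=$(awk '$1 == "nameserver" {print ($2 ~ ":") ? "["$2"]" : $2}' ORS=' ' /etc/resolv.conf | sed 's/ *$//g')`. Because the value is interpolated unquoted into nginx.conf by the template, a comment such as `# only the address token of "nameserver" lines reaches nginx.conf, so nothing beyond an address literal can end up in the resolver directive` would document why this is safe. The empty-check `[ "x$RESOLVERS" = "x" ]` can be written `[ -z "$RESOLVERS" ]`, and the warning would be more actionable if it said that OCSP stapling will be disabled as a result, since that is the only consumer of `resolver` in the template.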


@ -58,6 +58,10 @@ log_format vhost '$host $remote_addr - $remote_user [$time_local] '
access_log off; access_log off;
{{ if $.Env.RESOLVERS }}
resolver {{ $.Env.RESOLVERS }};
{{ end }}
{{ if (exists "/etc/nginx/proxy.conf") }} {{ if (exists "/etc/nginx/proxy.conf") }}
include /etc/nginx/proxy.conf; include /etc/nginx/proxy.conf;
{{ else }} {{ else }}
@ -198,6 +202,12 @@ server {
ssl_dhparam {{ printf "/etc/nginx/certs/%s.dhparam.pem" $cert }}; ssl_dhparam {{ printf "/etc/nginx/certs/%s.dhparam.pem" $cert }};
{{ end }} {{ end }}
{{ if (exists (printf "/etc/nginx/certs/%s.chain.crt" $cert)) }}
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate {{ printf "/etc/nginx/certs/%s.chain.crt" $cert }};
{{ end }}
{{ if (ne $https_method "noredirect") }} {{ if (ne $https_method "noredirect") }}
add_header Strict-Transport-Security "max-age=31536000"; add_header Strict-Transport-Security "max-age=31536000";
{{ end }} {{ end }}
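Review bot: Both `ssl_stapling on` and `ssl_stapling_verify on` degrade silently: when the `.chain.crt` file lacks the issuing CA (and, for verification, the root it chains to), or when no `resolver` was emitted because RESOLVERS was empty, nginx as far as I know only logs a warning at startup or on the first handshake and keeps serving without a staple, so an operator gets no hard failure telling them stapling is off. A template comment above the `{{ if (exists (printf "/etc/nginx/certs/%s.chain.crt" $cert)) }}` line would help, e.g. `# OCSP stapling needs <cert>.chain.crt to hold the issuing CA chain (issuer plus root for ssl_stapling_verify) and an http-level resolver; nginx only warns if either is missing`. The README hunk in this commit mentions OCSP stapling in passing but never names the `<CERT_NAME>.chain.crt` convention that switches it on, so a sentence there documenting the file name and its expected contents is worth adding. Note also that with this change the proxy makes outbound plain-HTTP requests to the responder URL in each certificate's AIA extension, which matters for deployments with restricted egress.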