roles/nginx: Allow custom resolvers for TLS stapling

Allows to specify custom DNS resolvers for TLS stapling, with a default of Cloudflare's public DNS servers.
2018-04-30 18:04:17 +03:00 · 2018-04-30 18:04:17 +03:00 · 0a39051a95
parent bda95b6a1c
commit 0a39051a95
2 changed files with 5 additions and 6 deletions
--- a/roles/nginx/defaults/main.yml
+++ b/roles/nginx/defaults/main.yml
@ -16,6 +16,10 @@ nginx_ssl_buffer_size: 1400
 nginx_ssl_dhparam: /etc/ssl/certs/dhparam.pem
 nginx_ssl_protocols: 'TLSv1 TLSv1.1 TLSv1.2'

+# DNS resolvers for OCSP stapling (default to Cloudflare public DNS)
+# See: https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
+nginx_ssl_stapling_resolver: '1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001]'
+
 # install certbot + dependencies?
 # True unless you're in development and using "localhost" + snakeoil certs
 use_letsencrypt: True
--- a/roles/nginx/templates/https.j2
+++ b/roles/nginx/templates/https.j2
@ -35,12 +35,7 @@
    # OCSP stapling...
    ssl_stapling on;
    ssl_stapling_verify on;
-    {% if linode_id is defined %}
-    # use Linode internal DNS
-    resolver 139.162.139.5 139.162.130.5 [2a01:7e01::5] [2a01:7e01::6];
-    {% else %}
-    resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001];
-    {% endif %} {# end: linode_id #}
+    resolver {{ nginx_ssl_stapling_resolver }};
    {% endif %} {# end: use_letsencrypt #}

    # nginx does not auto-rotate session ticket keys: only a HUP / restart will do so and