From 0a39051a953bb90140799977403626946074e036 Mon Sep 17 00:00:00 2001
From: Alan Orth
Date: Mon, 30 Apr 2018 18:04:17 +0300
Subject: [PATCH] roles/nginx: Allow custom resolvers for TLS stapling

Allows to specify custom DNS resolvers for TLS stapling, with a default of Cloudflare's public DNS servers.
---
 roles/nginx/defaults/main.yml  | 4 ++++
 roles/nginx/templates/https.j2 | 7 +------
 2 files changed, 5 insertions(+), 6 deletions(-)

diff --git a/roles/nginx/defaults/main.yml b/roles/nginx/defaults/main.yml
index c34521a..31074af 100644
--- a/roles/nginx/defaults/main.yml
+++ b/roles/nginx/defaults/main.yml
@@ -16,6 +16,10 @@ nginx_ssl_buffer_size: 1400
 nginx_ssl_dhparam: /etc/ssl/certs/dhparam.pem
 nginx_ssl_protocols: 'TLSv1 TLSv1.1 TLSv1.2'
 
+# DNS resolvers for OCSP stapling (default to Cloudflare public DNS)
+# See: https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
+nginx_ssl_stapling_resolver: '1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001]'
+
 # install certbot + dependencies?
 # True unless you're in development and using "localhost" + snakeoil certs
 use_letsencrypt: True
diff --git a/roles/nginx/templates/https.j2 b/roles/nginx/templates/https.j2
index 29c490d..91de324 100644
--- a/roles/nginx/templates/https.j2
+++ b/roles/nginx/templates/https.j2
@@ -35,12 +35,7 @@
     # OCSP stapling...
     ssl_stapling on;
     ssl_stapling_verify on;
-    {% if linode_id is defined %}
-    # use Linode internal DNS
-    resolver 139.162.139.5 139.162.130.5 [2a01:7e01::5] [2a01:7e01::6];
-    {% else %}
-    resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001];
-    {% endif %} {# end: linode_id #}
+    resolver {{ nginx_ssl_stapling_resolver }};
 {% endif %} {# end: use_letsencrypt #}
     # nginx does not auto-rotate session ticket keys: only a HUP / restart will do so and
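Review bot: The comment above the new `nginx_ssl_stapling_resolver` default in roles/nginx/defaults/main.yml does not say that the value is interpolated verbatim into nginx's `resolver` directive in https.j2, nor that this commit drops the Linode internal DNS branch, so a Linode operator reading the defaults cannot tell that they now have to set this variable in inventory to keep OCSP lookups off the public resolvers. The linked documentation anchor is also for `ssl_stapling` rather than for the `resolver` directive the value actually feeds. I would replace the two comment lines with `# Nameservers passed verbatim to nginx's "resolver" directive for OCSP stapling lookups.`, `# Defaults to Cloudflare public DNS; hosts with a local/provider resolver (e.g. the former Linode internal DNS) should override this in inventory.`, and `# See: https://nginx.org/en/docs/http/ngx_http_core_module.html#resolver`. Because the value is a single space-separated string that lands unquoted in the config, a note that resolver parameters such as `valid=300s` or `ipv6=off` may be appended would make the override shape clear to whoever sets it.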