roles/nginx: Allow custom resolvers for TLS stapling

Allows to specify custom DNS resolvers for TLS stapling, with a default
of Cloudflare's public DNS servers.
This commit is contained in:
Alan Orth 2018-04-30 18:04:17 +03:00
parent bda95b6a1c
commit 0a39051a95
Signed by: alanorth
GPG Key ID: 0FB860CC9C45B1B9
2 changed files with 5 additions and 6 deletions

View File

@ -16,6 +16,10 @@ nginx_ssl_buffer_size: 1400
nginx_ssl_dhparam: /etc/ssl/certs/dhparam.pem nginx_ssl_dhparam: /etc/ssl/certs/dhparam.pem
nginx_ssl_protocols: 'TLSv1 TLSv1.1 TLSv1.2' nginx_ssl_protocols: 'TLSv1 TLSv1.1 TLSv1.2'
# DNS resolvers for OCSP stapling (default to Cloudflare public DNS)
# See: https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
nginx_ssl_stapling_resolver: '1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001]'
# install certbot + dependencies? # install certbot + dependencies?
# True unless you're in development and using "localhost" + snakeoil certs # True unless you're in development and using "localhost" + snakeoil certs
use_letsencrypt: True use_letsencrypt: True

View File

@ -35,12 +35,7 @@
# OCSP stapling... # OCSP stapling...
ssl_stapling on; ssl_stapling on;
ssl_stapling_verify on; ssl_stapling_verify on;
{% if linode_id is defined %} resolver {{ nginx_ssl_stapling_resolver }};
# use Linode internal DNS
resolver 139.162.139.5 139.162.130.5 [2a01:7e01::5] [2a01:7e01::6];
{% else %}
resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001];
{% endif %} {# end: linode_id #}
{% endif %} {# end: use_letsencrypt #} {% endif %} {# end: use_letsencrypt #}
# nginx does not auto-rotate session ticket keys: only a HUP / restart will do so and # nginx does not auto-rotate session ticket keys: only a HUP / restart will do so and