roles/nginx: Enable OCSP stapling

Reduces round trip time for clients. Note: I am using a certificate chain in the `ssl_certificate' directive, so as I understand it, I don't need to use an explicit trusted intermediate + root CA cert with the `ssl_trusted_certificate' option. See the nginx docs for more[0]. Addresses GitHub Issue #5. Seems to be working, test with: $ openssl s_client -connect mjanja.ch:443 -servername mjanja.ch -tls1 -tlsextdebug -status Look for "OCSP Response" with "Cert Status: good". [0] http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-12-06 23:21:46 +03:00 · 2014-12-06 23:21:46 +03:00 · 6ccfdb99fa
parent f23f0713d2
commit 6ccfdb99fa
1 changed files with 5 additions and 0 deletions
--- a/roles/nginx/templates/https.j2
+++ b/roles/nginx/templates/https.j2
@ -14,6 +14,11 @@
    ssl_ciphers "{{ tls_cipher_suite }}";
    ssl_prefer_server_ciphers on;

+    # OCSP stapling...
+    ssl_stapling on;
+    ssl_stapling_verify on;
+    resolver 8.8.4.4;
+
    # nginx does not auto-rotate session ticket keys: only a HUP / restart will do so and
    # when a restart is performed the previous key is lost, which resets all previous
    # sessions. The fix for this is to setup a manual rotation mechanism: