roles/nginx: Don't send OCSP responses for hosts using self-signed certs

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-02-26 17:38:30 +03:00 · 2015-02-26 17:38:30 +03:00 · d08a37526f
commit d08a37526f
parent cd65475d0d
1 changed files with 3 additions and 0 deletions
--- a/roles/nginx/templates/https.j2
+++ b/roles/nginx/templates/https.j2
@ -14,10 +14,13 @@
    ssl_ciphers "{{ tls_cipher_suite }}";
    ssl_prefer_server_ciphers on;

+{# don't use OCSP stapling if we're using a self-signed cert #}
+{% if tls_cert is defined %}
    # OCSP stapling...
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.4.4 8.8.8.8;
+{% endif %}

    # nginx does not auto-rotate session ticket keys: only a HUP / restart will do so and
    # when a restart is performed the previous key is lost, which resets all previous