
feat(www): enable OCSP stapling, fixes #364

Tobias "Knight" S пре 5 година
родитељ
комит
607a0074c5
2 измењених фајлова са 6 додато и 1 уклоњено
  1. 5 0
      www/conf/conf.d/ssl.conf.var
  2. 1 1
      www/conf/envreplace.sh

+ 5 - 0
www/conf/conf.d/ssl.conf → www/conf/conf.d/ssl.conf.var

@@ -3,3 +3,8 @@ ssl_protocols TLSv1.2 TLSv1.3;
 ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
 ssl_prefer_server_ciphers off;
 ssl_dhparam /etc/nginx/dhparam.pem;
+
+resolver 127.0.0.11;  # OCSP request needs DNS resolution. Use Docker's embedded DNS, forwarded to host.
+ssl_stapling on;
+ssl_stapling_verify on;
+ssl_trusted_certificate ${CERT_PATH}desec.${DESECSTACK_DOMAIN}.cer;
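Review bot: `ssl_stapling_verify on` requires `ssl_trusted_certificate` to contain the issuer chain of the server certificate (intermediate(s) and root), not the leaf; if `desec.${DESECSTACK_DOMAIN}.cer` is the leaf-only certificate file that ACME client layouts typically produce under that name, nginx cannot verify the OCSP response, logs an error and keeps serving without a staple, so this commit would silently not enable stapling. Point the directive at the chain file kept alongside it under `${CERT_PATH}` and confirm with `openssl s_client -connect host:443 -status` that a staple is actually returned. `${CERT_PATH}` is also only rendered if it appears in envreplace.sh's explicit envsubst allowlist, which the visible hunk of that script does not extend — worth confirming. Consider `resolver 127.0.0.11 valid=300s; resolver_timeout 5s;` so a stalled embedded-DNS lookup does not hold up the first OCSP fetch for the default 30s.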

+ 1 - 1
www/conf/envreplace.sh

@@ -6,7 +6,7 @@ then
     export PROD_ONLY='#'
 fi
 
-for file in /etc/nginx/sites-available/*.var; do
+for file in /etc/nginx/sites-available/*.var /etc/nginx/conf.d/*.var; do
     # we only replace occurrences of the variables specified below as first argument
     (envsubst '$DESECSTACK_IPV4_REAR_PREFIX16' |
     envsubst '$DESECSTACK_DOMAIN' |
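Review bot: The widened glob on the `for` line keeps the original's no-match behaviour: without `nullglob`, an empty `/etc/nginx/conf.d/` leaves `$file` set to the literal string `/etc/nginx/conf.d/*.var`, and the loop body (which continues past the hunk) will then try to render a file that does not exist. Today the sibling `ssl.conf.var` guarantees a match, but the next removal or rename of that file turns this into a confusing failure; add `shopt -s nullglob` before the loop if the script runs under bash, or guard the body with `[ -e "$file" ] || continue`. Note also that only the variables in the explicit envsubst allowlist starting on the following lines are substituted, so every new `${VAR}` referenced from a `conf.d/*.var` file has to be added to that list as well.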