Fix OCSP-stapling-related errors due to missing resolver
Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1057
This commit is contained in:
parent
595c8c1af4
commit
4880dcceb0
@ -289,7 +289,7 @@ matrix_nginx_proxy_floc_optout_enabled: true
|
|||||||
|
|
||||||
# HSTS Preloading Enable
|
# HSTS Preloading Enable
|
||||||
#
|
#
|
||||||
# In its strongest and recommended form, the [HSTS policy](https://www.chromium.org/hsts) includes all subdomains, and
|
# In its strongest and recommended form, the [HSTS policy](https://www.chromium.org/hsts) includes all subdomains, and
|
||||||
# indicates a willingness to be “preloaded” into browsers:
|
# indicates a willingness to be “preloaded” into browsers:
|
||||||
# `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload`
|
# `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload`
|
||||||
# For more information visit:
|
# For more information visit:
|
||||||
@ -357,6 +357,18 @@ matrix_nginx_proxy_self_check_validate_certificates: true
|
|||||||
# so we default to not following redirects as well.
|
# so we default to not following redirects as well.
|
||||||
matrix_nginx_proxy_self_check_well_known_matrix_client_follow_redirects: none
|
matrix_nginx_proxy_self_check_well_known_matrix_client_follow_redirects: none
|
||||||
|
|
||||||
|
# For OCSP purposes, we need to define a resolver at the `server{}` level or `http{}` level (we do the latter).
|
||||||
|
#
|
||||||
|
# Otherwise, we get warnings like this:
|
||||||
|
# > [warn] 22#22: no resolver defined to resolve r3.o.lencr.org while requesting certificate status, responder: r3.o.lencr.org, certificate: "/matrix/ssl/config/live/.../fullchain.pem"
|
||||||
|
#
|
||||||
|
# We point it to the internal Docker resolver, which likely delegates to nameservers defined in `/etc/resolv.conf`.
|
||||||
|
#
|
||||||
|
# When nginx proxy is disabled, our configuration is likely used by non-containerized nginx, so can't use the internal Docker resolver.
|
||||||
|
# Pointing `resolver` to some public DNS server might be an option, but for now we impose DNS servers on people.
|
||||||
|
# It might also be that no such warnings occur when not running in a container.
|
||||||
|
matrix_nginx_proxy_http_level_resolver: "{{ '127.0.0.11' if matrix_nginx_proxy_enabled else '' }}"
|
||||||
|
|
||||||
# By default, this playbook automatically retrieves and auto-renews
|
# By default, this playbook automatically retrieves and auto-renews
|
||||||
# free SSL certificates from Let's Encrypt.
|
# free SSL certificates from Let's Encrypt.
|
||||||
#
|
#
|
||||||
@ -416,7 +428,7 @@ matrix_ssl_pre_obtaining_required_service_start_wait_time_seconds: 60
|
|||||||
# Nginx Optimize SSL Session
|
# Nginx Optimize SSL Session
|
||||||
#
|
#
|
||||||
# ssl_session_cache:
|
# ssl_session_cache:
|
||||||
# - Creating a cache of TLS connection parameters reduces the number of handshakes
|
# - Creating a cache of TLS connection parameters reduces the number of handshakes
|
||||||
# and thus can improve the performance of application.
|
# and thus can improve the performance of application.
|
||||||
# - Default session cache is not optimal as it can be used by only one worker process
|
# - Default session cache is not optimal as it can be used by only one worker process
|
||||||
# and can cause memory fragmentation. It is much better to use shared cache.
|
# and can cause memory fragmentation. It is much better to use shared cache.
|
||||||
@ -425,7 +437,7 @@ matrix_ssl_pre_obtaining_required_service_start_wait_time_seconds: 60
|
|||||||
# ssl_session_timeout:
|
# ssl_session_timeout:
|
||||||
# - Nginx by default it is set to 5 minutes which is very low.
|
# - Nginx by default it is set to 5 minutes which is very low.
|
||||||
# should be like 4h or 1d but will require you to increase the size of cache.
|
# should be like 4h or 1d but will require you to increase the size of cache.
|
||||||
# - Learn More:
|
# - Learn More:
|
||||||
# https://github.com/certbot/certbot/issues/6903
|
# https://github.com/certbot/certbot/issues/6903
|
||||||
# https://github.com/mozilla/server-side-tls/issues/198
|
# https://github.com/mozilla/server-side-tls/issues/198
|
||||||
#
|
#
|
||||||
|
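Review bot: The comment block above `matrix_nginx_proxy_http_level_resolver` in the `@ -357,6 +357,18 @@` hunk says "for now we impose DNS servers on people", which reads as the opposite of what the value does: the `else ''` branch leaves `resolver` unset for non-containerized nginx, so nothing is imposed. Suggested wording: `# Pointing resolver to some public DNS server might be an option, but for now we don't impose DNS servers on people.` It would also help to state that `127.0.0.11` is Docker's embedded DNS, which is only served to containers attached to a user-defined network (on the default bridge the container just inherits the host's `/etc/resolv.conf`), so the default presumes the proxy joins such a network — worth confirming against the container's network setup. Since the directive lands at `http{}` level it presumably also governs any name nginx resolves at runtime (for example a `proxy_pass` target supplied via a variable), not only OCSP responder lookups, so the comment should say this is a broader change than OCSP stapling.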
@ -9,13 +9,13 @@
|
|||||||
{% if matrix_nginx_proxy_floc_optout_enabled %}
|
{% if matrix_nginx_proxy_floc_optout_enabled %}
|
||||||
add_header Permissions-Policy interest-cohort=() always;
|
add_header Permissions-Policy interest-cohort=() always;
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
{% if matrix_nginx_proxy_hsts_preload_enabled %}
|
{% if matrix_nginx_proxy_hsts_preload_enabled %}
|
||||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
|
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
|
||||||
{% else %}
|
{% else %}
|
||||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}";
|
add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}";
|
||||||
|
|
||||||
{% for configuration_block in matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks %}
|
{% for configuration_block in matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks %}
|
||||||
@ -77,13 +77,13 @@ server {
|
|||||||
ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }};
|
ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }};
|
||||||
{% endif %}
|
{% endif %}
|
||||||
ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};
|
ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};
|
||||||
|
|
||||||
{% if matrix_nginx_proxy_ocsp_stapling_enabled %}
|
{% if matrix_nginx_proxy_ocsp_stapling_enabled %}
|
||||||
ssl_stapling on;
|
ssl_stapling on;
|
||||||
ssl_stapling_verify on;
|
ssl_stapling_verify on;
|
||||||
ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/chain.pem;
|
ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/chain.pem;
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
{% if matrix_nginx_proxy_ssl_session_tickets_off %}
|
{% if matrix_nginx_proxy_ssl_session_tickets_off %}
|
||||||
ssl_session_tickets off;
|
ssl_session_tickets off;
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
@ -4,6 +4,11 @@
|
|||||||
#
|
#
|
||||||
# Thus, we ensure a larger bucket size value is used.
|
# Thus, we ensure a larger bucket size value is used.
|
||||||
server_names_hash_bucket_size 64;
|
server_names_hash_bucket_size 64;
|
||||||
|
|
||||||
|
{% if matrix_nginx_proxy_http_level_resolver %}
|
||||||
|
resolver {{ matrix_nginx_proxy_http_level_resolver }};
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
{% for configuration_block in matrix_nginx_proxy_proxy_http_additional_server_configuration_blocks %}
|
{% for configuration_block in matrix_nginx_proxy_proxy_http_additional_server_configuration_blocks %}
|
||||||
{{- configuration_block }}
|
{{- configuration_block }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
|
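Review bot: `resolver {{ matrix_nginx_proxy_http_level_resolver }};` is emitted with no `valid=` or `ipv6=` parameters, so nginx will also ask for AAAA records and may try IPv6 responder addresses; in a container without IPv6 egress that can turn OCSP fetches into timeouts rather than a clean failure, so `resolver {{ matrix_nginx_proxy_http_level_resolver }} ipv6=off;` may be the safer default if these containers have no IPv6 connectivity — confirm before changing it. The failure mode is otherwise the right one: the server template sets `ssl_stapling_verify on`, so a resolver that returns wrong answers can only cause the staple to be omitted, not a bogus OCSP response to be served. The `http{}` block that encloses this hunk starts outside it.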