Enable OCSP Stapling

This commit is contained in:
sakkiii 2021-05-15 15:57:05 +05:30
parent df99c338d3
commit c05021640d
9 changed files with 61 additions and 0 deletions

View File

@ -279,6 +279,18 @@ matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks: []
# Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices. # Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices.
matrix_nginx_proxy_floc_optout_enabled: true matrix_nginx_proxy_floc_optout_enabled: true
# OCSP Stapling eliminating the need for clients to contact the CA, with the aim of improving both security and performance.
# OCSP stapling can provide a performance boost of up to 30%
# nginx web server supports OCSP stapling since version 1.3.7.
#
# *warning* Nginx is lazy loading OCSP responses, which means that for the first few web requests it is unable to add the OCSP response.
#
# Learn more about what it is here:
# - https://en.wikipedia.org/wiki/OCSP_stapling
# - https://blog.cloudflare.com/high-reliability-ocsp-stapling/
# - https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
matrix_nginx_proxy_ocsp_stapling_enabled: true
# Specifies the SSL configuration that should be used for the SSL protocols and ciphers # Specifies the SSL configuration that should be used for the SSL protocols and ciphers
# This is based on the Mozilla Server Side TLS Recommended configurations. # This is based on the Mozilla Server Side TLS Recommended configurations.
# #

View File

@ -10,6 +10,12 @@
add_header Permissions-Policy interest-cohort=() always; add_header Permissions-Policy interest-cohort=() always;
{% endif %} {% endif %}
{% if matrix_nginx_proxy_ocsp_stapling_enabled and matrix_ssl_retrieval_method in ["lets-encrypt", "manually-managed"] %}
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/chain.pem;
{% endif %}
{% for configuration_block in matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks %} {% for configuration_block in matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks %}
{{- configuration_block }} {{- configuration_block }}
{% endfor %} {% endfor %}

View File

@ -7,6 +7,12 @@
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Content-Type-Options nosniff; add_header X-Content-Type-Options nosniff;
{% if matrix_nginx_proxy_ocsp_stapling_enabled and matrix_ssl_retrieval_method in ["lets-encrypt", "manually-managed"] %}
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/chain.pem;
{% endif %}
{% for configuration_block in matrix_nginx_proxy_proxy_bot_go_neb_additional_server_configuration_blocks %} {% for configuration_block in matrix_nginx_proxy_proxy_bot_go_neb_additional_server_configuration_blocks %}
{{- configuration_block }} {{- configuration_block }}
{% endfor %} {% endfor %}

View File

@ -11,6 +11,12 @@
add_header Permissions-Policy interest-cohort=() always; add_header Permissions-Policy interest-cohort=() always;
{% endif %} {% endif %}
{% if matrix_nginx_proxy_ocsp_stapling_enabled and matrix_ssl_retrieval_method in ["lets-encrypt", "manually-managed"] %}
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/chain.pem;
{% endif %}
{% for configuration_block in matrix_nginx_proxy_proxy_element_additional_server_configuration_blocks %} {% for configuration_block in matrix_nginx_proxy_proxy_element_additional_server_configuration_blocks %}
{{- configuration_block }} {{- configuration_block }}
{% endfor %} {% endfor %}

View File

@ -10,6 +10,12 @@
add_header Permissions-Policy interest-cohort=() always; add_header Permissions-Policy interest-cohort=() always;
{% endif %} {% endif %}
{% if matrix_nginx_proxy_ocsp_stapling_enabled and matrix_ssl_retrieval_method in ["lets-encrypt", "manually-managed"] %}
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/chain.pem;
{% endif %}
{% for configuration_block in matrix_nginx_proxy_proxy_dimension_additional_server_configuration_blocks %} {% for configuration_block in matrix_nginx_proxy_proxy_dimension_additional_server_configuration_blocks %}
{{- configuration_block }} {{- configuration_block }}
{% endfor %} {% endfor %}

View File

@ -21,6 +21,12 @@
add_header Permissions-Policy interest-cohort=() always; add_header Permissions-Policy interest-cohort=() always;
{% endif %} {% endif %}
{% if matrix_nginx_proxy_ocsp_stapling_enabled and matrix_ssl_retrieval_method in ["lets-encrypt", "manually-managed"] %}
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/chain.pem;
{% endif %}
location /.well-known/matrix { location /.well-known/matrix {
root {{ matrix_static_files_base_path }}; root {{ matrix_static_files_base_path }};
{# {#

View File

@ -10,6 +10,13 @@
# add_header X-Content-Type-Options nosniff; # add_header X-Content-Type-Options nosniff;
# add_header X-Frame-Options SAMEORIGIN; # add_header X-Frame-Options SAMEORIGIN;
add_header Referrer-Policy "strict-origin-when-cross-origin"; add_header Referrer-Policy "strict-origin-when-cross-origin";
{% if matrix_nginx_proxy_ocsp_stapling_enabled and matrix_ssl_retrieval_method in ["lets-encrypt", "manually-managed"] %}
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/chain.pem;
{% endif %}
{% if matrix_nginx_proxy_floc_optout_enabled %} {% if matrix_nginx_proxy_floc_optout_enabled %}
add_header Permissions-Policy interest-cohort=() always; add_header Permissions-Policy interest-cohort=() always;
{% endif %} {% endif %}

View File

@ -10,6 +10,12 @@
add_header Permissions-Policy interest-cohort=() always; add_header Permissions-Policy interest-cohort=() always;
{% endif %} {% endif %}
{% if matrix_nginx_proxy_ocsp_stapling_enabled and matrix_ssl_retrieval_method in ["lets-encrypt", "manually-managed"] %}
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/chain.pem;
{% endif %}
{% for configuration_block in matrix_nginx_proxy_proxy_jitsi_additional_server_configuration_blocks %} {% for configuration_block in matrix_nginx_proxy_proxy_jitsi_additional_server_configuration_blocks %}
{{- configuration_block }} {{- configuration_block }}
{% endfor %} {% endfor %}

View File

@ -5,6 +5,12 @@
add_header Permissions-Policy interest-cohort=() always; add_header Permissions-Policy interest-cohort=() always;
{% endif %} {% endif %}
{% if matrix_nginx_proxy_ocsp_stapling_enabled and matrix_ssl_retrieval_method in ["lets-encrypt", "manually-managed"] %}
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/chain.pem;
{% endif %}
{% for configuration_block in matrix_nginx_proxy_proxy_riot_additional_server_configuration_blocks %} {% for configuration_block in matrix_nginx_proxy_proxy_riot_additional_server_configuration_blocks %}
{{- configuration_block }} {{- configuration_block }}
{% endfor %} {% endfor %}