Enable OCSP stapling for the federation port
Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1057 Not sure if this is beneficial though.
This commit is contained in:
parent
57a6a98a50
commit
e6afa05f7b
@ -223,6 +223,7 @@ matrix_nginx_proxy_proxy_matrix_federation_api_addr_sans_container: "localhost:1
|
|||||||
matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb: "{{ (matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb | int) * 3 }}"
|
matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb: "{{ (matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb | int) * 3 }}"
|
||||||
matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/fullchain.pem"
|
matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/fullchain.pem"
|
||||||
matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/privkey.pem"
|
matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/privkey.pem"
|
||||||
|
matrix_nginx_proxy_proxy_matrix_federation_api_ssl_trusted_certificate: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/chain.pem"
|
||||||
|
|
||||||
# The tmpfs at /tmp needs to be large enough to handle multiple concurrent file uploads.
|
# The tmpfs at /tmp needs to be large enough to handle multiple concurrent file uploads.
|
||||||
matrix_nginx_proxy_tmp_directory_size_mb: "{{ (matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb | int) * 50 }}"
|
matrix_nginx_proxy_tmp_directory_size_mb: "{{ (matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb | int) * 50 }}"
|
||||||
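Review bot: The new `matrix_nginx_proxy_proxy_matrix_federation_api_ssl_trusted_certificate` default hard-wires `chain.pem` under the same `live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}` directory as `fullchain.pem` and `privkey.pem`, so every certificate source the role supports must now produce that file there. Unlike `ssl_stapling` itself, which only logs when stapling cannot be performed, a missing `ssl_trusted_certificate` file makes nginx refuse to load the configuration, so a self-signed or manually managed certificate directory without `chain.pem` (not shown on this page) would break the proxy once stapling is enabled. Add a comment above the variable stating the requirement, e.g. `# Used as ssl_trusted_certificate for OCSP stapling; the file must exist alongside fullchain.pem/privkey.pem whenever matrix_nginx_proxy_ocsp_stapling_enabled is true.`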
@ -391,7 +392,7 @@ matrix_ssl_pre_obtaining_required_service_start_wait_time_seconds: 60
|
|||||||
#
|
#
|
||||||
# *warning* Nginx is lazy loading OCSP responses, which means that for the first few web requests it is unable to add the OCSP response.
|
# *warning* Nginx is lazy loading OCSP responses, which means that for the first few web requests it is unable to add the OCSP response.
|
||||||
# set matrix_nginx_proxy_ocsp_stapling_enabled false to disable OCSP Stapling
|
# set matrix_nginx_proxy_ocsp_stapling_enabled false to disable OCSP Stapling
|
||||||
#
|
#
|
||||||
# Learn more about what it is here:
|
# Learn more about what it is here:
|
||||||
# - https://en.wikipedia.org/wiki/OCSP_stapling
|
# - https://en.wikipedia.org/wiki/OCSP_stapling
|
||||||
# - https://blog.cloudflare.com/high-reliability-ocsp-stapling/
|
# - https://blog.cloudflare.com/high-reliability-ocsp-stapling/
|
||||||
|
@ -242,6 +242,12 @@ server {
|
|||||||
ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }};
|
ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }};
|
||||||
{% endif %}
|
{% endif %}
|
||||||
ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};
|
ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};
|
||||||
|
|
||||||
|
{% if matrix_nginx_proxy_ocsp_stapling_enabled %}
|
||||||
|
ssl_stapling on;
|
||||||
|
ssl_stapling_verify on;
|
||||||
|
ssl_trusted_certificate {{ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_trusted_certificate }};
|
||||||
|
{% endif %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
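Review bot: The stapling block added inside the `{% if matrix_nginx_proxy_ocsp_stapling_enabled %}` guard declares `ssl_stapling on` and `ssl_stapling_verify on` but no `resolver`, and nginx needs one (in the `http` or `server` context) to look up the OCSP responder host from the certificate's AIA extension. If the template does not already set a resolver elsewhere (not visible in this hunk), nginx logs "no resolver defined to resolve …" and silently serves connections without a stapled response, so the feature appears enabled while doing nothing. Consider adding `resolver` next to `ssl_stapling on;` or documenting the requirement at the variable, and verifying with `openssl s_client -status -connect <host>:8448` after the first few requests (the lazy-loading caveat the defaults file already mentions). The enclosing `server` block and the outer `{% if %}` closed by the context `{% endif %}` begin outside this hunk.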
|