server-configs-nginx/h5bp/ssl/ocsp_stapling.conf

35 lines
1.2 KiB
Nginx Configuration File
Raw Normal View History

2018-11-25 19:13:33 +01:00
# ----------------------------------------------------------------------
# | Online Certificate Status Protocol stapling |
# ----------------------------------------------------------------------
# OCSP is a lightweight, only one record to help clients verify the
# validity of the server certificate.
2019-05-14 19:02:21 +02:00
# OCSP stapling allows the server to send its cached OCSP record during
# the TLS handshake, without the need of 3rd party OCSP responder.
2018-11-25 19:13:33 +01:00
#
# https://wiki.mozilla.org/Security/Server_Side_TLS#OCSP_Stapling
# https://tools.ietf.org/html/rfc6066#section-8
# https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
#
# (1) Use Cloudflare 1.1.1.1 DNS resolver
# https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/
#
# (2) Use Google 8.8.8.8 DNS resolver
# https://developers.google.com/speed/public-dns/docs/using
#
# (3) Use Dyn DNS resolver
# https://help.dyn.com/internet-guide-setup/
2018-11-25 19:13:33 +01:00
ssl_stapling on;
ssl_stapling_verify on;
resolver
# (1)
1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001]
# (2)
8.8.8.8 8.8.4.4 [2001:4860:4860::8888] [2001:4860:4860::8844]
# (3)
# 216.146.35.35 216.146.36.36
valid=60s;
2018-11-25 19:13:33 +01:00
resolver_timeout 2s;