# ----------------------------------------------------------------------
# | Online Certificate Status Protocol stapling |
# ----------------------------------------------------------------------
# OCSP is a lightweight protocol: a single CA-signed response lets clients
# check the revocation status of the server certificate (RFC 6960).
# OCSP stapling lets the server attach a cached, still-valid OCSP response
# to the TLS handshake, so the client does not have to contact the CA's OCSP
# responder itself (the server still fetches and refreshes that response).
|
2018-11-25 19:13:33 +01:00
|
|
|
#
# https://wiki.mozilla.org/Security/Server_Side_TLS#OCSP_Stapling
# https://tools.ietf.org/html/rfc6066#section-8
# https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
#
# (1) Use Cloudflare 1.1.1.1 DNS resolver
# https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/
#
# (2) Use Google 8.8.8.8 DNS resolver
# https://developers.google.com/speed/public-dns/docs/using
#
# (3) Use Dyn DNS resolver
# https://help.dyn.com/internet-guide-setup/
# Turn on OCSP stapling and make nginx check the fetched OCSP response
# before it is handed to clients.
ssl_stapling on;
ssl_stapling_verify on;
# NOTE(review): per the nginx docs linked above, ssl_stapling_verify can only
# succeed if the issuer/intermediate/root certificates are configured through
# ssl_trusted_certificate. That directive is not in this snippet -- confirm it
# is set elsewhere in the vhost; otherwise nginx will presumably just serve
# no staple and log a warning rather than fail loudly.

# Resolver nginx uses to look up the OCSP responder host named in the
# certificate's AIA extension. These are plain DNS queries to the public
# resolvers below, so they are visible on the network path. A spoofed answer
# can keep nginx from obtaining a staple (no-staple degradation) but, with
# ssl_stapling_verify on, should not let a forged response through, because
# the OCSP response itself carries the CA's signature.
#
# Address groups: Cloudflare (1) and Google (2) are active; Dyn (3) is kept
# for reference only:
#   216.146.35.35 216.146.36.36
#
# valid=60s overrides the DNS TTL so a responder that moves or fails is
# re-resolved within a minute.
resolver
    1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001]
    8.8.8.8 8.8.4.4 [2001:4860:4860::8888] [2001:4860:4860::8844]
    valid=60s;

# Upper bound on a single resolver lookup so a slow or unreachable resolver
# cannot stall the OCSP fetch indefinitely.
resolver_timeout 2s;