# ----------------------------------------------------------------------
# | Online Certificate Status Protocol stapling                        |
# ----------------------------------------------------------------------

# OCSP is a lightweight, only one record to help clients verify the validity of
# the server certificate.
# OCSP stapling allows the server to send its cached OCSP record during the TLS
# handshake, without the need of 3rd party OCSP responder.
#
# https://wiki.mozilla.org/Security/Server_Side_TLS#OCSP_Stapling
# https://tools.ietf.org/html/rfc6066#section-8
# https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
#
# (1) Use Cloudflare 1.1.1.1 DNS resolver
#     https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/
#
# (2) Use Google 8.8.8.8 DNS resolver
#     https://developers.google.com/speed/public-dns/docs/using
#
# (3) Use OpenDNS resolver
#     https://use.opendns.com

ssl_stapling on;
ssl_stapling_verify on;

resolver
  # (1)
  1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001]
  # (2)
  8.8.8.8 8.8.4.4 [2001:4860:4860::8888] [2001:4860:4860::8844]
  # (3)
  # 208.67.222.222 208.67.220.220 [2620:119:35::35] [2620:119:53::53]
  valid=60s;
resolver_timeout 2s;