From e3902b6cb2409f13f935c5bc01f9c8d1a26e6db5 Mon Sep 17 00:00:00 2001
From: Philip Henning
Date: Fri, 12 Jul 2019 19:55:37 +0200
Subject: [PATCH] Add directives to use OCSP Stapling (#142)

---
 README.md | 3 +++
 defaults/main.yml | 3 +++
 templates/http/default.conf.j2 | 9 +++++++++
 3 files changed, 15 insertions(+)

diff --git a/README.md b/README.md
index d0a9de0..99ee069 100644
--- a/README.md
+++ b/README.md
@@ -382,6 +382,9 @@ nginx_http_template:
 ciphers: HIGH:!aNULL:!MD5
 session_cache: none
 session_timeout: 5m
+ trusted_cert: /etc/ssl/certs/root_CA_cert_plus_intermediates.crt
+ stapling: true
+ stapling_verify: true
 web_server:
 locations:
 default:
diff --git a/defaults/main.yml b/defaults/main.yml
index 6277d74..dd183af 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -194,6 +194,9 @@ nginx_http_template:
 ciphers: HIGH:!aNULL:!MD5
 session_cache: none
 session_timeout: 5m
+ trusted_cert: /etc/ssl/certs/root_CA_cert_plus_intermediates.crt
+ stapling: true
+ stapling_verify: true
 web_server:
 locations:
 default:
diff --git a/templates/http/default.conf.j2 b/templates/http/default.conf.j2
index 4855394..e8a71e9 100644
--- a/templates/http/default.conf.j2
+++ b/templates/http/default.conf.j2
@@ -54,6 +54,9 @@ server {
 listen {{ item.value.port }} ssl;
 ssl_certificate {{ item.value.ssl.cert }};
 ssl_certificate_key {{ item.value.ssl.key }};
+{% if item.value.ssl.trusted_cert is defined %}
+ ssl_trusted_certificate {{ item.value.ssl.trusted_cert }};
+{% endif %}
 {% if item.value.ssl.dhparam is defined %}
 ssl_dhparam {{ item.value.ssl.dhparam }};
 {% endif %}
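Review bot: The new default `trusted_cert: /etc/ssl/certs/root_CA_cert_plus_intermediates.crt` in defaults/main.yml is a placeholder path, and the template hunk in this same patch renders `ssl_trusted_certificate` as soon as `item.value.ssl.trusted_cert is defined`, so a host that keeps the role defaults for its ssl block gets a directive pointing at a file that very likely does not exist, and nginx refuses to load a configuration whose `ssl_trusted_certificate` cannot be read. Unless the default ssl block is never rendered with these defaults (not visible here), it would be safer to leave `trusted_cert` out of defaults/main.yml and keep it as a documented example in README.md only. If it stays, a comment above it would help operators, e.g. `# chain (issuer + intermediates + root) used to verify stapled OCSP responses; stapling_verify does nothing without it`. The same placeholder in the README.md hunk is fine as an example value.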
@@ -69,6 +72,12 @@ server {
 {% if item.value.ssl.session_timeout is defined and item.value.ssl.session_timeout %}
 ssl_session_timeout {{ item.value.ssl.session_timeout }};
 {% endif %}
+{% if item.value.ssl.stapling is defined and item.value.ssl.stapling %}
+ ssl_stapling on;
+{% endif %}
+{% if item.value.ssl.stapling_verify is defined and item.value.ssl.stapling_verify %}
+ ssl_stapling_verify on;
+{% endif %}
 {% else %}
 listen {{ item.value.port }};
 {% endif %}
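Review bot: `ssl_stapling on;` only takes effect if nginx has a `resolver` directive to look up the OCSP responder named in the certificate, and neither this hunk nor the earlier hunk of templates/http/default.conf.j2 emits one, so unless the template already sets `resolver` elsewhere (not visible here) stapling will be skipped with only a warning in the error log and no staple sent. The second added block also emits `ssl_stapling_verify on;` independently of both `stapling` and `trusted_cert`, while nginx can only verify a stapled response against the chain given by `ssl_trusted_certificate`; tying the guard to that value makes the rendered config self-consistent: `{% if item.value.ssl.stapling_verify is defined and item.value.ssl.stapling_verify and item.value.ssl.trusted_cert is defined %}`. A short comment above the block, such as `{# OCSP stapling needs a resolver and, for stapling_verify, the issuer chain in ssl_trusted_certificate #}`, would spare the next maintainer the same investigation. The enclosing `server {` block starts and ends outside this hunk.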