Add directives to use OCSP Stapling (#142)

README.md

@@ -382,6 +382,9 @@ nginx_http_template:
       ciphers: HIGH:!aNULL:!MD5
       session_cache: none
       session_timeout: 5m
+      trusted_cert: /etc/ssl/certs/root_CA_cert_plus_intermediates.crt
+      stapling: true
+      stapling_verify: true
     web_server:
       locations:
         default:

defaults/main.yml

@@ -194,6 +194,9 @@ nginx_http_template:
       ciphers: HIGH:!aNULL:!MD5
       session_cache: none
       session_timeout: 5m
+      trusted_cert: /etc/ssl/certs/root_CA_cert_plus_intermediates.crt
+      stapling: true
+      stapling_verify: true
     web_server:
       locations:
         default:

templates/http/default.conf.j2

@@ -54,6 +54,9 @@ server {
     listen {{ item.value.port }} ssl;
     ssl_certificate {{ item.value.ssl.cert }};
     ssl_certificate_key {{ item.value.ssl.key }};
+{% if item.value.ssl.trusted_cert is defined %}
+    ssl_trusted_certificate {{ item.value.ssl.trusted_cert }};
+{% endif %}
 {% if item.value.ssl.dhparam is defined %}
     ssl_dhparam {{ item.value.ssl.dhparam }};
 {% endif %}
@@ -69,6 +72,12 @@ server {
 {% if item.value.ssl.session_timeout is defined and item.value.ssl.session_timeout %}
     ssl_session_timeout {{ item.value.ssl.session_timeout }};
 {% endif %}
+{% if item.value.ssl.stapling is defined and item.value.ssl.stapling %}
+    ssl_stapling on;
+{% endif %}
+{% if item.value.ssl.stapling_verify is defined and item.value.ssl.stapling_verify %}
+    ssl_stapling_verify on;
+{% endif %}
 {% else %}
     listen {{ item.value.port }};
 {% endif %}