X-Git-Url: https://git.openstreetmap.org/chef.git/blobdiff_plain/0d8030b3a7ec9eaa6bc96c7dd39d835a00a7ace0..cdbed3e7ad8104a1b21bc88e446fd87465182638:/cookbooks/nginx/templates/default/nginx.conf.erb
diff --git a/cookbooks/nginx/templates/default/nginx.conf.erb b/cookbooks/nginx/templates/default/nginx.conf.erb
index 4b2c15fa0..ae0d8bd41 100644
--- a/cookbooks/nginx/templates/default/nginx.conf.erb
+++ b/cookbooks/nginx/templates/default/nginx.conf.erb
@@ -40,6 +40,11 @@ http {
 ssl_session_cache shared:SSL:50m;
 ssl_session_timeout 30m;
 ssl_stapling on;
+
+ # Validate the stapling response is signed by a trusted certificate
+ ssl_stapling_verify on;
+ ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
+
 ssl_dhparam /etc/ssl/certs/dhparam.pem;
 resolver <%= @resolvers.join(" ") %>;
 resolver_timeout 5s;
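Review bot: The new `ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;` is set at `http` scope, and nginx uses that file to verify client certificates as well as OCSP responses. Any vhost that inherits it and turns on `ssl_verify_client` would therefore accept a client certificate chaining to any CA in the system bundle, unless it overrides `ssl_trusted_certificate` in its own `server` block. Whether any vhost in this cookbook does that is not visible from the hunk, and the `http` block starts and ends outside it. I would extend the comment to say so, for example `# NOTE: also the trust store for ssl_verify_client; vhosts using client certs must override ssl_trusted_certificate`. It is also worth watching the error log after rollout, because a staple that fails verification is not sent rather than failing the handshake.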