From: Grant Slater Date: Thu, 22 Aug 2019 19:31:18 +0000 (+0100) Subject: nginx: Add ssl_stapling validation X-Git-Url: https://git.openstreetmap.org/chef.git/commitdiff_plain/cdbed3e7ad8104a1b21bc88e446fd87465182638?ds=sidebyside nginx: Add ssl_stapling validation
---
diff --git a/cookbooks/nginx/templates/default/nginx.conf.erb b/cookbooks/nginx/templates/default/nginx.conf.erb
index 4b2c15fa0..ae0d8bd41 100644
--- a/cookbooks/nginx/templates/default/nginx.conf.erb
+++ b/cookbooks/nginx/templates/default/nginx.conf.erb
@@ -40,6 +40,11 @@ http {
 ssl_session_cache shared:SSL:50m;
 ssl_session_timeout 30m;
 ssl_stapling on;
+
+ # Validate the stapling response is signed by a trusted certificate
+ ssl_stapling_verify on;
+ ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
+
 ssl_dhparam /etc/ssl/certs/dhparam.pem;
 resolver <%= @resolvers.join(" ") %>;
 resolver_timeout 5s;
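Review bot: The added comment above `ssl_stapling_verify on;` overstates what the directive guarantees: as far as I recall, when nginx cannot verify an OCSP response it logs a warning and simply omits the staple, so the TLS handshake still succeeds and most clients fall back to their own revocation checks without anyone noticing. That makes a misconfiguration here (for example a chain that cannot be built from `/etc/ssl/certs/ca-certificates.crt` because the intermediate is absent from the server's certificate file) fail open and silent, so it is worth pairing this change with an external check that a staple is actually being served, and watching the error log for OCSP verification failures. I would reword the comment to `# Verify the OCSP response signature against the trusted chain; on failure nginx logs a warning and serves no staple rather than failing the handshake`. Note too that `ssl_trusted_certificate` is also the trust anchor set nginx uses for client certificate verification if `ssl_verify_client` is enabled anywhere in this file, which pointing it at the whole system bundle may not intend; the enclosing `http {` block continues outside the hunk, so I cannot confirm either way.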