From 66db1f8fd075a0160915814b2a9d945f123efcf4 Mon Sep 17 00:00:00 2001 From: lub Date: Sat, 12 Sep 2020 01:32:03 +0200 Subject: [PATCH] add OCSP stapling to nginx.conf It's not added in tls.conf, because apparently the mail ssl module doesnt' support OCSP stapling. https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling ^ exists https://nginx.org/en/docs/mail/ngx_mail_ssl_module.html#ssl_stapling ^ missing When the configured certificate doesn't have OCSP information, it'll just log a warning during startup. --- core/nginx/conf/nginx.conf | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/core/nginx/conf/nginx.conf b/core/nginx/conf/nginx.conf
index 46db324f..bea822a5 100644
--- core/nginx/conf/nginx.conf
+++ core/nginx/conf/nginx.conf
@@ -58,6 +58,8 @@ http {
 listen [::]:443 ssl http2;
 include /etc/nginx/tls.conf;
+ ssl_stapling on;
+ ssl_stapling_verify on;
 ssl_session_cache shared:SSLHTTP:50m;
 add_header Strict-Transport-Security 'max-age=31536000';
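Review bot: `ssl_stapling_verify on;` is added without a visible `ssl_trusted_certificate`, and nginx needs the issuer, intermediate and root certificates configured as trusted for that verification to succeed; whether the included `/etc/nginx/tls.conf` already sets one cannot be seen from this hunk. If it does not, add `ssl_trusted_certificate <path-to-issuer-chain.pem>;` (placeholder path) next to the two new lines. The nginx documentation also says a `resolver` should be specified so the OCSP responder's hostname can be resolved, so it is worth confirming one is in scope for this `server` block. A short comment above the directives would keep the commit message's reasoning in the file, for example `# OCSP stapling: http only, ngx_mail_ssl_module has no ssl_stapling`. The enclosing `server` block begins and ends outside the hunk.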