
Commit e0b9765

committed
fix(nginx-proxy): Fix http2 duplication and add SSL_STAPLING control
- Fix the 'protocol options redefined' warning by placing the `http2` directive once per server block instead of after each `listen` directive
- Add an `SSL_STAPLING` env var (default: `on`) to control OCSP stapling
- Set `SSL_STAPLING=off` to suppress 'ssl_stapling ignored' warnings for certificates without OCSP responder URLs
- Update the README with `SSL_STAPLING` documentation
1 parent 409962c commit e0b9765

2 files changed

Lines changed: 8 additions & 7 deletions


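--- a/nginx-proxy/README.md
+++ b/nginx-proxy/README.md
@@ -139,6 +139,7 @@ deny all;
 | `VIRTUAL_PROTO` | Protocol (`http`, `https`, `uwsgi`, `fastcgi`) | `http` |
 | `HTTPS_METHOD` | `redirect`, `noredirect`, `nohttps` | `redirect` |
 | `SSL_POLICY` | SSL/TLS policy | `Mozilla-Modern` |
+| `SSL_STAPLING` | Enable OCSP stapling (`on` or `off`) | `on` |
 | `HSTS` | HSTS header value | `max-age=31536000` |
 | `CERT_NAME` | Custom certificate name | auto-detected |
 | `NETWORK_ACCESS` | `external` or `internal` | `external` |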

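--- a/nginx-proxy/nginx.tmpl
+++ b/nginx-proxy/nginx.tmpl
@@ -289,11 +289,10 @@ server {
 server {
 server_name _; # This is just an invalid value which will never trigger on a real hostname.
 listen 443 ssl default_server;
-http2 on;
 {{ if $enable_ipv6 }}
 listen [::]:443 ssl default_server;
-http2 on;
 {{ end }}
+http2 on;
 
 root /etc/nginx/html;
 
@@ -358,6 +357,9 @@ server {
 {{/* Get the HSTS defined by containers w/ the same vhost, falling back to "max-age=31536000" */}}
 {{ $hsts := or (first (groupByKeys $containers "Env.HSTS")) "max-age=31536000" }}
 
+{{/* Get the SSL_STAPLING defined by containers w/ the same vhost, falling back to "on" */}}
+{{ $ssl_stapling := or (first (groupByKeys $containers "Env.SSL_STAPLING")) "on" }}
+
 {{/* Get the VIRTUAL_ROOT By containers w/ use fastcgi root */}}
 {{ $vhost_root := or (first (groupByKeys $containers "Env.VIRTUAL_ROOT")) "/var/www/public" }}
 
@@ -393,11 +395,10 @@ server {
 server {
 server_name {{ $host }};
 listen 443 ssl {{ $default_server }};
-http2 on;
 {{ if $enable_ipv6 }}
 listen [::]:443 ssl {{ $default_server }};
-http2 on;
 {{ end }}
+http2 on;
 
 {{ if eq $network_tag "internal" }}
 # Only allow traffic from internal clients
@@ -445,7 +446,7 @@ server {
 ssl_dhparam {{ printf "/etc/nginx/certs/%s.dhparam.pem" $cert }};
 {{ end }}
 
-{{ if (exists (printf "/etc/nginx/certs/%s.chain.pem" $cert)) }}
+{{ if (and (eq $ssl_stapling "on") (exists (printf "/etc/nginx/certs/%s.chain.pem" $cert))) }}
 ssl_stapling on;
 ssl_stapling_verify on;
 ssl_trusted_certificate {{ printf "/etc/nginx/certs/%s.chain.pem" $cert }};
@@ -555,11 +556,10 @@ server {
 server {
 server_name {{ $host }};
 listen 443 ssl {{ $default_server }};
-http2 on;
 {{ if $enable_ipv6 }}
 listen [::]:443 ssl {{ $default_server }};
-http2 on;
 {{ end }}
+http2 on;
 return 500;
 
 ssl_certificate /etc/nginx/certs/default.crt;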
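Review bot: The new `SSL_STAPLING` guard in the `ssl_stapling` hunk is an exact, case-sensitive comparison, so any value other than the literal `on` (`ON`, `true`, `1`, a trailing space) silently disables OCSP stapling for that vhost even though the README documents only `on`/`off`. Inverting the test keeps stapling as the fail-safe default and limits the opt-out to the documented value: `{{ if (and (ne $ssl_stapling "off") (exists (printf "/etc/nginx/certs/%s.chain.pem" $cert))) }}`. Since `$ssl_stapling` is only compared and never emitted into the generated config, the env value cannot inject directives; the `first (groupByKeys …)` lookup does mean whichever container comes first wins when containers on the same vhost disagree, which matches the existing `HSTS` pattern but is worth a one-line comment. The `server` block containing this hunk starts and ends outside the hunk.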
