From c8ca237ca77322c60e97de786b583b4479c66c8e Mon Sep 17 00:00:00 2001 From: root Date: Mon, 18 Sep 2017 18:50:55 +0200 Subject: [PATCH] reverse: add ocsp stapling support --- reverse/rootfs/nginx/conf.d/ocsp.conf | 4 ++++ reverse/rootfs/nginx/sites-enabled/template_ssl | 1 + reverse/rootfs/usr/local/bin/startup | 9 ++++++++- 3 files changed, 13 insertions(+), 1 deletion(-) create mode 100644 reverse/rootfs/nginx/conf.d/ocsp.conf diff --git a/reverse/rootfs/nginx/conf.d/ocsp.conf b/reverse/rootfs/nginx/conf.d/ocsp.conf new file mode 100644 index 0000000..c76be2f --- /dev/null +++ b/reverse/rootfs/nginx/conf.d/ocsp.conf @@ -0,0 +1,4 @@ +ssl_stapling on; +ssl_stapling_verify on; +resolver 84.200.69.80 84.200.70.40 valid=300s; +resolver_timeout 5s; diff --git a/reverse/rootfs/nginx/sites-enabled/template_ssl b/reverse/rootfs/nginx/sites-enabled/template_ssl index d8d8206..180ac47 100644 --- a/reverse/rootfs/nginx/sites-enabled/template_ssl +++ b/reverse/rootfs/nginx/sites-enabled/template_ssl @@ -18,6 +18,7 @@ server { include /nginx/conf.d/ssl.conf; include /nginx/conf.d/headers.conf; include /nginx/conf.d/hsts.conf; + include /nginx/conf.d/ocsp.conf; include /nginx/path.d//*.conf; diff --git a/reverse/rootfs/usr/local/bin/startup b/reverse/rootfs/usr/local/bin/startup index 7385a3a..bfccc0c 100644 --- a/reverse/rootfs/usr/local/bin/startup +++ b/reverse/rootfs/usr/local/bin/startup @@ -42,6 +42,9 @@ f_gen_sites_enabled() { if [ "${FRONTEND_HEADERS}" == "false" ]; then sed -i -e "s|include /nginx/conf.d/headers.conf|#include /nginx/conf.d/headers.conf|g" /nginx/sites-enabled/${FRONTEND_DOMAIN}.conf fi + if [ "${FRONTEND_OCSP}" == "false" ]; then + sed -i -e "s|include /nginx/conf.d/ocsp.conf|#include /nginx/conf.d/ocsp.conf|g" /nginx/sites-enabled/${FRONTEND_DOMAIN}.conf + fi } f_gen_location() { @@ -109,6 +112,7 @@ f_make_conf() { FRONTEND_AUTH="" FRONTEND_HSTS=true FRONTEND_HEADERS=true + FRONTEND_OCSP=true container_name=$1 IFS=$'\n' 
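Review bot: `ssl_stapling_verify on;` on the second line of the new file only does something if nginx can validate the OCSP response's signing chain, which (per the nginx docs, as far as I recall) requires the issuer and intermediate certificates to be configured with `ssl_trusted_certificate`; this file sets neither, so unless the included ssl.conf already does, nginx will warn at startup and quietly not staple, and a reader of this file cannot tell which. Either add `ssl_trusted_certificate /path/to/chain.pem;` next to the stapling directives or leave a comment stating where the chain is expected to come from. The two `resolver` addresses are hard-coded third-party public DNS servers queried over plain DNS from inside the container, so stapling silently depends on egress to them and on their answers; a comment such as `# public resolvers for OCSP responder lookups; override if the container has no external egress` and an env-driven override would make that explicit. If the host has no IPv6 route, consider `ipv6=off` on the resolver line, otherwise AAAA lookups may stall for up to `resolver_timeout` before a staple is fetched.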
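Review bot: The added `if [ "${FRONTEND_OCSP}" == "false" ]` in f_gen_sites_enabled disables stapling only for the exact lowercase string `false`, so a label value of `False`, `no` or `0` silently leaves `ssl_stapling on` in the generated site. This mirrors the existing hsts/headers checks above it, so a normalizing compare would be best applied to all three, e.g. `if [ "$(printf '%s' "${FRONTEND_OCSP}" | tr '[:upper:]' '[:lower:]')" == "false" ]; then`. Note too that the `sed -i` succeeds even when the include line is absent from the generated file, so a template missing the ocsp include would not be noticed here. f_gen_sites_enabled begins before this hunk.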
@@ -140,12 +144,15 @@ f_make_conf() {
 "reverse.frontend.hsts")
 FRONTEND_HSTS="$(echo ${label} | awk '{print $2}')"
 ;;
+ "reverse.frontend.ocsp")
+ FRONTEND_OCSP="$(echo ${label} | awk '{print $2}')"
+ ;;
 "reverse.backend.port")
 BACKEND_PORT="$(echo ${label} | awk '{print $2}')"
 ;;
 esac
 done
- f_log INF "Generate files for ${FRONTEND_DOMAIN}, with path=${FRONTEND_PATH}, auth=${FRONTEND_AUTH}, hsts=${FRONTEND_HEADERS}, ssl_type=${FRONTEND_SSLTYPE}, ssl=${FRONTEND_SSL}, hsts=${FRONTEND_HSTS} and port=${BACKEND_PORT}"
+ f_log INF "Generate files for ${FRONTEND_DOMAIN}, with path=${FRONTEND_PATH}, auth=${FRONTEND_AUTH}, headers=${FRONTEND_HEADERS}, ssl_type=${FRONTEND_SSLTYPE}, ssl=${FRONTEND_SSL}, hsts=${FRONTEND_HSTS}, ocsp=${FRONTEND_OCSP} and port=${BACKEND_PORT}"
 f_gen_location ${container_name}
 f_gen_sites_enabled
 f_gen_certs ${container_name}
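Review bot: The added `FRONTEND_OCSP="$(echo ${label} | awk '{print $2}')"` expands `${label}` unquoted, so the label text is word-split and glob-expanded by the shell before awk sees it; a value containing `*` or `?` would be replaced by matching filenames in the current directory. Quote it, `FRONTEND_OCSP="$(echo "${label}" | awk '{print $2}')"`, since the value presumably originates from a container label rather than from this script. The neighbouring hsts and backend.port lines have the same shape, so a follow-up could quote all of them together. The f_log change correctly relabels the `${FRONTEND_HEADERS}` field as `headers=`; the enclosing f_make_conf starts before this hunk.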