OCSP Stapling (#533)

* [enh] Jinja templating * [enh] try to enable OCSP * typo * [mod] use jq (json parsing) * typo * well escaping "" :) * [fix] if 2d part condition * We need to include this for ynh_render_template to be available >.> ... * Simplify code * Gotta export domain too... * Remove quotes in variable itself.. * Replace previous code blocks by new code
2024-09-03 20:06:10 +02:00 · 2018-10-27 16:38:25 +02:00 · 2018-10-27 16:38:25 +02:00 · fa66a7b8c7
commit fa66a7b8c7
parent a16b6f08f5
2 changed files with 18 additions and 7 deletions
--- a/data/hooks/conf_regen/15-nginx
+++ b/data/hooks/conf_regen/15-nginx
@ -2,6 +2,8 @@

 set -e

+. /usr/share/yunohost/helpers.d/utils
+
 do_init_regen() {
  if [[ $EUID -ne 0 ]]; then
    echo "You must be root to run this script" 1>&2
@ -42,18 +44,18 @@ do_pre_regen() {
    mkdir -p "$mail_autoconfig_dir"

    # NGINX server configuration
-    cat server.tpl.conf \
-      | sed "s/{{ domain }}/${domain}/g" \
-      > "${nginx_conf_dir}/${domain}.conf"
-
-    cat autoconfig.tpl.xml \
-      | sed "s/{{ domain }}/${domain}/g" \
-      > "${mail_autoconfig_dir}/config-v1.1.xml"
+    export domain
+    export domain_cert_ca=$(yunohost domain cert-status $domain --json \
+                            | jq ".certificates.\"$domain\".CA_type" \
+                            | tr -d '"')

+    ynh_render_template "server.tpl.conf" "${nginx_conf_dir}/${domain}.conf"
+    ynh_render_template "autoconfig.tpl.xml" "${mail_autoconfig_dir}/config-v1.1.xml"

    [[ $main_domain != $domain ]] \
      && touch "${domain_conf_dir}/yunohost_local.conf" \
      || cp yunohost_local.conf "${domain_conf_dir}/yunohost_local.conf"
+
  done

  # remove old domain conf files
--- a/data/templates/nginx/server.tpl.conf
+++ b/data/templates/nginx/server.tpl.conf
@ -68,6 +68,15 @@ server {
    add_header X-Permitted-Cross-Domain-Policies none;
    add_header X-Frame-Options "SAMEORIGIN";

+    {% if domain_cert_ca == "Let's Encrypt" %}
+    # OCSP settings
+    ssl_stapling on;
+    ssl_stapling_verify on;
+    ssl_trusted_certificate /etc/yunohost/certs/{{ domain }}/crt.pem;
+    resolver 127.0.0.1 127.0.1.1 valid=300s;
+    resolver_timeout 5s;
+    {% endif %}
+
    access_by_lua_file /usr/share/ssowat/access.lua;

    include conf.d/{{ domain }}.d/*.conf;