OCSP Stapling added #798
base: main
Conversation
@adityapatadia Thank you for the contribution 👍 I understand how enabling OCSP stapling can be useful but I would like to understand further why you are proposing this as a default for all Discourse instances that uses web.letsencrypt.ssl.template.yml.
@@ -125,6 +125,10 @@ hooks: | |||
to: | | |||
ssl_certificate_key /shared/ssl/$$ENV_DISCOURSE_HOSTNAME.key; | |||
ssl_certificate_key /shared/ssl/$$ENV_DISCOURSE_HOSTNAME_ecc.key; | |||
ssl_stapling on; | |||
ssl_stapling_verify on; |
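Review bot: `ssl_stapling_verify on;` is turned on in this hunk without an `ssl_trusted_certificate` directive pointing at the issuer and intermediate certificates, which the nginx documentation quoted in this thread says verification needs, and the hunk adds no `resolver` either, which nginx needs to look up the OCSP responder host named in the certificate unless the template already sets one elsewhere. Neither omission stops nginx from starting: it logs a warning and serves no stapled response, so the change can look applied while having no effect. Suggest adding `ssl_trusted_certificate /shared/ssl/<chain-file>;` (placeholder; the template's chain file name is not visible in the hunk) and a `resolver` directive next to these two lines, and confirming on a running instance that `openssl s_client -status` reports an OCSP response.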
According to Nginx's doc,
For verification to work, the certificate of the server certificate issuer, the root certificate, and all intermediate certificates should be configured as trusted using the ssl_trusted_certificate directive.
Are we missing the ssl_trusted_certificate directive for this to work?
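As an added example, not code from the PR or from the Discourse template, this is the nginx server-block fragment the quoted documentation is describing: the two directives from the PR on their own, beside the form that gives nginx what it needs to fetch and verify the OCSP response. The chain path and resolver address are assumptions; only the /shared/ssl/ prefix follows the key paths in the PR.

```nginx
# As submitted: verification is requested, but nginx has no trust anchors
# to verify the OCSP response against and no resolver to reach the responder.
# It logs a warning at request time and sends no staple; nothing fails loudly.
#
#   ssl_stapling on;
#   ssl_stapling_verify on;

# Corrected form:
ssl_stapling on;
ssl_stapling_verify on;

# Issuer and intermediate certificates used to verify the OCSP response.
# Path is an assumption; it must hold the CA chain, not the leaf certificate.
ssl_trusted_certificate /shared/ssl/chain.pem;

# nginx resolves the OCSP responder hostname from the certificate's AIA
# extension itself, so it needs a resolver. Address is an assumption.
resolver 127.0.0.53 valid=300s;
resolver_timeout 5s;
```

To confirm a running instance actually staples, run `openssl s_client -connect <host>:443 -servername <host> -status </dev/null` and look for "OCSP Response Status: successful" in the output; a missing "OCSP response" block means the directives are present but not taking effect.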
It's not required.
That’s because all users who use Docker will benefit from increased speed.
We expect most users will be using Let's Encrypt and it’s best to have OCSP.
If there is not a good reason to disable it, it should be enabled for all.
Regards,
Aditya Patadia
On Thu, 9 May 2024 at 1:05 PM, Alan Guo Xiang Tan wrote:
@adityapatadia Thank you for the contribution 👍 I understand how enabling OCSP stapling can be useful but I would like to understand further why you are proposing this as a default for all Discourse instances that uses web.letsencrypt.ssl.template.yml.