Add option to disable OCSP stapling

configuration.md

@@ -502,6 +502,9 @@ https://www.openssl.org/docs/manmaster/apps/dhparam.html
 https://wiki.mozilla.org/Security/Server_Side_TLS#DHE_handshake_and_dhparam
 http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_dhparam
 
+**ssl-enable-ocsp:** Enable the stapling of OCSP responses. Ingress must have internet access when this option is enabled
+http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
+
 **ssl-protocols:** Sets the [SSL protocols](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols) to use.
 The default is: `TLSv1.2`.
 
@@ -615,6 +618,7 @@ The following table shows the options, the default value and a description.
 |ssl-buffer-size|4k|
 |ssl-ciphers||
 |ssl-dh-param|value from openssl|
+|ssl-enable-ocsp|"true"
 |ssl-protocols|TLSv1 TLSv1.1 TLSv1.2|
 |ssl-session-cache|"true"|
 |ssl-session-cache-size|10m|

pkg/nginx/config/config.go

@@ -289,6 +289,11 @@ type Configuration struct {
 	// http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_dhparam
 	SSLDHParam string `json:"ssl-dh-param,omitempty"`
 
+	// Enables or disables the stapling of OCSP responses to verify Certificates
+	// If enabled, Ingress must have internet access
+	// http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
+	SSLEnableOCSP bool `json:"ssl-enable-ocsp"`
+
 	// SSL enabled protocols to use
 	// http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols
 	SSLProtocols string `json:"ssl-protocols,omitempty"`
@@ -452,6 +457,7 @@ func NewDefault() Configuration {
 		SSLBufferSize:              sslBufferSize,
 		SSLCiphers:                 sslCiphers,
 		SSLECDHCurve:               "auto",
+		SSLEnableOCSP:              true,
 		SSLProtocols:               sslProtocols,
 		SSLSessionCache:            true,
 		SSLSessionCacheSize:        sslSessionCacheSize,

rootfs/etc/nginx/template/nginx.tmpl

@@ -584,10 +584,12 @@ stream {
         ssl_certificate_key                     {{ $server.SSLCertificate }};
         {{ if not (empty $server.SSLFullChainCertificate)}}
         ssl_trusted_certificate                 {{ $server.SSLFullChainCertificate }};
+        {{ if $cfg.SSLEnableOCSP }}
         ssl_stapling                            on;
         ssl_stapling_verify                     on;
         {{ end }}
         {{ end }}
+        {{ end }}
 
         {{ if (and (not (empty $server.SSLCertificate)) $all.Cfg.HSTS) }}
         more_set_headers                        "Strict-Transport-Security: max-age={{ $all.Cfg.HSTSMaxAge }}{{ if $all.Cfg.HSTSIncludeSubdomains }}; includeSubDomains{{ end }};{{ if $all.Cfg.HSTSPreload }} preload{{ end }}";