From 5768f8ef0147cebf201820506eff34adc597bc99 Mon Sep 17 00:00:00 2001
From: Ricardo Pchevuzinske Katz
Date: Thu, 12 Oct 2017 19:08:52 -0300
Subject: [PATCH] Add option to disable OCSP stapling

---
 configuration.md                     | 4 ++++
 pkg/nginx/config/config.go           | 6 ++++++
 rootfs/etc/nginx/template/nginx.tmpl | 2 ++
 3 files changed, 12 insertions(+)

diff --git a/configuration.md b/configuration.md
index bc948d47c..fdc38b19b 100644
--- a/configuration.md
+++ b/configuration.md
@@ -502,6 +502,9 @@ https://www.openssl.org/docs/manmaster/apps/dhparam.html
 https://wiki.mozilla.org/Security/Server_Side_TLS#DHE_handshake_and_dhparam
 http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_dhparam
 
+**ssl-enable-ocsp:** Enable the stapling of OCSP responses. Ingress must have internet access when this option is enabled
+http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
+
 **ssl-protocols:** Sets the [SSL protocols](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols) to use.
 The default is: `TLSv1.2`.
 
@@ -615,6 +618,7 @@ The following table shows the options, the default value and a description.
 |ssl-buffer-size|4k|
 |ssl-ciphers||
 |ssl-dh-param|value from openssl|
+|ssl-enable-ocsp|"true"
 |ssl-protocols|TLSv1 TLSv1.1 TLSv1.2|
 |ssl-session-cache|"true"|
 |ssl-session-cache-size|10m|
diff --git a/pkg/nginx/config/config.go b/pkg/nginx/config/config.go
index 7fc777e06..793ca1b08 100644
--- a/pkg/nginx/config/config.go
+++ b/pkg/nginx/config/config.go
@@ -289,6 +289,11 @@ type Configuration struct {
 	// http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_dhparam
 	SSLDHParam string `json:"ssl-dh-param,omitempty"`
 
+	// Enables or disables the stapling of OCSP responses to verify Certificates
+	// If enabled, Ingress must have internet access
+	// http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
+	SSLEnableOCSP bool `json:"ssl-enable-ocsp"`
+
 	// SSL enabled protocols to use
 	// http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols
 	SSLProtocols string `json:"ssl-protocols,omitempty"`
@@ -452,6 +457,7 @@ func NewDefault() Configuration {
 		SSLBufferSize:       sslBufferSize,
 		SSLCiphers:          sslCiphers,
 		SSLECDHCurve:        "auto",
+		SSLEnableOCSP:       true,
 		SSLProtocols:        sslProtocols,
 		SSLSessionCache:     true,
 		SSLSessionCacheSize: sslSessionCacheSize,
diff --git a/rootfs/etc/nginx/template/nginx.tmpl b/rootfs/etc/nginx/template/nginx.tmpl
index caaec9282..b939d7202 100644
--- a/rootfs/etc/nginx/template/nginx.tmpl
+++ b/rootfs/etc/nginx/template/nginx.tmpl
@@ -584,10 +584,12 @@ stream {
         ssl_certificate_key {{ $server.SSLCertificate }};
         {{ if not (empty $server.SSLFullChainCertificate)}}
         ssl_trusted_certificate {{ $server.SSLFullChainCertificate }};
+        {{ if $cfg.SSLEnableOCSP }}
         ssl_stapling on;
         ssl_stapling_verify on;
         {{ end }}
         {{ end }}
+        {{ end }}
 
         {{ if (and (not (empty $server.SSLCertificate)) $all.Cfg.HSTS) }}
         more_set_headers "Strict-Transport-Security: max-age={{ $all.Cfg.HSTSMaxAge }}{{ if $all.Cfg.HSTSIncludeSubdomains }}; includeSubDomains{{ end }};{{ if $all.Cfg.HSTSPreload }} preload{{ end }}";
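Review bot: The doc comment on the new `SSLEnableOCSP` field says the stapled responses are used "to verify Certificates", which inverts what the directive does: `ssl_stapling` makes nginx fetch the CA's OCSP response for its own server certificate and attach it to the TLS handshake so clients need not contact the responder themselves, `ssl_stapling_verify` makes nginx check that fetched response, and neither verifies the server certificate. Because this is a security-relevant knob, the comment should also say what switching it off costs: revocation checking falls back to the client (typically soft-fail or none), and a certificate issued with the OCSP Must-Staple extension will be rejected by conforming clients once the staple disappears. I would replace the three comment lines with `// Enables or disables OCSP stapling (ssl_stapling): nginx fetches the OCSP response for its server certificate and sends it in the TLS handshake.`, `// Disabling it leaves revocation checking to the client and breaks certificates that carry the OCSP Must-Staple extension.` and `// When enabled, nginx must be able to resolve and reach the OCSP responder named in the certificate's AIA extension.`. The Configuration struct starts and ends outside the hunk.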
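Review bot: The new guard reads the flag as `$cfg.SSLEnableOCSP` while the HSTS condition two lines below reads the same configuration as `$all.Cfg.HSTS`; mixing both spellings in one block leaves a reader unsure whether they name the same object, and since `$cfg` is presumably bound earlier in the file (not visible here) the added line should follow whichever form the surrounding server block already uses, e.g. `{{ if $all.Cfg.SSLEnableOCSP }}`. The nesting itself is right: the guard sits inside the `SSLFullChainCertificate` check, so `ssl_stapling_verify on` is still emitted only together with `ssl_trusted_certificate`, which it requires. One operational caveat deserves a template comment above the guard, such as `# OCSP stapling needs a resolver directive and outbound access to the responder in the certificate's AIA extension; nginx serves without a staple if the fetch fails`, because the hunk does not show whether a `resolver` is configured anywhere and the documented "internet access" requirement is best-effort rather than fatal. The enclosing server block and the outer `{{ if }}` closed by the final `{{ end }}` start outside the hunk.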