remove deprecated ocsp, add proxy headers ive seen online

diff --git a/web-conf b/web-conf
index 5565ed263d95448068f65b38926111e470183fd3..1840195c96d5b2870f4876144b584de1d579c67a 100755 (executable)
--- a/web-conf
+++ b/web-conf
@@ -166,7 +166,7 @@ if [[ ! $oob_cert_dir ]] && $ssl; then
     # cerbot needs an existing virtualhost.
     $0 -p 80 $t $h
     # when generating an example config, add all relevant security options:
-    # --hsts --staple-ocsp --uir --must-staple
+    # --hsts --uir
     # --no-self-upgrade means don't try to upgrade certbot
     certbot certonly -n --email $email --no-self-upgrade \
             --agree-tos --${t%2} -d $h
@@ -404,11 +404,6 @@ ssl_prefer_server_ciphers on;
 # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
 add_header Strict-Transport-Security max-age=15768000;
 
-# OCSP Stapling ---
-# fetch OCSP records from URL in ssl_certificate and cache them
-ssl_stapling on;
-ssl_stapling_verify on;
-
 ## verify chain of trust of OCSP response using Root CA and Intermediate certs
 # ian: commented out, unnecessary for le certs or my nginx ver.
 #ssl_trusted_certificate $cert_dir/fullchain.pem;;
@@ -463,8 +458,10 @@ EOF
     proxy_set_header Host \$host;
     proxy_set_header X-Real-IP \$remote_addr;
     proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+    # i'm not sure about these two.
     proxy_set_header X-Forwarded-Ssl on;
-    proxy_set_header X-Forwarded-Port $port;
+    proxy_set_header X-Forwarded-Proto \$scheme;
+    proxy_set_header X-Forwarded-Port \$port;
     proxy_pass http://$proxy;
   }
 EOF