From: Ian Kelling
Date: Thu, 5 Feb 2026 23:12:04 +0000 (-0500)
Subject: remove deprecated ocsp, add proxy headers ive seen online
X-Git-Url: https://iankelling.org/git/?a=commitdiff_plain;h=HEAD;p=basic-https-conf
remove deprecated ocsp, add proxy headers ive seen online
---
diff --git a/web-conf b/web-conf
index 5565ed2..1840195 100755
--- a/web-conf
+++ b/web-conf
@@ -166,7 +166,7 @@ if [[ ! $oob_cert_dir ]] && $ssl; then
 # cerbot needs an existing virtualhost.
 $0 -p 80 $t $h
 # when generating an example config, add all relevant security options:
-# --hsts --staple-ocsp --uir --must-staple
+# --hsts --uir
 # --no-self-upgrade means don't try to upgrade certbot
 certbot certonly -n --email $email --no-self-upgrade \
 --agree-tos --${t%2} -d $h
@@ -404,11 +404,6 @@ ssl_prefer_server_ciphers on;
 # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
 add_header Strict-Transport-Security max-age=15768000;
 
-# OCSP Stapling ---
-# fetch OCSP records from URL in ssl_certificate and cache them
-ssl_stapling on;
-ssl_stapling_verify on;
-
 ## verify chain of trust of OCSP response using Root CA and Intermediate certs
 # ian: commented out, unnecessary for le certs or my nginx ver.
 #ssl_trusted_certificate $cert_dir/fullchain.pem;;
@@ -463,8 +458,10 @@ EOF
 proxy_set_header Host \$host;
 proxy_set_header X-Real-IP \$remote_addr;
 proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+# i'm not sure about these two.
 proxy_set_header X-Forwarded-Ssl on;
-proxy_set_header X-Forwarded-Port $port;
+proxy_set_header X-Forwarded-Proto \$scheme;
+proxy_set_header X-Forwarded-Port \$port;
 proxy_pass http://$proxy;
 }
 EOF
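Review bot: Dropping `--must-staple` from the suggested certbot options while the same commit removes `ssl_stapling` from the nginx template leaves any certificate that was previously issued with the must-staple (TLS Feature) extension being served without a stapled OCSP response, which clients that enforce that extension reject; the comment change does not mention that such certificates need to be reissued. Whether any deployed certificate carries the extension is not visible here, so this may be moot, but a one-line note would save a future reader the surprise, e.g. `# certs issued earlier with --must-staple must be reissued now that stapling is off`. The enclosing `if [[ ! $oob_cert_dir ]] && $ssl` block continues past the end of the hunk.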
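Review bot: `proxy_set_header X-Forwarded-Port \$port;` now escapes the dollar, so the generated config asks nginx for a `$port` variable instead of interpolating the script's `$port`, and I do not find `$port` among nginx's built-in variables; unless it is defined elsewhere in the template, nginx will refuse the config at load with an unknown-variable error, and `proxy_set_header X-Forwarded-Port \$server_port;` (or the original unescaped `$port`) is what this header normally carries. The added `# i'm not sure about these two.` sits above `X-Forwarded-Ssl`, so it is ambiguous whether "these two" are Ssl/Proto or Proto/Port; naming them, e.g. `# unsure whether X-Forwarded-Proto/Port are needed by the backend`, would make the intent clear. `X-Forwarded-Proto \$scheme` is fine as long as the backend only accepts these headers from this proxy; the heredoc that holds this server block begins outside the hunk, so I cannot see whether a plain-http server block also proxies to it.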