From be5a9d8b8ee2b8802b0b0d002817401d030fd164 Mon Sep 17 00:00:00 2001
From: nd
Date: Thu, 16 Apr 2020 22:55:35 +0200
Subject: [PATCH] moved ssl_stapling to main config

---
 files/config/conf.d/ssl.conf | 6 +++---
 templates/vhost.conf.j2 | 2 --
 2 files changed, 3 insertions(+), 5 deletions(-)

diff --git a/files/config/conf.d/ssl.conf b/files/config/conf.d/ssl.conf
index 59e4749..f0ffbfd 100644
--- a/files/config/conf.d/ssl.conf
+++ b/files/config/conf.d/ssl.conf
@@ -8,9 +8,9 @@ ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECD
 ssl_prefer_server_ciphers on;

 # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
-add_header Strict-Transport-Security "max-age=15768000";
+add_header Strict-Transport-Security "max-age=15768000" always;

 # OCSP Stapling ---
 # fetch OCSP records from URL in ssl_certificate and cache them
-#ssl_stapling on;
-#ssl_stapling_verify on;
+ssl_stapling_verify on;
+ssl_stapling on;
diff --git a/templates/vhost.conf.j2 b/templates/vhost.conf.j2
index bf2ae04..8f8b5e3 100644
--- a/templates/vhost.conf.j2
+++ b/templates/vhost.conf.j2
@@ -64,7 +64,5 @@ server {
 {% if vhost.letsencrypt|d(False) %}
 ssl_certificate /etc/ssl/nginx_{{ vhost_name }}.chain.crt;
 ssl_certificate_key /etc/ssl/private/nginx_{{ vhost_name }}.key;
- ssl_stapling_verify on;
- ssl_stapling on;
 {% endif %}
 }
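Review bot: In the `files/config/conf.d/ssl.conf` hunk, `ssl_stapling_verify on;` and `ssl_stapling on;` are enabled with no `resolver` or `ssl_trusted_certificate` visible beside them. nginx needs a resolver to reach the OCSP responder and the issuer chain to verify its response, so unless both are set outside this hunk, no staple is served and only the error log shows it. I would add `resolver <RESOLVER_IP> valid=300s;` (placeholder address) and an `ssl_trusted_certificate <issuer-chain path>;` next to these lines, or a comment naming the file that defines them. The directives now also reach vhosts outside the `vhost.letsencrypt` branch that include this file, and a certificate without an OCSP responder URL there only produces a `"ssl_stapling" ignored` warning, so checking one vhost of each kind with `openssl s_client -status` after deploy is worthwhile. The HSTS line also deserves a comment such as `# inherited only by server/location blocks that define no add_header of their own`, since any vhost that sets its own header silently loses `Strict-Transport-Security`.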