diff --git a/backend/doc/api.swagger.json b/backend/doc/api.swagger.json
index 3fa19fc4..ae2caf5a 100644
--- a/backend/doc/api.swagger.json
+++ b/backend/doc/api.swagger.json
@@ -96,6 +96,7 @@
 "locations": [],
 "hsts_enabled": 0,
 "hsts_subdomains": 0,
+ "ocsp_stapling": 0,
 "owner": {
 "id": 1,
 "created_on": "2023-03-30T01:11:50.000Z",
@@ -138,6 +139,7 @@
 "locations": [],
 "hsts_enabled": 0,
 "hsts_subdomains": 0,
+ "ocsp_stapling": 0,
 "owner": {
 "id": 1,
 "created_on": "2023-03-30T01:11:50.000Z",
@@ -216,6 +218,7 @@
 "locations": [],
 "hsts_enabled": 0,
 "hsts_subdomains": 0,
+ "ocsp_stapling": 0,
 "certificate": null,
 "owner": {
 "id": 1,
@@ -1125,6 +1128,7 @@
 "enabled",
 "locations",
 "hsts_enabled",
+ "ocsp_stapling",
 "hsts_subdomains",
 "certificate",
 "use_default_location",
@@ -1211,6 +1215,9 @@
 "hsts_subdomains": {
 "type": "integer"
 },
+ "ocsp_stapling": {
+ "type": "integer"
+ },
 "certificate": {
 "type": "object",
 "nullable": true
diff --git a/backend/internal/host.js b/backend/internal/host.js
index 58e1d09a..92245e20 100644
--- a/backend/internal/host.js
+++ b/backend/internal/host.js
@@ -22,6 +22,7 @@ const internalHost = {
 if (!combined_data.certificate_id) {
 combined_data.ssl_forced = false;
 combined_data.http2_support = false;
+ combined_data.ocsp_stapling = false;
 }
 
 if (!combined_data.ssl_forced) {
diff --git a/backend/internal/nginx.js b/backend/internal/nginx.js
index 77933e73..172c2460 100644
--- a/backend/internal/nginx.js
+++ b/backend/internal/nginx.js
@@ -155,7 +155,7 @@ const internalNginx = {
 let locationCopy = Object.assign({}, {access_list_id: host.access_list_id}, {certificate_id: host.certificate_id}, {ssl_forced: host.ssl_forced}, {caching_enabled: host.caching_enabled}, {block_exploits: host.block_exploits}, {allow_websocket_upgrade: host.allow_websocket_upgrade}, {http2_support: host.http2_support},
- {hsts_enabled: host.hsts_enabled}, {hsts_subdomains: host.hsts_subdomains}, {access_list: host.access_list},
+ {hsts_enabled: host.hsts_enabled}, {hsts_subdomains: host.hsts_subdomains}, {ocsp_stapling: host.ocsp_stapling}, {access_list: host.access_list},
 {certificate: host.certificate}, host.locations[i]);
 if (locationCopy.forward_host.indexOf('/') > -1) {
diff --git a/backend/migrations/20230823010130_ocsp.js b/backend/migrations/20230823010130_ocsp.js
new file mode 100644
index 00000000..43efb93d
--- /dev/null
+++ b/backend/migrations/20230823010130_ocsp.js
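Review bot: The added `{ocsp_stapling: host.ocsp_stapling}` continues the one-key-per-object pattern of this `Object.assign` call, which is a point of style rather than correctness: the changed line reads more directly as one literal, `{hsts_enabled: host.hsts_enabled, hsts_subdomains: host.hsts_subdomains, ocsp_stapling: host.ocsp_stapling, access_list: host.access_list},` in place of four separate objects. Collapsing only this line would leave the rest of the call in the old shape, so it is worth doing for the whole argument list or not at all. The enclosing method of `internalNginx` starts and ends outside the hunk.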
@@ -0,0 +1,49 @@
+const migrate_name = 'ocsp';
+const logger = require('../logger').migrate;
+
+/**
+ * Migrate
+ *
+ * @see http://knexjs.org/#Schema
+ *
+ * @param {Object} knex
+ * @param {Promise} Promise
+ * @returns {Promise}
+ */
+exports.up = function (knex/*, Promise*/) {
+ logger.info('[' + migrate_name + '] Migrating Up...');
+
+ return knex.schema.table('proxy_host', function (proxy_host) {
+ proxy_host.integer('ocsp_stapling').notNull().unsigned().defaultTo(0);
+ })
+ .then(() => {
+ logger.info('[' + migrate_name + '] proxy_host Table altered');
+
+ return knex.schema.table('redirection_host', function (redirection_host) {
+
+ redirection_host.integer('ocsp_stapling').notNull().unsigned().defaultTo(0);
+ });
+ })
+ .then(() => {
+ logger.info('[' + migrate_name + '] redirection_host Table altered');
+
+ return knex.schema.table('dead_host', function (dead_host) {
+ dead_host.integer('ocsp_stapling').notNull().unsigned().defaultTo(0);
+ });
+ })
+ .then(() => {
+ logger.info('[' + migrate_name + '] dead_host Table altered');
+ });
+};
+
+/**
+ * Undo Migrate
+ *
+ * @param {Object} knex
+ * @param {Promise} Promise
+ * @returns {Promise}
+ */
+exports.down = function (knex, Promise) {
+ logger.warn('[' + migrate_name + '] You can\'t migrate down this one.');
+ return Promise.resolve(true);
+};
diff --git a/backend/schema/definitions.json b/backend/schema/definitions.json
index 640093a0..4adbf18d 100644
--- a/backend/schema/definitions.json
+++ b/backend/schema/definitions.json
@@ -217,6 +217,11 @@
 "example": false,
 "type": "boolean"
 },
+ "ocsp_stapling": {
+ "description": "Is OCSP Stapling Enabled",
+ "example": false,
+ "type": "boolean"
+ },
 "ssl_provider": {
 "type": "string",
 "pattern": "^(letsencrypt|other)$"
diff --git a/backend/schema/endpoints/dead-hosts.json b/backend/schema/endpoints/dead-hosts.json
index 0c73c3be..ee81f1cd 100644
--- a/backend/schema/endpoints/dead-hosts.json
+++ b/backend/schema/endpoints/dead-hosts.json
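Review bot: `exports.down` does not reverse the schema change — it logs a warning and resolves `true`, so the three `ocsp_stapling` columns survive a rollback and a subsequent `up` on the same database would likely fail on the already-present column. knex's `table.dropColumn('ocsp_stapling')` can undo each `knex.schema.table(...)` call with the same chain shape `up` uses, as below; if the project deliberately treats migrations as one-way, a comment on `down` stating that is clearer than the log line alone. The `Promise` parameter is also commented out in `up` but used in `down`; with the rewrite below it becomes unused in both and can be commented out the same way.
```javascript
exports.down = function (knex/*, Promise*/) {
	logger.info('[' + migrate_name + '] Migrating Down...');

	return knex.schema.table('proxy_host', function (proxy_host) {
		proxy_host.dropColumn('ocsp_stapling');
	})
		.then(() => {
			return knex.schema.table('redirection_host', function (redirection_host) {
				redirection_host.dropColumn('ocsp_stapling');
			});
		})
		.then(() => {
			return knex.schema.table('dead_host', function (dead_host) {
				dead_host.dropColumn('ocsp_stapling');
			});
		});
};
```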
@@ -30,6 +30,9 @@
 "hsts_subdomains": {
 "$ref": "../definitions.json#/definitions/hsts_subdomains"
 },
+ "ocsp_stapling": {
+ "$ref": "../definitions.json#/definitions/ocsp_stapling"
+ },
 "http2_support": {
 "$ref": "../definitions.json#/definitions/http2_support"
 },
@@ -68,6 +71,9 @@
 "hsts_subdomains": {
 "$ref": "#/definitions/hsts_subdomains"
 },
+ "ocsp_stapling": {
+ "$ref": "#/definitions/ocsp_stapling"
+ },
 "http2_support": {
 "$ref": "#/definitions/http2_support"
 },
@@ -131,6 +137,9 @@
 "hsts_subdomains": {
 "$ref": "#/definitions/hsts_enabled"
 },
+ "ocsp_stapling": {
+ "$ref": "#/definitions/ocsp_stapling"
+ },
 "http2_support": {
 "$ref": "#/definitions/http2_support"
 },
@@ -177,6 +186,9 @@
 "hsts_subdomains": {
 "$ref": "#/definitions/hsts_enabled"
 },
+ "ocsp_stapling": {
+ "$ref": "#/definitions/ocsp_stapling"
+ },
 "http2_support": {
 "$ref": "#/definitions/http2_support"
 },
diff --git a/backend/schema/endpoints/proxy-hosts.json b/backend/schema/endpoints/proxy-hosts.json
index 9a3fff2f..ea0f89fd 100644
--- a/backend/schema/endpoints/proxy-hosts.json
+++ b/backend/schema/endpoints/proxy-hosts.json
@@ -44,6 +44,9 @@
 "hsts_subdomains": {
 "$ref": "../definitions.json#/definitions/hsts_subdomains"
 },
+ "ocsp_stapling": {
+ "$ref": "../definitions.json#/definitions/ocsp_stapling"
+ },
 "http2_support": {
 "$ref": "../definitions.json#/definitions/http2_support"
 },
@@ -143,6 +146,9 @@
 "hsts_subdomains": {
 "$ref": "#/definitions/hsts_subdomains"
 },
+ "ocsp_stapling": {
+ "$ref": "#/definitions/ocsp_stapling"
+ },
 "http2_support": {
 "$ref": "#/definitions/http2_support"
 },
@@ -233,6 +239,9 @@
 "hsts_subdomains": {
 "$ref": "#/definitions/hsts_enabled"
 },
+ "ocsp_stapling": {
+ "$ref": "#/definitions/ocsp_stapling"
+ },
 "http2_support": {
 "$ref": "#/definitions/http2_support"
 },
@@ -306,6 +315,9 @@
 "hsts_subdomains": {
 "$ref": "#/definitions/hsts_enabled"
 },
+ "ocsp_stapling": {
+ "$ref": "#/definitions/ocsp_stapling"
+ },
 "http2_support": {
 "$ref": "#/definitions/http2_support"
 },
diff --git a/backend/schema/endpoints/redirection-hosts.json b/backend/schema/endpoints/redirection-hosts.json
index 14a46998..e5b72318 100644
--- a/backend/schema/endpoints/redirection-hosts.json
+++ b/backend/schema/endpoints/redirection-hosts.json
@@ -44,6 +44,9 @@
 "hsts_subdomains": {
 "$ref": "../definitions.json#/definitions/hsts_subdomains"
 },
+ "ocsp_stapling": {
+ "$ref": "../definitions.json#/definitions/ocsp_stapling"
+ },
 "http2_support": {
 "$ref": "../definitions.json#/definitions/http2_support"
 },
@@ -97,6 +100,9 @@
 "hsts_subdomains": {
 "$ref": "#/definitions/hsts_subdomains"
 },
+ "ocsp_stapling": {
+ "$ref": "#/definitions/ocsp_stapling"
+ },
 "http2_support": {
 "$ref": "#/definitions/http2_support"
 },
@@ -178,6 +184,9 @@
 "hsts_subdomains": {
 "$ref": "#/definitions/hsts_enabled"
 },
+ "ocsp_stapling": {
+ "$ref": "#/definitions/ocsp_stapling"
+ },
 "http2_support": {
 "$ref": "#/definitions/http2_support"
 },
@@ -239,6 +248,9 @@
 "hsts_subdomains": {
 "$ref": "#/definitions/hsts_enabled"
 },
+ "ocsp_stapling": {
+ "$ref": "#/definitions/ocsp_stapling"
+ },
 "http2_support": {
 "$ref": "#/definitions/http2_support"
 },
diff --git a/backend/templates/_ocsp.conf b/backend/templates/_ocsp.conf
new file mode 100644
index 00000000..a4922edb
--- /dev/null
+++ b/backend/templates/_ocsp.conf
@@ -0,0 +1,7 @@
+{% if certificate and certificate_id > 0 -%}
+{% if ocsp_stapling == 1 or ocsp_stapling == true %}
+ # OCSP Stapling
+ ssl_stapling on;
+ ssl_stapling_verify on;
+{% endif %}
+{% endif %}
diff --git a/backend/templates/dead_host.conf b/backend/templates/dead_host.conf
index 7a06469a..21ce0f4c 100644
--- a/backend/templates/dead_host.conf
+++ b/backend/templates/dead_host.conf
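Review bot: `ssl_stapling on` in the new `_ocsp.conf` only takes effect if nginx can fetch the OCSP response, which needs a `resolver` directive in scope to look up the responder host, and `ssl_stapling_verify on` additionally needs the issuer chain available to nginx (from the certificate file itself or via `ssl_trusted_certificate`); the template supplies neither. If these are not already provided by the http-level configuration or by `_certificates.conf`, which this diff does not show, nginx will log a warning at startup and serve without a staple, so the option would silently do nothing. Either confirm a `resolver` exists at the http level or add `resolver <RESOLVER_ADDR_PLACEHOLDER> valid=300s;` next to `ssl_stapling on;`, and extend the `# OCSP Stapling` comment to state that the certificate must include its intermediate chain for `ssl_stapling_verify` to succeed.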
@@ -8,6 +8,7 @@ server {
 {% include "_listen.conf" %}
 {% include "_certificates.conf" %}
 {% include "_hsts.conf" %}
+{% include "_ocsp.conf" %}
 {% include "_forced_ssl.conf" %}
 
 access_log /data/logs/dead-host-{{ id }}_access.log standard;
diff --git a/backend/templates/proxy_host.conf b/backend/templates/proxy_host.conf
index d23ca46f..0490e8f7 100644
--- a/backend/templates/proxy_host.conf
+++ b/backend/templates/proxy_host.conf
@@ -14,6 +14,7 @@ server {
 {% include "_assets.conf" %}
 {% include "_exploits.conf" %}
 {% include "_hsts.conf" %}
+{% include "_ocsp.conf" %}
 {% include "_forced_ssl.conf" %}
 
 {% if allow_websocket_upgrade == 1 or allow_websocket_upgrade == true %}
diff --git a/backend/templates/redirection_host.conf b/backend/templates/redirection_host.conf
index 7dd36079..0f73b8b2 100644
--- a/backend/templates/redirection_host.conf
+++ b/backend/templates/redirection_host.conf
@@ -10,6 +10,7 @@ server {
 {% include "_assets.conf" %}
 {% include "_exploits.conf" %}
 {% include "_hsts.conf" %}
+{% include "_ocsp.conf" %}
 {% include "_forced_ssl.conf" %}
 
 access_log /data/logs/redirection-host-{{ id }}_access.log standard;
diff --git a/frontend/js/app/nginx/dead/form.ejs b/frontend/js/app/nginx/dead/form.ejs
index de3b87d8..6e339ff2 100644
--- a/frontend/js/app/nginx/dead/form.ejs
+++ b/frontend/js/app/nginx/dead/form.ejs
@@ -73,6 +73,15 @@
+