Merge pull request #299 from mrrobot47/fix/nginx-proxy-http2-ssl-stapling-warnings

feat(nginx-proxy): Add SSL_STAPLING env var to control OCSP stapling

Author: mrrobot47

nginx-proxy/README.md

@@ -139,6 +139,7 @@ deny all;
 | `VIRTUAL_PROTO` | Protocol (`http`, `https`, `uwsgi`, `fastcgi`) | `http` |
 | `HTTPS_METHOD` | `redirect`, `noredirect`, `nohttps` | `redirect` |
 | `SSL_POLICY` | SSL/TLS policy | `Mozilla-Modern` |
+| `SSL_STAPLING` | Enable OCSP stapling (`on` or `off`) | `on` |
 | `HSTS` | HSTS header value | `max-age=31536000` |
 | `CERT_NAME` | Custom certificate name | auto-detected |
 | `NETWORK_ACCESS` | `external` or `internal` | `external` |

nginx-proxy/nginx.tmpl

@@ -358,6 +358,9 @@ server {
 {{/* Get the HSTS defined by containers w/ the same vhost, falling back to "max-age=31536000" */}}
 {{ $hsts := or (first (groupByKeys $containers "Env.HSTS")) "max-age=31536000" }}
 
+{{/* Get the SSL_STAPLING defined by containers w/ the same vhost, falling back to "on" */}}
+{{ $ssl_stapling := or (first (groupByKeys $containers "Env.SSL_STAPLING")) "on" }}
+
 {{/* Get the VIRTUAL_ROOT By containers w/ use fastcgi root */}}
 {{ $vhost_root := or (first (groupByKeys $containers "Env.VIRTUAL_ROOT")) "/var/www/public" }}
 
@@ -445,7 +448,7 @@ server {
 	ssl_dhparam {{ printf "/etc/nginx/certs/%s.dhparam.pem" $cert }};
 	{{ end }}
 
-	{{ if (exists (printf "/etc/nginx/certs/%s.chain.pem" $cert)) }}
+	{{ if (and (eq $ssl_stapling "on") (exists (printf "/etc/nginx/certs/%s.chain.pem" $cert))) }}
 	ssl_stapling on;
 	ssl_stapling_verify on;
 	ssl_trusted_certificate {{ printf "/etc/nginx/certs/%s.chain.pem" $cert }};