feat(nginx-proxy): Add SSL_STAPLING env var to control OCSP stapling

Add SSL_STAPLING environment variable (default: on) to allow disabling
OCSP stapling for certificates without OCSP responder URLs.

Usage: Set SSL_STAPLING=off on containers to silence the warning:
'ssl_stapling ignored, no OCSP responder URL in the certificate'

This is useful for self-signed certificates or certificates from CAs
that don't provide OCSP responder URLs.

Author: mrrobot47

nginx-proxy/README.md

@@ -139,6 +139,7 @@ deny all;
 | `VIRTUAL_PROTO` | Protocol (`http`, `https`, `uwsgi`, `fastcgi`) | `http` |
 | `HTTPS_METHOD` | `redirect`, `noredirect`, `nohttps` | `redirect` |
 | `SSL_POLICY` | SSL/TLS policy | `Mozilla-Modern` |
+| `SSL_STAPLING` | Enable OCSP stapling (`on` or `off`) | `on` |
 | `HSTS` | HSTS header value | `max-age=31536000` |
 | `CERT_NAME` | Custom certificate name | auto-detected |
 | `NETWORK_ACCESS` | `external` or `internal` | `external` |

nginx-proxy/nginx.tmpl

@@ -358,6 +358,9 @@ server {
 {{/* Get the HSTS defined by containers w/ the same vhost, falling back to "max-age=31536000" */}}
 {{ $hsts := or (first (groupByKeys $containers "Env.HSTS")) "max-age=31536000" }}
 
+{{/* Get the SSL_STAPLING defined by containers w/ the same vhost, falling back to "on" */}}
+{{ $ssl_stapling := or (first (groupByKeys $containers "Env.SSL_STAPLING")) "on" }}
+
 {{/* Get the VIRTUAL_ROOT By containers w/ use fastcgi root */}}
 {{ $vhost_root := or (first (groupByKeys $containers "Env.VIRTUAL_ROOT")) "/var/www/public" }}
 
@@ -445,7 +448,7 @@ server {
 	ssl_dhparam {{ printf "/etc/nginx/certs/%s.dhparam.pem" $cert }};
 	{{ end }}
 
-	{{ if (exists (printf "/etc/nginx/certs/%s.chain.pem" $cert)) }}
+	{{ if (and (eq $ssl_stapling "on") (exists (printf "/etc/nginx/certs/%s.chain.pem" $cert))) }}
 	ssl_stapling on;
 	ssl_stapling_verify on;
 	ssl_trusted_certificate {{ printf "/etc/nginx/certs/%s.chain.pem" $cert }};