From 74502e1c52aaa10c5bdda6bd3924eb61cd1595c9 Mon Sep 17 00:00:00 2001
From: Patrick Uiterwijk
Date: Sat, 28 Jul 2018 23:01:20 +0000
Subject: [PATCH] Enable OCSP stapling on the proxies
Signed-off-by: Patrick Uiterwijk
---
 roles/httpd/proxy/templates/httpd.conf.j2 | 3 +++
 roles/httpd/website/templates/website.conf | 1 +
 2 files changed, 4 insertions(+)
diff --git a/roles/httpd/proxy/templates/httpd.conf.j2 b/roles/httpd/proxy/templates/httpd.conf.j2
index 77fb1987a1..56cbee3da0 100644
--- a/roles/httpd/proxy/templates/httpd.conf.j2
+++ b/roles/httpd/proxy/templates/httpd.conf.j2
@@ -765,3 +765,6 @@ ProxyTimeout 1200
 # Try and enable these to improve performance
 EnableMMAP on
 EnableSendfile on
+
+# Configure a location for OCSP stapling
+SSLStaplingCache shmcb:/tmp/stapling_cache(128000)
diff --git a/roles/httpd/website/templates/website.conf b/roles/httpd/website/templates/website.conf
index a359d46132..58a4c7481a 100644
--- a/roles/httpd/website/templates/website.conf
+++ b/roles/httpd/website/templates/website.conf
@@ -57,6 +57,7 @@
 {% endif %}
 SSLEngine on
+ SSLUseStapling on
 {% if certbot %}
 SSLCertificateFile /etc/pki/tls/certs/{{ site_name }}.cert
 SSLCertificateKeyFile /etc/pki/tls/private/{{ site_name }}.key
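Review bot: The stapling cache added at the end of httpd.conf.j2 is backed by a fixed, predictable path under `/tmp`, a directory every local account can write to. Whether that matters depends on how httpd is started on the proxies (a private /tmp for the service would shield it, which is not visible in this patch), but a tmp cleaner or a file already present under that name can also break the cache. I would place it in a directory only root and httpd can write, for example `SSLStaplingCache shmcb:/run/httpd/stapling_cache(128000)` if /run/httpd is the runtime directory on these hosts. The comment could also say why the line is needed: `# Shared-memory cache for OCSP responses; required by SSLUseStapling in the vhosts`.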
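Review bot: `SSLUseStapling on` in website.conf is switched on with mod_ssl's default responder-error handling, so when the CA's OCSP responder is slow or unreachable from the proxies, httpd can staple an error or tryLater response and some clients will then fail the handshake. Consider adding `SSLStaplingReturnResponderErrors off` and a shorter `SSLStaplingResponderTimeout 5` next to the cache directive, and confirm the proxies are allowed outbound access to the responder. The directive also depends on the `SSLStaplingCache` line that only the proxy role's httpd.conf.j2 provides; if the website role is ever applied on a host without that template, httpd will most likely refuse to start, which is worth a comment above this line. The enclosing virtual-host block starts and ends outside the hunk.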