From f26ac060cbc835bfcb5dbafb3bb46d76d0aa9d2c Mon Sep 17 00:00:00 2001
From: Patrick Uiterwijk
Date: Tue, 25 Sep 2018 21:25:00 +0200
Subject: [PATCH] Only do OCSP stapling on the proxies

The actual cache is only set in the proxy HTTP config. While we could set the cache path in the other servers' configs as well, that would be a significantly larger change.

Signed-off-by: Patrick Uiterwijk
---
 roles/httpd/website/templates/website.conf | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/roles/httpd/website/templates/website.conf b/roles/httpd/website/templates/website.conf
index 8ff23bbd0c..afedf27eb2 100644
--- a/roles/httpd/website/templates/website.conf
+++ b/roles/httpd/website/templates/website.conf
@@ -57,7 +57,9 @@
 {% endif %}
 SSLEngine on
- SSLUseStapling on
+ {% if ansible_hostname.startswith('proxy') %}
+ SSLUseStapling on
+ {% endif %}
 {% if certbot %}
 SSLCertificateFile /etc/pki/tls/certs/{{ site_name }}.cert
 SSLCertificateKeyFile /etc/pki/tls/private/{{ site_name }}.key
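Review bot: The added `{% if ansible_hostname.startswith('proxy') %}` guard ties stapling to a hostname prefix, while the commit message gives the real precondition as the stapling cache being configured, which happens in a different file. If a proxy is ever named differently, or the cache configuration moves, the two can drift apart without any error at template time: either a front end stops stapling, or `SSLUseStapling on` is rendered on a host with no cache. Consider gating on an explicit variable set next to the cache configuration, e.g. `{% if httpd_ocsp_stapling | default(false) %}` (variable name constructed here for illustration), and adding a template comment such as `{# stapling needs the stapling cache that is only defined in the proxy config #}`. Hosts that terminate TLS themselves will presumably no longer staple after this change, which is worth confirming if any of their certificates carry the must-staple extension.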