diff --git a/Ansible/ansible_collections/jfrog/platform/CHANGELOG.md b/Ansible/ansible_collections/jfrog/platform/CHANGELOG.md
index 8bbb07c8..24cfd8d3 100644
--- a/Ansible/ansible_collections/jfrog/platform/CHANGELOG.md
+++ b/Ansible/ansible_collections/jfrog/platform/CHANGELOG.md
@@ -1,6 +1,9 @@
 # JFrog Platform Ansible Collection Changelog
 All changes to this collection will be documented in this file.
+## [10.19.4] - Aug 20, 2024
+* artifactory_nginx_ssl - OCSP stapling support [GH-358](https://github.com/jfrog/JFrog-Cloud-Installers/pull/358)
+
 ## [10.19.3] - Aug 16, 2024
 * Product Updates/fixes
@@ -38,6 +41,7 @@ All changes to this collection will be documented in this file.
 ## [10.17.2] - March 7, 2024
 * Fix - ansible.cfg issue
+
 ## [10.17.1] - Feb 29, 2024
 * Artifactory - Upgrade fails during the Check artifactory version [GH-369](https://github.com/jfrog/JFrog-Cloud-Installers/pull/369)
diff --git a/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx_ssl/README.md b/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx_ssl/README.md
index d8bd5a3b..65f929ec 100644
--- a/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx_ssl/README.md
+++ b/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx_ssl/README.md
@@ -8,6 +8,7 @@ The artifactory_nginx_ssl role installs and configures nginx for SSL.
 * _ssl_certificate_path_: This is the full directory path for the SSL certificate, excluding _ssl_certificate_.
 * _ssl_certificate_key_: This is the filename of the SSL private key.
 * _ssl_certificate_key_path_: This is the full directory path for the SSL private key, excluding _ssl_certificate_key_.
+* _ssl_certificate_fullchain_: Boolean, enables OCSP stapling if _ssl_certificate_ has the full chain.
 * _nginx_worker_processes_: The worker_processes configuration for nginx. Defaults to 1.
 * _artifactory_docker_registry_subdomain_: Whether to add a redirect directive to the nginx config for the use of docker
- subdomains.
\ No newline at end of file
+ subdomains.
diff --git a/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx_ssl/defaults/main.yml b/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx_ssl/defaults/main.yml
index 181c6714..232ace1e 100644
--- a/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx_ssl/defaults/main.yml
+++ b/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx_ssl/defaults/main.yml
@@ -18,3 +18,5 @@ ssl_certificate_path: /etc/pki/tls/certs
 ssl_certificate_key_path: /etc/pki/tls/private
 ssl_certificate: cert.pem
 ssl_certificate_key: cert.key
+# if ssl_certificate has the full certificate chain then OCSP stapling can be enabled
+ssl_certificate_fullchain: false
diff --git a/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx_ssl/templates/artifactory.conf.j2 b/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx_ssl/templates/artifactory.conf.j2
index 4d3976ee..68ea4e0a 100644
--- a/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx_ssl/templates/artifactory.conf.j2
+++ b/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx_ssl/templates/artifactory.conf.j2
@@ -13,8 +13,13 @@
 ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
 ssl_certificate {{ ssl_certificate_path }}/{{ ssl_certificate }};
 ssl_certificate_key {{ ssl_certificate_key_path }}/{{ ssl_certificate_key }};
+ {% if ssl_certificate_fullchain %}
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ {% endif %}
 ssl_session_cache shared:SSL:1m;
 ssl_prefer_server_ciphers on;
+
 ## server configuration
 server {
 listen 443 ssl http2;
@@ -47,4 +52,4 @@
 proxy_pass http://artifactory-direct;
 }
 }
-}
\ No newline at end of file
+}
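Review bot: The new `ssl_stapling on;` / `ssl_stapling_verify on;` block adds neither a `resolver` nor an `ssl_trusted_certificate` directive, and unless both already exist elsewhere in this template (not visible in the hunk) nginx will not be able to resolve the OCSP responder hostname or, per its documented requirement for `ssl_stapling_verify`, validate the response signer's chain; stapling then fails open — nginx logs a warning on the first handshake and serves without a staple — so `ssl_certificate_fullchain: true` would silently do nothing. Add `ssl_trusted_certificate` inside the `{% if %}` block pointing at a trust file that contains the issuer chain (nginx's docs say the root too, so a separate variable rather than reusing `ssl_certificate` is safer), plus a `resolver` directive driven by a role variable so the value is not hard-coded. It is also worth a template comment that enabling this requires outbound HTTP from the nginx host to the CA's OCSP URL, since Artifactory hosts are often egress-restricted and the failure mode is only a log line: `# OCSP stapling needs the chain in ssl_certificate, a resolver, and outbound HTTP to the CA's OCSP responder`. The enclosing http-level block starts before this hunk.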