jfrog · bbaassssiiee · Dec 21, 2023 · Dec 21, 2023 · Dec 21, 2023 · Jul 18, 2024
diff --git a/Ansible/ansible_collections/jfrog/platform/CHANGELOG.md b/Ansible/ansible_collections/jfrog/platform/CHANGELOG.md
@@ -1,6 +1,9 @@
 # JFrog Platform Ansible Collection Changelog
 All changes to this collection will be documented in this file.
 
+## [10.19.4] - Aug 20, 2024
+* artifactory_nginx_ssl - OCSP stapling support [GH-358](https://github.com/jfrog/JFrog-Cloud-Installers/pull/358)
+
 ## [10.19.3] - Aug 16, 2024
 * Product Updates/fixes
 
@@ -38,6 +41,7 @@ All changes to this collection will be documented in this file.
 ## [10.17.2] - March 7, 2024
 * Fix - ansible.cfg issue
 
+
 ## [10.17.1] - Feb 29, 2024
 * Artifactory - Upgrade fails during the Check artifactory version [GH-369](https://github.com/jfrog/JFrog-Cloud-Installers/pull/369)
 

diff --git a/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx_ssl/README.md b/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx_ssl/README.md
@@ -8,6 +8,7 @@ The artifactory_nginx_ssl role installs and configures nginx for SSL.
 * _ssl_certificate_path_: This is the full directory path for the SSL certificate, excluding _ssl_certificate_.
 * _ssl_certificate_key_: This is the filename of the SSL private key.
 * _ssl_certificate_key_path_: This is the full directory path for the SSL private key, excluding _ssl_certificate_key_.
+* _ssl_certificate_fullchain_: Boolean, enables OCSP stapling if _ssl_certificate_ has the full chain.
 * _nginx_worker_processes_: The worker_processes configuration for nginx. Defaults to 1.
 * _artifactory_docker_registry_subdomain_: Whether to add a redirect directive to the nginx config for the use of docker
-  subdomains.
+  subdomains.
diff --git a/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx_ssl/defaults/main.yml b/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx_ssl/defaults/main.yml
@@ -18,3 +18,5 @@ ssl_certificate_path: /etc/pki/tls/certs
 ssl_certificate_key_path: /etc/pki/tls/private
 ssl_certificate: cert.pem
 ssl_certificate_key: cert.key
+# if ssl_certificate has the full certificate chain then OCSP stapling can be enabled
+ssl_certificate_fullchain: false
diff --git a/...ible_collections/jfrog/platform/roles/artifactory_nginx_ssl/templates/artifactory.conf.j2 b/...ible_collections/jfrog/platform/roles/artifactory_nginx_ssl/templates/artifactory.conf.j2
@@ -13,8 +13,13 @@
   ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
   ssl_certificate      {{ ssl_certificate_path }}/{{ ssl_certificate }};
   ssl_certificate_key  {{ ssl_certificate_key_path }}/{{ ssl_certificate_key }};
+  {% if ssl_certificate_fullchain %}
+  ssl_stapling on;
+  ssl_stapling_verify on;
+  {% endif %}
   ssl_session_cache shared:SSL:1m;
   ssl_prefer_server_ciphers   on;
+
   ## server configuration
   server {
   listen 443 ssl http2;
@@ -47,4 +52,4 @@
     proxy_pass    http://artifactory-direct;
     }
   }
-}
+}