Add an option to request certificate with Must-Staple. (#697)

Yuchen Ying 2020-06-17 08:29:34 -07:00 committed by GitHub
parent 8856577f39
commit 8fc1e9cca8
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 92 additions and 23 deletions

@ -67,6 +67,24 @@ Autocert requires that ports `80`/`443` be accessible from the internet in order
:::
### Autocert Must-Staple
- Environmental Variable: `AUTOCERT_MUST_STAPLE`
- Config File Key: `autocert_must_staple`
- Type: `bool`
- Optional
If true, cause autocert to request a certificate with `status_request`
extension (commonly called `Must-Staple`). This allows the TLS client
(the browser) to fail immediately if the TLS handshake doesn't include
OCSP stapling information. Only used when [Autocert](./#autocert) is
true.
NOTE: this only takes effect the next time Pomerium renews your
certificates.
See also https://tools.ietf.org/html/rfc7633 for more context.
### Autocert Directory
- Environmental Variable: either `AUTOCERT_DIR`
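Review bot: in the new "Autocert Must-Staple" section, the phrase "request a certificate with `status_request` extension" names the TLS feature value rather than the certificate extension. RFC 7633, which this section links, defines the X.509 extension as "TLS Feature", and `status_request` is the value carried inside it. Suggest rewording to something like "request a certificate carrying the TLS Feature extension with `status_request`". The NOTE that the option "only takes effect the next time Pomerium renews your certificates" also leaves the operator without guidance for an already-issued certificate, both when enabling and when disabling the option. Since the text says clients will "fail immediately" when the handshake lacks OCSP stapling information, one more sentence on how the setting interacts with existing certificates would make the availability impact clear. Minor: "If true, cause autocert to" reads better as "If true, causes autocert to".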