Differences
This shows you the differences between two versions of the page.
litespeed_wiki:config:ocsp-stapling [2017/09/12 12:53] Lisa Clarke |
litespeed_wiki:config:ocsp-stapling [2020/07/14 18:22] Jackson Zhang [For cPanel] |
||
---|---|---|---|
Line 23: | Line 23: | ||
==== For cPanel ==== | ==== For cPanel ==== | ||
+ | The latest cpanel/WHM server has enable OCSP automatically at /etc/apache2/conf/httpd.conf hence you don't need to do any extra work on it. | ||
+ | |||
+ | <IfModule socache_shmcb_module> | ||
+ | SSLUseStapling On | ||
+ | SSLStaplingCache shmcb:/run/apache2/stapling_cache_shmcb(256000) | ||
+ | # Prevent browsers from failing if an OCSP server is temporarily broken. | ||
+ | SSLStaplingReturnResponderErrors off | ||
+ | SSLStaplingErrorCacheTimeout 60 | ||
+ | SSLStaplingFakeTryLater off | ||
+ | SSLStaplingResponderTimeout 3 | ||
+ | SSLSessionCache shmcb:/run/apache2/ssl_gcache_data_shmcb(1024000) | ||
+ | </IfModule> | ||
+ | |||
+ | For an earlier version of cPanel/WHM, you can manually add **SSLStaplingCache ** and **SSLUseStapling on** directives to apache configuration. | ||
+ | |||
Add the following lines to: | Add the following lines to: | ||
- For EA3: ''/usr/local/apache/conf/includes/pre_main_global.conf'' | - For EA3: ''/usr/local/apache/conf/includes/pre_main_global.conf'' | ||
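Review bot: the new opening sentence and the later "For an earlier version of cPanel/WHM" line both hinge on a version boundary that is never stated, so a reader cannot tell which branch applies to their server. Name the first cPanel/WHM release that ships this block, or tell the reader to look for ''SSLUseStapling On'' in ''/etc/apache2/conf/httpd.conf'' and only fall through to the manual steps when it is absent. The sentence should also read "has enabled OCSP stapling", since stapling is what the block turns on. The pasted ''<IfModule socache_shmcb_module>'' block should be marked up as code so the wiki does not reflow it, and ''**SSLStaplingCache **'' has a stray space before the closing ''**''.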
Line 48: | Line 63: | ||
Apply these changes to all Virtual Hosts by running the following command: | Apply these changes to all Virtual Hosts by running the following command: | ||
/scripts/ensure_vhost_includes --all-users | /scripts/ensure_vhost_includes --all-users | ||
+ | |||
+ | ==== For Plesk ==== | ||
+ | Plesk server has not enabled OCSP by default yet and still [[https://support.plesk.com/hc/en-us/articles/360033765213-How-to-enable-OCSP-Stapling-and-HSTS-for-Plesk-panel-|feature request]] stage at the time of this writing. | ||
+ | |||
+ | As a workaround, add the following to /etc/sw-cp-server/conf.d/ssl.conf: | ||
| | ||
+ | SSLStaplingCache shmcb:/var/run/ocsp(128000) | ||
+ | SSLUseStapling on | ||
+ | |||
===== Setup through LSWS native configuration for 4.2.x or 5.0.x ===== | ===== Setup through LSWS native configuration for 4.2.x or 5.0.x ===== | ||
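Review bot: in the Plesk workaround, ''SSLStaplingCache'' and ''SSLUseStapling'' are the same Apache mod_ssl directives used in the cPanel section, but the target file is ''/etc/sw-cp-server/conf.d/ssl.conf'' and the linked article is titled for the "Plesk panel" itself. Please confirm that this file is parsed by a server that understands mod_ssl directives and that it is the configuration LSWS reads for hosted sites; if it only affects the panel's own listener, the workaround will not staple responses for customer domains. The sentence "still [[...|feature request]] stage" is also missing words ("is still at the feature request stage"), and unlike the cPanel section there is no step for applying or reloading the change.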
Line 83: | Line 106: | ||
===== Did it work? ===== | ===== Did it work? ===== | ||
====Method 1:==== | ====Method 1:==== | ||
- | Check in ''$SERVER_ROOT/temp/ocspcache/''. If a file has been created there, then your OCSP stapling is working. If not, check your error logs for what went wrong. | + | Check in ''$SERVER_ROOT/tmp/ocspcache/''. If a file has been created there, then your OCSP stapling is working. If not, check your error logs for what went wrong. |
====Method 2:==== | ====Method 2:==== | ||
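Review bot: the path fix to ''$SERVER_ROOT/tmp/ocspcache/'' is fine, but the unchanged claim next to it ("If a file has been created there, then your OCSP stapling is working") is too strong now that the page also documents a one-day cache. A file left from a previous certificate or an earlier fetch will still be present, so ask the reader to check that the file's modification time is recent, and point to Method 2 for confirmation from the client side.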
Line 95: | Line 118: | ||
- Open browser with URL ''https://cryptoreport.rapidssl.com'' | - Open browser with URL ''https://cryptoreport.rapidssl.com'' | ||
- key in your domain then check **OCSP stapling** status | - key in your domain then check **OCSP stapling** status | ||
+ | |||
+ | ===== Cached OCSP response ===== | ||
+ | |||
+ | OCSP response is cached for 1-day. If you change your SSL certificate provider and see a cached OCSP response for a domain, you can safely remove the cache files under OCSP cache folder, but not the folder itself. |
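Review bot: the new "Cached OCSP response" paragraph tells the reader to remove files "under OCSP cache folder" without naming it. Reference ''$SERVER_ROOT/tmp/ocspcache/'' as in Method 1 so the instruction is actionable, and state whether a restart is needed afterwards for a fresh response to be fetched. "1-day" should read "one day", and the trigger is described as changing "your SSL certificate provider"; say whether the same applies after any certificate replacement or only when the issuer changes.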