Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision Next revision Both sides next revision | ||
|
litespeed_wiki:config:ocsp-stapling [2017/11/29 15:25] Jackson Zhang [Method 3:] |
litespeed_wiki:config:ocsp-stapling [2020/07/14 18:22] Jackson Zhang [For cPanel] |
||
|---|---|---|---|
| Line 23: | Line 23: | ||
| ==== For cPanel ==== | ==== For cPanel ==== | ||
| + | The latest cpanel/WHM server has enable OCSP automatically at /etc/apache2/conf/httpd.conf hence you don't need to do any extra work on it. | ||
| + | |||
| + | <IfModule socache_shmcb_module> | ||
| + | SSLUseStapling On | ||
| + | SSLStaplingCache shmcb:/run/apache2/stapling_cache_shmcb(256000) | ||
| + | # Prevent browsers from failing if an OCSP server is temporarily broken. | ||
| + | SSLStaplingReturnResponderErrors off | ||
| + | SSLStaplingErrorCacheTimeout 60 | ||
| + | SSLStaplingFakeTryLater off | ||
| + | SSLStaplingResponderTimeout 3 | ||
| + | SSLSessionCache shmcb:/run/apache2/ssl_gcache_data_shmcb(1024000) | ||
| + | </IfModule> | ||
| + | |||
| + | For an earlier version of cPanel/WHM, you can manually add **SSLStaplingCache ** and **SSLUseStapling on** directives to apache configuration. | ||
| + | |||
| Add the following lines to: | Add the following lines to: | ||
| - For EA3: ''/usr/local/apache/conf/includes/pre_main_global.conf'' | - For EA3: ''/usr/local/apache/conf/includes/pre_main_global.conf'' | ||
| Line 48: | Line 63: | ||
| Apply these changes to all Virtual Hosts by running the following command: | Apply these changes to all Virtual Hosts by running the following command: | ||
| /scripts/ensure_vhost_includes --all-users | /scripts/ensure_vhost_includes --all-users | ||
| + | |||
| + | ==== For Plesk ==== | ||
| + | Plesk server has not enabled OCSP by default yet and still [[https://support.plesk.com/hc/en-us/articles/360033765213-How-to-enable-OCSP-Stapling-and-HSTS-for-Plesk-panel-|feature request]] stage at the time of this writing. | ||
| + | |||
| + | As a workaround, add the following to /etc/sw-cp-server/conf.d/ssl.conf: | ||
| | | ||
| + | SSLStaplingCache shmcb:/var/run/ocsp(128000) | ||
| + | SSLUseStapling on | ||
| + | |||
| ===== Setup through LSWS native configuration for 4.2.x or 5.0.x ===== | ===== Setup through LSWS native configuration for 4.2.x or 5.0.x ===== | ||
| Line 83: | Line 106: | ||
| ===== Did it work? ===== | ===== Did it work? ===== | ||
| ====Method 1:==== | ====Method 1:==== | ||
| - | Check in ''$SERVER_ROOT/temp/ocspcache/''. If a file has been created there, then your OCSP stapling is working. If not, check your error logs for what went wrong. | + | Check in ''$SERVER_ROOT/tmp/ocspcache/''. If a file has been created there, then your OCSP stapling is working. If not, check your error logs for what went wrong. |
| ====Method 2:==== | ====Method 2:==== | ||
| Line 96: | Line 119: | ||
| - key in your domain then check **OCSP stapling** status | - key in your domain then check **OCSP stapling** status | ||
| - | ===== Cached OSCP response ===== | + | ===== Cached OCSP response ===== |
| - | OCSP response is cached for 1-day. If you change your SSL certificate provider and see a cached OCSP response for a domain, you can easily remove the cache files under ocsp cache folder. | + | OCSP response is cached for 1-day. If you change your SSL certificate provider and see a cached OCSP response for a domain, you can safely remove the cache files under OCSP cache folder, but not the folder itself. |