enable ssl_early_data, default enable http2, option to enable brotli, fix shellcheck

Signed-off-by: Zoey <zoey@z0ey.de>
2025-08-03 16:03:38 +00:00 · 2023-01-20 08:09:52 +01:00
parent e0be3a5ea3
commit 45895ac53e
33 changed files with 367 additions and 261 deletions
--- a/backend/templates/_brotli.conf
+++ b/backend/templates/_brotli.conf
@@ -0,0 +1,4 @@
+{% if http2_support -%}
+    # Enable Brotli
+    include conf.d/include/brotli.conf;
+{% endif %}
--- a/backend/templates/_certificates.conf
+++ b/backend/templates/_certificates.conf
@@ -5,15 +5,11 @@
  ssl_certificate /data/tls/certbot/live/npm-{{ certificate_id }}/fullchain.pem;
  ssl_certificate_key /data/tls/certbot/live/npm-{{ certificate_id }}/privkey.pem;
  ssl_trusted_certificate /data/tls/certbot/live/npm-{{ certificate_id }}/chain.pem;
-  ssl_stapling on;
-  ssl_stapling_verify on;
 {% else %}
  # Custom SSL
  include conf.d/include/tls-ciphers.conf;
  ssl_certificate /data/tls/custom/npm-{{ certificate_id }}/fullchain.pem;
  ssl_certificate_key /data/tls/custom/npm-{{ certificate_id }}/privkey.pem;
  ssl_trusted_certificate /data/tls/custom/npm-{{ certificate_id }}/chain.pem;
-  ssl_stapling on;
-  ssl_stapling_verify on;
 {% endif %}
 {% endif %}
--- a/backend/templates/_listen.conf
+++ b/backend/templates/_listen.conf
@@ -2,8 +2,8 @@
  listen [::]:80;

 {% if certificate %}
-  listen 443 ssl{% if http2_support %} http2{% endif %};
-  listen [::]:443 ssl{% if http2_support %} http2{% endif %};
+  listen 443 ssl http2;
+  listen [::]:443 ssl http2;
 {% if hsts_subdomains %}
  listen 443 http3;
  listen [::]:443 http3;
--- a/backend/templates/dead_host.conf
+++ b/backend/templates/dead_host.conf
@@ -6,6 +6,7 @@ server {
 {% include "_certificates.conf" %}
 {% include "_hsts.conf" %}
 {% include "_forced_ssl.conf" %}
+{% include "_brotli.conf" %}

 {{ advanced_config }}
  include conf.d/include/acme-challenge.conf;
--- a/backend/templates/default.conf
+++ b/backend/templates/default.conf
@@ -13,6 +13,7 @@ server {
  
  server_name _;
  
+  include conf.d/include/brotli.conf;
  include conf.d/include/force-ssl.conf;
  include conf.d/include/tls-ciphers.conf;
  include conf.d/include/acme-challenge.conf;
--- a/backend/templates/proxy_host.conf
+++ b/backend/templates/proxy_host.conf
@@ -10,6 +10,7 @@ server {
 {% include "_certificates.conf" %}
 {% include "_hsts.conf" %}
 {% include "_forced_ssl.conf" %}
+{% include "_brotli.conf" %}

  include conf.d/include/acme-challenge.conf;
  include conf.d/include/block-exploits.conf;
--- a/backend/templates/redirection_host.conf
+++ b/backend/templates/redirection_host.conf
@@ -6,6 +6,7 @@ server {
 {% include "_certificates.conf" %}
 {% include "_hsts.conf" %}
 {% include "_forced_ssl.conf" %}
+{% include "_brotli.conf" %}

 {{ advanced_config }}
  include conf.d/include/acme-challenge.conf;