Fixes #1791 by comment out OCSP stapling config

Moves ssl_ config to mostly one file since OCSP config is also linked to certificate.
This makes it easier to include this ssl config in a mail-block for a DRY config.

Author: bwbroersma

docker/webserver/nginx_templates/default.conf.template

@@ -32,13 +32,6 @@ resolver 127.0.0.11 ipv6=off valid=5s;
 
 root /var/www/internet.nl;
 
-# enable OSCP stapling
-ssl_stapling on;
-ssl_stapling_verify on;
-ssl_protocols TLSv1.2 TLSv1.3;
-ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
-ssl_ecdh_curve SecP384r1MLKEM1024:X25519MLKEM768:SecP256r1MLKEM768:secp521r1:brainpoolP512r1:x448:brainpoolP384r1:secp384r1:x25519:secp256r1:brainpoolP256r1;
-
 http2 on;
 http3 on;
 quic_gso on;

docker/webserver/nginx_templates/tls.conf.template

@@ -1,2 +1,8 @@
+# If certificate has OCSP, enable the ssl_stapling
+#ssl_stapling on;
+#ssl_stapling_verify on;
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256:TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256;
+ssl_ecdh_curve SecP384r1MLKEM1024:X25519MLKEM768:SecP256r1MLKEM768:secp521r1:brainpoolP512r1:x448:brainpoolP384r1:secp384r1:x25519:secp256r1:brainpoolP256r1;
 ssl_certificate /etc/letsencrypt/live/${INTERNETNL_DOMAINNAME}/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/${INTERNETNL_DOMAINNAME}/privkey.pem;