From 37dcc6dddeb65b94f9da5bd4118b8e3bdd2ffefd Mon Sep 17 00:00:00 2001
From: Tommy
Date: Fri, 3 Jan 2025 23:05:02 -0700
Subject: [PATCH] Update ssl_early_data configuration

---
 etc/nginx/conf.d/default.conf | 3 +++
 etc/nginx/snippets/proxy.conf | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/etc/nginx/conf.d/default.conf b/etc/nginx/conf.d/default.conf
index 072744f..073d69e 100644
--- a/etc/nginx/conf.d/default.conf
+++ b/etc/nginx/conf.d/default.conf
@@ -36,6 +36,9 @@ ssl_session_ticket_key session-ticket-keys/1.key;
 ## ssl_trusted_certificate
 ## ssl_stapling_file
 
+# Make sure ssl early data is off - replay attack mitigation
+ssl_early_data off;
+
 # Cookie flags
 proxy_cookie_flags ~ secure;
 
diff --git a/etc/nginx/snippets/proxy.conf b/etc/nginx/snippets/proxy.conf
index 2ea7ce3..379d5e2 100644
--- a/etc/nginx/snippets/proxy.conf
+++ b/etc/nginx/snippets/proxy.conf
@@ -4,7 +4,7 @@
 # Force http 1.1, anything not supporting it shouldn't be used
 proxy_http_version 1.1;
 
-# Replay attack mitigation for early data
+# Signal to upstream whether ssl_early_data is used
 proxy_set_header Early-Data $ssl_early_data;
 
 # Restore visitor IP
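Review bot: `ssl_early_data off;` is already nginx's default, so the new line in default.conf only pins the setting for the context it sits in; judging by the neighbouring `ssl_session_ticket_key`, that looks like a single `server` block, and any other `server` block in conf.d would still be free to set `ssl_early_data on;` without contradicting this one. If the intent is a fleet-wide guarantee, set it once at the `http` level (or in a shared snippet every vhost includes) rather than in one vhost. The comment would also be more useful if it said why 0-RTT is a problem and what it costs to turn it back on, e.g. `# TLS 1.3 0-RTT is off (nginx default): early data can be replayed, so enabling it requires the upstream to honour the Early-Data header (RFC 8470)`. Note that 0-RTT is only relevant at all when TLS 1.3 is in `ssl_protocols`, which this hunk does not show.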
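Review bot: The reworded comment in proxy.conf undersells what the header is for: `$ssl_early_data` is "1" only while a request arrived in TLS 1.3 early data and the handshake has not completed, and is empty otherwise, so the upstream is expected to treat `Early-Data: 1` as "this request may be a replay" and reject non-idempotent ones with 425 Too Early (RFC 8470). With `ssl_early_data off` in default.conf the header will always be empty, which is fine, but the comment should say so, e.g. `# RFC 8470: "1" while the request is still in TLS 1.3 early data (replayable), empty otherwise; always empty while ssl_early_data is off`. Keeping the `proxy_set_header` in place is right, since it also overwrites any client-supplied Early-Data header before it reaches the upstream.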