feat(tls): add ocspStapling to certificate config

Expose the OCSP Stapling refresh interval (seconds) on the TLS certificate object in the inbound security form, defaulting to 3600s to match xray-core. Covers both file-backed and inline cert shapes.
2026-06-04 03:19:34 +00:00 · 2026-06-03 17:49:36 +02:00
parent 55d6729955
commit 1a64d7e9de
5 changed files with 17 additions and 1 deletions
--- a/frontend/src/pages/inbounds/form/security/tls.tsx
+++ b/frontend/src/pages/inbounds/form/security/tls.tsx
@@ -1,5 +1,5 @@
 import { useTranslation } from 'react-i18next';
-import { Button, Form, Input, Radio, Select, Space, Switch } from 'antd';
+import { Button, Form, Input, InputNumber, Radio, Select, Space, Switch } from 'antd';
 import { MinusOutlined, PlusOutlined, ReloadOutlined } from '@ant-design/icons';

 import {
@@ -113,6 +113,7 @@ export default function TlsForm({
                  keyFile: '',
                  certificate: [],
                  key: [],
+                  ocspStapling: 3600,
                  oneTimeLoading: false,
                  usage: 'encipherment',
                  buildChain: false,
@@ -218,6 +219,12 @@ export default function TlsForm({
                    );
                  }}
                </Form.Item>
+                <Form.Item
+                  name={[certField.name, 'ocspStapling']}
+                  label="OCSP Stapling"
+                >
+                  <InputNumber min={0} addonAfter="s" style={{ width: '50%' }} />
+                </Form.Item>
                <Form.Item
                  name={[certField.name, 'oneTimeLoading']}
                  label={t('pages.inbounds.form.oneTimeLoading')}
--- a/frontend/src/pages/inbounds/form/useSecurityActions.ts
+++ b/frontend/src/pages/inbounds/form/useSecurityActions.ts
@@ -167,6 +167,7 @@ export function useSecurityActions({ form, setSaving, messageApi, nodeId }: UseS
        keyFile: '',
        certificate: [],
        key: [],
+        ocspStapling: 3600,
        oneTimeLoading: false,
        usage: 'encipherment',
        buildChain: false,
--- a/frontend/src/schemas/protocols/security/tls.ts
+++ b/frontend/src/schemas/protocols/security/tls.ts
@@ -34,6 +34,7 @@ export type TlsCertUsage = z.infer<typeof TlsCertUsageSchema>;
 export const TlsCertFileSchema = z.object({
  certificateFile: z.string().min(1),
  keyFile: z.string().min(1),
+  ocspStapling: z.number().default(3600),
  oneTimeLoading: z.boolean().default(false),
  usage: TlsCertUsageSchema.default('encipherment'),
  buildChain: z.boolean().default(false),
@@ -41,6 +42,7 @@ export const TlsCertFileSchema = z.object({
 export const TlsCertInlineSchema = z.object({
  certificate: z.array(z.string()),
  key: z.array(z.string()),
+  ocspStapling: z.number().default(3600),
  oneTimeLoading: z.boolean().default(false),
  usage: TlsCertUsageSchema.default('encipherment'),
  buildChain: z.boolean().default(false),
--- a/frontend/src/test/snapshots/inbound-full.test.ts.snap
+++ b/frontend/src/test/snapshots/inbound-full.test.ts.snap
@@ -55,6 +55,7 @@ exports[`InboundSchema (full) fixtures > parses hysteria-v1-tls byte-stably 1`]
          "buildChain": false,
          "certificateFile": "/etc/ssl/certs/hysteria.crt",
          "keyFile": "/etc/ssl/private/hysteria.key",
+          "ocspStapling": 3600,
          "oneTimeLoading": false,
          "usage": "encipherment",
        },
@@ -193,6 +194,7 @@ exports[`InboundSchema (full) fixtures > parses trojan-ws-tls byte-stably 1`] =
          "buildChain": false,
          "certificateFile": "/etc/ssl/certs/trojan.crt",
          "keyFile": "/etc/ssl/private/trojan.key",
+          "ocspStapling": 3600,
          "oneTimeLoading": false,
          "usage": "encipherment",
        },
@@ -365,6 +367,7 @@ exports[`InboundSchema (full) fixtures > parses vless-ws-tls byte-stably 1`] = `
          "buildChain": false,
          "certificateFile": "/etc/ssl/certs/cdn.example.test.crt",
          "keyFile": "/etc/ssl/private/cdn.example.test.key",
+          "ocspStapling": 3600,
          "oneTimeLoading": false,
          "usage": "encipherment",
        },
@@ -453,6 +456,7 @@ exports[`InboundSchema (full) fixtures > parses vless-ws-tls-pinned byte-stably
          "buildChain": false,
          "certificateFile": "/etc/ssl/certs/cdn.example.test.crt",
          "keyFile": "/etc/ssl/private/cdn.example.test.key",
+          "ocspStapling": 3600,
          "oneTimeLoading": false,
          "usage": "encipherment",
        },
@@ -547,6 +551,7 @@ exports[`InboundSchema (full) fixtures > parses vmess-tcp-tls byte-stably 1`] =
          "buildChain": false,
          "certificateFile": "/etc/ssl/certs/vmess.crt",
          "keyFile": "/etc/ssl/private/vmess.key",
+          "ocspStapling": 3600,
          "oneTimeLoading": false,
          "usage": "encipherment",
        },
--- a/frontend/src/test/snapshots/security.test.ts.snap
+++ b/frontend/src/test/snapshots/security.test.ts.snap
@@ -51,6 +51,7 @@ exports[`SecuritySettingsSchema fixtures > parses tls-cert-file byte-stably 1`]
        "buildChain": false,
        "certificateFile": "/etc/ssl/certs/cdn.example.test.crt",
        "keyFile": "/etc/ssl/private/cdn.example.test.key",
+        "ocspStapling": 3600,
        "oneTimeLoading": false,
        "usage": "encipherment",
      },