Cache TLS termination
TLS in the caching cluster is terminated by nginx, which performs the following roles:
- TLS terminator
- HTTP/2 terminator
- Forward TLS & HTTP/2 metrics to varnish
TLS termination
TLS requirements for canonical domains, and hence for the caching cluster, are described at HTTPS. Puppetization happens in profile::cache::ssl::unified and more specifically in tlsproxy::localssl. The usual TLS configuration parameters (ciphersuites enabled and their preference order, DH parameters and optionally HSTS) are set in the puppet function ssl_ciphersuite.
HSTS
HSTS header injection is performed by our varnish frontend layer in wikimedia-frontend.vcl.erb and it looks like this:
strict-transport-security: max-age=106384710; includeSubDomains; preload
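A header with the directives above only helps if it still satisfies what the HSTS preload list checks for (a max-age of at least one year, includeSubDomains and preload). The following is an added example, not code from the caching cluster or its puppet modules: it parses a Strict-Transport-Security value per the RFC 6797 grammar and reports any preload-relevant shortfall. The header value is the one shown above; the one-year minimum is the preload list's published requirement.

```python
import re

# HSTS value emitted by the varnish frontend layer, as shown on this page
HSTS_HEADER = "max-age=106384710; includeSubDomains; preload"

# Minimum max-age the HSTS preload list requires (one year, in seconds)
PRELOAD_MIN_MAX_AGE = 31536000


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into a dict of directives.

    Directive names are case-insensitive (RFC 6797); values are kept as strings.
    Returns None if the header is malformed: a repeated directive, a missing
    max-age, or a max-age that is not a plain non-negative integer.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            return None  # RFC 6797 section 6.1: each directive may appear only once
        directives[name] = val.strip().strip('"')
    if "max-age" not in directives or not re.fullmatch(r"\d+", directives["max-age"]):
        return None
    return directives


def check_preload_ready(value, min_max_age=PRELOAD_MIN_MAX_AGE):
    """Return a list of problems; an empty list means the header meets preload rules."""
    directives = parse_hsts(value)
    if directives is None:
        return ["malformed header or missing max-age"]
    problems = []
    if int(directives["max-age"]) < min_max_age:
        problems.append(f"max-age {directives['max-age']} below required {min_max_age}")
    if "includesubdomains" not in directives:
        problems.append("includeSubDomains directive missing")
    if "preload" not in directives:
        problems.append("preload directive missing")
    return problems


if __name__ == "__main__":
    print(parse_hsts(HSTS_HEADER))
    print(check_preload_ready(HSTS_HEADER) or "preload requirements met")
```

Running the check against the header served by the frontend returns no problems; a deliberately weakened value such as `max-age=300` lists every missing requirement, which is what a monitoring check against the live edge should alert on.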
OCSP stapling
OCSP stapling is performed externally to nginx: nginx only serves a prefetched OCSP response, refreshed every 12 hours, via the nginx configuration directive ssl_stapling_file together with a custom patch that supports dual-certificate setups with prefetched OCSP stapling responses. A good post about why this is done this way can be found in APNIC's blog.
OCSP stapling prefetching is performed by update-ocsp; its puppetization lives in sslcert::ocsp::conf, which is invoked from the already mentioned profile::cache::ssl::unified.
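With a prefetched staple, the failure mode to watch for is nginx serving a response whose nextUpdate has already passed, which happens when the 12-hour refresh is missed and the responder's validity window is short. The following is an added example, not the code of update-ocsp or sslcert::ocsp::conf: it models that cadence with a constructed thisUpdate/nextUpdate pair (a seven-day window, which is an assumption about the CA) so the freshness rules can be checked before they are wired into monitoring.

```python
from datetime import datetime, timedelta, timezone

# Refresh cadence of the prefetched staple, as described on this page
REFRESH_INTERVAL = timedelta(hours=12)

# Constructed sample: thisUpdate/nextUpdate as a responder might set them.
# The seven-day validity window is an assumption, not a value from the page.
SAMPLE_THIS_UPDATE = datetime(2024, 1, 1, 0, 0, tzinfo=timezone.utc)
SAMPLE_NEXT_UPDATE = SAMPLE_THIS_UPDATE + timedelta(days=7)


def staple_status(this_update, next_update, now):
    """Classify a cached OCSP response by its validity window.

    'expired' once nextUpdate has passed (clients reject the staple and fall
    back to their own OCSP handling), 'not-yet-valid' before thisUpdate
    (clock skew between responder and host), 'fresh' otherwise.
    """
    if now < this_update:
        return "not-yet-valid"
    if now >= next_update:
        return "expired"
    return "fresh"


def refreshes_per_window(this_update, next_update, refresh_interval=REFRESH_INTERVAL):
    """How many full refresh runs fit inside the response validity window.

    A value below 2 means a single missed run leaves nginx serving an expired
    staple before the next one, so the cadence is too slow for that responder.
    """
    return (next_update - this_update) // refresh_interval


def should_refresh(fetched_at, next_update, now, refresh_interval=REFRESH_INTERVAL):
    """Decide whether a prefetch run should fetch a new response now.

    Refresh when the cached copy is at least one interval old, or when it would
    expire before the next scheduled run even though it is still valid now.
    """
    return (now - fetched_at >= refresh_interval
            or next_update - now < refresh_interval)


if __name__ == "__main__":
    now = SAMPLE_THIS_UPDATE + timedelta(days=1)
    print(staple_status(SAMPLE_THIS_UPDATE, SAMPLE_NEXT_UPDATE, now))
    print(refreshes_per_window(SAMPLE_THIS_UPDATE, SAMPLE_NEXT_UPDATE))
    print(should_refresh(now - timedelta(hours=13), SAMPLE_NEXT_UPDATE, now))
```

The early-refresh branch in should_refresh is the one worth keeping in mind: a staple that is still valid on this run but will lapse before the next one must be replaced now, otherwise the host spends part of the next interval serving an expired response.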