29ff09ac95
Remove CSP from basic.conf includes
...
Too strong for general purposes.
Closes #222
2019-03-15 18:58:47 +01:00
9c6cca96c8
Release v3.0.1
2019-03-09 15:20:30 +01:00
cec616a103
SVGZ files are already compressed
...
Disable gzip function for them
Regression d2f4e5c68f
2019-03-09 15:08:44 +01:00
3b0c4c41df
Fix regexp expressions in mime-types maps
2019-03-09 13:45:33 +01:00
7e270ae657
Bump server-configs-test to v1.0.3
2019-03-09 13:17:33 +01:00
db1601f606
Use regexp in MIME-types based maps
2019-03-09 02:44:10 +01:00
06e5fc8445
Remove extra match-any regexp
2019-03-09 02:41:29 +01:00
d65cd97761
Use regexp in MIME-types based maps ( #221 )
...
Fix #220
Co-authored-by: Léo Colombaro <git@colombaro.fr>
2019-03-09 02:34:15 +01:00
50a6d793ce
Remove duplicated .conf in include
2019-02-13 14:45:52 +01:00
f600128203
Add Referrer-Policy for html document by default
2019-02-13 14:31:53 +01:00
c04dcb232f
Bump server-configs-test
2019-02-13 14:26:52 +01:00
48277fbc14
Bump server-configs-test
2019-02-13 14:16:45 +01:00
3cf23ea499
Bump server-configs-test
2019-02-13 14:10:36 +01:00
94a9cec172
Release v3.0.0
2019-02-12 17:03:13 +01:00
efafc1f52a
Use minimal env for Travis-CI builds
2019-02-12 12:53:16 +01:00
0acfbbd8fa
Bump server-configs-test
2019-02-12 12:31:41 +01:00
51f5ffab82
Clean up and prepare docs for v3
2019-02-12 12:25:30 +01:00
92a1c5df93
Let default servers be HTTP/2 compatible
2019-02-11 19:12:17 +01:00
3883f59739
Remove "duplicated" deferred
...
These suggestions are more complicated to use than just commenting them
out.
Users may face an errored situation.
Ref: a36387848fFix #199
2019-02-11 19:11:21 +01:00
a7b8831a12
fix typo in example.com.conf header comment
2019-02-11 18:03:04 +01:00
52e13535b4
Add test vhosts and Travis CI config
2019-02-11 16:18:43 +01:00
283b292c5e
Add default recommended headers
...
Since no more location directive is used, making these header
available everywhere is possible without breaking servers.
2019-02-10 22:20:05 +01:00
a4c9e2da8e
Better default certificates folder
...
Mapped as Docker Nginx image
2019-02-10 22:13:25 +01:00
6dd4cc27ed
Switch from location directives to maps based on MIME-types
...
* Expire
* X-XSS-Protection
* X-Frame-Options
* X-UA-Compatible
* Content-Security-Policy
* Access-Control-Allow-Origin
2019-02-10 21:56:10 +01:00
2d135053cb
Move MIME-type and charset declaration into their own conf files
2019-02-10 20:40:50 +01:00
452b630330
Update gzipped MIME-type following web standard
...
Source https://github.com/jshttp/mime-db
2019-02-10 20:38:23 +01:00
e21aec5822
Block access to file #.*#
...
Used to contain sensitive data
2019-02-10 20:36:26 +01:00
1f5d6359be
Bump supported Nginx to 1.8.0
2019-02-10 20:33:30 +01:00
fe7ff95a7f
Fix MIME-type
...
Add application/wasm and text/calendar
2019-02-10 20:32:53 +01:00
8a4a1ce706
Delete inline script
...
Not used internally and not maintained
2019-02-10 20:31:54 +01:00
8919496406
Remove outdated docs and fix repo structure
...
Trying to make maintenance as easier as we can
2019-02-04 14:09:06 +01:00
76be9604e3
Reflect conf.d change is doc
2019-02-01 21:57:51 +01:00
306af367e9
Move server config to conf.d folder
...
Aligning with nginx docker image
Fix #95
2019-02-01 21:57:51 +01:00
d2531ac605
Rotate ssl policies to modernize protocols recommendations
...
Closes #210
2019-02-01 16:13:22 +01:00
3472f5ab0e
Exclude repo file on export
2019-02-01 13:05:28 +01:00
930980a517
Typo
2018-12-03 15:38:57 +01:00
eeeebd0da6
Add new TLS policy 'future' ( #211 )
...
This new TLS policy embraces the best security practices and performance characteristics by sacrificing compatibility with older clients.
2018-12-02 18:40:25 +01:00
df4be14a73
Improve cache-file-descriptors.conf doc
...
Closes #203
2018-12-02 17:23:44 +01:00
df23e0ba8c
Add DH parameters note to policy_intermediate.conf ( #212 )
...
For DHE ciphersuites, adding a diffie hellman parameter is a good practice. Only the intermediate policy uses DHE ciphersuites.
2018-12-02 17:05:11 +01:00
86d8ed33ca
Improve SSL directives declarations, order and descriptions
2018-12-02 12:57:01 +01:00
5a2f750c53
Add note explaining secure eleptic curve situation for modern TLS profile preset ( #209 )
2018-11-30 12:12:02 +01:00
5f3ce4f73c
Add back web_performance_cache_expiration ( #206 )
...
remove double include h5bp/location/security_file_access.conf;
2018-11-30 11:40:33 +01:00
8141562756
Add eleptic curves for intermediate profile preset
...
prime256v1 (NIST P-256), secp384r1 (NIST P-384) and secp521r1 (NIST P-521) have been deemed insecure as per Daniel J. Bernstein's research (https://cr.yp.to/newelliptic/nistecc-20160106.pdf , https://safecurves.cr.yp.to/ ).
Despite that, the adoption of X25519 is too slim. Limiting to that curve would mean dropping compatibility with Safari, Edge and Internet Explorer.
2018-11-30 11:38:25 +01:00
9b369d23a5
Add eleptic curves for modern profile preset
...
prime256v1 (NIST P-256), secp384r1 (NIST P-384) and secp521r1 (NIST P-521) have been deemed insecure as per Daniel J. Bernstein's research (https://cr.yp.to/newelliptic/nistecc-20160106.pdf , https://safecurves.cr.yp.to/ ).
Despite that, the adoption of X25519 is too slim. Limiting to that curve would mean dropping compatibility with Safari, Edge and Internet Explorer.
2018-11-30 10:21:38 +01:00
959839d81f
Add a modern profile for SSL policy
...
TLSv1.0 & TLSv1.1 suffer from [POODLE](blog.qualys.com/ssllabs/2014/12/08/poodle-bites-tls) and other [padding oracle attack](blog.cloudflare.com/padding-oracles-and-the-decline-of-cbc-mode-ciphersuites)
You need to support only TLSv1.2 to expect closing those weakness (and use only AEAD cipher suite in case of padding oracle).
The same, non PFS cipher suite is not at all recommended (see heartbleed effect).
DHE support [is dropped](digicert.com/blog/google-plans-to-deprecate-dhe-cipher-suites) from any decent user agent and can lead to [mitm attack](media.ccc.de/v/32c3-7288-logjam_diffie-hellman_discrete_logs_the_nsa_and_you#t=1357) (arround ~25min in the video) with only one side supporting weak cipher suite.
3DES is deprecated and suffer from [sweet32](sweet32.info)
So I recommend using only the `EECDH+CHACHA20:EECDH+AES` cipher suite, which has [quite good compatibility](cryptcheck.fr/suite/EECDH+CHACHA20:EECDH+AES) and a very better security than the actual cipher suite.
Fix #201
Fix #183
Fix #190
Prepare #180
Co-authored-by: aeris <aeris@users.noreply.github.com>
2018-11-29 10:39:33 +01:00
10fc3a39a6
Split SSL config
...
Prepare #180
2018-11-29 10:39:33 +01:00
1b2b4eb276
Merge #202
2018-11-27 21:43:18 +01:00
3071e67d04
Tweaks and lint
2018-11-25 22:07:01 +01:00
70aff1c744
Create CODEOWNERS
2018-11-25 18:25:04 +01:00
16284ab91e
Fix TOC link in doc
2018-11-23 18:22:35 +01:00
Léo Colombaro