Commit Graph

441 Commits

Author SHA1 Message Date
Léo Colombaro 00373398ef
Keep testing CSP headers 2019-03-15 19:01:48 +01:00
Léo Colombaro 29ff09ac95
Remove CSP from basic.conf includes
Too strong for general purposes.

Closes #222
2019-03-15 18:58:47 +01:00
Léo Colombaro 9c6cca96c8
Release v3.0.1 2019-03-09 15:20:30 +01:00
Léo Colombaro cec616a103
SVGZ files are already compressed
Disable gzip function for them
Regression d2f4e5c68f
2019-03-09 15:08:44 +01:00
Léo Colombaro 3b0c4c41df
Fix regexp expressions in mime-types maps 2019-03-09 13:45:33 +01:00
Léo Colombaro 7e270ae657
Bump server-configs-test to v1.0.3 2019-03-09 13:17:33 +01:00
Léo Colombaro db1601f606
Use regexp in MIME-types based maps 2019-03-09 02:44:10 +01:00
Léo Colombaro 06e5fc8445
Remove extra match-any regexp 2019-03-09 02:41:29 +01:00
Mark Woon d65cd97761 Use regexp in MIME-types based maps (#221)
Fix #220

Co-authored-by: Léo Colombaro <git@colombaro.fr>
2019-03-09 02:34:15 +01:00
Léo Colombaro 50a6d793ce
Remove duplicated .conf in include 2019-02-13 14:45:52 +01:00
Léo Colombaro f600128203
Add Referrer-Policy for html document by default 2019-02-13 14:31:53 +01:00
Léo Colombaro c04dcb232f
Bump server-configs-test 2019-02-13 14:26:52 +01:00
Léo Colombaro 48277fbc14
Bump server-configs-test 2019-02-13 14:16:45 +01:00
Léo Colombaro 3cf23ea499
Bump server-configs-test 2019-02-13 14:10:36 +01:00
Léo Colombaro 94a9cec172 Release v3.0.0 2019-02-12 17:03:13 +01:00
Léo Colombaro efafc1f52a
Use minimal env for Travis-CI builds 2019-02-12 12:53:16 +01:00
Léo Colombaro 0acfbbd8fa
Bump server-configs-test 2019-02-12 12:31:41 +01:00
Léo Colombaro 51f5ffab82
Clean up and prepare docs for v3 2019-02-12 12:25:30 +01:00
Léo Colombaro 92a1c5df93
Let default servers be HTTP/2 compatible 2019-02-11 19:12:17 +01:00
Léo Colombaro 3883f59739
Remove "duplicated" deferred
These suggestions are more complicated to use than just commenting them
out.
Users may face an errored situation.

Ref: a36387848f

Fix #199
2019-02-11 19:11:21 +01:00
Romario Maxwell a7b8831a12 fix typo in example.com.conf header comment 2019-02-11 18:03:04 +01:00
Léo Colombaro 52e13535b4 Add test vhosts and Travis CI config 2019-02-11 16:18:43 +01:00
Léo Colombaro 283b292c5e
Add default recommended headers
Since no more location directive is used, making these header
available everywhere is possible without breaking servers.
2019-02-10 22:20:05 +01:00
Léo Colombaro a4c9e2da8e
Better default certificates folder
Mapped as Docker Nginx image
2019-02-10 22:13:25 +01:00
Léo Colombaro 6dd4cc27ed Switch from location directives to maps based on MIME-types
* Expire
* X-XSS-Protection
* X-Frame-Options
* X-UA-Compatible
* Content-Security-Policy
* Access-Control-Allow-Origin
2019-02-10 21:56:10 +01:00
Léo Colombaro 2d135053cb
Move MIME-type and charset declaration into their own conf files 2019-02-10 20:40:50 +01:00
Léo Colombaro 452b630330
Update gzipped MIME-type following web standard
Source https://github.com/jshttp/mime-db
2019-02-10 20:38:23 +01:00
Léo Colombaro e21aec5822
Block access to file #.*#
Used to contain sensitive data
2019-02-10 20:36:26 +01:00
Léo Colombaro 1f5d6359be
Bump supported Nginx to 1.8.0 2019-02-10 20:33:30 +01:00
Léo Colombaro fe7ff95a7f
Fix MIME-type
Add application/wasm and text/calendar
2019-02-10 20:32:53 +01:00
Léo Colombaro 8a4a1ce706
Delete inline script
Not used internally and not maintained
2019-02-10 20:31:54 +01:00
Léo Colombaro 8919496406
Remove outdated docs and fix repo structure
Trying to make maintenance as easier as we can
2019-02-04 14:09:06 +01:00
Léo Colombaro 76be9604e3 Reflect conf.d change is doc 2019-02-01 21:57:51 +01:00
Léo Colombaro 306af367e9 Move server config to conf.d folder
Aligning with nginx docker image
Fix #95
2019-02-01 21:57:51 +01:00
Léo Colombaro d2531ac605 Rotate ssl policies to modernize protocols recommendations
Closes #210
2019-02-01 16:13:22 +01:00
Léo Colombaro 3472f5ab0e
Exclude repo file on export 2019-02-01 13:05:28 +01:00
Léo Colombaro 930980a517
Typo 2018-12-03 15:38:57 +01:00
Ewout van Mansom eeeebd0da6 Add new TLS policy 'future' (#211)
This new TLS policy embraces the best security practices and performance characteristics by sacrificing compatibility with older clients.
2018-12-02 18:40:25 +01:00
Léo Colombaro df4be14a73
Improve cache-file-descriptors.conf doc
Closes #203
2018-12-02 17:23:44 +01:00
Ewout van Mansom df23e0ba8c Add DH parameters note to policy_intermediate.conf (#212)
For DHE ciphersuites, adding a diffie hellman parameter is a good practice. Only the intermediate policy uses DHE ciphersuites.
2018-12-02 17:05:11 +01:00
Léo Colombaro 86d8ed33ca
Improve SSL directives declarations, order and descriptions 2018-12-02 12:57:01 +01:00
Ewout van Mansom 5a2f750c53 Add note explaining secure eleptic curve situation for modern TLS profile preset (#209) 2018-11-30 12:12:02 +01:00
a22375 5f3ce4f73c Add back web_performance_cache_expiration (#206)
remove double include h5bp/location/security_file_access.conf;
2018-11-30 11:40:33 +01:00
Ewout van Mansom 8141562756 Add eleptic curves for intermediate profile preset
prime256v1 (NIST P-256), secp384r1 (NIST P-384) and secp521r1 (NIST P-521) have been deemed insecure as per Daniel J. Bernstein's research (https://cr.yp.to/newelliptic/nistecc-20160106.pdf, https://safecurves.cr.yp.to/).

Despite that, the adoption of X25519 is too slim. Limiting to that curve would mean dropping compatibility with Safari, Edge and Internet Explorer.
2018-11-30 11:38:25 +01:00
Ewout van Mansom 9b369d23a5 Add eleptic curves for modern profile preset
prime256v1 (NIST P-256), secp384r1 (NIST P-384) and secp521r1 (NIST P-521) have been deemed insecure as per Daniel J. Bernstein's research (https://cr.yp.to/newelliptic/nistecc-20160106.pdf, https://safecurves.cr.yp.to/).

Despite that, the adoption of X25519 is too slim. Limiting to that curve would mean dropping compatibility with Safari, Edge and Internet Explorer.
2018-11-30 10:21:38 +01:00
Léo Colombaro 959839d81f Add a modern profile for SSL policy
TLSv1.0 & TLSv1.1 suffer from [POODLE](blog.qualys.com/ssllabs/2014/12/08/poodle-bites-tls) and other [padding oracle attack](blog.cloudflare.com/padding-oracles-and-the-decline-of-cbc-mode-ciphersuites)
You need to support only TLSv1.2 to expect closing those weakness (and use only AEAD cipher suite in case of padding oracle).

The same, non PFS cipher suite is not at all recommended (see heartbleed effect).
DHE support [is dropped](digicert.com/blog/google-plans-to-deprecate-dhe-cipher-suites) from any decent user agent and can lead to [mitm attack](media.ccc.de/v/32c3-7288-logjam_diffie-hellman_discrete_logs_the_nsa_and_you#t=1357) (arround ~25min in the video) with only one side supporting weak cipher suite.
3DES is deprecated and suffer from [sweet32](sweet32.info)

So I recommend using only the `EECDH+CHACHA20:EECDH+AES` cipher suite, which has [quite good compatibility](cryptcheck.fr/suite/EECDH+CHACHA20:EECDH+AES) and a very better security than the actual cipher suite.

Fix #201
Fix #183
Fix #190
Prepare #180

Co-authored-by: aeris <aeris@users.noreply.github.com>
2018-11-29 10:39:33 +01:00
Léo Colombaro 10fc3a39a6 Split SSL config
Prepare #180
2018-11-29 10:39:33 +01:00
Léo Colombaro 1b2b4eb276
Merge #202 2018-11-27 21:43:18 +01:00
Léo Colombaro 3071e67d04
Tweaks and lint 2018-11-25 22:07:01 +01:00
Léo Colombaro 70aff1c744
Create CODEOWNERS 2018-11-25 18:25:04 +01:00