Léo Colombaro
8919496406
Remove outdated docs and fix repo structure
...
Trying to make maintenance as easier as we can
2019-02-04 14:09:06 +01:00
Léo Colombaro
76be9604e3
Reflect conf.d change is doc
2019-02-01 21:57:51 +01:00
Léo Colombaro
306af367e9
Move server config to conf.d folder
...
Aligning with nginx docker image
Fix #95
2019-02-01 21:57:51 +01:00
Léo Colombaro
d2531ac605
Rotate ssl policies to modernize protocols recommendations
...
Closes #210
2019-02-01 16:13:22 +01:00
Léo Colombaro
3472f5ab0e
Exclude repo file on export
2019-02-01 13:05:28 +01:00
Léo Colombaro
930980a517
Typo
2018-12-03 15:38:57 +01:00
Ewout van Mansom
eeeebd0da6
Add new TLS policy 'future' ( #211 )
...
This new TLS policy embraces the best security practices and performance characteristics by sacrificing compatibility with older clients.
2018-12-02 18:40:25 +01:00
Léo Colombaro
df4be14a73
Improve cache-file-descriptors.conf doc
...
Closes #203
2018-12-02 17:23:44 +01:00
Ewout van Mansom
df23e0ba8c
Add DH parameters note to policy_intermediate.conf ( #212 )
...
For DHE ciphersuites, adding a diffie hellman parameter is a good practice. Only the intermediate policy uses DHE ciphersuites.
2018-12-02 17:05:11 +01:00
Léo Colombaro
86d8ed33ca
Improve SSL directives declarations, order and descriptions
2018-12-02 12:57:01 +01:00
Ewout van Mansom
5a2f750c53
Add note explaining secure eleptic curve situation for modern TLS profile preset ( #209 )
2018-11-30 12:12:02 +01:00
a22375
5f3ce4f73c
Add back web_performance_cache_expiration ( #206 )
...
remove double include h5bp/location/security_file_access.conf;
2018-11-30 11:40:33 +01:00
Ewout van Mansom
8141562756
Add eleptic curves for intermediate profile preset
...
prime256v1 (NIST P-256), secp384r1 (NIST P-384) and secp521r1 (NIST P-521) have been deemed insecure as per Daniel J. Bernstein's research (https://cr.yp.to/newelliptic/nistecc-20160106.pdf , https://safecurves.cr.yp.to/ ).
Despite that, the adoption of X25519 is too slim. Limiting to that curve would mean dropping compatibility with Safari, Edge and Internet Explorer.
2018-11-30 11:38:25 +01:00
Ewout van Mansom
9b369d23a5
Add eleptic curves for modern profile preset
...
prime256v1 (NIST P-256), secp384r1 (NIST P-384) and secp521r1 (NIST P-521) have been deemed insecure as per Daniel J. Bernstein's research (https://cr.yp.to/newelliptic/nistecc-20160106.pdf , https://safecurves.cr.yp.to/ ).
Despite that, the adoption of X25519 is too slim. Limiting to that curve would mean dropping compatibility with Safari, Edge and Internet Explorer.
2018-11-30 10:21:38 +01:00
Léo Colombaro
959839d81f
Add a modern profile for SSL policy
...
TLSv1.0 & TLSv1.1 suffer from [POODLE](blog.qualys.com/ssllabs/2014/12/08/poodle-bites-tls) and other [padding oracle attack](blog.cloudflare.com/padding-oracles-and-the-decline-of-cbc-mode-ciphersuites)
You need to support only TLSv1.2 to expect closing those weakness (and use only AEAD cipher suite in case of padding oracle).
The same, non PFS cipher suite is not at all recommended (see heartbleed effect).
DHE support [is dropped](digicert.com/blog/google-plans-to-deprecate-dhe-cipher-suites) from any decent user agent and can lead to [mitm attack](media.ccc.de/v/32c3-7288-logjam_diffie-hellman_discrete_logs_the_nsa_and_you#t=1357) (arround ~25min in the video) with only one side supporting weak cipher suite.
3DES is deprecated and suffer from [sweet32](sweet32.info)
So I recommend using only the `EECDH+CHACHA20:EECDH+AES` cipher suite, which has [quite good compatibility](cryptcheck.fr/suite/EECDH+CHACHA20:EECDH+AES) and a very better security than the actual cipher suite.
Fix #201
Fix #183
Fix #190
Prepare #180
Co-authored-by: aeris <aeris@users.noreply.github.com>
2018-11-29 10:39:33 +01:00
Léo Colombaro
10fc3a39a6
Split SSL config
...
Prepare #180
2018-11-29 10:39:33 +01:00
Léo Colombaro
1b2b4eb276
Merge #202
2018-11-27 21:43:18 +01:00
Léo Colombaro
3071e67d04
Tweaks and lint
2018-11-25 22:07:01 +01:00
Léo Colombaro
70aff1c744
Create CODEOWNERS
2018-11-25 18:25:04 +01:00
Léo Colombaro
16284ab91e
Fix TOC link in doc
2018-11-23 18:22:35 +01:00
Léo Colombaro
f6b7e4f635
Reflect updated structure in site configs
2018-11-23 18:21:34 +01:00
Léo Colombaro
fb88c34cde
Reflect updated structure in doc
...
Also refer to inline documentation to simplify maintenance
2018-11-23 17:20:05 +01:00
Léo Colombaro
496af1cfd5
Split directives to enforce atomic structure
...
* Enforce H5BP style
* Improve inline documentation to simplify maintenance
* Prepare v3
2018-11-23 17:19:51 +01:00
Léo Colombaro
b935688c2b
Fix external links
2018-11-23 14:45:12 +01:00
Léo Colombaro
e69311d295
Fix some typos and phrasing in CONTRIBUTING.md
2018-11-23 14:30:39 +01:00
Léo Colombaro
a6d489ceab
Add .editorconfig file
2018-11-23 14:29:32 +01:00
Léo Colombaro
8f186e9205
Update repo documentation
2018-11-23 13:32:36 +01:00
Léo Colombaro
e38617e7fb
Switch to `https` when possible
2018-11-23 13:15:44 +01:00
Léo Colombaro
b0b3dd87c4
Remove mainteners promotion
2018-11-23 13:10:30 +01:00
Andrea Falco
94262e7610
Changed GeoJSON and RDF media type ( #186 )
...
* Updated GeoJSON media type
Following https://tools.ietf.org/html/rfc7946#section-12
* Updated RDF media type
Following https://tools.ietf.org/html/rfc3870#section-2
2018-11-23 12:56:17 +01:00
divinity76
b244111468
support Matroska mime types
...
mkv
mk3d
mka
2018-11-23 12:51:09 +01:00
Léo Colombaro
56d84bb509
Add a gitattributes file
...
Make GitHub's language statistics treat the `*.conf` files as Nginx configuration files
2018-11-23 12:33:48 +01:00
Johannes Müller
286a158ce7
Add IPv4 listen directive to no-default
2018-11-23 12:27:02 +01:00
Léo Colombaro
70ae5ded27
reflect mime changes in nginx.conf
2018-11-23 11:46:32 +01:00
Léo Colombaro
9c6aad83a5
web fonts mime types rfc8081
2018-11-23 11:46:32 +01:00
Léo Colombaro
08272b63c2
add mime type for javascript modules
2018-11-23 11:46:32 +01:00
Léo Colombaro
62dbd41aee
application to text mime group for javascript
...
Ref:
https://html.spec.whatwg.org/multipage/scripting.html#scriptingLanguages
2018-11-23 11:46:32 +01:00
isum
284ee70034
Update usage.md
...
This made it work on my box)
2018-11-23 11:44:38 +01:00
Matt Rubin
135d093a75
Replace location block `add_header` directives with `expires` directives
...
Fixes https://github.com/h5bp/server-configs-nginx/issues/193
2018-11-23 11:38:22 +01:00
Chris McKnight
006d7be396
fix(cache-busting): Support hashed asset names
2018-08-07 17:00:16 -05:00
Andy Dawson
c5c6602232
oops
2017-05-06 19:31:51 +02:00
Andy Dawson
312772d4db
Update version
2017-05-06 17:25:16 +00:00
Andy Dawson
f1e7b85323
Regenreate change log
2017-05-06 17:21:55 +00:00
Andy Dawson
3bda5b93ed
Add defaults to all directives in nginx.conf
...
The reason most of these are changed is already covered by the existing
doc block
closes #127
2017-05-06 18:30:09 +02:00
Andy Dawson
eca3919c88
Merge pull request #155 from electerious/patch-1
...
Updated gzip_types and charset_types code convention
2017-05-06 17:58:03 +02:00
Andy Dawson
bede62c386
Merge pull request #151 from JoeArizona/patch-1
...
Added mime types for JPEG-XR, markdown, and CSV
2017-05-06 17:57:06 +02:00
Andy Dawson
ba73ae2f89
Merge pull request #142 from pentago/spdy-off
...
Removed SPDY support as we're using HTTP/2 now.
2017-05-06 17:51:38 +02:00
Andy Dawson
34c2114527
Don't need that expires
2017-05-06 17:49:43 +02:00
Matthew Miller
d2f4e5c68f
Remove cache-control public and better handle svgz files
...
Fixes : #86
Fixes : #134
2017-05-06 17:48:07 +02:00
Andy Dawson
351e70671e
Don't use expire headers in doc examples
2017-05-06 17:43:34 +02:00