Commit Graph

126 Commits

Author SHA1 Message Date
Léo Colombaro 6dd4cc27ed Switch from location directives to maps based on MIME-types
* Expire
* X-XSS-Protection
* X-Frame-Options
* X-UA-Compatible
* Content-Security-Policy
* Access-Control-Allow-Origin
2019-02-10 21:56:10 +01:00
Léo Colombaro 2d135053cb
Move MIME-type and charset declaration into their own conf files 2019-02-10 20:40:50 +01:00
Léo Colombaro 452b630330
Update gzipped MIME-type following web standard
Source https://github.com/jshttp/mime-db
2019-02-10 20:38:23 +01:00
Léo Colombaro e21aec5822
Block access to file #.*#
Used to contain sensitive data
2019-02-10 20:36:26 +01:00
Léo Colombaro d2531ac605 Rotate ssl policies to modernize protocols recommendations
Closes #210
2019-02-01 16:13:22 +01:00
Ewout van Mansom eeeebd0da6 Add new TLS policy 'future' (#211)
This new TLS policy embraces the best security practices and performance characteristics by sacrificing compatibility with older clients.
2018-12-02 18:40:25 +01:00
Léo Colombaro df4be14a73
Improve cache-file-descriptors.conf doc
Closes #203
2018-12-02 17:23:44 +01:00
Ewout van Mansom df23e0ba8c Add DH parameters note to policy_intermediate.conf (#212)
For DHE ciphersuites, adding a diffie hellman parameter is a good practice. Only the intermediate policy uses DHE ciphersuites.
2018-12-02 17:05:11 +01:00
Léo Colombaro 86d8ed33ca
Improve SSL directives declarations, order and descriptions 2018-12-02 12:57:01 +01:00
Ewout van Mansom 5a2f750c53 Add note explaining secure eleptic curve situation for modern TLS profile preset (#209) 2018-11-30 12:12:02 +01:00
a22375 5f3ce4f73c Add back web_performance_cache_expiration (#206)
remove double include h5bp/location/security_file_access.conf;
2018-11-30 11:40:33 +01:00
Ewout van Mansom 8141562756 Add eleptic curves for intermediate profile preset
prime256v1 (NIST P-256), secp384r1 (NIST P-384) and secp521r1 (NIST P-521) have been deemed insecure as per Daniel J. Bernstein's research (https://cr.yp.to/newelliptic/nistecc-20160106.pdf, https://safecurves.cr.yp.to/).

Despite that, the adoption of X25519 is too slim. Limiting to that curve would mean dropping compatibility with Safari, Edge and Internet Explorer.
2018-11-30 11:38:25 +01:00
Ewout van Mansom 9b369d23a5 Add eleptic curves for modern profile preset
prime256v1 (NIST P-256), secp384r1 (NIST P-384) and secp521r1 (NIST P-521) have been deemed insecure as per Daniel J. Bernstein's research (https://cr.yp.to/newelliptic/nistecc-20160106.pdf, https://safecurves.cr.yp.to/).

Despite that, the adoption of X25519 is too slim. Limiting to that curve would mean dropping compatibility with Safari, Edge and Internet Explorer.
2018-11-30 10:21:38 +01:00
Léo Colombaro 959839d81f Add a modern profile for SSL policy
TLSv1.0 & TLSv1.1 suffer from [POODLE](blog.qualys.com/ssllabs/2014/12/08/poodle-bites-tls) and other [padding oracle attack](blog.cloudflare.com/padding-oracles-and-the-decline-of-cbc-mode-ciphersuites)
You need to support only TLSv1.2 to expect closing those weakness (and use only AEAD cipher suite in case of padding oracle).

The same, non PFS cipher suite is not at all recommended (see heartbleed effect).
DHE support [is dropped](digicert.com/blog/google-plans-to-deprecate-dhe-cipher-suites) from any decent user agent and can lead to [mitm attack](media.ccc.de/v/32c3-7288-logjam_diffie-hellman_discrete_logs_the_nsa_and_you#t=1357) (arround ~25min in the video) with only one side supporting weak cipher suite.
3DES is deprecated and suffer from [sweet32](sweet32.info)

So I recommend using only the `EECDH+CHACHA20:EECDH+AES` cipher suite, which has [quite good compatibility](cryptcheck.fr/suite/EECDH+CHACHA20:EECDH+AES) and a very better security than the actual cipher suite.

Fix #201
Fix #183
Fix #190
Prepare #180

Co-authored-by: aeris <aeris@users.noreply.github.com>
2018-11-29 10:39:33 +01:00
Léo Colombaro 10fc3a39a6 Split SSL config
Prepare #180
2018-11-29 10:39:33 +01:00
Léo Colombaro 1b2b4eb276
Merge #202 2018-11-27 21:43:18 +01:00
Léo Colombaro 3071e67d04
Tweaks and lint 2018-11-25 22:07:01 +01:00
Léo Colombaro 496af1cfd5
Split directives to enforce atomic structure
* Enforce H5BP style
* Improve inline documentation to simplify maintenance
* Prepare v3
2018-11-23 17:19:51 +01:00
Léo Colombaro b935688c2b
Fix external links 2018-11-23 14:45:12 +01:00
Léo Colombaro e38617e7fb
Switch to `https` when possible 2018-11-23 13:15:44 +01:00
Matt Rubin 135d093a75 Replace location block `add_header` directives with `expires` directives
Fixes https://github.com/h5bp/server-configs-nginx/issues/193
2018-11-23 11:38:22 +01:00
Chris McKnight 006d7be396
fix(cache-busting): Support hashed asset names 2018-08-07 17:00:16 -05:00
Andy Dawson ba73ae2f89 Merge pull request #142 from pentago/spdy-off
Removed SPDY support as we're using HTTP/2 now.
2017-05-06 17:51:38 +02:00
Andy Dawson 34c2114527 Don't need that expires 2017-05-06 17:49:43 +02:00
Matthew Miller d2f4e5c68f Remove cache-control public and better handle svgz files
Fixes: #86

Fixes: #134
2017-05-06 17:48:07 +02:00
Andy Dawson 1cc4b14e51 Merge pull request #168 from alanorth/cache-control-public
Use Cache-Control instead of Expires
2017-05-06 17:39:38 +02:00
Andy Dawson 391375e1e7 Merge pull request #171 from quantumpacket/patch-1
Remove Unnecessary Trailing Semicolon
2017-05-06 17:01:07 +02:00
0ri0n 1648e2f0d4 Update ssl_ciphers To Latest Mozilla Intermediate
Updates to latest ciphers list for Mozilla Intermediate, which also adds support for ChaCha20 and Poly1305.
2017-01-08 12:18:04 -05:00
0ri0n 9c7e84f54f Remove Unnecessary Trailing Semicolon
No need to add a semicolon for the last directive. In addition, having that unnecessary semicolon causes the HSTS tool (https://hstspreload.org/) for getting on the preload list to fail with an error about the semicolon.
2017-01-07 12:10:02 -05:00
Alan Orth fd84b1f429
Use Cache-Control max-age instead of Expires headers
Cache-Control max-age was introduced in HTTP/1.1 over ten years ago
and is preferred to Expires. This replaces all expiry dates with an
equivalent max-age in seconds.

See: https://developers.google.com/web/fundamentals/performance/optimizing-content-efficiency/http-caching
See: https://www.mnot.net/blog/2007/05/15/expires_max-age
2016-11-15 15:46:34 +02:00
Alan Orth b0c1406cf9
Remove references to Cache-Control public
A previous commit removed some, but missed these. Where a location
directive was using Expires to set a future expiry in conjunction
with Cache-Control public, I have replaced the time with an equal
max-age.

Furthermore, Google's web performance guide says that "public" is
implicit if there is a max-age specified.

See: https://developers.google.com/web/fundamentals/performance/optimizing-content-efficiency/http-caching
2016-11-15 15:37:26 +02:00
Leon Klingele 934eaf3f87 Always add security-relevant headers to the response, regardless of the response code (implements #147)
From nginx' add_header documentation:
```
add_header Adds the specified field to a response header provided that
the response code equals 200, 201, 204, 206, 301, 302, 303, 304, or 307.
```
At least for all security-relevant headers this should not be the case
and the header should always be added.
2016-07-07 13:29:58 +02:00
Pentago 046aaaee84 Removed SPDY support as we're using HTTP/2 now. Ref: df102c6 2016-06-13 20:31:13 +02:00
Andy Dawson b8fdd45542 Remove access log for probably-not-static files
closes #131
2016-06-08 09:55:58 +02:00
Andy Dawson d84f80ac98 Remove cache-control public
Closes #134
2016-06-08 09:55:00 +02:00
root 025b203b19 preload added to ssl.conf 2016-06-08 09:44:09 +02:00
Chris Chapman 09f500815c Fix capitalization of includeSubDomains 2016-06-04 12:22:43 -06:00
Alan Orth ec4e0303f4 Correct syntax for keepalive_timeout
It doesn't seem to be a fatal error, but the keepalive_timeout
value actually requires "s" (for seconds). Another occurence of
this was fixed in 35434b3361 but
these slipped through.

See: http://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2016-03-14 10:25:01 +02:00
Bo-Yi Wu 3270937c3a fix format.
Signed-off-by: Bo-Yi Wu <appleboy.tw@gmail.com>
2015-12-04 22:25:31 +08:00
Andy Dawson 94b3680c9d Merge pull request #105 from Cryszon/patch-1
Updated locations to match h5bp's Apache config
2015-09-11 10:55:01 +02:00
AD7six faabaad16b Update to mozilla's wiki's current intermediate set 2015-09-11 08:41:05 +00:00
Kimmo Salmela d37a4c7165 Updated locations to match h5bp's Apache config
See https://github.com/h5bp/server-configs-apache/issues/31 for `well-known` change.
2015-06-08 15:56:19 +03:00
Andy Dawson fce0e368c1 Don't use invalid examples
A wildcard subdomain isn't valid syntax for a ACAO header
2015-05-29 15:32:23 +02:00
Joey Geiger 1089839e54 Fix typo in `expires.conf`
Close h5bp/server-configs-nginx#82.
2014-11-17 20:31:24 +02:00
Andy Dawson 228c5ccca0 Merge pull request #78 from ChrisMcKee/patch-4
Extra security headers without a home
2014-10-30 16:02:01 +01:00
Chris McKee cb0ca2934c Update extra-security.conf 2014-10-30 09:59:06 +00:00
Andy Dawson 67a259a471 Merge pull request #77 from ChrisMcKee/patch-3
Change note / add missing header
2014-10-29 20:03:19 +01:00
Andy Dawson 85018fa236 avoid long lines 2014-10-29 19:47:17 +01:00
Andy Dawson 62ef8ddbcc Merge pull request #75 from ChrisMcKee/patch-1
add secondary google dns ip and 2 failover DYN DNS public dns ips, and t...
2014-10-29 19:46:29 +01:00
Chris McKee a3cf3aab00 Extra security headers without a home 2014-10-28 21:28:03 +00:00
Chris McKee a4b121a2e7 Change note / add missing header 2014-10-28 21:22:27 +00:00
Chris McKee a97cbecd12 Update Cipher list to latest add version of STS
Updated latest "intermediate" ciphers from mozilla
Add another version of the STS header including subdomains and comments
Add note at base to consider ssl-stapling
2014-10-28 21:20:37 +00:00
Chris McKee 6121b47151 add secondary google dns ip and 2 failover DYN DNS public dns ips, and timeouts 2014-10-28 21:09:57 +00:00
Cătălin Mariș c7a2d3b476 Add info on ngx_pagespeed & content transformation
Provide information about `ngx_pagespeed` not rewriting any / some
of the resources if the `Cache-Control: no-transform` response header
is set.

Ref: https://developers.google.com/speed/pagespeed/module/configuration#notransform

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Thanks to @Nikita-S-Doroshenko for pointing this out!

Ref: h5bp/server-configs-apache#46
2014-10-23 14:08:00 +03:00
Andy Dawson 764c707262 Merge pull request #69 from mikealmond/ssl-updates
Updated SSL ciphers and added note about POODLE
2014-10-17 21:06:10 +02:00
Daniel Marquard 99cdb58475 HSTS off by default
Consensus to disable HSTS by default.
2014-10-16 05:40:48 -04:00
Mike Almond 4cd1367b43 Remove quotes from SSL cipher list 2014-10-15 13:47:33 -04:00
Mike Almond fe256f3be7 Add note about POODLE attack against SSLv3 2014-10-15 11:22:09 -04:00
Mike Almond 25cbfb8942 Update SSL ciphers to the updated defaults by Mozilla 2014-10-15 11:17:04 -04:00
Daniel Marquard 5525eebf2b Removed "includeSubDomains"
As a best practice, Nginx should only direct clients to use the certificate on specified domains. This is because not all servers using other subdomains necessarily listen on 443 and because, unless it is a wildcard certificate, it likely won't be valid on subdomains other than WWW.
2014-10-14 00:16:22 -04:00
Przemek Matylla f9b58cd883 Add configs for WOFF 2.0 font files (`.woff2`)
Ref: http://www.w3.org/TR/WOFF2/
     h5bp/server-configs-apache#32

Close: h5bp/server-configs-nginx#54
2014-09-03 15:31:25 +03:00
Matthew Haughton b75cbfdafe Remove Chrome Frame related comment
Fix h5bp/server-configs-nginx#30
Close h5bp/server-configs-nginx#62
2014-09-03 15:16:05 +03:00
AD7six 332998a2db use a much longer ssl_session_timeout
To match the settiongs from istlsfastyet.com

Add a mention of ssl_buffer_size even though it can 't be enabled yet
2014-07-28 14:56:27 +00:00
AD7six 72f9509a5e disable ssl_session_tickets
it's only recently added so is a config error otherwise
2014-07-28 14:42:35 +00:00
AD7six 7295a765ee add stubs for ssl-stapling and spdy 2014-07-28 14:38:22 +00:00
AD7six 759bf84163 Default to use HTTP strict transport security 2014-07-28 14:30:00 +00:00
AD7six 398036440b add increased ssl timeout 2014-07-28 14:29:04 +00:00
AD7six d996d2da0c turn off ssl session tickets
Stolen from istlsfastyet.com's config

It is probably a more logical default to turn off session tickets
given the diff linked in the comment block.
2014-07-28 14:20:58 +00:00
AD7six 08d4bbbd04 remove SSLv3 from the ssl protocol list
As suggested in #44, and since h5bp doesn't support IE6 it seems to be
appropriate to remove a protocol which is in the list only to permit use
with IE6.
2014-07-28 14:16:09 +00:00
AD7six 029ff47286 move ssl config to a seperate file 2014-07-28 14:08:19 +00:00
Marvin Roger 03dc5e07e6 Fix typo
Close h5bp/server-configs-nginx#48.
2014-06-26 22:42:12 +03:00
AD7six bf0e3657f9 apply cross-domain changes proposed in #23
closes #23
2014-04-08 10:13:29 +00:00
Bo-Yi Wu b4d4ebb357 Remove Chrome Frame meta tag. Reference h5bp/server-configs-nginx#2 2013-12-21 17:41:25 +08:00
Syed I.R 41e8ef9992 Renamed h5bp.conf to basic.conf README
Updated with correct filename.
2013-12-03 23:50:27 +05:30
AD7six 560bdab9cf Move config snippets around
Make it more obvious which snippets are location based, and which
are just directives. Need to provide more files like basic.conf to
cover more of the common use cases.
2013-11-22 10:50:58 +00:00
AD7six e476b08d11 rename conf folder to h5bp
The name "conf" is potentially confusing as something which should be inclued
en masse rather than a folder of config snippets.

Closes #13
2013-11-20 18:06:02 +00:00