Commit Graph

351 Commits

Author SHA1 Message Date
Léo Colombaro 86d8ed33ca Improve SSL directives declarations, order and descriptions 2018-12-02 12:57:01 +01:00
Ewout van Mansom 5a2f750c53 Add note explaining secure elliptic curve situation for modern TLS profile preset (#209) 2018-11-30 12:12:02 +01:00
a22375 5f3ce4f73c Add back web_performance_cache_expiration (#206)
remove double include h5bp/location/security_file_access.conf;
2018-11-30 11:40:33 +01:00
Ewout van Mansom 8141562756 Add elliptic curves for intermediate profile preset
prime256v1 (NIST P-256), secp384r1 (NIST P-384) and secp521r1 (NIST P-521) have been deemed insecure as per Daniel J. Bernstein's research (https://cr.yp.to/newelliptic/nistecc-20160106.pdf, https://safecurves.cr.yp.to/).

Despite that, the adoption of X25519 is too slim. Limiting to that curve would mean dropping compatibility with Safari, Edge and Internet Explorer.
2018-11-30 11:38:25 +01:00
Ewout van Mansom 9b369d23a5 Add elliptic curves for modern profile preset
prime256v1 (NIST P-256), secp384r1 (NIST P-384) and secp521r1 (NIST P-521) have been deemed insecure as per Daniel J. Bernstein's research (https://cr.yp.to/newelliptic/nistecc-20160106.pdf, https://safecurves.cr.yp.to/).

Despite that, the adoption of X25519 is too slim. Limiting to that curve would mean dropping compatibility with Safari, Edge and Internet Explorer.
2018-11-30 10:21:38 +01:00
Léo Colombaro 959839d81f Add a modern profile for SSL policy
TLSv1.0 & TLSv1.1 suffer from [POODLE](blog.qualys.com/ssllabs/2014/12/08/poodle-bites-tls) and other [padding oracle attacks](blog.cloudflare.com/padding-oracles-and-the-decline-of-cbc-mode-ciphersuites).
You need to support only TLSv1.2 to expect to close those weaknesses (and use only AEAD cipher suites in the case of padding oracles).

Likewise, non-PFS cipher suites are not at all recommended (see the Heartbleed effect).
DHE support [is dropped](digicert.com/blog/google-plans-to-deprecate-dhe-cipher-suites) by any decent user agent and can lead to a [MITM attack](media.ccc.de/v/32c3-7288-logjam_diffie-hellman_discrete_logs_the_nsa_and_you#t=1357) (around ~25 min into the video) with only one side supporting a weak cipher suite.
3DES is deprecated and suffers from [Sweet32](sweet32.info).

So I recommend using only the `EECDH+CHACHA20:EECDH+AES` cipher suite, which has [quite good compatibility](cryptcheck.fr/suite/EECDH+CHACHA20:EECDH+AES) and much better security than the current cipher suite.

Fix #201
Fix #183
Fix #190
Prepare #180

Co-authored-by: aeris <aeris@users.noreply.github.com>
2018-11-29 10:39:33 +01:00
Léo Colombaro 10fc3a39a6 Split SSL config
Prepare #180
2018-11-29 10:39:33 +01:00
Léo Colombaro 1b2b4eb276 Merge #202 2018-11-27 21:43:18 +01:00
Léo Colombaro 3071e67d04 Tweaks and lint 2018-11-25 22:07:01 +01:00
Léo Colombaro 70aff1c744 Create CODEOWNERS 2018-11-25 18:25:04 +01:00
Léo Colombaro 16284ab91e Fix TOC link in doc 2018-11-23 18:22:35 +01:00
Léo Colombaro f6b7e4f635 Reflect updated structure in site configs 2018-11-23 18:21:34 +01:00
Léo Colombaro fb88c34cde Reflect updated structure in doc
Also refer to inline documentation to simplify maintenance
2018-11-23 17:20:05 +01:00
Léo Colombaro 496af1cfd5 Split directives to enforce atomic structure
* Enforce H5BP style
* Improve inline documentation to simplify maintenance
* Prepare v3
2018-11-23 17:19:51 +01:00
Léo Colombaro b935688c2b Fix external links 2018-11-23 14:45:12 +01:00
Léo Colombaro e69311d295 Fix some typos and phrasing in CONTRIBUTING.md 2018-11-23 14:30:39 +01:00
Léo Colombaro a6d489ceab Add .editorconfig file 2018-11-23 14:29:32 +01:00
Léo Colombaro 8f186e9205 Update repo documentation 2018-11-23 13:32:36 +01:00
Léo Colombaro e38617e7fb Switch to `https` when possible 2018-11-23 13:15:44 +01:00
Léo Colombaro b0b3dd87c4 Remove maintainers promotion 2018-11-23 13:10:30 +01:00
Andrea Falco 94262e7610 Changed GeoJSON and RDF media type (#186)
* Updated GeoJSON media type

Following https://tools.ietf.org/html/rfc7946#section-12

* Updated RDF media type

Following https://tools.ietf.org/html/rfc3870#section-2
2018-11-23 12:56:17 +01:00
divinity76 b244111468 support Matroska mime types
mkv
mk3d
mka
2018-11-23 12:51:09 +01:00
Léo Colombaro 56d84bb509 Add a gitattributes file
Make GitHub's language statistics treat the `*.conf` files as Nginx configuration files
2018-11-23 12:33:48 +01:00
Johannes Müller 286a158ce7 Add IPv4 listen directive to no-default 2018-11-23 12:27:02 +01:00
Léo Colombaro 70ae5ded27 reflect mime changes in nginx.conf 2018-11-23 11:46:32 +01:00
Léo Colombaro 9c6aad83a5 web fonts mime types rfc8081 2018-11-23 11:46:32 +01:00
Léo Colombaro 08272b63c2 add mime type for javascript modules 2018-11-23 11:46:32 +01:00
Léo Colombaro 62dbd41aee application to text mime group for javascript
Ref:
https://html.spec.whatwg.org/multipage/scripting.html#scriptingLanguages
2018-11-23 11:46:32 +01:00
isum 284ee70034 Update usage.md
This made it work on my box)
2018-11-23 11:44:38 +01:00
Matt Rubin 135d093a75 Replace location block `add_header` directives with `expires` directives
Fixes https://github.com/h5bp/server-configs-nginx/issues/193
2018-11-23 11:38:22 +01:00
Chris McKnight 006d7be396 fix(cache-busting): Support hashed asset names 2018-08-07 17:00:16 -05:00
Andy Dawson c5c6602232 oops 2017-05-06 19:31:51 +02:00
Andy Dawson 312772d4db Update version 2017-05-06 17:25:16 +00:00
Andy Dawson f1e7b85323 Regenerate change log 2017-05-06 17:21:55 +00:00
Andy Dawson 3bda5b93ed Add defaults to all directives in nginx.conf
The reason most of these are changed is already covered by the existing
doc block

closes #127
2017-05-06 18:30:09 +02:00
Andy Dawson eca3919c88 Merge pull request #155 from electerious/patch-1
Updated gzip_types and charset_types code convention
2017-05-06 17:58:03 +02:00
Andy Dawson bede62c386 Merge pull request #151 from JoeArizona/patch-1
Added mime types for JPEG-XR, markdown, and CSV
2017-05-06 17:57:06 +02:00
Andy Dawson ba73ae2f89 Merge pull request #142 from pentago/spdy-off
Removed SPDY support as we're using HTTP/2 now.
2017-05-06 17:51:38 +02:00
Andy Dawson 34c2114527 Don't need that expires 2017-05-06 17:49:43 +02:00
Matthew Miller d2f4e5c68f Remove cache-control public and better handle svgz files
Fixes: #86

Fixes: #134
2017-05-06 17:48:07 +02:00
Andy Dawson 351e70671e Don't use expire headers in doc examples 2017-05-06 17:43:34 +02:00
Andy Dawson 1cc4b14e51 Merge pull request #168 from alanorth/cache-control-public
Use Cache-Control instead of Expires
2017-05-06 17:39:38 +02:00
Johannes Müller c96e0adf12 Enable IPv6 for no-default 2017-05-06 17:22:11 +02:00
Andy Dawson 391375e1e7 Merge pull request #171 from quantumpacket/patch-1
Remove Unnecessary Trailing Semicolon
2017-05-06 17:01:07 +02:00
Andy Dawson 780aceba92 Merge pull request #172 from quantumpacket/patch-2
Update ssl_ciphers To Latest Mozilla Intermediate
2017-05-06 16:59:17 +02:00
0ri0n 1648e2f0d4 Update ssl_ciphers To Latest Mozilla Intermediate
Updates to latest ciphers list for Mozilla Intermediate, which also adds support for ChaCha20 and Poly1305.
2017-01-08 12:18:04 -05:00
0ri0n 9c7e84f54f Remove Unnecessary Trailing Semicolon
No need to add a semicolon for the last directive. In addition, having that unnecessary semicolon causes the HSTS tool (https://hstspreload.org/) for getting on the preload list to fail with an error about the semicolon.
2017-01-07 12:10:02 -05:00
Alan Orth fd84b1f429 Use Cache-Control max-age instead of Expires headers
Cache-Control max-age was introduced in HTTP/1.1 over ten years ago
and is preferred to Expires. This replaces all expiry dates with an
equivalent max-age in seconds.

See: https://developers.google.com/web/fundamentals/performance/optimizing-content-efficiency/http-caching
See: https://www.mnot.net/blog/2007/05/15/expires_max-age
2016-11-15 15:46:34 +02:00
Alan Orth b0c1406cf9 Remove references to Cache-Control public
A previous commit removed some, but missed these. Where a location
directive was using Expires to set a future expiry in conjunction
with Cache-Control public, I have replaced the time with an equal
max-age.

Furthermore, Google's web performance guide says that "public" is
implicit if there is a max-age specified.

See: https://developers.google.com/web/fundamentals/performance/optimizing-content-efficiency/http-caching
2016-11-15 15:37:26 +02:00
Andy Dawson cb3dc0554e Merge pull request #148 from leonklingele/add-header-always
Always add security-relevant headers to the response, regardless of the response code (implements #147)
2016-09-09 16:39:54 +02:00