Léo Colombaro
959839d81f
Add a modern profile for SSL policy
TLSv1.0 & TLSv1.1 suffer from [POODLE](blog.qualys.com/ssllabs/2014/12/08/poodle-bites-tls) and other [padding oracle attacks](blog.cloudflare.com/padding-oracles-and-the-decline-of-cbc-mode-ciphersuites).
You need to support only TLSv1.2 to expect to close those weaknesses (and use only AEAD cipher suites in the case of padding oracles).
Likewise, non-PFS cipher suites are not at all recommended (see the Heartbleed effect).
DHE support [is dropped](digicert.com/blog/google-plans-to-deprecate-dhe-cipher-suites) from any decent user agent and can lead to a [MITM attack](media.ccc.de/v/32c3-7288-logjam_diffie-hellman_discrete_logs_the_nsa_and_you#t=1357) (around ~25 min into the video) with only one side supporting a weak cipher suite.
3DES is deprecated and suffers from [Sweet32](sweet32.info).
So I recommend using only the `EECDH+CHACHA20:EECDH+AES` cipher suites, which have [quite good compatibility](cryptcheck.fr/suite/EECDH+CHACHA20:EECDH+AES) and much better security than the current cipher suites.
Fix #201
Fix #183
Fix #190
Prepare #180
Co-authored-by: aeris <aeris@users.noreply.github.com>
2018-11-29 10:39:33 +01:00
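As an added illustration of the policy argued for in this commit (example configuration, not the project's own files), the legacy settings it removes sit next to the TLSv1.2-only profile it describes; the server name and certificate paths are placeholders:

```nginx
# Legacy profile the commit argues against (kept here only for contrast):
# TLSv1.0/1.1 expose CBC padding oracles (POODLE), 3DES exposes Sweet32,
# and DHE suites are the ones affected by Logjam when the group is weak.
#
#   ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
#   ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA:DES-CBC3-SHA';

server {
    listen 443 ssl http2;
    server_name example.com;                               # placeholder

    ssl_certificate     /etc/nginx/certs/example.com.crt;  # placeholder path
    ssl_certificate_key /etc/nginx/certs/example.com.key;  # placeholder path

    # Only TLSv1.2: drops the protocol versions whose CBC padding handling
    # is exposed to POODLE-style oracles.
    ssl_protocols TLSv1.2;

    # Ephemeral ECDH only: forward secrecy, and no DHE suites at all, so a
    # weak DH group can never be negotiated. ChaCha20-Poly1305 and AES only,
    # so 3DES is gone as well.
    # Caveat: the OpenSSL keyword EECDH+AES also matches the ECDHE AES-CBC
    # (non-AEAD) suites; EECDH+AESGCM would restrict the list to GCM only.
    ssl_ciphers EECDH+CHACHA20:EECDH+AES;
    ssl_prefer_server_ciphers on;

    # Session resumption without long-lived ticket keys, which would
    # otherwise undermine the forward secrecy bought above.
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
}
```

To see exactly which suites a cipher string expands to on the host's OpenSSL, run `openssl ciphers -v 'EECDH+CHACHA20:EECDH+AES'` and check the list for any CBC entries you did not intend to keep.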
Léo Colombaro
10fc3a39a6
Split SSL config
Prepare #180
2018-11-29 10:39:33 +01:00
Léo Colombaro
1b2b4eb276
Merge #202
2018-11-27 21:43:18 +01:00
Léo Colombaro
3071e67d04
Tweaks and lint
2018-11-25 22:07:01 +01:00
Léo Colombaro
70aff1c744
Create CODEOWNERS
2018-11-25 18:25:04 +01:00
Léo Colombaro
16284ab91e
Fix TOC link in doc
2018-11-23 18:22:35 +01:00
Léo Colombaro
f6b7e4f635
Reflect updated structure in site configs
2018-11-23 18:21:34 +01:00
Léo Colombaro
fb88c34cde
Reflect updated structure in doc
Also refer to inline documentation to simplify maintenance
2018-11-23 17:20:05 +01:00
Léo Colombaro
496af1cfd5
Split directives to enforce atomic structure
* Enforce H5BP style
* Improve inline documentation to simplify maintenance
* Prepare v3
2018-11-23 17:19:51 +01:00
Léo Colombaro
b935688c2b
Fix external links
2018-11-23 14:45:12 +01:00
Léo Colombaro
e69311d295
Fix some typos and phrasing in CONTRIBUTING.md
2018-11-23 14:30:39 +01:00
Léo Colombaro
a6d489ceab
Add .editorconfig file
2018-11-23 14:29:32 +01:00
Léo Colombaro
8f186e9205
Update repo documentation
2018-11-23 13:32:36 +01:00
Léo Colombaro
e38617e7fb
Switch to `https` when possible
2018-11-23 13:15:44 +01:00
Léo Colombaro
b0b3dd87c4
Remove maintainers promotion
2018-11-23 13:10:30 +01:00
Andrea Falco
94262e7610
Changed GeoJSON and RDF media type (#186)
* Updated GeoJSON media type
Following https://tools.ietf.org/html/rfc7946#section-12
* Updated RDF media type
Following https://tools.ietf.org/html/rfc3870#section-2
2018-11-23 12:56:17 +01:00
divinity76
b244111468
support Matroska mime types
mkv
mk3d
mka
2018-11-23 12:51:09 +01:00
Léo Colombaro
56d84bb509
Add a gitattributes file
Make GitHub's language statistics treat the `*.conf` files as Nginx configuration files
2018-11-23 12:33:48 +01:00
Johannes Müller
286a158ce7
Add IPv4 listen directive to no-default
2018-11-23 12:27:02 +01:00
Léo Colombaro
70ae5ded27
reflect mime changes in nginx.conf
2018-11-23 11:46:32 +01:00
Léo Colombaro
9c6aad83a5
web fonts mime types rfc8081
2018-11-23 11:46:32 +01:00
Léo Colombaro
08272b63c2
add mime type for javascript modules
2018-11-23 11:46:32 +01:00
Léo Colombaro
62dbd41aee
application to text mime group for javascript
Ref:
https://html.spec.whatwg.org/multipage/scripting.html#scriptingLanguages
2018-11-23 11:46:32 +01:00
isum
284ee70034
Update usage.md
This made it work on my box.
2018-11-23 11:44:38 +01:00
Matt Rubin
135d093a75
Replace location block `add_header` directives with `expires` directives
Fixes https://github.com/h5bp/server-configs-nginx/issues/193
2018-11-23 11:38:22 +01:00
Chris McKnight
006d7be396
fix(cache-busting): Support hashed asset names
2018-08-07 17:00:16 -05:00
Andy Dawson
c5c6602232
oops
2017-05-06 19:31:51 +02:00
Andy Dawson
312772d4db
Update version
2017-05-06 17:25:16 +00:00
Andy Dawson
f1e7b85323
Regenerate change log
2017-05-06 17:21:55 +00:00
Andy Dawson
3bda5b93ed
Add defaults to all directives in nginx.conf
The reason most of these are changed is already covered by the existing
doc block
closes #127
2017-05-06 18:30:09 +02:00
Andy Dawson
eca3919c88
Merge pull request #155 from electerious/patch-1
Updated gzip_types and charset_types code convention
2017-05-06 17:58:03 +02:00
Andy Dawson
bede62c386
Merge pull request #151 from JoeArizona/patch-1
Added mime types for JPEG-XR, markdown, and CSV
2017-05-06 17:57:06 +02:00
Andy Dawson
ba73ae2f89
Merge pull request #142 from pentago/spdy-off
Removed SPDY support as we're using HTTP/2 now.
2017-05-06 17:51:38 +02:00
Andy Dawson
34c2114527
Don't need that expires
2017-05-06 17:49:43 +02:00
Matthew Miller
d2f4e5c68f
Remove cache-control public and better handle svgz files
Fixes: #86
Fixes: #134
2017-05-06 17:48:07 +02:00
Andy Dawson
351e70671e
Don't use expire headers in doc examples
2017-05-06 17:43:34 +02:00
Andy Dawson
1cc4b14e51
Merge pull request #168 from alanorth/cache-control-public
Use Cache-Control instead of Expires
2017-05-06 17:39:38 +02:00
Johannes Müller
c96e0adf12
Enable IPv6 for no-default
2017-05-06 17:22:11 +02:00
Andy Dawson
391375e1e7
Merge pull request #171 from quantumpacket/patch-1
Remove Unnecessary Trailing Semicolon
2017-05-06 17:01:07 +02:00
Andy Dawson
780aceba92
Merge pull request #172 from quantumpacket/patch-2
Update ssl_ciphers To Latest Mozilla Intermediate
2017-05-06 16:59:17 +02:00
0ri0n
1648e2f0d4
Update ssl_ciphers To Latest Mozilla Intermediate
Updates to latest ciphers list for Mozilla Intermediate, which also adds support for ChaCha20 and Poly1305.
2017-01-08 12:18:04 -05:00
0ri0n
9c7e84f54f
Remove Unnecessary Trailing Semicolon
No need to add a semicolon for the last directive. In addition, having that unnecessary semicolon causes the HSTS tool (https://hstspreload.org/) for getting on the preload list to fail with an error about the semicolon.
2017-01-07 12:10:02 -05:00
Alan Orth
fd84b1f429
Use Cache-Control max-age instead of Expires headers
Cache-Control max-age was introduced in HTTP/1.1 over ten years ago
and is preferred to Expires. This replaces all expiry dates with an
equivalent max-age in seconds.
See: https://developers.google.com/web/fundamentals/performance/optimizing-content-efficiency/http-caching
See: https://www.mnot.net/blog/2007/05/15/expires_max-age
2016-11-15 15:46:34 +02:00
Alan Orth
b0c1406cf9
Remove references to Cache-Control public
A previous commit removed some, but missed these. Where a location
directive was using Expires to set a future expiry in conjunction
with Cache-Control public, I have replaced the time with an equal
max-age.
Furthermore, Google's web performance guide says that "public" is
implicit if there is a max-age specified.
See: https://developers.google.com/web/fundamentals/performance/optimizing-content-efficiency/http-caching
2016-11-15 15:37:26 +02:00
Andy Dawson
cb3dc0554e
Merge pull request #148 from leonklingele/add-header-always
Always add security-relevant headers to the response, regardless of the response code (implements #147)
2016-09-09 16:39:54 +02:00
Tobias Reich
294e08557c
Updated gzip_types and charset_types
… both are now using the same coding convention. Each type is on its own row, and the `text/html` comment is at the top (where all comments are placed).
2016-08-20 17:17:01 +02:00
JoeArizona
9821896b9b
Added mime types for JPEG-XR, markdown, and CSV
JPEG-XR: http://www.iana.org/assignments/provisional-standard-media-types/provisional-standard-media-types.xhtml
Markdown: https://tools.ietf.org/html/rfc7763
CSV: https://tools.ietf.org/html/rfc7111
2016-07-31 17:31:53 -07:00
Leon Klingele
934eaf3f87
Always add security-relevant headers to the response, regardless of the response code (implements #147)
From nginx's `add_header` documentation:
```
add_header Adds the specified field to a response header provided that
the response code equals 200, 201, 204, 206, 301, 302, 303, 304, or 307.
```
At least for all security-relevant headers this should not be the case
and the header should always be added.
2016-07-07 13:29:58 +02:00
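Added illustration (example configuration, not the project's own files) of the behaviour this commit addresses: without the `always` parameter, nginx skips `add_header` on any status code outside the 2xx/3xx list quoted above, so an error page such as the 404 below would be served with no security headers at all. Server name and paths are placeholders.

```nginx
server {
    listen 80;
    server_name example.com;   # placeholder
    root /var/www/example;     # placeholder

    # Weak form the commit replaces: emitted on 200/301/304 etc. only, so a
    # 404 or 500 response carries none of these headers.
    #   add_header X-Content-Type-Options "nosniff";
    #   add_header X-Frame-Options "DENY";

    # Hardened form: `always` (nginx 1.7.5+) adds the header on every
    # response code, including error pages.
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "DENY" always;

    error_page 404 /404.html;
    location = /404.html {
        internal;
        # add_header is inherited from the server level only when this
        # block defines none of its own; if you add one here, repeat the
        # security headers (with `always`) or they silently disappear.
    }
}
```

A quick check after a reload is `curl -sI http://example.com/does-not-exist` and confirming the 404 response still carries the `X-Content-Type-Options` and `X-Frame-Options` headers.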
Andy Dawson
3f4719b79a
Merge pull request #145 from Cloudoki/gitignore-sites-enabled
ignore files in sites-enabled
2016-06-30 16:14:35 +02:00
Edgar Ribeiro
fcc2657585
gitignore already tracked
2016-06-30 14:29:39 +01:00