Commit Graph

18 Commits

Author SHA1 Message Date
root 025b203b19 preload added to ssl.conf 2016-06-08 09:44:09 +02:00
Chris Chapman 09f500815c Fix capitalization of includeSubDomains 2016-06-04 12:22:43 -06:00
Alan Orth ec4e0303f4 Correct syntax for keepalive_timeout
It doesn't seem to be a fatal error, but the keepalive_timeout
value actually requires "s" (for seconds). Another occurence of
this was fixed in 35434b3361 but
these slipped through.

See: http://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2016-03-14 10:25:01 +02:00
AD7six faabaad16b Update to mozilla's wiki's current intermediate set 2015-09-11 08:41:05 +00:00
Chris McKee a97cbecd12 Update Cipher list to latest add version of STS
Updated latest "intermediate" ciphers from mozilla
Add another version of the STS header including subdomains and comments
Add note at base to consider ssl-stapling
2014-10-28 21:20:37 +00:00
Andy Dawson 764c707262 Merge pull request #69 from mikealmond/ssl-updates
Updated SSL ciphers and added note about POODLE
2014-10-17 21:06:10 +02:00
Daniel Marquard 99cdb58475 HSTS off by default
Consensus to disable HSTS by default.
2014-10-16 05:40:48 -04:00
Mike Almond 4cd1367b43 Remove quotes from SSL cipher list 2014-10-15 13:47:33 -04:00
Mike Almond fe256f3be7 Add note about POODLE attack against SSLv3 2014-10-15 11:22:09 -04:00
Mike Almond 25cbfb8942 Update SSL ciphers to the updated defaults by Mozilla 2014-10-15 11:17:04 -04:00
Daniel Marquard 5525eebf2b Removed "includeSubDomains"
As a best practice, Nginx should only direct clients to use the certificate on specified domains. This is because not all servers using other subdomains necessarily listen on 443 and because, unless it is a wildcard certificate, it likely won't be valid on subdomains other than WWW.
2014-10-14 00:16:22 -04:00
AD7six 332998a2db use a much longer ssl_session_timeout
To match the settiongs from istlsfastyet.com

Add a mention of ssl_buffer_size even though it can 't be enabled yet
2014-07-28 14:56:27 +00:00
AD7six 72f9509a5e disable ssl_session_tickets
it's only recently added so is a config error otherwise
2014-07-28 14:42:35 +00:00
AD7six 759bf84163 Default to use HTTP strict transport security 2014-07-28 14:30:00 +00:00
AD7six 398036440b add increased ssl timeout 2014-07-28 14:29:04 +00:00
AD7six d996d2da0c turn off ssl session tickets
Stolen from istlsfastyet.com's config

It is probably a more logical default to turn off session tickets
given the diff linked in the comment block.
2014-07-28 14:20:58 +00:00
AD7six 08d4bbbd04 remove SSLv3 from the ssl protocol list
As suggested in #44, and since h5bp doesn't support IE6 it seems to be
appropriate to remove a protocol which is in the list only to permit use
with IE6.
2014-07-28 14:16:09 +00:00
AD7six 029ff47286 move ssl config to a seperate file 2014-07-28 14:08:19 +00:00