Commit Graph

112 Commits

Author SHA1 Message Date
Léo Colombaro a9aea7038c Add mime-type `image/avif` and `image/avifs` 2021-01-05 10:49:47 +01:00
franz-josef-kaiser d7f6fa09d3 docs: Correct reference to weaker policy in doc block. 2020-12-30 00:09:53 +01:00
Pete Cooper 654f1aa49c minor presentational fixes 2020-12-29 20:55:50 +01:00
Léo Colombaro f0b3fd25ce
Improve writing
[ci skip]
2020-12-29 18:22:16 +01:00
Léo Colombaro abcf858614 Assorted grammar and link fixes 2020-04-14 11:54:27 +02:00
Léo Colombaro 98de990c1c Add expandable policies to SVGZ 2020-04-13 14:44:29 +02:00
Vincent Herbet d2f597235a Do not use non-ASCII characters in loaded configs
I had an issue with Certbot (Let's Encrypt) which failed to reload nginx due to a non-ASCII character in a loaded config file.
E.g.: `Attempting to renew cert (domain.com) from /etc/letsencrypt/renewal/domain.com.conf produced an unexpected error: 'ascii' codec can't decode byte 0xe2 in position 762: ordinal not in range(128). Skipping.`

I found this character using `grep -r -P '[^\x00-\x7f]' /etc/nginx`.
2020-02-05 18:33:14 +01:00
Léo Colombaro 28cb47df42
Rename no-transform.conf file to content_transformation.conf
Align with other files and with Apache struct
2020-01-04 18:06:00 +01:00
Léo Colombaro e0724b8149
Stricter default for Referrer Policy
Ref: https://github.com/h5bp/server-configs-apache/pull/204
2020-01-03 19:36:51 +01:00
Léo Colombaro 177a5e94a6
Improve HSTS documentation
Ref: https://github.com/h5bp/server-configs-apache/pull/196
2020-01-03 19:34:40 +01:00
minusf 7a44fdf69f Add `font/ttf` & `font/eot` to compressible mime-types list (#242)
Ref:
* jshttp/mime-db#169
* developers.google.com/web/fundamentals/performance/optimizing-content-efficiency/webfont-optimization#reducing_font_size_with_compression
2019-10-25 10:59:10 +01:00
Rahil 0af305283f Fixed description for SSL session cache & timeout (#237) 2019-09-08 00:46:31 +02:00
Jogendra Kumar 6d1a9d46e6 Additional compression method added for gzip (#236) 2019-08-12 21:21:20 +02:00
Pete Cooper a1a746a347 Switch tertiary DNS used for OCSP checking to OpenDNS (#235)
Oracle is shutting down Dyn DNS in 2020.
2019-06-26 00:12:26 +02:00
Léo Colombaro bc39e4c07d
Revert "Drop Cache-Control: no-transform usage"
This partially reverts commit 282d979a

Ref https://github.com/h5bp/server-configs-apache/issues/185
2019-06-06 00:46:47 +02:00
Léo Colombaro 8db768bd61
Pre-compressed content usage config files
Closes #231
2019-05-16 22:57:57 +02:00
Léo Colombaro d7fc6c362d
Fix rebase artifacts 2019-05-16 00:16:59 +02:00
Pete Cooper 67c54c53f1
Documentation formatting and reviewing (#232)
No code changes, some config reordering
2019-05-15 23:20:10 +02:00
Léo Colombaro c73d1efb60
Fix 304 responses Cache-control override
Fix #230
2019-05-15 21:07:50 +02:00
Léo Colombaro 7418b5023b
Fix dropped Cache-Control: no-transform usage for SVGZ Compression 2019-05-15 19:02:13 +02:00
Léo Colombaro 0a6c880be0
Improve wording and file headers 2019-05-15 18:26:04 +02:00
Léo Colombaro 282d979af4
Drop Cache-Control: no-transform usage
Obsoleted with secure servers

See https://github.com/h5bp/server-configs-apache/issues/185
2019-05-15 18:24:30 +02:00
Pete Cooper 28874c33f0 Add Google Public DNS IPv6 and Cloudflare DNS IP addresses to `resolver` (#229)
Co-authored-by: Léo Colombaro <git@colombaro.fr>
2019-05-15 02:07:47 +02:00
Pete Cooper e30032165c Fix misc typos in comments (#228) 2019-05-14 19:02:21 +02:00
Léo Colombaro 276af8da7b
Improve default Content-Security-Policy value (#224)
See https://github.com/h5bp/server-configs-apache/pull/181
2019-03-26 12:41:15 +01:00
Léo Colombaro d186781282
Update `ngx_pagespeed` docs link 2019-03-24 22:21:07 +01:00
Léo Colombaro 29ff09ac95
Remove CSP from basic.conf includes
Too strong for general purposes.

Closes #222
2019-03-15 18:58:47 +01:00
Léo Colombaro cec616a103
SVGZ files are already compressed
Disable gzip function for them
Regression d2f4e5c68f
2019-03-09 15:08:44 +01:00
Léo Colombaro 3b0c4c41df
Fix regexp expressions in mime-types maps 2019-03-09 13:45:33 +01:00
Léo Colombaro 06e5fc8445
Remove extra match-any regexp 2019-03-09 02:41:29 +01:00
Mark Woon d65cd97761 Use regexp in MIME-types based maps (#221)
Fix #220

Co-authored-by: Léo Colombaro <git@colombaro.fr>
2019-03-09 02:34:15 +01:00
Léo Colombaro 50a6d793ce
Remove duplicated .conf in include 2019-02-13 14:45:52 +01:00
Léo Colombaro f600128203
Add Referrer-Policy for html document by default 2019-02-13 14:31:53 +01:00
Léo Colombaro 51f5ffab82
Clean up and prepare docs for v3 2019-02-12 12:25:30 +01:00
Léo Colombaro 283b292c5e
Add default recommended headers
Since location directives are no longer used, making these headers
available everywhere is possible without breaking servers.
2019-02-10 22:20:05 +01:00
Léo Colombaro a4c9e2da8e
Better default certificates folder
Mapped as Docker Nginx image
2019-02-10 22:13:25 +01:00
Léo Colombaro 6dd4cc27ed Switch from location directives to maps based on MIME-types
* Expire
* X-XSS-Protection
* X-Frame-Options
* X-UA-Compatible
* Content-Security-Policy
* Access-Control-Allow-Origin
2019-02-10 21:56:10 +01:00
Léo Colombaro 2d135053cb
Move MIME-type and charset declaration into their own conf files 2019-02-10 20:40:50 +01:00
Léo Colombaro 452b630330
Update gzipped MIME-type following web standard
Source https://github.com/jshttp/mime-db
2019-02-10 20:38:23 +01:00
Léo Colombaro e21aec5822
Block access to file #.*#
Used to contain sensitive data
2019-02-10 20:36:26 +01:00
Léo Colombaro d2531ac605 Rotate SSL policies to modernize protocol recommendations
Closes #210
2019-02-01 16:13:22 +01:00
Ewout van Mansom eeeebd0da6 Add new TLS policy 'future' (#211)
This new TLS policy embraces the best security practices and performance characteristics by sacrificing compatibility with older clients.
2018-12-02 18:40:25 +01:00
Léo Colombaro df4be14a73
Improve cache-file-descriptors.conf doc
Closes #203
2018-12-02 17:23:44 +01:00
Ewout van Mansom df23e0ba8c Add DH parameters note to policy_intermediate.conf (#212)
For DHE ciphersuites, adding a Diffie-Hellman parameter is a good practice. Only the intermediate policy uses DHE ciphersuites.
2018-12-02 17:05:11 +01:00
Léo Colombaro 86d8ed33ca
Improve SSL directives declarations, order and descriptions 2018-12-02 12:57:01 +01:00
Ewout van Mansom 5a2f750c53 Add note explaining secure elliptic curve situation for modern TLS profile preset (#209) 2018-11-30 12:12:02 +01:00
a22375 5f3ce4f73c Add back web_performance_cache_expiration (#206)
remove double include h5bp/location/security_file_access.conf;
2018-11-30 11:40:33 +01:00
Ewout van Mansom 8141562756 Add elliptic curves for intermediate profile preset
prime256v1 (NIST P-256), secp384r1 (NIST P-384) and secp521r1 (NIST P-521) have been deemed insecure as per Daniel J. Bernstein's research (https://cr.yp.to/newelliptic/nistecc-20160106.pdf, https://safecurves.cr.yp.to/).

Despite that, the adoption of X25519 is too slim. Limiting to that curve would mean dropping compatibility with Safari, Edge and Internet Explorer.
2018-11-30 11:38:25 +01:00
Ewout van Mansom 9b369d23a5 Add elliptic curves for modern profile preset
prime256v1 (NIST P-256), secp384r1 (NIST P-384) and secp521r1 (NIST P-521) have been deemed insecure as per Daniel J. Bernstein's research (https://cr.yp.to/newelliptic/nistecc-20160106.pdf, https://safecurves.cr.yp.to/).

Despite that, the adoption of X25519 is too slim. Limiting to that curve would mean dropping compatibility with Safari, Edge and Internet Explorer.
2018-11-30 10:21:38 +01:00
Léo Colombaro 959839d81f Add a modern profile for SSL policy
TLSv1.0 & TLSv1.1 suffer from [POODLE](blog.qualys.com/ssllabs/2014/12/08/poodle-bites-tls) and other [padding oracle attacks](blog.cloudflare.com/padding-oracles-and-the-decline-of-cbc-mode-ciphersuites).
You need to support only TLSv1.2 to expect closing those weaknesses (and use only AEAD cipher suites in case of padding oracles).

Likewise, non-PFS cipher suites are not at all recommended (see the Heartbleed effect).
DHE support [is dropped](digicert.com/blog/google-plans-to-deprecate-dhe-cipher-suites) from any decent user agent and can lead to [MITM attacks](media.ccc.de/v/32c3-7288-logjam_diffie-hellman_discrete_logs_the_nsa_and_you#t=1357) (around ~25 min into the video) with only one side supporting a weak cipher suite.
3DES is deprecated and suffers from [Sweet32](sweet32.info).

So I recommend using only the `EECDH+CHACHA20:EECDH+AES` cipher suite, which has [quite good compatibility](cryptcheck.fr/suite/EECDH+CHACHA20:EECDH+AES) and much better security than the current cipher suite.

Fix #201
Fix #183
Fix #190
Prepare #180

Co-authored-by: aeris <aeris@users.noreply.github.com>
2018-11-29 10:39:33 +01:00