Léo Colombaro
b935688c2b
Fix external links
2018-11-23 14:45:12 +01:00
Léo Colombaro
e38617e7fb
Switch to `https` when possible
2018-11-23 13:15:44 +01:00
Matt Rubin
135d093a75
Replace location block `add_header` directives with `expires` directives
...
Fixes https://github.com/h5bp/server-configs-nginx/issues/193
2018-11-23 11:38:22 +01:00
Andy Dawson
ba73ae2f89
Merge pull request #142 from pentago/spdy-off
...
Removed SPDY support as we're using HTTP/2 now.
2017-05-06 17:51:38 +02:00
Andy Dawson
34c2114527
Don't need that expires
2017-05-06 17:49:43 +02:00
Matthew Miller
d2f4e5c68f
Remove cache-control public and better handle svgz files
...
Fixes : #86
Fixes : #134
2017-05-06 17:48:07 +02:00
Andy Dawson
1cc4b14e51
Merge pull request #168 from alanorth/cache-control-public
...
Use Cache-Control instead of Expires
2017-05-06 17:39:38 +02:00
Andy Dawson
391375e1e7
Merge pull request #171 from quantumpacket/patch-1
...
Remove Unnecessary Trailing Semicolon
2017-05-06 17:01:07 +02:00
0ri0n
1648e2f0d4
Update ssl_ciphers To Latest Mozilla Intermediate
...
Updates to latest ciphers list for Mozilla Intermediate, which also adds support for ChaCha20 and Poly1305.
2017-01-08 12:18:04 -05:00
0ri0n
9c7e84f54f
Remove Unnecessary Trailing Semicolon
...
No need to add a semicolon for the last directive. In addition, having that unnecessary semicolon causes the HSTS tool (https://hstspreload.org/ ) for getting on the preload list to fail with an error about the semicolon.
2017-01-07 12:10:02 -05:00
Alan Orth
fd84b1f429
Use Cache-Control max-age instead of Expires headers
...
Cache-Control max-age was introduced in HTTP/1.1 over ten years ago
and is preferred to Expires. This replaces all expiry dates with an
equivalent max-age in seconds.
See: https://developers.google.com/web/fundamentals/performance/optimizing-content-efficiency/http-caching
See: https://www.mnot.net/blog/2007/05/15/expires_max-age
2016-11-15 15:46:34 +02:00
Alan Orth
b0c1406cf9
Remove references to Cache-Control public
...
A previous commit removed some, but missed these. Where a location
directive was using Expires to set a future expiry in conjunction
with Cache-Control public, I have replaced the time with an equal
max-age.
Furthermore, Google's web performance guide says that "public" is
implicit if there is a max-age specified.
See: https://developers.google.com/web/fundamentals/performance/optimizing-content-efficiency/http-caching
2016-11-15 15:37:26 +02:00
Leon Klingele
934eaf3f87
Always add security-relevant headers to the response, regardless of the response code (implements #147 )
...
From nginx' add_header documentation:
```
add_header Adds the specified field to a response header provided that
the response code equals 200, 201, 204, 206, 301, 302, 303, 304, or 307.
```
At least for all security-relevant headers this should not be the case
and the header should always be added.
2016-07-07 13:29:58 +02:00
Pentago
046aaaee84
Removed SPDY support as we're using HTTP/2 now. Ref: df102c6
2016-06-13 20:31:13 +02:00
Andy Dawson
b8fdd45542
Remove access log for probably-not-static files
...
closes #131
2016-06-08 09:55:58 +02:00
Andy Dawson
d84f80ac98
Remove cache-control public
...
Closes #134
2016-06-08 09:55:00 +02:00
root
025b203b19
preload added to ssl.conf
2016-06-08 09:44:09 +02:00
Chris Chapman
09f500815c
Fix capitalization of includeSubDomains
2016-06-04 12:22:43 -06:00
Alan Orth
ec4e0303f4
Correct syntax for keepalive_timeout
...
It doesn't seem to be a fatal error, but the keepalive_timeout
value actually requires "s" (for seconds). Another occurence of
this was fixed in 35434b3361
but
these slipped through.
See: http://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2016-03-14 10:25:01 +02:00
Bo-Yi Wu
3270937c3a
fix format.
...
Signed-off-by: Bo-Yi Wu <appleboy.tw@gmail.com>
2015-12-04 22:25:31 +08:00
Andy Dawson
94b3680c9d
Merge pull request #105 from Cryszon/patch-1
...
Updated locations to match h5bp's Apache config
2015-09-11 10:55:01 +02:00
AD7six
faabaad16b
Update to mozilla's wiki's current intermediate set
2015-09-11 08:41:05 +00:00
Kimmo Salmela
d37a4c7165
Updated locations to match h5bp's Apache config
...
See https://github.com/h5bp/server-configs-apache/issues/31 for `well-known` change.
2015-06-08 15:56:19 +03:00
Andy Dawson
fce0e368c1
Don't use invalid examples
...
A wildcard subdomain isn't valid syntax for a ACAO header
2015-05-29 15:32:23 +02:00
Joey Geiger
1089839e54
Fix typo in `expires.conf`
...
Close h5bp/server-configs-nginx#82 .
2014-11-17 20:31:24 +02:00
Andy Dawson
228c5ccca0
Merge pull request #78 from ChrisMcKee/patch-4
...
Extra security headers without a home
2014-10-30 16:02:01 +01:00
Chris McKee
cb0ca2934c
Update extra-security.conf
2014-10-30 09:59:06 +00:00
Andy Dawson
67a259a471
Merge pull request #77 from ChrisMcKee/patch-3
...
Change note / add missing header
2014-10-29 20:03:19 +01:00
Andy Dawson
85018fa236
avoid long lines
2014-10-29 19:47:17 +01:00
Andy Dawson
62ef8ddbcc
Merge pull request #75 from ChrisMcKee/patch-1
...
add secondary google dns ip and 2 failover DYN DNS public dns ips, and t...
2014-10-29 19:46:29 +01:00
Chris McKee
a3cf3aab00
Extra security headers without a home
2014-10-28 21:28:03 +00:00
Chris McKee
a4b121a2e7
Change note / add missing header
2014-10-28 21:22:27 +00:00
Chris McKee
a97cbecd12
Update Cipher list to latest add version of STS
...
Updated latest "intermediate" ciphers from mozilla
Add another version of the STS header including subdomains and comments
Add note at base to consider ssl-stapling
2014-10-28 21:20:37 +00:00
Chris McKee
6121b47151
add secondary google dns ip and 2 failover DYN DNS public dns ips, and timeouts
2014-10-28 21:09:57 +00:00
Cătălin Mariș
c7a2d3b476
Add info on ngx_pagespeed & content transformation
...
Provide information about `ngx_pagespeed` not rewriting any / some
of the resources if the `Cache-Control: no-transform` response header
is set.
Ref: https://developers.google.com/speed/pagespeed/module/configuration#notransform
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Thanks to @Nikita-S-Doroshenko for pointing this out!
Ref: h5bp/server-configs-apache#46
2014-10-23 14:08:00 +03:00
Andy Dawson
764c707262
Merge pull request #69 from mikealmond/ssl-updates
...
Updated SSL ciphers and added note about POODLE
2014-10-17 21:06:10 +02:00
Daniel Marquard
99cdb58475
HSTS off by default
...
Consensus to disable HSTS by default.
2014-10-16 05:40:48 -04:00
Mike Almond
4cd1367b43
Remove quotes from SSL cipher list
2014-10-15 13:47:33 -04:00
Mike Almond
fe256f3be7
Add note about POODLE attack against SSLv3
2014-10-15 11:22:09 -04:00
Mike Almond
25cbfb8942
Update SSL ciphers to the updated defaults by Mozilla
2014-10-15 11:17:04 -04:00
Daniel Marquard
5525eebf2b
Removed "includeSubDomains"
...
As a best practice, Nginx should only direct clients to use the certificate on specified domains. This is because not all servers using other subdomains necessarily listen on 443 and because, unless it is a wildcard certificate, it likely won't be valid on subdomains other than WWW.
2014-10-14 00:16:22 -04:00
Przemek Matylla
f9b58cd883
Add configs for WOFF 2.0 font files (`.woff2`)
...
Ref: http://www.w3.org/TR/WOFF2/
h5bp/server-configs-apache#32
Close : h5bp/server-configs-nginx#54
2014-09-03 15:31:25 +03:00
Matthew Haughton
b75cbfdafe
Remove Chrome Frame related comment
...
Fix h5bp/server-configs-nginx#30
Close h5bp/server-configs-nginx#62
2014-09-03 15:16:05 +03:00
AD7six
332998a2db
use a much longer ssl_session_timeout
...
To match the settiongs from istlsfastyet.com
Add a mention of ssl_buffer_size even though it can 't be enabled yet
2014-07-28 14:56:27 +00:00
AD7six
72f9509a5e
disable ssl_session_tickets
...
it's only recently added so is a config error otherwise
2014-07-28 14:42:35 +00:00
AD7six
7295a765ee
add stubs for ssl-stapling and spdy
2014-07-28 14:38:22 +00:00
AD7six
759bf84163
Default to use HTTP strict transport security
2014-07-28 14:30:00 +00:00
AD7six
398036440b
add increased ssl timeout
2014-07-28 14:29:04 +00:00
AD7six
d996d2da0c
turn off ssl session tickets
...
Stolen from istlsfastyet.com's config
It is probably a more logical default to turn off session tickets
given the diff linked in the comment block.
2014-07-28 14:20:58 +00:00
AD7six
08d4bbbd04
remove SSLv3 from the ssl protocol list
...
As suggested in #44 , and since h5bp doesn't support IE6 it seems to be
appropriate to remove a protocol which is in the list only to permit use
with IE6.
2014-07-28 14:16:09 +00:00