Commit Graph

357 Commits

Author SHA1 Message Date
Andy Dawson 780aceba92 Merge pull request #172 from quantumpacket/patch-2
Update ssl_ciphers To Latest Mozilla Intermediate
2017-05-06 16:59:17 +02:00
0ri0n 1648e2f0d4 Update ssl_ciphers To Latest Mozilla Intermediate
Updates to latest ciphers list for Mozilla Intermediate, which also adds support for ChaCha20 and Poly1305.
2017-01-08 12:18:04 -05:00
0ri0n 9c7e84f54f Remove Unnecessary Trailing Semicolon
No need to add a semicolon for the last directive. In addition, having that unnecessary semicolon causes the HSTS tool (https://hstspreload.org/) for getting on the preload list to fail with an error about the semicolon.
2017-01-07 12:10:02 -05:00
Alan Orth fd84b1f429 Use Cache-Control max-age instead of Expires headers
Cache-Control max-age was introduced in HTTP/1.1 over ten years ago
and is preferred to Expires. This replaces all expiry dates with an
equivalent max-age in seconds.

See: https://developers.google.com/web/fundamentals/performance/optimizing-content-efficiency/http-caching
See: https://www.mnot.net/blog/2007/05/15/expires_max-age
2016-11-15 15:46:34 +02:00
Alan Orth b0c1406cf9 Remove references to Cache-Control public
A previous commit removed some, but missed these. Where a location
directive was using Expires to set a future expiry in conjunction
with Cache-Control public, I have replaced the time with an equal
max-age.

Furthermore, Google's web performance guide says that "public" is
implicit if there is a max-age specified.

See: https://developers.google.com/web/fundamentals/performance/optimizing-content-efficiency/http-caching
2016-11-15 15:37:26 +02:00
Andy Dawson cb3dc0554e Merge pull request #148 from leonklingele/add-header-always
Always add security-relevant headers to the response, regardless of the response code (implements #147)
2016-09-09 16:39:54 +02:00
Tobias Reich 294e08557c Updated gzip_types and charset_types
… both are now using the same coding convention. Each type in its own row and `text/html` comment at the top (where all comments are placed).
2016-08-20 17:17:01 +02:00
JoeArizona 9821896b9b Added mime types for JPEG-XR, markdown, and CSV
JPEG-XR: http://www.iana.org/assignments/provisional-standard-media-types/provisional-standard-media-types.xhtml
Markdown: https://tools.ietf.org/html/rfc7763
CSV: https://tools.ietf.org/html/rfc7111
2016-07-31 17:31:53 -07:00
Leon Klingele 934eaf3f87 Always add security-relevant headers to the response, regardless of the response code (implements #147)
From nginx's add_header documentation:
```
add_header Adds the specified field to a response header provided that
the response code equals 200, 201, 204, 206, 301, 302, 303, 304, or 307.
```
At least for all security-relevant headers this should not be the case
and the header should always be added.
2016-07-07 13:29:58 +02:00
Andy Dawson 3f4719b79a Merge pull request #145 from Cloudoki/gitignore-sites-enabled
ignore files in sites-enabled
2016-06-30 16:14:35 +02:00
Edgar Ribeiro fcc2657585 gitignore already tracked 2016-06-30 14:29:39 +01:00
Andy Dawson 678951333a Merge pull request #146 from Cloudoki/typo
fix missing ;
2016-06-30 15:23:58 +02:00
Edgar Ribeiro 58e6af626e ignore files in sites-enabled 2016-06-30 13:37:50 +01:00
Edgar Ribeiro 60b272a2d3 fix missing ; 2016-06-30 13:32:40 +01:00
Andy Dawson 993b807c8e Merge pull request #144 from appleboy/patch-2
Fixed #143 issue: Fix typo
2016-06-27 12:25:46 +02:00
Bo-Yi Wu ebdb5f091e Fixed #143 issue: Fix typo 2016-06-19 16:32:17 +08:00
Pentago 046aaaee84 Removed SPDY support as we're using HTTP/2 now. Ref: df102c6 2016-06-13 20:31:13 +02:00
Andy Dawson 0bb5924b2a Whitespace 2016-06-08 10:06:48 +02:00
Andy Dawson f44d0305a0 Add a failing example 2016-06-08 10:06:16 +02:00
Andy Dawson 6b17b6025c Show a successful example 2016-06-08 10:04:15 +02:00
Andy Dawson bcdb8cd2bf Now irrelevant 2016-06-08 10:01:27 +02:00
Andy Dawson b8fdd45542 Remove access log for probably-not-static files
closes #131
2016-06-08 09:55:58 +02:00
Andy Dawson d84f80ac98 Remove cache-control public
Closes #134
2016-06-08 09:55:00 +02:00
root 025b203b19 preload added to ssl.conf 2016-06-08 09:44:09 +02:00
Andy Dawson 7a0e282dd0 Add an ssl no-default example
I.e. an example of this:

    -> curl -kI -H "Host: valid.com" https://localhost
    HTTP/1.1 200 OK
    ...
    -> curl -kI -H "Host: invalid.com" https://localhost
    curl: (52) Empty reply from server

Whether this works or not depends on SNI.
2016-06-08 09:36:39 +02:00
Andy Dawson 6be3c46535 Merge pull request #138 from Buzut/master
Updated ssl.exemple.com to use http2 instead of spdy
2016-06-08 09:29:16 +02:00
Andy Dawson ef96c5599f Merge pull request #140 from ebgranger/feature/fixing-getting-started-documentation
documentation inconsistent with file structure
2016-06-08 09:26:45 +02:00
Andy Dawson 4300d7d402 Merge pull request #139 from cdchapman/hsts-includeSubDomains
Fix capitalization of includeSubDomains
2016-06-08 09:25:33 +02:00
Edward Granger ea87f60b29 documentation inconsistent with file structure 2016-06-07 16:07:49 -04:00
Chris Chapman 09f500815c Fix capitalization of includeSubDomains 2016-06-04 12:22:43 -06:00
Buzut df102c6252 Updated ssl.exemple.com to use http2 instead of spdy
http2 is available in nginx since nginx 1.9.5. Therefore it's better to use the standard.
2016-05-25 15:02:34 +02:00
Andy Dawson 49aac21945 Merge pull request #133 from alanorth/keepalive-timeout-syntax
Correct syntax for keepalive_timeout
2016-03-24 18:00:01 +01:00
Andy Dawson daea8eb54b Merge pull request #129 from davisonio/specify-conf-defaults
Improve comments in nginx.conf
2016-03-24 17:59:35 +01:00
Craig Davison 73db8ccfd2 Fix typo 2016-03-22 15:27:19 +00:00
Craig Davison 605ec6f8c3 Improve comments in nginx.conf 2016-03-22 15:27:18 +00:00
Alan Orth ec4e0303f4 Correct syntax for keepalive_timeout
It doesn't seem to be a fatal error, but the keepalive_timeout
value actually requires "s" (for seconds). Another occurrence of
this was fixed in 35434b3361 but
these slipped through.

See: http://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2016-03-14 10:25:01 +02:00
Andy Dawson 66d0c463e0 Merge pull request #128 from corbanmailloux/patch-1
Single capitalization fix
2016-01-29 21:17:14 +01:00
Andy Dawson 029821b1a8 Merge pull request #130 from davisonio/specify-keepalive_timeout
Specify that keepalive_timeout is in seconds
2016-01-29 21:11:41 +01:00
Andy Dawson 740ba774f5 Merge pull request #124 from appleboy/patch-3
fix format.
2016-01-29 21:10:25 +01:00
Craig Davison 7c3a67131c Change default value in comment 2016-01-23 14:05:55 +00:00
Craig Davison 35434b3361 Specify that keepalive_timeout is in seconds 2016-01-23 13:59:22 +00:00
Corban Mailloux 1329a12ff3 Single capitalization fix 2016-01-22 15:05:01 -05:00
Bo-Yi Wu 3270937c3a fix format.
Signed-off-by: Bo-Yi Wu <appleboy.tw@gmail.com>
2015-12-04 22:25:31 +08:00
Andy Dawson 6e4b16c4cf Merge pull request #122 from beilharz/patch-1
Update nginx.conf: Typo in a comment
2015-12-03 11:51:05 +01:00
Andy Dawson 181de133f3 Merge pull request #123 from appleboy/patch-1
Add white space for comment.
2015-12-03 11:50:35 +01:00
Bo-Yi Wu d5b5bf9e18 Add white space for comment. 2015-12-01 10:38:42 +08:00
beilharz 5934741e15 Update nginx.conf
Typo: sites-available should be sites-enabled
2015-11-25 09:49:15 +01:00
Andy Dawson 82181a672a Merge pull request #119 from Francisc/patch-1
Minor typo fix
2015-11-16 09:23:02 +01:00
Francisc Romano d554c7c582 Miiiiiiiiiiiiiinor typo fix 2015-11-02 14:03:25 +02:00
Andy Dawson 94b3680c9d Merge pull request #105 from Cryszon/patch-1
Updated locations to match h5bp's Apache config
2015-09-11 10:55:01 +02:00