Léo Colombaro
8db768bd61
Pre-compressed content usage config files
...
Closes #231
2019-05-16 22:57:57 +02:00
Léo Colombaro
d7fc6c362d
Fix rebase artifacts
2019-05-16 00:16:59 +02:00
Pete Cooper
67c54c53f1
Documentation formatting and reviewing ( #232 )
...
No code changes, some config reordering
2019-05-15 23:20:10 +02:00
Léo Colombaro
c73d1efb60
Fix 304 responses Cache-control override
...
Fix #230
2019-05-15 21:07:50 +02:00
Léo Colombaro
7418b5023b
Fix dropped Cache-Control: no-transform usage for SVGZ Compression
2019-05-15 19:02:13 +02:00
Léo Colombaro
0a6c880be0
Improve wording and file headers
2019-05-15 18:26:04 +02:00
Léo Colombaro
282d979af4
Drop Cache-Control: no-transform usage
...
Obsoleted with secure servers
See https://github.com/h5bp/server-configs-apache/issues/185
2019-05-15 18:24:30 +02:00
Pete Cooper
28874c33f0
Add Google Public DNS IPv6 and Cloudflare DNS IP addresses to `resolver` ( #229 )
...
Co-authored-by: Léo Colombaro <git@colombaro.fr>
2019-05-15 02:07:47 +02:00
Pete Cooper
e30032165c
Fix misc typos in comments ( #228 )
2019-05-14 19:02:21 +02:00
Léo Colombaro
276af8da7b
Improve default Content-Security-Policy value ( #224 )
...
See https://github.com/h5bp/server-configs-apache/pull/181
2019-03-26 12:41:15 +01:00
Léo Colombaro
d186781282
Update `ngx_pagespeed` docs link
2019-03-24 22:21:07 +01:00
Léo Colombaro
29ff09ac95
Remove CSP from basic.conf includes
...
Too strong for general purposes.
Closes #222
2019-03-15 18:58:47 +01:00
Léo Colombaro
cec616a103
SVGZ files are already compressed
...
Disable gzip function for them
Regression d2f4e5c68f
2019-03-09 15:08:44 +01:00
Léo Colombaro
3b0c4c41df
Fix regexp expressions in mime-types maps
2019-03-09 13:45:33 +01:00
Léo Colombaro
06e5fc8445
Remove extra match-any regexp
2019-03-09 02:41:29 +01:00
Mark Woon
d65cd97761
Use regexp in MIME-types based maps ( #221 )
...
Fix #220
Co-authored-by: Léo Colombaro <git@colombaro.fr>
2019-03-09 02:34:15 +01:00
Léo Colombaro
50a6d793ce
Remove duplicated .conf in include
2019-02-13 14:45:52 +01:00
Léo Colombaro
f600128203
Add Referrer-Policy for html document by default
2019-02-13 14:31:53 +01:00
Léo Colombaro
51f5ffab82
Clean up and prepare docs for v3
2019-02-12 12:25:30 +01:00
Léo Colombaro
283b292c5e
Add default recommended headers
...
Since no more location directive is used, making these header
available everywhere is possible without breaking servers.
2019-02-10 22:20:05 +01:00
Léo Colombaro
a4c9e2da8e
Better default certificates folder
...
Mapped as Docker Nginx image
2019-02-10 22:13:25 +01:00
Léo Colombaro
6dd4cc27ed
Switch from location directives to maps based on MIME-types
...
* Expire
* X-XSS-Protection
* X-Frame-Options
* X-UA-Compatible
* Content-Security-Policy
* Access-Control-Allow-Origin
2019-02-10 21:56:10 +01:00
Léo Colombaro
2d135053cb
Move MIME-type and charset declaration into their own conf files
2019-02-10 20:40:50 +01:00
Léo Colombaro
452b630330
Update gzipped MIME-type following web standard
...
Source https://github.com/jshttp/mime-db
2019-02-10 20:38:23 +01:00
Léo Colombaro
e21aec5822
Block access to file #.*#
...
Used to contain sensitive data
2019-02-10 20:36:26 +01:00
Léo Colombaro
d2531ac605
Rotate ssl policies to modernize protocols recommendations
...
Closes #210
2019-02-01 16:13:22 +01:00
Ewout van Mansom
eeeebd0da6
Add new TLS policy 'future' ( #211 )
...
This new TLS policy embraces the best security practices and performance characteristics by sacrificing compatibility with older clients.
2018-12-02 18:40:25 +01:00
Léo Colombaro
df4be14a73
Improve cache-file-descriptors.conf doc
...
Closes #203
2018-12-02 17:23:44 +01:00
Ewout van Mansom
df23e0ba8c
Add DH parameters note to policy_intermediate.conf ( #212 )
...
For DHE ciphersuites, adding a diffie hellman parameter is a good practice. Only the intermediate policy uses DHE ciphersuites.
2018-12-02 17:05:11 +01:00
Léo Colombaro
86d8ed33ca
Improve SSL directives declarations, order and descriptions
2018-12-02 12:57:01 +01:00
Ewout van Mansom
5a2f750c53
Add note explaining secure eleptic curve situation for modern TLS profile preset ( #209 )
2018-11-30 12:12:02 +01:00
a22375
5f3ce4f73c
Add back web_performance_cache_expiration ( #206 )
...
remove double include h5bp/location/security_file_access.conf;
2018-11-30 11:40:33 +01:00
Ewout van Mansom
8141562756
Add eleptic curves for intermediate profile preset
...
prime256v1 (NIST P-256), secp384r1 (NIST P-384) and secp521r1 (NIST P-521) have been deemed insecure as per Daniel J. Bernstein's research (https://cr.yp.to/newelliptic/nistecc-20160106.pdf , https://safecurves.cr.yp.to/ ).
Despite that, the adoption of X25519 is too slim. Limiting to that curve would mean dropping compatibility with Safari, Edge and Internet Explorer.
2018-11-30 11:38:25 +01:00
Ewout van Mansom
9b369d23a5
Add eleptic curves for modern profile preset
...
prime256v1 (NIST P-256), secp384r1 (NIST P-384) and secp521r1 (NIST P-521) have been deemed insecure as per Daniel J. Bernstein's research (https://cr.yp.to/newelliptic/nistecc-20160106.pdf , https://safecurves.cr.yp.to/ ).
Despite that, the adoption of X25519 is too slim. Limiting to that curve would mean dropping compatibility with Safari, Edge and Internet Explorer.
2018-11-30 10:21:38 +01:00
Léo Colombaro
959839d81f
Add a modern profile for SSL policy
...
TLSv1.0 & TLSv1.1 suffer from [POODLE](blog.qualys.com/ssllabs/2014/12/08/poodle-bites-tls) and other [padding oracle attack](blog.cloudflare.com/padding-oracles-and-the-decline-of-cbc-mode-ciphersuites)
You need to support only TLSv1.2 to expect closing those weakness (and use only AEAD cipher suite in case of padding oracle).
The same, non PFS cipher suite is not at all recommended (see heartbleed effect).
DHE support [is dropped](digicert.com/blog/google-plans-to-deprecate-dhe-cipher-suites) from any decent user agent and can lead to [mitm attack](media.ccc.de/v/32c3-7288-logjam_diffie-hellman_discrete_logs_the_nsa_and_you#t=1357) (arround ~25min in the video) with only one side supporting weak cipher suite.
3DES is deprecated and suffer from [sweet32](sweet32.info)
So I recommend using only the `EECDH+CHACHA20:EECDH+AES` cipher suite, which has [quite good compatibility](cryptcheck.fr/suite/EECDH+CHACHA20:EECDH+AES) and a very better security than the actual cipher suite.
Fix #201
Fix #183
Fix #190
Prepare #180
Co-authored-by: aeris <aeris@users.noreply.github.com>
2018-11-29 10:39:33 +01:00
Léo Colombaro
10fc3a39a6
Split SSL config
...
Prepare #180
2018-11-29 10:39:33 +01:00
Léo Colombaro
1b2b4eb276
Merge #202
2018-11-27 21:43:18 +01:00
Léo Colombaro
3071e67d04
Tweaks and lint
2018-11-25 22:07:01 +01:00
Léo Colombaro
496af1cfd5
Split directives to enforce atomic structure
...
* Enforce H5BP style
* Improve inline documentation to simplify maintenance
* Prepare v3
2018-11-23 17:19:51 +01:00
Léo Colombaro
b935688c2b
Fix external links
2018-11-23 14:45:12 +01:00
Léo Colombaro
e38617e7fb
Switch to `https` when possible
2018-11-23 13:15:44 +01:00
Matt Rubin
135d093a75
Replace location block `add_header` directives with `expires` directives
...
Fixes https://github.com/h5bp/server-configs-nginx/issues/193
2018-11-23 11:38:22 +01:00
Chris McKnight
006d7be396
fix(cache-busting): Support hashed asset names
2018-08-07 17:00:16 -05:00
Andy Dawson
ba73ae2f89
Merge pull request #142 from pentago/spdy-off
...
Removed SPDY support as we're using HTTP/2 now.
2017-05-06 17:51:38 +02:00
Andy Dawson
34c2114527
Don't need that expires
2017-05-06 17:49:43 +02:00
Matthew Miller
d2f4e5c68f
Remove cache-control public and better handle svgz files
...
Fixes : #86
Fixes : #134
2017-05-06 17:48:07 +02:00
Andy Dawson
1cc4b14e51
Merge pull request #168 from alanorth/cache-control-public
...
Use Cache-Control instead of Expires
2017-05-06 17:39:38 +02:00
Andy Dawson
391375e1e7
Merge pull request #171 from quantumpacket/patch-1
...
Remove Unnecessary Trailing Semicolon
2017-05-06 17:01:07 +02:00
0ri0n
1648e2f0d4
Update ssl_ciphers To Latest Mozilla Intermediate
...
Updates to latest ciphers list for Mozilla Intermediate, which also adds support for ChaCha20 and Poly1305.
2017-01-08 12:18:04 -05:00
0ri0n
9c7e84f54f
Remove Unnecessary Trailing Semicolon
...
No need to add a semicolon for the last directive. In addition, having that unnecessary semicolon causes the HSTS tool (https://hstspreload.org/ ) for getting on the preload list to fail with an error about the semicolon.
2017-01-07 12:10:02 -05:00