fripost-ansible/roles/common-web/files/etc/nginx/snippets, branch master Fripost ansible scripts Nginx: Drop OCSP stapling directives. 2025-08-06T11:51:50+00:00 Guilhem Moulin guilhem@fripost.org 2025-08-06T11:51:50+00:00 983981b8546d9ef847cfef7711c35c6e06549f43 Let's Encrypt removed OCSP URLs from certificates on 2025-05-07, see https://letsencrypt.org/2024/12/05/ending-ocsp . 
Let's Encrypt removed OCSP URLs from certificates on 2025-05-07, see
https://letsencrypt.org/2024/12/05/ending-ocsp .
nginx: Update trusted certificate used for OCSP stapling. 2020-12-05T14:52:10+00:00 Guilhem Moulin guilhem@fripost.org 2020-12-05T14:50:33+00:00 07218fc1e6caf4299dd453744d6e9e53854f75ab See https://bugs.debian.org/975862 . 
See https://bugs.debian.org/975862 .
common-web: Remove snippets/acme-challenge.conf. 2020-05-16T21:53:35+00:00 Guilhem Moulin guilhem@fripost.org 2020-05-16T21:49:20+00:00 2d30ef24b25d145b0fa827b7b458583996a04760 lacme now ships that file as /etc/lacme/nginx.conf. 
lacme now ships that file as /etc/lacme/nginx.conf.
Nextcloud: use dedicated user and PHP FPM pool. 2020-05-15T23:30:44+00:00 Guilhem Moulin guilhem@fripost.org 2020-05-15T22:52:10+00:00 e43ef0c7b9490ece68af38f8a658ad8a710e4e37 There is a real security gain in not using the 'www-data' user: nginx workers can't read Nextcloud config files and data directory, so should our nginx configuration be insecure a leak is much less likely. 
There is a real security gain in not using the 'www-data' user: nginx
workers can't read Nextcloud config files and data directory, so should
our nginx configuration be insecure a leak is much less likely.
role/common-web: Upgrade baseline to Debian 10. 2020-05-15T22:51:30+00:00 Guilhem Moulin guilhem@fripost.org 2020-05-15T22:51:30+00:00 e250173c23a9c192dc18ba34115f94816846ccf3 






Upgrade baseline to Debian Stretch.
2018-12-03T02:43:36+00:00

Guilhem Moulin
guilhem@fripost.org

2018-12-03T02:04:22+00:00

2495327985da791891b579bd05b3cda1f41dfda7












nginx: set Referrer-Policy HTTP header to "no-referrer".
2016-12-13T19:36:38+00:00

Guilhem Moulin
guilhem@fripost.org

2016-12-13T19:36:38+00:00

63b76b4deee43d586ee741415d03f5962e5fafc8












HSTS: use the standard capitalization of includeSubDomains.
2016-07-12T15:27:24+00:00

Guilhem Moulin
guilhem@fripost.org

2016-07-12T15:27:24+00:00

e8cdae5ccc1aba3dc1e9991cce2942fdf93cabcb

Cf. RFC 6797 sec. 6.1.2.





Cf. RFC 6797 sec. 6.1.2.







Rename letsencrypt-tiny to lacme.
2016-06-15T16:00:57+00:00

Guilhem Moulin
guilhem@fripost.org

2016-06-15T16:00:57+00:00

97e78349145156ca6565ee5b2af54983a6fdd3a6












Move /etc/ssl/private/dhparams.pem to /etc/ssl/dhparams.pem and make it public.
2016-05-18T15:55:44+00:00

Guilhem Moulin
guilhem@fripost.org

2016-05-18T15:55:40+00:00

cda53ea254de51eb46cb0f53f7d33b9a0f794bfc

Ideally we we should also increase the Diffie-Hellman group size from
2048-bit to 3072-bit, as per ENISA 2014 report.

    https://www.enisa.europa.eu/publications/algorithms-key-size-and-parameters-report-2014

But we postpone that for now until we are reasonably certain that older
client won't be left out.





Ideally we we should also increase the Diffie-Hellman group size from
2048-bit to 3072-bit, as per ENISA 2014 report.

    https://www.enisa.europa.eu/publications/algorithms-key-size-and-parameters-report-2014

But we postpone that for now until we are reasonably certain that older
client won't be left out.