summaryrefslogtreecommitdiffstats
path: root/roles/lists/files/etc/nginx
diff options
context:
space:
mode:
authorGuilhem Moulin <guilhem@fripost.org>2016-07-12 03:10:33 +0200
committerGuilhem Moulin <guilhem@fripost.org>2016-07-12 03:10:33 +0200
commitef430522256013665205cdda05636846cc622251 (patch)
tree0912b6175af9e97fa76aaf47613bd1926893dc67 /roles/lists/files/etc/nginx
parent4e347178a85468cb2a6451a3a57c3379f832ca97 (diff)
nginx: Don't hard-code the HPKP headers.
Instead, lookup the pubkeys and compute the digests on the fly. But never modify the actual header snippet to avoid locking our users out.
Diffstat (limited to 'roles/lists/files/etc/nginx')
-rw-r--r--roles/lists/files/etc/nginx/sites-available/sympa6
1 files changed, 3 insertions, 3 deletions
diff --git a/roles/lists/files/etc/nginx/sites-available/sympa b/roles/lists/files/etc/nginx/sites-available/sympa
index 732f09f..fbb3421 100644
--- a/roles/lists/files/etc/nginx/sites-available/sympa
+++ b/roles/lists/files/etc/nginx/sites-available/sympa
@@ -29,9 +29,9 @@ server {
"default-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self'; font-src 'self'; upgrade-insecure-requests; block-all-mixed-content; reflected-xss block; referrer no-referrer-when-downgrade; frame-ancestors 'none'; form-action 'self'; base-uri lists.fripost.org";
include snippets/ssl.conf;
- ssl_certificate /etc/nginx/ssl/lists.fripost.org.pem;
- ssl_certificate_key /etc/nginx/ssl/lists.fripost.org.key;
- add_header Public-Key-Pins 'pin-sha256="OLx1hOEqnCdS/7ZgzTzAl8Ig/Cwpz5MY9J9Fishg6/0="; pin-sha256="v/Ow0Ou2m08HO10wxci1IVrMC/pbihnoDNxvUwKBsMY="; max-age=15778800';
+ ssl_certificate ssl/lists.fripost.org.pem;
+ ssl_certificate_key ssl/lists.fripost.org.key;
+ include snippets/lists.fripost.org.hpkp-hdr;
location = / {
return 302 /sympa$args;