diff options
author | Guilhem Moulin <guilhem@fripost.org> | 2016-07-12 03:10:33 +0200 |
---|---|---|
committer | Guilhem Moulin <guilhem@fripost.org> | 2016-07-12 03:10:33 +0200 |
commit | ef430522256013665205cdda05636846cc622251 (patch) | |
tree | 0912b6175af9e97fa76aaf47613bd1926893dc67 /roles/webmail/files/etc/nginx/sites-available | |
parent | 4e347178a85468cb2a6451a3a57c3379f832ca97 (diff) |
nginx: Don't hard-code the HPKP headers.
Instead, lookup the pubkeys and compute the digests on the fly. But
never modify the actual header snippet to avoid locking our users out.
Diffstat (limited to 'roles/webmail/files/etc/nginx/sites-available')
-rw-r--r-- | roles/webmail/files/etc/nginx/sites-available/roundcube | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/roles/webmail/files/etc/nginx/sites-available/roundcube b/roles/webmail/files/etc/nginx/sites-available/roundcube index 67851ae..c691d35 100644 --- a/roles/webmail/files/etc/nginx/sites-available/roundcube +++ b/roles/webmail/files/etc/nginx/sites-available/roundcube @@ -31,9 +31,9 @@ server { "default-src 'none'; child-src 'self'; frame-src 'self'; connect-src 'self'; object-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src * data:; font-src 'self'; reflected-xss block; referrer no-referrer-when-downgrade; frame-ancestors 'self'; form-action 'self'; base-uri mail.fripost.org webmail.fripost.org"; include snippets/ssl.conf; - ssl_certificate /etc/nginx/ssl/mail.fripost.org.pem; - ssl_certificate_key /etc/nginx/ssl/mail.fripost.org.key; - add_header Public-Key-Pins 'pin-sha256="SHfniMEapxeYo5YT/2jP+n+WstNaYghDMhZUadLlPDk="; pin-sha256="/Tt92H3ZkfEW1/AOCoGVm1TxZl7u4c+tIBnuvAc7d5w="; max-age=15778800'; + ssl_certificate ssl/mail.fripost.org.pem; + ssl_certificate_key ssl/mail.fripost.org.key; + include snippets/mail.fripost.org.hpkp-hdr; location = /favicon.ico { root /usr/share/roundcube/skins/default/images; |