summaryrefslogtreecommitdiffstats
path: root/roles/wiki/files/etc/nginx/sites-available/website
diff options
context:
space:
mode:
authorGuilhem Moulin <guilhem@fripost.org>2016-07-12 03:10:33 +0200
committerGuilhem Moulin <guilhem@fripost.org>2016-07-12 03:10:33 +0200
commitef430522256013665205cdda05636846cc622251 (patch)
tree0912b6175af9e97fa76aaf47613bd1926893dc67 /roles/wiki/files/etc/nginx/sites-available/website
parent4e347178a85468cb2a6451a3a57c3379f832ca97 (diff)
nginx: Don't hard-code the HPKP headers.
Instead, lookup the pubkeys and compute the digests on the fly. But never modify the actual header snippet to avoid locking our users out.
Diffstat (limited to 'roles/wiki/files/etc/nginx/sites-available/website')
-rw-r--r--roles/wiki/files/etc/nginx/sites-available/website6
1 files changed, 3 insertions, 3 deletions
diff --git a/roles/wiki/files/etc/nginx/sites-available/website b/roles/wiki/files/etc/nginx/sites-available/website
index 10e127c..e79ff1f 100644
--- a/roles/wiki/files/etc/nginx/sites-available/website
+++ b/roles/wiki/files/etc/nginx/sites-available/website
@@ -31,9 +31,9 @@ server {
"default-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self'; font-src 'self'; upgrade-insecure-requests; block-all-mixed-content; reflected-xss block; referrer no-referrer-when-downgrade; frame-ancestors 'none'; form-action https://www.paypal.com/; base-uri fripost.org www.fripost.org";
include snippets/ssl.conf;
- ssl_certificate /etc/nginx/ssl/www.fripost.org.pem;
- ssl_certificate_key /etc/nginx/ssl/www.fripost.org.key;
- add_header Public-Key-Pins 'pin-sha256="fQ+gau72iwOf6rmXvY7/QemB+kYhixPCY/A/EIr3ats="; pin-sha256="MYhOgCyUOp8NRGxa1LZc57g0wREA3kV8C+4SsrDajt8="; max-age=15778800';
+ ssl_certificate ssl/www.fripost.org.pem;
+ ssl_certificate_key ssl/www.fripost.org.key;
+ include snippets/fripost.org.hpkp-hdr;
location / {
try_files $uri $uri/ =404;
generated by cgit v1.2.3 (git 2.25.1) at 2024-11-22 04:18:02 +0000