diff options
author | Guilhem Moulin <guilhem@fripost.org> | 2016-07-12 03:10:33 +0200 |
---|---|---|
committer | Guilhem Moulin <guilhem@fripost.org> | 2016-07-12 03:10:33 +0200 |
commit | ef430522256013665205cdda05636846cc622251 (patch) | |
tree | 0912b6175af9e97fa76aaf47613bd1926893dc67 /roles/wiki/files/etc/nginx/sites-available/wiki | |
parent | 4e347178a85468cb2a6451a3a57c3379f832ca97 (diff) |
nginx: Don't hard-code the HPKP headers.
Instead, lookup the pubkeys and compute the digests on the fly. But
never modify the actual header snippet to avoid locking our users out.
Diffstat (limited to 'roles/wiki/files/etc/nginx/sites-available/wiki')
-rw-r--r-- | roles/wiki/files/etc/nginx/sites-available/wiki | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/roles/wiki/files/etc/nginx/sites-available/wiki b/roles/wiki/files/etc/nginx/sites-available/wiki index 39cd653..d2e13a5 100644 --- a/roles/wiki/files/etc/nginx/sites-available/wiki +++ b/roles/wiki/files/etc/nginx/sites-available/wiki @@ -30,9 +30,9 @@ server { "default-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self'; font-src 'self'; upgrade-insecure-requests; block-all-mixed-content; reflected-xss block; referrer no-referrer-when-downgrade; frame-ancestors 'none'; form-action 'self'; base-uri wiki.fripost.org"; include snippets/ssl.conf; - ssl_certificate /etc/nginx/ssl/www.fripost.org.pem; - ssl_certificate_key /etc/nginx/ssl/www.fripost.org.key; - add_header Public-Key-Pins 'pin-sha256="fQ+gau72iwOf6rmXvY7/QemB+kYhixPCY/A/EIr3ats="; pin-sha256="MYhOgCyUOp8NRGxa1LZc57g0wREA3kV8C+4SsrDajt8="; max-age=15778800'; + ssl_certificate ssl/www.fripost.org.pem; + ssl_certificate_key ssl/www.fripost.org.key; + include snippets/fripost.org.hpkp-hdr; location / { location ~ ^/website(/.*)?$ { return 302 $scheme://fripost.org$1; } |