summaryrefslogtreecommitdiffstats
path: root/roles/common-web
Commit message (Collapse)AuthorAgeFiles
* Roundcube: Port to Debian 10.Guilhem Moulin2020-05-171
| | | | | We use the version from buster-backports (currently 1.4.4+dfsg.1-1~bpo10+1) for the elastic theme.
* common-web: Remove snippets/acme-challenge.conf.Guilhem Moulin2020-05-162
| | | | lacme now ships that file as /etc/lacme/nginx.conf.
* Nextcloud: use dedicated user and PHP FPM pool.Guilhem Moulin2020-05-161
| | | | | | There is a real security gain in not using the 'www-data' user: nginx workers can't read Nextcloud config files and data directory, so should our nginx configuration be insecure a leak is much less likely.
* role/common-web: Upgrade baseline to Debian 10.Guilhem Moulin2020-05-164
|
* Upgrade baseline to Debian Stretch.Guilhem Moulin2018-12-036
|
* nginx: set Referrer-Policy HTTP header to "no-referrer".Guilhem Moulin2016-12-131
|
* HSTS: use the standard capitalization of includeSubDomains.Guilhem Moulin2016-07-121
| | | | Cf. RFC 6797 sec. 6.1.2.
* Rename letsencrypt-tiny to lacme.Guilhem Moulin2016-06-151
|
* Move /etc/ssl/private/dhparams.pem to /etc/ssl/dhparams.pem and make it public.Guilhem Moulin2016-05-181
| | | | | | | | | | Ideally we we should also increase the Diffie-Hellman group size from 2048-bit to 3072-bit, as per ENISA 2014 report. https://www.enisa.europa.eu/publications/algorithms-key-size-and-parameters-report-2014 But we postpone that for now until we are reasonably certain that older client won't be left out.
* nginx: update ssl_ciphers to follow Mozilla's TLS server recommendation.Guilhem Moulin2016-04-021
| | | | https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.6.2&openssl=1.0.1k&hsts=yes&profile=intermediate
* Set HTTP security headers.Guilhem Moulin2016-03-303
| | | | See https://securityheaders.io .
* Replace LE's X1 intermediate CA with X3 since the latter has better support ↵Guilhem Moulin2016-03-281
| | | | for XP.
* Fix Let's Encrypt CAfile.Guilhem Moulin2015-12-281
|
* Use the Let's Encrypt CA for our public certs.Guilhem Moulin2015-12-203
|
* nginx: Move include.d/* to snippets/.Guilhem Moulin2015-12-206
|
* nginx: s/conf.d/include.d/Guilhem Moulin2015-12-152
|
* ngnix: mv ssl/config conf.d/sslGuilhem Moulin2015-12-092
|
* Replace gitweb with cgit.Guilhem Moulin2015-09-211
|
* Add .asc to text/plain nginx MIME types.Guilhem Moulin2015-08-211
|
* typoGuilhem Moulin2015-06-071
|
* logjam mitigation.Guilhem Moulin2015-06-071
|
* Fix tab damage.Guilhem Moulin2015-06-071
|
* wibbleGuilhem Moulin2015-06-071
|
* Follow Qualys's SSL labs recommendation for HTTPS.Guilhem Moulin2015-06-071
| | | | | (Disable SSLv3 and extend STS' max age to 180 days.) See https://www.ssllabs.com/ssltest/ .
* Common web configuration.Guilhem Moulin2015-06-076