authorRenken <renken@shione.net>2024-07-30 01:20:35 +0200
committerRenken <renken@shione.net>2024-07-30 01:20:35 +0200
commit2f25948d3c2c090d1a394cb60629d40b89191d90 (patch)
treea64122ba56f02704ed3537939851161f003d4275
parent91b27fb97be9b1addf4dc21903000d0f2186ab9d (diff)
downloadshione-2f25948d3c2c090d1a394cb60629d40b89191d90.tar.gz
shione-2f25948d3c2c090d1a394cb60629d40b89191d90.zip
shione: nginx: follow mozilla ssl recommendation
-rw-r--r--config/shione/nginx/files/etc/nginx/sites-available/shione.net13
1 files changed, 13 insertions, 0 deletions
diff --git a/config/shione/nginx/files/etc/nginx/sites-available/shione.net b/config/shione/nginx/files/etc/nginx/sites-available/shione.net
index 361089f..28f7afe 100644
--- a/config/shione/nginx/files/etc/nginx/sites-available/shione.net
+++ b/config/shione/nginx/files/etc/nginx/sites-available/shione.net
@@ -25,6 +25,7 @@ server {
# SSL configuration
#
+ # Partially generated by https://ssl-config.mozilla.org/.
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
#
@@ -44,6 +45,18 @@ server {
ssl_certificate_key /etc/letsencrypt/live/shione.net/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
+ # OCSP stapling
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ # HSTS (ngx_http_headers_module is required) (63072000 seconds)
+ #
+ # See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security.
+ add_header Strict-Transport-Security "max-age=63072000" always;
+
+ # Prevent spam.
+ add_header X-Robots-Tag "noai, noimageai" always;
+
server_name shione.net www.shione.net;
location ~* \.(htaccess|htpasswd) {
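Review bot: `ssl_stapling_verify on;` is added without the `ssl_trusted_certificate` and `resolver` directives that the Mozilla generator emits next to it; unless those are already set in the http block or inside the included options-ssl-nginx.conf, nginx cannot resolve the OCSP responder or verify the response and will quietly serve without a staple (it logs a warning, the handshake still succeeds), so the stapling block is likely a no-op as committed. Suggested lines: `resolver 127.0.0.1 valid=300s;` (use the host's actual resolver) and `ssl_trusted_certificate /etc/letsencrypt/live/shione.net/chain.pem;`, which certbot writes alongside the fullchain.pem already referenced by `ssl_certificate`. Note also that nginx does not inherit server-level `add_header` into any `location` that sets its own `add_header`, so the HSTS header should be checked against the `location` blocks that begin at the bottom of this hunk. The comment `# Prevent spam.` mislabels the `X-Robots-Tag "noai, noimageai"` header: it is an advisory opt-out for AI training crawlers, not a spam control, and crawlers may ignore it, so `# Opt out of AI training crawlers (advisory; honored voluntarily).` would be accurate. The hunk header claims 18 new-side lines but only 16 are visible, so the hunk appears to continue past the last line shown here.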