diff options
author | Renken <renken@shione.net> | 2024-07-30 01:20:35 +0200 |
---|---|---|
committer | Renken <renken@shione.net> | 2024-07-30 01:20:35 +0200 |
commit | 2f25948d3c2c090d1a394cb60629d40b89191d90 (patch) | |
tree | a64122ba56f02704ed3537939851161f003d4275 | |
parent | 91b27fb97be9b1addf4dc21903000d0f2186ab9d (diff) | |
download | shione-2f25948d3c2c090d1a394cb60629d40b89191d90.tar.gz shione-2f25948d3c2c090d1a394cb60629d40b89191d90.zip |
shione: nginx: follow mozilla ssl recommendation
-rw-r--r-- | config/shione/nginx/files/etc/nginx/sites-available/shione.net | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/config/shione/nginx/files/etc/nginx/sites-available/shione.net b/config/shione/nginx/files/etc/nginx/sites-available/shione.net index 361089f..28f7afe 100644 --- a/config/shione/nginx/files/etc/nginx/sites-available/shione.net +++ b/config/shione/nginx/files/etc/nginx/sites-available/shione.net @@ -25,6 +25,7 @@ server { # SSL configuration # + # Partially generated by https://ssl-config.mozilla.org/. listen 443 ssl default_server; listen [::]:443 ssl default_server; # @@ -44,6 +45,18 @@ server { ssl_certificate_key /etc/letsencrypt/live/shione.net/privkey.pem; include /etc/letsencrypt/options-ssl-nginx.conf; + # OCSP stapling + ssl_stapling on; + ssl_stapling_verify on; + + # HSTS (ngx_http_headers_module is required) (63072000 seconds) + # + # See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security. + add_header Strict-Transport-Security "max-age=63072000" always; + + # Prevent spam. + add_header X-Robots-Tag "noai, noimageai" always; + server_name shione.net www.shione.net; location ~* \.(htaccess|htpasswd) { |