Commits · 45166e75aee1c367b1cad3d2be73ff9a8035c736 · Arch Linux / infrastructure · GitLab

Snippets Groups Projects

Due to an influx of spam, we have had to temporarily disable account registrations. Please write an email to accountsupport@archlinux.org, with your desired username, if you want to get access. Sorry for the inconvenience.

Aug 17, 2024

Fix missing HSTS header for some URLs due to nginx "directive inheritance"[1] · 4f872bae

Kristian Klausen authored 7 months ago

F5/nginx has blogged about this[1] and it is also mentioned in nginx's
documentation[2]:
"There could be several add_header directives. These directives are
inherited from the previous configuration level if and only if there are
no add_header directives defined on the current level. "

The problem occurs when add_header is used in a child context like a
server{} or location{} block. It is solved by moving the HSTS header
into a snippet, which is now included before all add_header lines.

For now the HSTS header is the only global header, but in the future we
may need to add more global headers, like the Alt-Svc header[3] for
HTTP/3.

[1] https://www.f5.com/company/blog/nginx/avoiding-top-10-nginx-configuration-mistakes#directive-inheritance
[2] https://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header
[3] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Alt-Svc

Fix #608

4f872bae

Jul 21, 2024

nginx: Set a resolver · 73f6d643

Jan Alexander Steffens (heftig) authored 8 months ago

This is required of OCSP stapling to work, or you get warnings when
NGINX starts up:

    no resolver defined to resolve e6.o.lencr.org while requesting certificate status

Let NGINX use the local systemd-resolved as its resolver.

Fixes: #607

73f6d643

Jul 20, 2024
- nginx: Update SSL settings to current guidelines · 98418998
  Jan Alexander Steffens (heftig) authored 8 months ago
  
  This reduces the session cache size and adds the `DHE-RSA-CHACHA20-POLY1305` cipher.
  98418998
Sep 05, 2019
- nginx: Modernize SSL settings · 9c57ddae
  Jan Alexander Steffens (heftig) authored 5 years ago
  
  Enables TLS 1.3.
  Verified
  
  9c57ddae
Jan 29, 2017

roles/nginx: Use a map to only include the STS header on https · bc1cffbd

Giancarlo Razzolini authored 8 years ago

One of the things missing from the preload submission was that we
included the STS header on http connections also. Using this:
https://trac.nginx.org/nginx/ticket/289#comment:3 we are able to
only include the STS header on https connections.

bc1cffbd

Jan 26, 2017

roles/nginx: Add preload to the STS header · 9beccb72

Giancarlo Razzolini authored 8 years ago

After some weeks since it was proposed the addition of archlinux.org
to the HSTS Preload list, since there were no objections, we are
introducing this change and in the coming hours will add archlinux.org
domain to the list.

9beccb72

Jan 09, 2017
- roles/nginx: Removed the extra semicolon. · e677394a
  Giancarlo Razzolini authored 8 years ago
  
  Verified
  
  e677394a
Sep 18, 2016

nginx: Switch to more widely supported ssl ciphers · d2805071

Florian Pritz authored 8 years ago

This is also the profile we use on our older boxes and apparently users
(see bug, also confirmed via IRC for setups using the settings in
ansible alreadt) are unable to access our sites.

https://bugs.archlinux.org/task/50771



Signed-off-by: Florian Pritz <bluewind@xinu.at>

d2805071

nginx: Update SSL settings · 45dae089

Florian Pritz authored 8 years ago


Include link to mozilla's config generator (looks like the settings
came from there) and update ssl_session_* settings to their current
recommendation.

Signed-off-by: Florian Pritz <bluewind@xinu.at>

45dae089

Jun 20, 2016
- Add letsencrypt/certbot stuff · d7d4a083
  Sven-Hendrik Haase authored 8 years ago
  
  Verified
  
  d7d4a083