diff options
author | Rigel Kent <par@rigelk.eu> | 2018-02-14 11:11:49 +0100 |
---|---|---|
committer | Chocobozzz <me@florianbigard.com> | 2018-02-14 11:11:49 +0100 |
commit | e883399fa6caa56bb8519c9a2e22d88001f26661 (patch) | |
tree | 2843fa320193ed86ae153cfbe7756ca4a979c804 /shared | |
parent | 1007a0185f5e3c1330a78f07d60f8dda9f5ddd15 (diff) | |
download | PeerTube-e883399fa6caa56bb8519c9a2e22d88001f26661.tar.gz PeerTube-e883399fa6caa56bb8519c9a2e22d88001f26661.tar.zst PeerTube-e883399fa6caa56bb8519c9a2e22d88001f26661.zip |
Precisions and security enhancements to the production guide (#287)
- added precisions and suggestions about how to generate Let's Encrypt certificates. Users have reported their installations didn't work when the problem came from missing certificates (false positives).
- security defaults of Nginx follow the basic robustness principle "be conservative in what you send, be liberal in what you accept", which isn't enough with modern security standards, so we should be picky with the cipher suites we use, among other things. Extra comments (especially for the TLS1.3 protocol support parameter) make the requirement of a recent Nginx installation obvious, and the downgrade alternative remains clear to the system administrator.
All in all, we should aknowledge users will most often copy and paste the configuration files. Making them secure by default may force a few users to read their configuration, but on the long run we are making the fediverse more secure.
Since I've come to modify a bit the Nginx config in `support/doc/production.md`, I've merged it with the template so that they stay consistent.
Diffstat (limited to 'shared')
0 files changed, 0 insertions, 0 deletions