diff options
author | Rigel Kent <sendmemail@rigelk.eu> | 2020-03-03 11:40:45 +0100 |
---|---|---|
committer | Rigel Kent <sendmemail@rigelk.eu> | 2020-03-03 11:40:45 +0100 |
commit | 62df8cc1f0787e60e9c697c7d2499a641af2147f (patch) | |
tree | 52cf27be33bde014b5ef9fa4b286f4e3c43bb4dc /support | |
parent | 3729e048a9745cc5cd514c66f874f566e41415d4 (diff) | |
download | PeerTube-62df8cc1f0787e60e9c697c7d2499a641af2147f.tar.gz PeerTube-62df8cc1f0787e60e9c697c7d2499a641af2147f.tar.zst PeerTube-62df8cc1f0787e60e9c697c7d2499a641af2147f.zip |
Reword HSTS configuration to warn user of nginx's add_header shortcomings
Diffstat (limited to 'support')
-rw-r--r-- | support/nginx/peertube | 8 |
1 files changed, 2 insertions, 6 deletions
diff --git a/support/nginx/peertube b/support/nginx/peertube index 50d3a919f..14e60ed7d 100644 --- a/support/nginx/peertube +++ b/support/nginx/peertube | |||
@@ -33,6 +33,8 @@ server { | |||
33 | ssl_session_tickets off; # Requires nginx >= 1.5.9 | 33 | ssl_session_tickets off; # Requires nginx >= 1.5.9 |
34 | ssl_stapling on; # Requires nginx >= 1.3.7 | 34 | ssl_stapling on; # Requires nginx >= 1.3.7 |
35 | ssl_stapling_verify on; # Requires nginx => 1.3.7 | 35 | ssl_stapling_verify on; # Requires nginx => 1.3.7 |
36 | # HSTS (https://hstspreload.org), requires to be copied in 'location' sections that have add_header directives | ||
37 | #add_header Strict-Transport-Security "max-age=63072000; includeSubDomains"; | ||
36 | 38 | ||
37 | # Configure with your resolvers | 39 | # Configure with your resolvers |
38 | # resolver $DNS-IP-1 $DNS-IP-2 valid=300s; | 40 | # resolver $DNS-IP-1 $DNS-IP-2 valid=300s; |
@@ -49,12 +51,6 @@ server { | |||
49 | # See https://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_temp_path | 51 | # See https://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_temp_path |
50 | # client_body_temp_path /var/www/peertube/storage/nginx/; | 52 | # client_body_temp_path /var/www/peertube/storage/nginx/; |
51 | 53 | ||
52 | # Enable HSTS | ||
53 | # Tells browsers to stick with HTTPS and never visit the insecure HTTP | ||
54 | # version. Once a browser sees this header, it will only visit the site over | ||
55 | # HTTPS for the next 2 years: (read more on hstspreload.org) | ||
56 | #add_header Strict-Transport-Security "max-age=63072000; includeSubDomains"; | ||
57 | |||
58 | access_log /var/log/nginx/peertube.example.com.access.log; | 54 | access_log /var/log/nginx/peertube.example.com.access.log; |
59 | error_log /var/log/nginx/peertube.example.com.error.log; | 55 | error_log /var/log/nginx/peertube.example.com.error.log; |
60 | 56 | ||