mtigas · March 20, 2025 14:14 · Jul 28, 2014 · Jul 28, 2014 · Jul 28, 2014 · Jul 28, 2014
diff --git a/nginx.conf b/nginx.conf
@@ -90,6 +90,7 @@ http {
 		# after "kEDH+AES128".
 		###################
 		ssl_ciphers 'kEECDH+ECDSA+AESGCM kEECDH+AESGCM kEECDH+ECDSA+AES256 kEECDH+ECDSA+AES128 kEECDH+AES256 kEECDH+AES128 kEDH+AESGCM kEDH+AES256 kEDH+AES128 +SHA !aNULL !eNULL !LOW !MD5 !EXP !DSS !PSK !SRP !kECDH !CAMELLIA !RC4 !SEED';
+		ssl_prefer_server_ciphers on;
 
 		root /home/ubuntu/html; # TODO
 		index index.html index.htm;

diff --git a/nginx.conf b/nginx.conf
@@ -81,8 +81,8 @@ http {
 		ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 
 		###################
-		# List of 19 ciphersuites, in descending security order preference:
-		# 12 TLS 1.2 suites, 4 fallbacks with PFS, 3 fallbacks for compatibility.
+		# List of 18 or 19 ciphersuites, in descending security order preference:
+		# 12 TLS 1.2 suites, 4 fallbacks with PFS, 3-4 fallbacks for compatibility.
 		#
 		# Expanded list: https://gist.github.com/mtigas/8591092/raw/gistfile1.txt
 		#

diff --git a/nginx.conf b/nginx.conf
@@ -82,15 +82,14 @@ http {
 
 		###################
 		# List of 19 ciphersuites, in descending security order preference:
-    # 12 TLS 1.2 suites, 4 fallbacks with PFS, 4 fallbacks for compatibility.
+		# 12 TLS 1.2 suites, 4 fallbacks with PFS, 3 fallbacks for compatibility.
 		#
 		# Expanded list: https://gist.github.com/mtigas/8591092/raw/gistfile1.txt
 		#
-		# If you don't need to support IE WinXP (or older) clients you can remove
-		# DES-CBC3-SHA so that the only suites supported have perfect forward secrecy.
+		# If you need to support IE WinXP (or older) clients, add "DES-CBC3-SHA"
+		# after "kEDH+AES128".
 		###################
 		ssl_ciphers 'kEECDH+ECDSA+AESGCM kEECDH+AESGCM kEECDH+ECDSA+AES256 kEECDH+ECDSA+AES128 kEECDH+AES256 kEECDH+AES128 kEDH+AESGCM kEDH+AES256 kEDH+AES128 +SHA !aNULL !eNULL !LOW !MD5 !EXP !DSS !PSK !SRP !kECDH !CAMELLIA !RC4 !SEED';
-		ssl_prefer_server_ciphers on;
 
 		root /home/ubuntu/html; # TODO
 		index index.html index.htm;

diff --git a/nginx.conf b/nginx.conf
@@ -89,7 +89,7 @@ http {
 		# If you don't need to support IE WinXP (or older) clients you can remove
 		# DES-CBC3-SHA so that the only suites supported have perfect forward secrecy.
 		###################
-		ssl_ciphers 'kEECDH+ECDSA+AESGCM kEECDH+AESGCM kEECDH+ECDSA+AES256 kEECDH+ECDSA+AES128 kEECDH+AES256 kEECDH+AES128 kEDH+AESGCM kEDH+AES256 kEDH+AES128 DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !MD5 !EXP !DSS !PSK !SRP !kECDH !CAMELLIA !RC4 !SEED';
+		ssl_ciphers 'kEECDH+ECDSA+AESGCM kEECDH+AESGCM kEECDH+ECDSA+AES256 kEECDH+ECDSA+AES128 kEECDH+AES256 kEECDH+AES128 kEDH+AESGCM kEDH+AES256 kEDH+AES128 +SHA !aNULL !eNULL !LOW !MD5 !EXP !DSS !PSK !SRP !kECDH !CAMELLIA !RC4 !SEED';
 		ssl_prefer_server_ciphers on;
 
 		root /home/ubuntu/html; # TODO

diff --git a/nginx.conf b/nginx.conf
@@ -81,30 +81,15 @@ http {
 		ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 
 		###################
-		# this list is basically a manually-defined, filtered/reordered list
-		# based on the recommendations from:
-		#   https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
-		#   http://unhandledexpression.com/2013/01/25/5-easy-tips-to-accelerate-ssl/
-		#
-		# Modifications include removing ECDSA, disabling almost all non-ephemeral
-		# key exchange ciphersuites to strongly prefer perfect forward secrecy
-		# (and only leave alternative as a fallback), removing fallbacks that
-		# wouldn't realistically happen in real browsers.
-		#
-		# We end up with a list of 12 ciphersuites: 4 TLS 1.2 ciphersuites, 4
-		# fallbacks with PFS, then 4 weaker fallbacks for compatibility.
-		# The low number of suites improves TLS handshake speed.
+		# List of 19 ciphersuites, in descending security order preference:
+    # 12 TLS 1.2 suites, 4 fallbacks with PFS, 4 fallbacks for compatibility.
 		#
 		# Expanded list: https://gist.github.com/mtigas/8591092/raw/gistfile1.txt
 		#
 		# If you don't need to support IE WinXP (or older) clients you can remove
-		# the weak fallbacks after DHE-RSA-AES128-SHA to force PFS ciphersuites
-		# for all clients and protect against downgrade attacks.
-		#
-		# For performance, AES256 ciphersuites can be removed, too. (Leaves 4 or 7
-		# ciphersuites.)
+		# DES-CBC3-SHA so that the only suites supported have perfect forward secrecy.
 		###################
-		ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDH-RSA-AES256-SHA:ECDH-RSA-AES128-SHA:AES128-SHA:DES-CBC3-SHA;
+		ssl_ciphers 'kEECDH+ECDSA+AESGCM kEECDH+AESGCM kEECDH+ECDSA+AES256 kEECDH+ECDSA+AES128 kEECDH+AES256 kEECDH+AES128 kEDH+AESGCM kEDH+AES256 kEDH+AES128 DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !MD5 !EXP !DSS !PSK !SRP !kECDH !CAMELLIA !RC4 !SEED';
 		ssl_prefer_server_ciphers on;
 
 		root /home/ubuntu/html; # TODO

diff --git a/nginx.conf b/nginx.conf
@@ -67,6 +67,13 @@ http {
 		ssl_stapling on;
 		ssl_trusted_certificate /path/to/ssl_certificate.crt; # TODO
 
+		# Stronger Diffie-Hellman key exchange, using 4096bit key.
+		# (Default is a server-generated 1024bit key.) Comment out
+		# if you need to support older than IE8 or Java 7.
+		# Create this file with:
+		#   openssl dhparam -out /etc/nginx/dhparam4096.pem -rand /dev/urandom 4096
+		ssl_dhparam /etc/nginx/dhparam4096.pem;
+
 		###################
 		# Disable SSLv2 by not including it in this list.
 		# Add SSLv3 back in if you need to support IE6 (or older) clients

diff --git a/nginx.conf b/nginx.conf
@@ -136,7 +136,7 @@ http {
 		# without the Strict-Transport-Security header.)
 
 		listen 80;
-    # List ALL IPs/hostnames that can get to this machine.
+		# List ALL IPs/hostnames that can get to this machine.
 		server_name 127.0.0.1 123.123.123.123; # TODO
 		rewrite ^/(.*) https://securedrop.example.com/$1 permanent; # TODO
 
@@ -152,4 +152,4 @@ http {
 		add_header "X-Content-Security-Policy" "default-src 'self'";
 		server_tokens off;
 	}
-}
+}
diff --git a/nginx.conf b/nginx.conf
@@ -2,91 +2,50 @@
 # with no warranties or representations, and any use of it
 # is at the user's own risk.
 #
-# You will need to edit domain name information, IP addresses for redirection (at the bottom),
-# SSL certificate and key paths, and the "Public-Key-Pins" header.
+# You will need to edit domain name information, IP addresses for
+# redirection (at the bottom), SSL certificate and key paths, and
+# the "Public-Key-Pins" header. Search for any instance of "TODO".
 
 user www-data;
 worker_processes 4;
 pid /run/nginx.pid;
 
 events {
 	worker_connections 768;
-	# multi_accept on;
 }
 
 http {
-
-	##
-	# Basic Settings
-	##
-
 	sendfile on;
 	tcp_nopush on;
 	tcp_nodelay on;
 	keepalive_timeout 65;
 	types_hash_max_size 2048;
-	# server_tokens off;
-
-	# server_names_hash_bucket_size 64;
-	# server_name_in_redirect off;
 
 	include /etc/nginx/mime.types;
 	default_type application/octet-stream;
-	##
-	# Logging Settings
-	##
 
+	# Turn off logs
 	access_log off;
 	error_log off;
 
-	##
-	# Gzip Settings
-	##
-
 	gzip on;
 	gzip_disable "msie6";
 
-	# gzip_vary on;
-	# gzip_proxied any;
-	# gzip_comp_level 6;
-	# gzip_buffers 16 8k;
-	# gzip_http_version 1.1;
-	# gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
-
-	##
-	# nginx-naxsi config
-	##
-	# Uncomment it if you installed nginx-naxsi
-	##
-
-	#include /etc/nginx/naxsi_core.rules;
-
-	##
-	# nginx-passenger config
-	##
-	# Uncomment it if you installed nginx-passenger
-	##
-
-	#passenger_root /usr;
-	#passenger_ruby /usr/bin/ruby;
-
-	##
-	# Virtual Host Configs
-	##
 	#####
-	# main
+	# SSL host
 	#####
 	server {
 		listen 443 ssl;
-		server_name securedrop.example.com;
+		server_name securedrop.example.com; # TODO
 
-		add_header "Strict-Transport-Security" "max-age=86400";
-
 		# SEE THESE LINKS REGARDING HOW TO CONFIGURE THIS HEADER
 		# http://tools.ietf.org/html/draft-ietf-websec-key-pinning-09
 		# http://blog.stalkr.net/2011/08/hsts-preloading-public-key-pinning-and.html
+		# NOTE: only valid on SSL version of domain
 		add_header "Public-Key-Pins" "TODO";
-
+
+		add_header "Strict-Transport-Security" "max-age=31536000";
+
 		add_header "Cache-Control" "max-age=0, no-cache, no-store, must-revalidate";
 		add_header "Pragma" "no-cache";
 		add_header "Expires" "-1";
@@ -102,16 +61,17 @@ http {
 		ssl on;
 		ssl_session_cache shared:SSL:5m;
 		ssl_session_timeout 5m;
+		ssl_certificate_key /path/to/ssl_certificate.key; # TODO
+		ssl_certificate /path/to/ssl_certificate.crt; # TODO
+
 		ssl_stapling on;
-		ssl_certificate_key /path/to/ssl_certificate.key;
-		ssl_certificate /path/to/ssl_certificate.crt;
-		#ssl_trusted_certificate /path/to/ssl_certificate.crt; # if "ssl_certificate.crt" does not contain CA intermediate certificates as well as your certificate
+		ssl_trusted_certificate /path/to/ssl_certificate.crt; # TODO
 
 		###################
 		# Disable SSLv2 by not including it in this list.
-		# Can remove SSLv3 if you don't need to support IE6 (or older) clients
+		# Add SSLv3 back in if you need to support IE6 (or older) clients
 		###################
-		ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
+		ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 
 		###################
 		# this list is basically a manually-defined, filtered/reordered list
@@ -140,21 +100,22 @@ http {
 		ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDH-RSA-AES256-SHA:ECDH-RSA-AES128-SHA:AES128-SHA:DES-CBC3-SHA;
 		ssl_prefer_server_ciphers on;
 
-		root /home/ubuntu/html;
+		root /home/ubuntu/html; # TODO
 		index index.html index.htm;
 		charset utf-8;
 	}
 	#####
-	# server redirects
+	# domain name redirect virtualhost
 	#####
 	server {
-		# Redirect HTTP access to the HTTPS instance.	
+		# Redirect HTTP access to the HTTPS instance.
 
 		listen 80;
-		server_name securedrop.example.com;
-		rewrite ^/(.*) https://securedrop.example.com/$1 permanent;
+		server_name securedrop.example.com; # TODO
+		rewrite ^/(.*) https://securedrop.example.com/$1 permanent; # TODO
+
+		add_header "Strict-Transport-Security" "max-age=31536000";
 
-		add_header "Strict-Transport-Security" "max-age=86400";
 		add_header "Cache-Control" "max-age=0, no-cache, no-store, must-revalidate";
 		add_header "Pragma" "no-cache";
 		add_header "Expires" "-1";
@@ -165,14 +126,19 @@ http {
 		add_header "X-Permitted-Cross-Domain-Policies" "master-only";
 		add_header "Content-Security-Policy" "default-src 'self'";
 		add_header "X-Content-Security-Policy" "default-src 'self'";
+		server_tokens off;
 	}
+	#####
+	# other virtualhosts
+	#####
 	server {
 		# Redirect any other plain HTTP access to this server. (Same as above, but
 		# without the Strict-Transport-Security header.)
 
 		listen 80;
-		server_name 127.0.0.1 123.123.123.123; # add other IPs for this box here
-		rewrite ^/(.*) https://securedrop.example.com/$1 permanent;
+    # List ALL IPs/hostnames that can get to this machine.
+		server_name 127.0.0.1 123.123.123.123; # TODO
+		rewrite ^/(.*) https://securedrop.example.com/$1 permanent; # TODO
 
 		add_header "Cache-Control" "max-age=0, no-cache, no-store, must-revalidate";
 		add_header "Pragma" "no-cache";
@@ -184,5 +150,6 @@ http {
 		add_header "X-Permitted-Cross-Domain-Policies" "master-only";
 		add_header "Content-Security-Policy" "default-src 'self'";
 		add_header "X-Content-Security-Policy" "default-src 'self'";
+		server_tokens off;
 	}
-}
+}
diff --git a/nginx.conf b/nginx.conf
@@ -91,11 +91,11 @@ http {
 		add_header "Pragma" "no-cache";
 		add_header "Expires" "-1";
 		add_header "X-Frame-Options" "DENY";
-		add_header "X-XSS-Protection" "1; mode-block";
+		add_header "X-XSS-Protection" "1; mode=block";
 		add_header "X-Content-Type-Options" "nosniff";
 		add_header "X-Download-Options" "noopen";
 		add_header "X-Permitted-Cross-Domain-Policies" "master-only";
-		add_header "Content-Security-Policy" "default-rsc 'self'";
+		add_header "Content-Security-Policy" "default-src 'self'";
 		add_header "X-Content-Security-Policy" "default-src 'self'";
 		server_tokens off;
 
@@ -159,7 +159,7 @@ http {
 		add_header "Pragma" "no-cache";
 		add_header "Expires" "-1";
 		add_header "X-Frame-Options" "DENY";
-		add_header "X-XSS-Protection" "1; mode-block";
+		add_header "X-XSS-Protection" "1; mode=block";
 		add_header "X-Content-Type-Options" "nosniff";
 		add_header "X-Download-Options" "noopen";
 		add_header "X-Permitted-Cross-Domain-Policies" "master-only";
@@ -178,7 +178,7 @@ http {
 		add_header "Pragma" "no-cache";
 		add_header "Expires" "-1";
 		add_header "X-Frame-Options" "DENY";
-		add_header "X-XSS-Protection" "1; mode-block";
+		add_header "X-XSS-Protection" "1; mode=block";
 		add_header "X-Content-Type-Options" "nosniff";
 		add_header "X-Download-Options" "noopen";
 		add_header "X-Permitted-Cross-Domain-Policies" "master-only";

diff --git a/nginx.conf b/nginx.conf
@@ -1,6 +1,9 @@
 # This configuration file is provided on an "as is" basis,
 # with no warranties or representations, and any use of it
 # is at the user's own risk.
+#
+# You will need to edit domain name information, IP addresses for redirection (at the bottom),
+# SSL certificate and key paths, and the "Public-Key-Pins" header.
 
 user www-data;
 worker_processes 4;
@@ -99,8 +102,10 @@ http {
 		ssl on;
 		ssl_session_cache shared:SSL:5m;
 		ssl_session_timeout 5m;
-		ssl_certificate /path/to/ssl_certificate.crt;
+		ssl_stapling on;
 		ssl_certificate_key /path/to/ssl_certificate.key;
+		ssl_certificate /path/to/ssl_certificate.crt;
+		#ssl_trusted_certificate /path/to/ssl_certificate.crt; # if "ssl_certificate.crt" does not contain CA intermediate certificates as well as your certificate
 
 		###################
 		# Disable SSLv2 by not including it in this list.
@@ -135,9 +140,6 @@ http {
 		ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDH-RSA-AES256-SHA:ECDH-RSA-AES128-SHA:AES128-SHA:DES-CBC3-SHA;
 		ssl_prefer_server_ciphers on;
 
-		ssl_stapling on;
-		ssl_trusted_certificate /path/to/ssl_certificate.crt;
-
 		root /home/ubuntu/html;
 		index index.html index.htm;
 		charset utf-8;
@@ -146,10 +148,12 @@ http {
 	# server redirects
 	#####
 	server {
+		# Redirect HTTP access to the HTTPS instance.	
+
 		listen 80;
 		server_name securedrop.example.com;
 		rewrite ^/(.*) https://securedrop.example.com/$1 permanent;
-		
+
 		add_header "Strict-Transport-Security" "max-age=86400";
 		add_header "Cache-Control" "max-age=0, no-cache, no-store, must-revalidate";
 		add_header "Pragma" "no-cache";
@@ -163,8 +167,22 @@ http {
 		add_header "X-Content-Security-Policy" "default-src 'self'";
 	}
 	server {
+		# Redirect any other plain HTTP access to this server. (Same as above, but
+		# without the Strict-Transport-Security header.)
+
 		listen 80;
 		server_name 127.0.0.1 123.123.123.123; # add other IPs for this box here
 		rewrite ^/(.*) https://securedrop.example.com/$1 permanent;
+
+		add_header "Cache-Control" "max-age=0, no-cache, no-store, must-revalidate";
+		add_header "Pragma" "no-cache";
+		add_header "Expires" "-1";
+		add_header "X-Frame-Options" "DENY";
+		add_header "X-XSS-Protection" "1; mode-block";
+		add_header "X-Content-Type-Options" "nosniff";
+		add_header "X-Download-Options" "noopen";
+		add_header "X-Permitted-Cross-Domain-Policies" "master-only";
+		add_header "Content-Security-Policy" "default-src 'self'";
+		add_header "X-Content-Security-Policy" "default-src 'self'";
 	}
 }
diff --git a/nginx.conf b/nginx.conf
@@ -90,10 +90,10 @@ http {
 		add_header "X-Frame-Options" "DENY";
 		add_header "X-XSS-Protection" "1; mode-block";
 		add_header "X-Content-Type-Options" "nosniff";
-		add_header "X-Content-Security-Policy" "default-src 'self'";
 		add_header "X-Download-Options" "noopen";
 		add_header "X-Permitted-Cross-Domain-Policies" "master-only";
-		add_header "Content-Security-Policy" "default-rsc 'self'";	
+		add_header "Content-Security-Policy" "default-rsc 'self'";
+		add_header "X-Content-Security-Policy" "default-src 'self'";
 		server_tokens off;
 
 		ssl on;
@@ -149,17 +149,18 @@ http {
 		listen 80;
 		server_name securedrop.example.com;
 		rewrite ^/(.*) https://securedrop.example.com/$1 permanent;
+
 		add_header "Strict-Transport-Security" "max-age=86400";
 		add_header "Cache-Control" "max-age=0, no-cache, no-store, must-revalidate";
 		add_header "Pragma" "no-cache";
 		add_header "Expires" "-1";
 		add_header "X-Frame-Options" "DENY";
 		add_header "X-XSS-Protection" "1; mode-block";
 		add_header "X-Content-Type-Options" "nosniff";
-		add_header "X-Content-Security-Policy" "default-src 'self'";
 		add_header "X-Download-Options" "noopen";
 		add_header "X-Permitted-Cross-Domain-Policies" "master-only";
-		add_header "Content-Security-Policy" "default-src 'self'";		
+		add_header "Content-Security-Policy" "default-src 'self'";
+		add_header "X-Content-Security-Policy" "default-src 'self'";
 	}
 	server {
 		listen 80;

diff --git a/nginx.conf b/nginx.conf
@@ -78,9 +78,12 @@ http {
 		server_name securedrop.example.com;
 
 		add_header "Strict-Transport-Security" "max-age=86400";
+
+		# SEE THESE LINKS REGARDING HOW TO CONFIGURE THIS HEADER
 		# http://tools.ietf.org/html/draft-ietf-websec-key-pinning-09
 		# http://blog.stalkr.net/2011/08/hsts-preloading-public-key-pinning-and.html
-		add_header "Public-Key-Pins" "max-age=86400; SSL_CERT_HASHES_HERE";
+		add_header "Public-Key-Pins" "TODO";
+
 		add_header "Cache-Control" "max-age=0, no-cache, no-store, must-revalidate";
 		add_header "Pragma" "no-cache";
 		add_header "Expires" "-1";
@@ -96,8 +99,8 @@ http {
 		ssl on;
 		ssl_session_cache shared:SSL:5m;
 		ssl_session_timeout 5m;
-		ssl_certificate SSL_CERTIFICATE_HERE;
-		ssl_certificate_key SSL_KEY_HERE;
+		ssl_certificate /path/to/ssl_certificate.crt;
+		ssl_certificate_key /path/to/ssl_certificate.key;
 
 		###################
 		# Disable SSLv2 by not including it in this list.
@@ -133,7 +136,7 @@ http {
 		ssl_prefer_server_ciphers on;
 
 		ssl_stapling on;
-		ssl_trusted_certificate SSL_CERTIFICATE_HERE;
+		ssl_trusted_certificate /path/to/ssl_certificate.crt;
 
 		root /home/ubuntu/html;
 		index index.html index.htm;

diff --git a/nginx.conf b/nginx.conf
@@ -1,3 +1,7 @@
+# This configuration file is provided on an "as is" basis,
+# with no warranties or representations, and any use of it
+# is at the user's own risk.
+
 user www-data;
 worker_processes 4;
 pid /run/nginx.pid;
@@ -71,14 +75,13 @@ http {
 	#####
 	server {
 		listen 443 ssl;
-		server_name securedrop.propublica.org;
+		server_name securedrop.example.com;
 
 		add_header "Strict-Transport-Security" "max-age=86400";
 		# http://tools.ietf.org/html/draft-ietf-websec-key-pinning-09
 		# http://blog.stalkr.net/2011/08/hsts-preloading-public-key-pinning-and.html
-		add_header "Public-Key-Pins" "max-age=86400; pin-sha256=rhdxr9/utGWqudj8bNbG3sEcyMYn5wspiI5mZWkHE8A=; pin-sha256=lT09gPUeQfbYrlxRtpsHrjDblj9Rpz+u7ajfCrg4qDM=";
+		add_header "Public-Key-Pins" "max-age=86400; SSL_CERT_HASHES_HERE";
 		add_header "Cache-Control" "max-age=0, no-cache, no-store, must-revalidate";
-		#add_header "Set-Cookie" "^(.*)$ $;HttpOnly";
 		add_header "Pragma" "no-cache";
 		add_header "Expires" "-1";
 		add_header "X-Frame-Options" "DENY";
@@ -141,11 +144,10 @@ http {
 	#####
 	server {
 		listen 80;
-		server_name securedrop.propublica.org;
-		rewrite ^/(.*) https://securedrop.propublica.org/$1 permanent;
+		server_name securedrop.example.com;
+		rewrite ^/(.*) https://securedrop.example.com/$1 permanent;
 		add_header "Strict-Transport-Security" "max-age=86400";
 		add_header "Cache-Control" "max-age=0, no-cache, no-store, must-revalidate";
-		add_header "Set-Cookie" "^(.*)$ $;HttpOnly";
 		add_header "Pragma" "no-cache";
 		add_header "Expires" "-1";
 		add_header "X-Frame-Options" "DENY";
@@ -158,7 +160,7 @@ http {
 	}
 	server {
 		listen 80;
-		server_name 127.0.0.1 54.235.104.68; # add other IPs for this box here
-		rewrite ^/(.*) https://securedrop.propublica.org/$1 permanent;
+		server_name 127.0.0.1 123.123.123.123; # add other IPs for this box here
+		rewrite ^/(.*) https://securedrop.example.com/$1 permanent;
 	}
 }
diff --git a/nginx.conf b/nginx.conf
@@ -29,8 +29,8 @@ http {
 	# Logging Settings
 	##
 
-	access_log /var/log/nginx/access.log;
-	error_log /var/log/nginx/error.log;
+	access_log off;
+	error_log off;
 
 	##
 	# Gzip Settings

diff --git a/nginx.conf b/nginx.conf
@@ -91,6 +91,8 @@ http {
 		server_tokens off;
 
 		ssl on;
+		ssl_session_cache shared:SSL:5m;
+		ssl_session_timeout 5m;
 		ssl_certificate SSL_CERTIFICATE_HERE;
 		ssl_certificate_key SSL_KEY_HERE;
 

diff --git a/nginx.conf b/nginx.conf
@@ -156,7 +156,7 @@ http {
 	}
 	server {
 		listen 80;
-		server_name 127.0.0.1; #add other public facing IPs here
+		server_name 127.0.0.1 54.235.104.68; # add other IPs for this box here
 		rewrite ^/(.*) https://securedrop.propublica.org/$1 permanent;
 	}
 }
diff --git a/nginx.conf b/nginx.conf
@@ -74,6 +74,8 @@ http {
 		server_name securedrop.propublica.org;
 
 		add_header "Strict-Transport-Security" "max-age=86400";
+		# http://tools.ietf.org/html/draft-ietf-websec-key-pinning-09
+		# http://blog.stalkr.net/2011/08/hsts-preloading-public-key-pinning-and.html
 		add_header "Public-Key-Pins" "max-age=86400; pin-sha256=rhdxr9/utGWqudj8bNbG3sEcyMYn5wspiI5mZWkHE8A=; pin-sha256=lT09gPUeQfbYrlxRtpsHrjDblj9Rpz+u7ajfCrg4qDM=";
 		add_header "Cache-Control" "max-age=0, no-cache, no-store, must-revalidate";
 		#add_header "Set-Cookie" "^(.*)$ $;HttpOnly";
@@ -86,6 +88,7 @@ http {
 		add_header "X-Download-Options" "noopen";
 		add_header "X-Permitted-Cross-Domain-Policies" "master-only";
 		add_header "Content-Security-Policy" "default-rsc 'self'";	
+		server_tokens off;
 
 		ssl on;
 		ssl_certificate SSL_CERTIFICATE_HERE;
@@ -129,6 +132,7 @@ http {
 
 		root /home/ubuntu/html;
 		index index.html index.htm;
+		charset utf-8;
 	}
 	#####
 	# server redirects
@@ -155,4 +159,4 @@ http {
 		server_name 127.0.0.1; #add other public facing IPs here
 		rewrite ^/(.*) https://securedrop.propublica.org/$1 permanent;
 	}
-}
+}
diff --git a/nginx.conf b/nginx.conf
@@ -0,0 +1,158 @@
+user www-data;
+worker_processes 4;
+pid /run/nginx.pid;
+
+events {
+	worker_connections 768;
+	# multi_accept on;
+}
+
+http {
+
+	##
+	# Basic Settings
+	##
+
+	sendfile on;
+	tcp_nopush on;
+	tcp_nodelay on;
+	keepalive_timeout 65;
+	types_hash_max_size 2048;
+	# server_tokens off;
+
+	# server_names_hash_bucket_size 64;
+	# server_name_in_redirect off;
+
+	include /etc/nginx/mime.types;
+	default_type application/octet-stream;
+	##
+	# Logging Settings
+	##
+
+	access_log /var/log/nginx/access.log;
+	error_log /var/log/nginx/error.log;
+
+	##
+	# Gzip Settings
+	##
+
+	gzip on;
+	gzip_disable "msie6";
+
+	# gzip_vary on;
+	# gzip_proxied any;
+	# gzip_comp_level 6;
+	# gzip_buffers 16 8k;
+	# gzip_http_version 1.1;
+	# gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
+
+	##
+	# nginx-naxsi config
+	##
+	# Uncomment it if you installed nginx-naxsi
+	##
+
+	#include /etc/nginx/naxsi_core.rules;
+
+	##
+	# nginx-passenger config
+	##
+	# Uncomment it if you installed nginx-passenger
+	##
+
+	#passenger_root /usr;
+	#passenger_ruby /usr/bin/ruby;
+
+	##
+	# Virtual Host Configs
+	##
+	#####
+	# main
+	#####
+	server {
+		listen 443 ssl;
+		server_name securedrop.propublica.org;
+
+		add_header "Strict-Transport-Security" "max-age=86400";
+		add_header "Public-Key-Pins" "max-age=86400; pin-sha256=rhdxr9/utGWqudj8bNbG3sEcyMYn5wspiI5mZWkHE8A=; pin-sha256=lT09gPUeQfbYrlxRtpsHrjDblj9Rpz+u7ajfCrg4qDM=";
+		add_header "Cache-Control" "max-age=0, no-cache, no-store, must-revalidate";
+		#add_header "Set-Cookie" "^(.*)$ $;HttpOnly";
+		add_header "Pragma" "no-cache";
+		add_header "Expires" "-1";
+		add_header "X-Frame-Options" "DENY";
+		add_header "X-XSS-Protection" "1; mode-block";
+		add_header "X-Content-Type-Options" "nosniff";
+		add_header "X-Content-Security-Policy" "default-src 'self'";
+		add_header "X-Download-Options" "noopen";
+		add_header "X-Permitted-Cross-Domain-Policies" "master-only";
+		add_header "Content-Security-Policy" "default-rsc 'self'";	
+
+		ssl on;
+		ssl_certificate SSL_CERTIFICATE_HERE;
+		ssl_certificate_key SSL_KEY_HERE;
+
+		###################
+		# Disable SSLv2 by not including it in this list.
+		# Can remove SSLv3 if you don't need to support IE6 (or older) clients
+		###################
+		ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
+
+		###################
+		# this list is basically a manually-defined, filtered/reordered list
+		# based on the recommendations from:
+		#   https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
+		#   http://unhandledexpression.com/2013/01/25/5-easy-tips-to-accelerate-ssl/
+		#
+		# Modifications include removing ECDSA, disabling almost all non-ephemeral
+		# key exchange ciphersuites to strongly prefer perfect forward secrecy
+		# (and only leave alternative as a fallback), removing fallbacks that
+		# wouldn't realistically happen in real browsers.
+		#
+		# We end up with a list of 12 ciphersuites: 4 TLS 1.2 ciphersuites, 4
+		# fallbacks with PFS, then 4 weaker fallbacks for compatibility.
+		# The low number of suites improves TLS handshake speed.
+		#
+		# Expanded list: https://gist.github.com/mtigas/8591092/raw/gistfile1.txt
+		#
+		# If you don't need to support IE WinXP (or older) clients you can remove
+		# the weak fallbacks after DHE-RSA-AES128-SHA to force PFS ciphersuites
+		# for all clients and protect against downgrade attacks.
+		#
+		# For performance, AES256 ciphersuites can be removed, too. (Leaves 4 or 7
+		# ciphersuites.)
+		###################
+		ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDH-RSA-AES256-SHA:ECDH-RSA-AES128-SHA:AES128-SHA:DES-CBC3-SHA;
+		ssl_prefer_server_ciphers on;
+
+		ssl_stapling on;
+		ssl_trusted_certificate SSL_CERTIFICATE_HERE;
+
+		root /home/ubuntu/html;
+		index index.html index.htm;
+	}
+	#####
+	# server redirects
+	#####
+	server {
+		listen 80;
+		server_name securedrop.propublica.org;
+		rewrite ^/(.*) https://securedrop.propublica.org/$1 permanent;
+		add_header "Strict-Transport-Security" "max-age=86400";
+		add_header "Cache-Control" "max-age=0, no-cache, no-store, must-revalidate";
+		add_header "Set-Cookie" "^(.*)$ $;HttpOnly";
+		add_header "Pragma" "no-cache";
+		add_header "Expires" "-1";
+		add_header "X-Frame-Options" "DENY";
+		add_header "X-XSS-Protection" "1; mode-block";
+		add_header "X-Content-Type-Options" "nosniff";
+		add_header "X-Content-Security-Policy" "default-src 'self'";
+		add_header "X-Download-Options" "noopen";
+		add_header "X-Permitted-Cross-Domain-Policies" "master-only";
+		add_header "Content-Security-Policy" "default-src 'self'";		
+	}
+	server {
+		listen 80;
+		server_name 127.0.0.1; #add other public facing IPs here
+		rewrite ^/(.*) https://securedrop.propublica.org/$1 permanent;
+	}
+}
No results found