SSL vhost stuff
Ode To My Family #comic #sysadmin #linux #development #CloudComputing https://t.co/hu0A3odXn2 pic.twitter.com/RiawlwbyzA
— turnoff.us (@turnoff_us) March 9, 2017
Not that I can fix any of those either.
I set up SSL with Let's Encrypt for an experiment yesterday, following a handy guide on the FreeBSD wiki. The guide suggested this Mozilla tool for generating server configs with good parameters.
With the tool I was only able to hit an A rating on the ssllabs testing site; the A+ rating was annoyingly elusive. I am using nginx as a vhost for a Go web service, and for HSTS a header has to be appended to the response. The config from Mozilla does this for nginx like this:
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security max-age=15768000;
But the hosted application has control over the response headers, and nginx's add_header only adds a header to responses with certain success and redirect status codes, so an error page from the application would go out without HSTS. nginx can be configured to always set the header with the always flag:
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security "max-age=15768000" always;
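As an added example (not from the original post or from nginx itself), the small checker below models nginx's add_header status-code rule and verifies the Strict-Transport-Security header on a set of constructed responses, so the difference the always flag makes on a 404 is visible; the status-code list is the one from the ngx_http_headers_module documentation, the responses are constructed here.

```python
import re

# Status codes for which nginx applies add_header WITHOUT the `always`
# flag (list from the ngx_http_headers_module documentation).
NGINX_ADD_HEADER_CODES = {200, 201, 204, 206, 301, 302, 303, 304, 307, 308}
SIX_MONTHS = 15768000  # the max-age used in the post's config


def nginx_emits_header(status: int, always: bool) -> bool:
    """Model whether nginx's add_header fires for a response status."""
    return always or status in NGINX_ADD_HEADER_CODES


def parse_hsts(value: str) -> dict:
    """Split a Strict-Transport-Security value into lower-cased directives."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def check_hsts(headers: dict, min_age: int = SIX_MONTHS) -> list:
    """Return the problems found in one response's headers ([] if fine)."""
    # Header names are case-insensitive, so normalise before the lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get("strict-transport-security")
    if value is None:
        return ["missing Strict-Transport-Security header"]
    age = parse_hsts(value).get("max-age", "")
    if not re.fullmatch(r"\d+", age):
        return ["max-age missing or not an integer"]
    if int(age) < min_age:
        return [f"max-age {age} below {min_age}"]
    return []


def simulate_vhost(statuses, always: bool) -> dict:
    """Constructed responses from the vhost, keyed by status code, so the
    effect of the `always` flag on error pages is visible."""
    results = {}
    for status in statuses:
        headers = {"Content-Type": "text/html"}  # what the app itself sends
        if nginx_emits_header(status, always):
            headers["Strict-Transport-Security"] = f"max-age={SIX_MONTHS}"
        results[status] = check_hsts(headers)
    return results
```

check_hsts works unchanged on headers captured from a live host (for example a requests response's headers), which is the check to run against both a 200 and a 404 URL after reloading nginx.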
Reading: Gun Machine, The Difference Engine