SSL vhost stuff

Not that I can fix any of those either.


I set up SSL with Let's Encrypt for an experiment yesterday, following a handy guide on the FreeBSD wiki. The guide suggested this Mozilla tool for generating server configs with good parameters.

With the tool I was only able to hit an A rating on the SSL Labs testing site; the A+ rating was annoyingly elusive. I am using nginx as a vhost for a Go web service, and for HSTS a header has to be appended to the response. The config from Mozilla does this for nginx like this:

# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security max-age=15768000;

But the hosted application has control over the response headers. nginx can be configured to set the header on every response with the always flag:

# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security "max-age=15768000" always;
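To audit a config for the difference between the two directives above, here is an added example (not from the original post) that scans nginx configuration text for Strict-Transport-Security add_header lines and reports whether each would be sent for a given status code. The function names and the sample config are constructed for illustration, and directives split across several lines are not handled.

```python
import re
import shlex

# Without "always", nginx adds the field only to responses with these codes
# (ngx_http_headers_module documentation); 4xx/5xx error pages are excluded.
DEFAULT_CODES = {200, 201, 204, 206, 301, 302, 303, 304, 307, 308}

# Constructed sample config holding both directive forms from the post.
SAMPLE = """\
server {
    listen 443 ssl;
    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
    add_header Strict-Transport-Security max-age=15768000;
}
server {
    listen 443 ssl;
    add_header Strict-Transport-Security "max-age=15768000" always;
}
"""

def audit_hsts(conf_text):
    """Return one dict per single-line HSTS add_header directive."""
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        try:
            tokens = shlex.split(raw, comments=True)  # quotes and # comments
        except ValueError:
            continue  # unbalanced quote: not a directive this audit understands
        tokens = [t.rstrip(";") for t in tokens if t.rstrip(";")]
        if len(tokens) < 3 or tokens[0] != "add_header":
            continue
        if tokens[1].lower() != "strict-transport-security":
            continue
        m = re.search(r"max-age=(\d+)", tokens[2], re.IGNORECASE)
        findings.append({
            "line": line_no,
            "max_age": int(m.group(1)) if m else None,
            "always": "always" in tokens[3:],
        })
    return findings

def sent_with_status(finding, status):
    """True if nginx would attach this header to a response with `status`."""
    return finding["always"] or status in DEFAULT_CODES

if __name__ == "__main__":
    for f in audit_hsts(SAMPLE):
        gap = "" if sent_with_status(f, 404) else "  <- missing on error responses"
        print(f"line {f['line']}: max-age={f['max_age']} always={f['always']}{gap}")
```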

Reading: Gun Machine, The Difference Engine