From 62df8cc1f0787e60e9c697c7d2499a641af2147f Mon Sep 17 00:00:00 2001
From: Rigel Kent
Date: Tue, 3 Mar 2020 11:40:45 +0100
Subject: [PATCH] Reword HSTS configuration to warn user of nginx's add_header shortcomings
---
 support/nginx/peertube | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/support/nginx/peertube b/support/nginx/peertube
index 50d3a919f..14e60ed7d 100644
--- a/support/nginx/peertube
+++ b/support/nginx/peertube
@@ -33,6 +33,8 @@ server {
 ssl_session_tickets off; # Requires nginx >= 1.5.9
 ssl_stapling on; # Requires nginx >= 1.3.7
 ssl_stapling_verify on; # Requires nginx => 1.3.7
+ # HSTS (https://hstspreload.org), requires to be copied in 'location' sections that have add_header directives
+ #add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
 # Configure with your resolvers
 # resolver $DNS-IP-1 $DNS-IP-2 valid=300s;
@@ -49,12 +51,6 @@ server {
 # See https://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_temp_path
 # client_body_temp_path /var/www/peertube/storage/nginx/;
- # Enable HSTS
- # Tells browsers to stick with HTTPS and never visit the insecure HTTP
- # version. Once a browser sees this header, it will only visit the site over
- # HTTPS for the next 2 years: (read more on hstspreload.org)
- #add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
-
 access_log /var/log/nginx/peertube.example.com.access.log;
 error_log /var/log/nginx/peertube.example.com.error.log;
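Review bot: The relocated `#add_header Strict-Transport-Security ...` line in the first hunk has no `always` parameter, so once uncommented nginx would attach the header only to the success and redirect codes add_header covers by default and not to 4xx/5xx responses; I would ship it as `#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;` with a note that `always` needs nginx >= 1.7.5. The new comment is also harder to follow than the text the second hunk removes, and could read `# HSTS (https://hstspreload.org): a 'location' that sets its own add_header does not inherit this one, so repeat the line there`. It would help to keep one line saying that the two-year max-age with includeSubDomains binds every subdomain to HTTPS and is hard to undo once browsers have cached it. The server block starts and ends outside the hunk, so which locations already carry add_header directives cannot be checked from here.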