added http public key pinning config file for LE and CF

NginxRocks · Apr 1, 2018 · cb3b8bd · cb3b8bd
1 parent aff937f
commit cb3b8bd
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 2 deletions.
diff --git a/global/logging.conf b/global/logging.conf
@@ -2,8 +2,8 @@
 server_tokens off;
 
 # Set the logging to log more of everything
-#log_format combin3d '$http_x_forwarded_for - $remote_user [$time_local] "$host" "$request" '
-log_format combin3d '$remote_addr - $user [$time_local] "$host" "$request" '
+#log_format combin3d '$remote_addr - $user [$time_local] "$host" "$request" '
+log_format combin3d '$http_x_forwarded_for - $remote_user [$time_local] "$host" "$request" '
                     '$status $body_bytes_sent "$http_referer" '
                     '"$http_user_agent" $request_time';
 access_log /var/log/nginx/access.log combin3d;

diff --git a/include/hpkp.conf b/include/hpkp.conf
@@ -0,0 +1,19 @@
+# Chain 1 - Cloudflare
+#	PKP hash for sni68126.cloudflaressl.com: pin-sha256="XCZYTyuFtPOFt/AqwUao7BEMfrBt0zDZYEJD5wAcK3w="
+#	PKP hash for COMODO ECC Domain Validation Secure Server CA 2: pin-sha256="x9SZw6TwIqfmvrLZ/kz1o0Ossjmn728BnBKpUFqGNVM="
+# *	PKP hash for COMODO ECC Certification Authority: pin-sha256="58qRu/uxh4gFezqAcERupSkRYBlBAvfcw7mEjGPLnNU="
+#	PKP hash for AddTrust External CA Root: pin-sha256="lCppFqbkrlJ3EcVFAkeip0+44VaoJUymbnOaEUk7tEU="
+
+# Chain 2 - Lets Encrypt:
+#	PKP hash for www.myawesomewebsite.example: pin-sha256="NyCA7M99ZkTZQTR0wdiqCFP2VYezUa2jTBI7EezjV64="
+# *	PKP hash for Let's Encrypt Authority X3: pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="
+#	PKP hash for DST Root CA X3: pin-sha256="Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys="
+
+# Calculated HPKP header should be:
+#	add_header Public-Key-Pins 
+#	pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=";	- Lets Encrypt
+#	pin-sha256="58qRu/uxh4gFezqAcERupSkRYBlBAvfcw7mEjGPLnNU=";	- Cloudflare
+#	max-age=15552000; includeSubDomains; report-uri="https://secureobscure.report-uri.io/r/default/hpkp/enforce"';
+
+# Compressed into one line:
+add_header Public-Key-Pins 'pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="; pin-sha256="58qRu/uxh4gFezqAcERupSkRYBlBAvfcw7mEjGPLnNU="; max-age=15552000; includeSubDomains;"' always;