From cb3b8bdc9b79ae4da262a4eb8a496177e80e9d7b Mon Sep 17 00:00:00 2001
From: metaclassing
Date: Sun, 1 Apr 2018 10:28:39 -0500
Subject: [PATCH] added http public key pinning config file for LE and CF
---
global/logging.conf | 4 ++--
include/hpkp.conf | 19 +++++++++++++++++++
2 files changed, 21 insertions(+), 2 deletions(-)
create mode 100755 include/hpkp.conf
diff --git a/global/logging.conf b/global/logging.conf
index 0b89ccf..1c77187 100644
--- a/global/logging.conf
+++ b/global/logging.conf
@@ -2,8 +2,8 @@ server_tokens off;
 # Set the logging to log more of everything
-#log_format combin3d '$http_x_forwarded_for - $remote_user [$time_local] "$host" "$request" '
-log_format combin3d '$remote_addr - $user [$time_local] "$host" "$request" '
+#log_format combin3d '$remote_addr - $user [$time_local] "$host" "$request" '
+log_format combin3d '$http_x_forwarded_for - $remote_user [$time_local] "$host" "$request" '
 '$status $body_bytes_sent "$http_referer" '
 '"$http_user_agent" $request_time';
 access_log /var/log/nginx/access.log combin3d;
diff --git a/include/hpkp.conf b/include/hpkp.conf
new file mode 100755
index 0000000..475f55d
--- /dev/null
+++ b/include/hpkp.conf
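Review bot: The new `log_format` line replaces `$remote_addr` with `$http_x_forwarded_for`, so the address written to access.log is copied verbatim from a request header that any client can supply; it only reflects the real client when nginx is reachable exclusively through a trusted proxy (the Cloudflare pins added in hpkp.conf suggest that is the intent), and even then the header is a comma-separated list in which only the entry appended by that proxy can be relied on. Keeping the peer address alongside it preserves the evidence needed to tell the two apart, at the cost of one extra field for any log parser: `log_format combin3d '$remote_addr $http_x_forwarded_for - $remote_user [$time_local] "$host" "$request" '`. The realip module (`set_real_ip_from` for the proxy ranges plus `real_ip_header X-Forwarded-For`) is the alternative that makes `$remote_addr` itself trustworthy for connections that actually arrive from those ranges, and it would let the format stay as it was.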
@@ -0,0 +1,19 @@
+# Chain 1 - Cloudflare
+# PKP hash for sni68126.cloudflaressl.com: pin-sha256="XCZYTyuFtPOFt/AqwUao7BEMfrBt0zDZYEJD5wAcK3w="
+# PKP hash for COMODO ECC Domain Validation Secure Server CA 2: pin-sha256="x9SZw6TwIqfmvrLZ/kz1o0Ossjmn728BnBKpUFqGNVM="
+# * PKP hash for COMODO ECC Certification Authority: pin-sha256="58qRu/uxh4gFezqAcERupSkRYBlBAvfcw7mEjGPLnNU="
+# PKP hash for AddTrust External CA Root: pin-sha256="lCppFqbkrlJ3EcVFAkeip0+44VaoJUymbnOaEUk7tEU="
+
+# Chain 2 - Lets Encrypt:
+# PKP hash for www.myawesomewebsite.example: pin-sha256="NyCA7M99ZkTZQTR0wdiqCFP2VYezUa2jTBI7EezjV64="
+# * PKP hash for Let's Encrypt Authority X3: pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="
+# PKP hash for DST Root CA X3: pin-sha256="Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys="
+
+# Calculated HPKP header should be:
+# add_header Public-Key-Pins
+# pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="; - Lets Encrypt
+# pin-sha256="58qRu/uxh4gFezqAcERupSkRYBlBAvfcw7mEjGPLnNU="; - Cloudflare
+# max-age=15552000; includeSubDomains; report-uri="https://secureobscure.report-uri.io/r/default/hpkp/enforce"';
+
+# Compressed into one line:
+add_header Public-Key-Pins 'pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="; pin-sha256="58qRu/uxh4gFezqAcERupSkRYBlBAvfcw7mEjGPLnNU="; max-age=15552000; includeSubDomains;"' always;
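Review bot: The emitted header on the last added line ends with `includeSubDomains;"'`, so the stray `"` becomes part of the header value and a browser that rejects the malformed directive list may ignore the pins entirely, while the `report-uri` that the comment block above says the header should carry is missing from the one-line form. The line should read `add_header Public-Key-Pins 'pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="; pin-sha256="58qRu/uxh4gFezqAcERupSkRYBlBAvfcw7mEjGPLnNU="; max-age=15552000; includeSubDomains; report-uri="https://secureobscure.report-uri.io/r/default/hpkp/enforce"' always;`. Both pins are CA intermediates the site operator does not control, so a rotation by either CA combined with the 180-day max-age and includeSubDomains can lock returning clients out of every subdomain until the pins expire; RFC 7469's backup-pin rule is meant to be met with a key the operator holds offline, and rolling out through Public-Key-Pins-Report-Only with a short max-age first would surface such breakage before it is enforced. HPKP has since been deprecated and removed by the major browsers, which is worth recording in the file header so a future maintainer does not rely on it as an active control.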