From 63a4d69209a6d00efa65fdce34fb2a9ef6c96c7d Mon Sep 17 00:00:00 2001
From: "henry.chen" <henry.chen@trustaisa.com>
Date: Tue, 17 Jul 2018 10:32:54 +0800
Subject: [PATCH] nginx config: use Expect-CT repleace HPKP

---
 conf/nginx/domain/eiblog.conf | 30 +++++++++++++++++-------------
 1 file changed, 17 insertions(+), 13 deletions(-)

diff --git a/conf/nginx/domain/eiblog.conf b/conf/nginx/domain/eiblog.conf
index efb1d0d..016b736 100644
--- a/conf/nginx/domain/eiblog.conf
+++ b/conf/nginx/domain/eiblog.conf
@@ -6,20 +6,20 @@ server {
 
     access_log                   /data/eiblog/logdata/nginx.log;
 
-    # ip 黑名单
+    # IP黑名单.
     include                      /data/eiblog/conf/nginx/ip.blacklist;
 
-    # letsencrypt v2已内置
+    # letsencrypt v2已内置, 忽略.
     # https://imququ.com/post/certificate-transparency.html#toc-2
     #ssl_ct                       on;
     #ssl_ct_static_scts           /data/eiblog/conf/scts/rsa/;
     #ssl_ct_static_scts           /data/eiblog/conf/scts/ecc/;
 
-    # 中间证书 + 根证书
+    # 中间证书 + 根证书.
     # https://imququ.com/post/why-can-not-turn-on-ocsp-stapling.html
     ssl_trusted_certificate      /data/eiblog/conf/ssl/full_chained.pem;
 
-    # 站点证书 + 中间证书，私钥
+    # 站点证书 + 中间证书, 私钥.
     ssl_certificate              /data/eiblog/conf/ssl/domain.rsa.pem;
     ssl_certificate_key          /data/eiblog/conf/ssl/domain.rsa.key;
     # ssl_certificate              /data/eiblog/conf/ssl/domain.ecc.pem;
@@ -29,17 +29,17 @@ server {
     # https://weakdh.org/sysadmin.html
     ssl_dhparam                  /data/eiblog/conf/ssl/dhparams.pem;
 
+    # 单机部署可以不指定.
     # openssl rand 48 > session_ticket.key
-    # 单机部署可以不指定 ssl_session_ticket_key
     # ssl_session_ticket_key     /data/eiblog/conf/ssl/session_ticket.key;
 
+    ssl_prefer_server_ciphers    on;
     # https://github.com/cloudflare/sslconfig/blob/master/conf
     ssl_ciphers                  EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
 
-    # 如果启用了 RSA + ECDSA 双证书，Cipher Suite 可以参考以下配置：
+    # 如果启用 RSA + ECDSA 双证书, Cipher Suite 可以参考以下配置.
     # ssl_ciphers                 EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+ECDSA+AES128:EECDH+aRSA+AES128:RSA+AES128:EECDH+ECDSA+AES256:EECDH+aRSA+AES256:RSA+AES256:EECDH+ECDSA+3DES:EECDH+aRSA+3DES:RSA+3DES:!MD5;
 
-    ssl_prefer_server_ciphers    on;
     ssl_protocols                TLSv1 TLSv1.1 TLSv1.2;
     ssl_session_cache            shared:SSL:50m;
     ssl_session_timeout          1d;
@@ -48,6 +48,7 @@ server {
     # ssl stapling
     ssl_stapling                 on;
     ssl_stapling_verify          on;
+
     resolver                     114.114.114.114 8.8.8.8 valid=300s;
     resolver_timeout             10s;
 
@@ -59,7 +60,7 @@ server {
         rewrite                  ^/(.*)$  https://deepzz.com/$1 permanent;
     }
 
-    # webmaster 站点验证相关
+    # webmaster 站点验证相关.
     location ~* (google4c90d18e696bdcf8\.html|BingSiteAuth\.xml)$ {
         root                     /data/eiblog/static;
         expires                  1d;
@@ -70,7 +71,7 @@ server {
 
         add_header               Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
 
-        # deny 将完全不允许页面被嵌套，可能会导致一些异常。如果遇到这样的问题，建议改成 SAMEORIGIN
+        # deny 将完全不允许页面被嵌套，可能会导致一些异常。如果遇到这样的问题，建议改成 SAMEORIGIN.
         # https://imququ.com/post/web-security-and-response-header.html#toc-1
         add_header               X-Frame-Options deny;
         add_header               X-Powered-By eiblog/1.3.0;
@@ -78,7 +79,7 @@ server {
 
         proxy_set_header         Connection       "";
         proxy_set_header         Host             deepzz.com;
-        proxy_set_header         X-Real_IP        $remote_addr;
+        proxy_set_header         X-Real-IP        $remote_addr;
         proxy_set_header         X-Forwarded-For  $proxy_add_x_forwarded_for;
 
         proxy_pass               http://127.0.0.1:9000;
@@ -90,11 +91,14 @@ server {
         add_header               Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
         add_header               X-Frame-Options deny;
         add_header               X-Content-Type-Options nosniff;
-        # 改deepzz相关的
+        # 改deepzz相关的.
         add_header               Content-Security-Policy "default-src 'none'; script-src 'unsafe-inline' 'unsafe-eval' blob: https:; img-src data: https: https://st.deepzz.com; media-src https://st.deepzz.com; style-src 'unsafe-inline' https:; child-src https:; connect-src 'self' https://translate.googleapis.com; frame-src https://disqus.com https://www.slideshare.net";
-        # 中间证书证书指纹
+        # 中间证书证书指纹, chrome69 将忽略, 用 expect-ct 替代.
         # https://imququ.com/post/http-public-key-pinning.html
-        add_header               Public-Key-Pins 'pin-sha256="IiSbZ4pMDEyXvtl7Lg8K3FNmJcTAhKUTrB2FQOaAO/s="; pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="; max-age=2592000;';
+        #add_header               Public-Key-Pins 'pin-sha256="IiSbZ4pMDEyXvtl7Lg8K3FNmJcTAhKUTrB2FQOaAO/s="; pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="; max-age=2592000;';
+        # 期望 ct.
+        # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT
+        add_header               Expect-CT "max-age=180";
         add_header               Cache-Control no-cache;
         add_header               X-Via Aliyun.QingDao;
         add_header               X-XSS-Protection "1; mode=block";