Commit graph

73 commits

Author SHA1 Message Date
Akihiko Odaki
124598b206 Add dependencies for CLD3 (#235)
This reflects commit d5cabfe5c65ac29d2f9c151b46c01a9fd885a9e0 in mastodon
repository.
2017-05-10 15:46:17 +02:00
Isao Sugimoto
e97ec8f8ff more better instructions of debian jessie-backports (#232)
* more better instructions of debian jessie-backports

* minor fix
2017-05-09 09:10:10 -07:00
Ash Furrow
3ad0c4ab19 Updates for Docker documentation. See discussion in #136. (#214) 2017-05-09 10:12:02 +02:00
Darius Kazemi
03ee8bedfa Add a Debian 8 installation note (#223)
* Add a Debian 8 installation note

According to the conversation in f0a863feec, Debian 8 installs
an older version of nginx by default. This adds a note telling people
how to install a newer one.

* updating wording
2017-05-09 08:10:16 +02:00
Darius Kazemi
5b91212370 Merge pull request #204 from nolanlawson/fwenzel-patch-1
Add default CSP (take 2)
2017-05-08 11:16:49 -07:00
Nolan Lawson
8a57435b88 remove referrer-policy: strict-origin-when-cross-origin 2017-05-07 19:42:46 -07:00
Nolan Lawson
444beff404 remove unsafe-inline from script-src 2017-05-07 19:34:52 -07:00
Darius Kazemi
234175e30a Merge pull request #210 from tootsuite/Gargron-patch-1
Fix Node.js installation recommendation, also use 6.x
2017-05-07 10:15:22 -07:00
Eugen Rochko
50edeb67e2 Merge pull request #196 from kagucho/master
Use "sudo -u" instead of "sudo su"
2017-05-07 14:45:59 +02:00
Eugen Rochko
5d9994a4c2 Fix Node.js installation recommendation, also use 6.x 2017-05-06 04:38:01 +02:00
Isao Sugimoto
a3097c94e5 Instructions for installing on CentOS
related: #13
2017-05-05 04:33:04 +09:00
Nolan Lawson
5bd6d4de27 update image-src/media-src to be more lax 2017-05-03 22:39:33 -07:00
Akihiko Odaki
cab815878c Use "sudo -u" instead of "sudo su"
"sudo su" limits the capability of sudo to log the operations. -u option is
more straightforward and has better logging.
2017-05-03 11:02:55 +09:00
Nolan Lawson
718daad4a8 Add photos and avatars to static/immutable cache (#184) 2017-05-01 16:57:16 +02:00
Nolan Lawson
f0a863feec Recommend HTTP/2 in the nginx config (#178) 2017-05-01 16:35:16 +02:00
Bjarni Rúnar Einarsson
72ed10378f Avoid hard-coding ciphers into configuration (#171)
* Avoid hard-coding ciphers into configuration

This change allows OpenSSL to choose the most appropriate available cipher(s) from the HIGH cipher suite. This is sufficient to get an A on the SSLLabs.com tests suite. If MEDIUM is allowed as well, the grade drops to a B which is still more than adequate for most deployments.

This type of configuration would prevent problems such as the current inability of Tusky on Android 7 devices to connect to some Mastodon instances.

The main benefit though, is this delegates the decisions about which ciphers are "good" and which ciphers are "bad" to the experts; the distribution security teams and the OpenSSL developers. If a weakness is found in a particular cipher it will get moved from HIGH to one of the lower classes (or removed entirely) and this will get deployed just like any other security update. Similarly, if new stronger ciphers are standardized (such as Curve 25519) - these will immediately become available without needing to change the configuration.

Hope this helps!

Note: I have not been able to test this change with Mastodon myself. I am using these settings in production elsewhere though, and they work quite well. Alternately, if people don't want to trust the OpenSSL definitions, please consider taking a look at https://wiki.mozilla.org/Security/Server_Side_TLS and implementing the recommendations from there.

* Also avoid SHA1

As requested during review. :)

* Fix a typo in the ssl_ciphers line

I wrote !SHA1, should have written just !SHA. Very sorry about the noise.
2017-04-27 22:25:39 +02:00
wxcafé
938575a679 Revert "Avoid hard-coding ciphers into configuration (#122)" (#170)
This reverts commit fc79d23ad0.
2017-04-27 22:15:37 +02:00
Bjarni Rúnar Einarsson
fc79d23ad0 Avoid hard-coding ciphers into configuration (#122)
* Avoid hard-coding ciphers into configuration

This change allows OpenSSL to choose the most appropriate available cipher(s) from the HIGH cipher suite. This is sufficient to get an A on the SSLLabs.com tests suite. If MEDIUM is allowed as well, the grade drops to a B which is still more than adequate for most deployments.

This type of configuration would prevent problems such as the current inability of Tusky on Android 7 devices to connect to some Mastodon instances.

The main benefit though, is this delegates the decisions about which ciphers are "good" and which ciphers are "bad" to the experts; the distribution security teams and the OpenSSL developers. If a weakness is found in a particular cipher it will get moved from HIGH to one of the lower classes (or removed entirely) and this will get deployed just like any other security update. Similarly, if new stronger ciphers are standardized (such as Curve 25519) - these will immediately become available without needing to change the configuration.

Hope this helps!

Note: I have not been able to test this change with Mastodon myself. I am using these settings in production elsewhere though, and they work quite well. Alternately, if people don't want to trust the OpenSSL definitions, please consider taking a look at https://wiki.mozilla.org/Security/Server_Side_TLS and implementing the recommendations from there.

* Also avoid SHA1

As requested during review. :)
2017-04-27 22:13:27 +02:00
178inaba
fbb0f346c3 Add yarn install option 2017-04-24 22:21:23 +09:00
Eugen
645fd80eff Merge pull request #134 from zorun/letsencrypt
Production guide: add support for let's encrypt in the nginx config
2017-04-23 06:00:14 +02:00
Nolan Lawson
8bc1fd2194 only add cache-control, remove comment 2017-04-22 17:09:39 -07:00
Nolan Lawson
32f4c5319f add nginx config for static assets 2017-04-22 16:19:53 -07:00
Baptiste Jonglez
a8d244ad42 Production guide: add support for let's encrypt in the nginx config
This notably fixes potential issues like this one https://github.com/tootsuite/mastodon/issues/1665
2017-04-22 18:44:22 +02:00
Fred Wenzel
b98af5e96d Add default CSP
Add a default CSP that allows anything from the local domain, plus inline styles, data: URIs, and no framing.
2017-04-21 21:57:48 -07:00
cubefoo
553d04cf43 update nginx ssl config (#120)
To further increase security add a strong Diffie-Hellman group, which is standard practice when setting up ssl certs. Anyone who can setup letsencrypt can also setup a DH group.
2017-04-22 00:28:43 +02:00
Tachibana waita
509793419d add git fetch line to upgrade section (#110) 2017-04-20 20:06:21 +02:00
wxcafé
3c211890df Fixes update section 2017-04-20 02:17:52 +02:00
Sergiusz Bazański
95a6040458 Mention yarn install in production upgrade guide (#62) 2017-04-19 18:44:07 +02:00
Matt Jankowski
4b67a3574b Import from main repo README (#82)
* Add docker guide from main repo readme

* Add maintenance tasks doc to running section

* Clean up markdown in prod guide

* Move guidance to use tagged releases to docs

* Move local domain and host config to docs repo

* Title of page

* Update Production-guide.md
2017-04-18 16:32:47 +02:00
Florent Viel
1a82d42d76 fix typo (#86) 2017-04-18 16:14:20 +02:00
Erwan Leboucher
0b5cb11d08 Use the united command for daily task (#81)
commit of mastodon here e17f9d5e1a
2017-04-17 17:13:15 +02:00
Dolf RATTMANN
a893d018ba Prevent people from pulling master in production (#71) 2017-04-17 00:32:34 +02:00
wxcafé
eb32fc9738 Specifies to run the latest tagged release 2017-04-16 16:14:31 +02:00
Edwin Torres
e743a88870 Fixed grammatical error and incorrect icon filename (#45)
* Fixed grammatical error. 'Setup' should be 'set up' in two places

* Fixed incorrect filename for Follow icon
2017-04-15 01:10:09 +02:00
James Moore
3cfacecb6c moved things into alternatives.md 2017-04-14 15:53:38 -07:00
wxcafé
bdf7d53c9a Merge pull request #29 from jemus42/patch-1
Add info about already set HTTP headers
2017-04-14 02:07:34 +02:00
wxcafé
6e431d26de Removes duplicate HSTS directive 2017-04-14 02:03:03 +02:00
wxcafé
368d815e4d Removes the includeSubDomains directive from HSTS 2017-04-14 02:00:01 +02:00
wxcafé
f2814435d5 Merge branch 'master' into patch-2 2017-04-14 01:56:54 +02:00
wxcafé
5bbee7f69e Merge pull request #14 from datn/master
made pg_hba.conf addition with ident for Ubuntu 16.04
2017-04-14 01:53:07 +02:00
wxcafé
5c7a3ec16c Merge pull request #12 from staticsafe/master
Use 127.0.0.1 instead of localhost in Sidekiq proxy_pass.
2017-04-14 01:50:51 +02:00
Lukas Burk
dae0d21d57 Add info about already set HTTP headers
Intended to avoid setting duplicate HTTP headers which will cause issues with tools like Mozilla Observatory many people use to evaluate an instance's security.
2017-04-13 19:37:33 +02:00
wxcafé
d960311faa Merge pull request #23 from foozmeat/pr-cron
simplified the cronjob section
2017-04-13 19:30:43 +02:00
James Moore
b8cd7a99d4 removed weird dot characters 2017-04-13 10:28:57 -07:00
codl
0005b49faf example nginx: remove includeSubDomains from hsts 2017-04-13 10:28:50 +02:00
James Moore
9c679e3741 simplified the cronjob section 2017-04-12 21:57:04 -07:00
Angristan
d92bd4544e Add IPv6 for port 443 2017-04-12 16:07:26 +02:00
datn
98095b39bd forgot to restart postgres; more exact match on sed 2017-04-11 22:11:43 -07:00
datn
e55c767f50 made pg_hba.conf addition with ident for Ubuntu 16.04 2017-04-11 22:00:57 -07:00
staticsafe
036c8fdb8c Use 127.0.0.1 instead of localhost in Sidekiq proxy_pass.
Sidekiq only listens on v4 and using localhost will create
non-usable connections to ::1
2017-04-11 23:27:25 +00:00