GitLab

I'm getting nowhere. I still got an A+, but now I'm marked down because
I don't support TLS 1.2.

Marked as weak in SSL Labs' test.

SSL Labs' test complains that it doesn't offer forward secrecy.

Prettier editing.

Up to now I supported older browsers by supporting older versions of TLS
and cipher suites. I still think it makes sense for my blog, etc. but
not for Nextcloud or GitLab. So here's the first step, make the previous
default SSL configuration be ssl-legacy (split out the common parts to
ssl-common) and next is ssl-modern.

Use the git skeleton file. Apply changes from the new hooks.

It has a hard-coded server name, it should be in the that server's
config.

This reverts commit 7885e91e.

So I can get the real client IP in the service.

If the acme challenge is in a location block but the default redirection
is not, the default always takes precedence (Nginx won't resolve the
order between the different directives, but it will between different
location blocks).

Snippet to redirect to https if Upgrade-Insecure-Requests is set in the
request.

How can I miss the opportunity to interfere with Google in any way?

Login every 4 hours isn't reasonable. A week seems better to me.

Mainly ChaCha20. Also disable AESCCM (as per
https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
it's slow and uncommon).

Vouch uses the Host header for calculating the JWT but we can't override
that (proxying won't work with an incorrect header). So instead it to
each deployment so we don't have multiple proxies and can override the
Host header.