I'm getting nowhere. I still got an A+, but now I'm marked down because
I don't support TLS 1.2.

Marked as weak in SSL Labs' test.

SSL Labs' test complains that it doesn't offer forward secrecy.

Prettier editing.

Up to now I supported older browsers by supporting older versions of TLS
and cipher suites. I still think it makes sense for my blog, etc. but
not for Nextcloud or GitLab. So here's the first step, make the previous
default SSL configuration be ssl-legacy (split out the common parts to
ssl-common) and next is ssl-modern.

It has a hard-coded server name, it should be in the that server's
config.

This reverts commit 7885e91e.

So I can get the real client IP in the service.

Snippet to redirect to https if Upgrade-Insecure-Requests is set in the
request.

How can I miss the opportunity to interfere with Google in any way?

Mainly ChaCha20. Also disable AESCCM (as per
https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
it's slow and uncommon).

Vouch uses the Host header for calculating the JWT but we can't override
that (proxying won't work with an incorrect header). So instead it to
each deployment so we don't have multiple proxies and can override the
Host header.

Using vouch.shore.co.il.

I'm moving some services to ns4, some will remain on host01. I'm
branching to have specific deployment for each host. So have a minimal
and generic master branch so common changes will be done there and I'll
rebase the other branches on top of it.

It could lead to a case where the site is effectively offline.

- Replace file with configuration snippet.
- Allow some domains, disallow others.

We set it in the proxy anyway, don't send 2 Strict-Transport-Security
headers.