by Xangis on 6/30/14, 4:32 AM with 2 comments
by moduloo on 6/30/14, 5:47 AM
1. Combine all listen 80 server blocks into one, and then return 301 https://$host$request_uri; instead of rewrite. It is faster and you can skip the if ($scheme) part, because if is evil http://wiki.nginx.org/IfIsEvil
2. Where are your ciphers? They are bad anyway and don't seem to be the defaults, and RC4 as the preferred cipher, phew!
3. You are vulnerable to the latest CCS vuln https://8ack.de/scan/result/sslvulns/71ba019e9d4bf25fd422ab0...
4. You use a quite old nginx version; Debian? You should use a newer one that supports SPDY (faster loading for all those images).
5. OH NOES .... https://wbsrch.com/admin/ Rule nr. 1: never expose admin/backend logins to the interwebs.
6. No HSTS.
7. You support TLS 1.2, but no PFS. Is there a reason for this? Otherwise this is a bad decision https://www.ssllabs.com/ssltest/analyze.html?d=wbsrch.com
8. Define STATIC resources with Django; advantage: you don't have to try_files and can skip the regex location for static content https://docs.djangoproject.com/en/dev/howto/static-files/
9. Why did you turn off ssl_session_cache??? https://www.mare-system.de/guide-to-nginx-ssl-spdy-hsts/#opt...
10. Use proxy_cache for /
11. Turn off server_tokens.
More on nginx + SSL: https://www.mare-system.de/guide-to-nginx-ssl-spdy-hsts/
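The points in the comment above, collected into one nginx configuration. This is an added example, not moduloo's text and not wbsrch.com's real configuration. Only the host name comes from the thread; the certificate, key, dhparam and cache paths, the Django upstream address 127.0.0.1:8000, the allowed admin client address and the static root are placeholders. Item 3 (the CCS injection bug) is an OpenSSL library issue and is fixed by upgrading OpenSSL, not by any nginx directive.

```nginx
# Added example config (not the site's own). Everything below goes inside the
# http { } block of nginx.conf; events { } and the rest of the file are omitted.

# Item 11: stop advertising the exact nginx version in Server: and error pages.
server_tokens off;

# Item 9: keep the session cache on so returning clients resume instead of
# doing a full handshake (10 MB holds roughly 40k sessions).
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;

# Item 10: a cache zone for upstream responses (placeholder path).
proxy_cache_path /var/cache/nginx/wbsrch levels=1:2 keys_zone=wbsrch:10m
                 max_size=1g inactive=60m;

# Item 1: one port-80 block for every name, a plain return instead of
# rewrite + if ($scheme). No "if" needed because this block is only ever
# reached over plain HTTP.
server {
    listen 80;
    server_name wbsrch.com www.wbsrch.com;
    return 301 https://$host$request_uri;
}

server {
    # Item 4: "spdy" needs nginx 1.4+ built with --with-http_spdy_module
    # (later releases replaced it with http2).
    listen 443 ssl spdy;
    server_name wbsrch.com www.wbsrch.com;

    ssl_certificate     /etc/ssl/wbsrch.com.crt;   # placeholder
    ssl_certificate_key /etc/ssl/wbsrch.com.key;   # placeholder

    # Items 2 and 7: explicit cipher list, ECDHE/DHE first so every TLS 1.2
    # client gets forward secrecy, RC4 and MD5 excluded outright.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:!aNULL:!eNULL:!MD5:!RC4';
    # DHE needs its own parameters; generate with: openssl dhparam -out dhparam.pem 2048
    ssl_dhparam /etc/ssl/dhparam.pem;   # placeholder

    # Item 6: HSTS, six months. Only send this once every subdomain you care
    # about is reachable over HTTPS, because browsers will refuse plain HTTP.
    add_header Strict-Transport-Security "max-age=15768000";

    # Item 5: the Django admin stays behind an address allow-list (placeholder
    # address); everyone else gets 403 and never sees the login form.
    location /admin/ {
        allow 203.0.113.10;
        deny all;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_pass http://127.0.0.1:8000;
    }

    # Item 8: STATIC_ROOT filled by "manage.py collectstatic" and served
    # directly, so no try_files and no regex location for static content.
    location /static/ {
        alias /srv/wbsrch/static/;   # placeholder STATIC_ROOT
        expires 30d;
    }

    # Item 10: cache the application's responses for anonymous visitors.
    # Requests carrying Django's session cookie bypass the cache and are not
    # stored, so one user's logged-in page is never served to another.
    location / {
        proxy_cache wbsrch;
        proxy_cache_valid 200 10m;
        proxy_cache_bypass $cookie_sessionid;
        proxy_no_cache $cookie_sessionid;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_pass http://127.0.0.1:8000;
    }
}
```

Run `nginx -t` before reloading, then re-check the host with the SSL Labs scanner linked in item 7: the cipher change should show forward secrecy for TLS 1.2 clients, the HSTS header should be reported, and the Server header should no longer carry a version number.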