release 1.12.0

65d1d7ed · Simon · 82ff785b · 65d1d7ed · 65d1d7ed · 65d1d7ed
Commit 65d1d7ed authored Nov 25, 2019 by Simon
5 changed files
--- a/.env
+++ b/.env
@@ -2,7 +2,7 @@ PROJECT=biuro-staging
 IMAGE_NGINX=fholzer/nginx-brotli
 IMAGE_MYSQL=mariadb:10.3
-IMAGE_WORDPRESS=biuro/web:1.11.1
+IMAGE_WORDPRESS=biuro/web:1.12.0
 IMAGE_WORDPRESS_CLI=wordpress:cli-php7.3
 DB_NAME=staging_biuro

--- a/nginx/conf.d/server-shared.conf
+++ b/nginx/conf.d/server-shared.conf
@@ -24,7 +24,6 @@ location /wp-json/api/v1/contacts {
    try_files $uri $uri/ /index.php?$args;
    auth_basic "Basic auth";
    auth_basic_user_file /etc/nginx/.htpasswd;
-    # auth_basic_user_file /var/www/html/.htpasswd;
 }
 location /wp-json/api/v1/recommended {

--- a/nginx/h5bp/ssl/ocsp_stapling.conf
+++ b/nginx/h5bp/ssl/ocsp_stapling.conf
@@ -2,17 +2,34 @@
 # | Online Certificate Status Protocol stapling                        |
 # ----------------------------------------------------------------------
-# OCSP is a lightweight, only one record to help clients verify the
+# OCSP is a lightweight, only one record to help clients verify the validity of
-# validity of the server certificate.
+# the server certificate.
-# OCSP stapling allow the server to send its cached OCSP record during
+# OCSP stapling allows the server to send its cached OCSP record during the TLS
-# the TLS handshake, whithout the need of 3rd party OCSP responder.
+# handshake, without the need of 3rd party OCSP responder.
 #
 # https://wiki.mozilla.org/Security/Server_Side_TLS#OCSP_Stapling
 # https://tools.ietf.org/html/rfc6066#section-8
 # https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
+#
+# (1) Use Cloudflare 1.1.1.1 DNS resolver
+#     https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/
+#
+# (2) Use Google 8.8.8.8 DNS resolver
+#     https://developers.google.com/speed/public-dns/docs/using
+#
+# (3) Use OpenDNS resolver
+#     https://use.opendns.com
 ssl_stapling on;
 ssl_stapling_verify on;
-resolver 8.8.8.8 8.8.4.4 216.146.35.35 216.146.36.36 valid=60s;
+resolver
+  # (1)
+  1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001]
+  # (2)
+  8.8.8.8 8.8.4.4 [2001:4860:4860::8888] [2001:4860:4860::8844]
+  # (3)
+  # 208.67.222.222 208.67.220.220 [2620:119:35::35] [2620:119:53::53]
+  valid=60s
+  ipv6=off;
 resolver_timeout 2s;
--- a/nginx/h5bp/ssl/policy_deprecated.conf
+++ b/nginx/h5bp/ssl/policy_deprecated.conf
@@ -22,7 +22,7 @@
 # https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations
 # https://nginx.org/en/docs/http/ngx_http_ssl_module.html
-ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
 ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES128-SHA256:AES256-SHA256:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:DES-CBC3-SHA;
 ssl_ecdh_curve X25519:prime256v1:secp521r1:secp384r1;

--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
@@ -162,14 +162,15 @@ http {
    font/woff2                    "*";
  }
-  client_body_buffer_size 10M;
+  # client_body_buffer_size 10M;
  client_max_body_size 10M;
+  # proxy_max_temp_file_size: 0;
  # Include files in the conf.d folder.
  # server{} configuration files should be placed in the conf.d folder.
  # The configurations should be disabled by prefixing files with a dot.
-    include h5bp/ssl/ocsp_stapling.conf;
+    # include h5bp/ssl/ocsp_stapling.conf;
    # include h5bp/ssl/policy_modern.conf;
    # include h5bp/ssl/policy_deprecated.conf;
    include h5bp/ssl/policy_intermediate.conf;
@@ -177,42 +178,3 @@ http {
    include /etc/nginx/conf.d/staging-biuro.conf;
 }
-# user  nginx;
-# worker_processes  1;
-# error_log  /var/log/nginx/error.log warn;
-# pid        /var/run/nginx.pid;
-# events {
-#     worker_connections  1024;
-# }
-# http {
-#     include       /etc/nginx/mime.types;
-#     default_type  application/octet-stream;
-#     log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
-#                       '$status $body_bytes_sent "$http_referer" '
-#                       '"$http_user_agent" "$http_x_forwarded_for"';
-#     access_log  /var/log/nginx/access.log  main;
-#     sendfile        on;
-#     #tcp_nopush     on;
-#     keepalive_timeout  65;
-#     gzip  on;
-#     brotli on;
-#     ################################
-#     # DO WHATEVER YOU WANT HERE :) #
-#     ################################
-#     include /etc/nginx/conf.d/*.conf;
-# }