Nginx: Difference between revisions
Cbs (talk | contribs)
Zeile 44: | Zeile 44: | ||
=== hardening SSL === | === hardening SSL === | ||
− | post snowden ssl-hardening: | + | post snowden ssl-hardening |
+ | |||
+ | |||
+ | ==== ciphers ==== | ||
+ | |||
+ | please be aware of vulnerabilities in encryption protocols and ciphers: | ||
ssl_prefer_server_ciphers On; | ssl_prefer_server_ciphers On; | ||
− | ssl_protocols TLSv1 TLSv1.1 TLSv1.2 | + | ssl_protocols TLSv1 TLSv1.1 TLSv1.2; |
− | ssl_ciphers | + | ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; |
− | === | + | ==== Key Pinning ==== |
− | + | extract Base64 encoded hash for pinning: | |
− | + | ||
− | + | openssl rsa -in my-key-file.key -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64 | |
− | + | openssl req -in my-signing-request.csr -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64 | |
+ | openssl x509 -in my-certificate.crt -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64 | ||
− | === HSTS === | + | openssl s_client -connect www.example.com:443 | openssl x509 -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | \ |
+ | openssl enc -base64 | ||
+ | |||
+ | add to your server config: | ||
+ | |||
+ | add_header Public-Key-Pins 'pin-sha256="/6Q+2zQb+oBanHld5PQq6bjlO1/MIjiPBxQVuYJGjmM="; pin-sha256="7DRbL0z6zyAj3Qq3PoHATgwyNYkdMzTn54UpPWcv3CI="; pin-sha256="Y9gcAXAbTSTmeespRJZfTip9Ozthg40scR2Xkj2vXh0="; max-age=5184000'; | ||
+ | add_header Strict-Transport-Security "max-age=15768000; preload"; | ||
+ | |||
+ | {{Achtung|Be aware of the fact that you should really(!!!) create a Key for the actual production cert <br/>and a backup Key which you should publish the hash of! If your Primary key gets compromised or is over the valid date, use your backup key to create a new CSR and the PIN is already published <br/>Esle you will lock out visitors who have saved the pinned old key for as log as you set max-age}} | ||
+ | |||
+ | |||
+ | |||
+ | ==== HSTS ==== | ||
HTTP Strict Transport Security. <br/> | HTTP Strict Transport Security. <br/> | ||
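Review bot: the new `ssl_ciphers` string still negotiates 3DES: `!DES` only excludes single DES, so ECDHE-RSA-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA and DES-CBC3-SHA stay enabled; add `!3DES` and drop those three names, and consider restricting `ssl_protocols` to TLSv1.2 since the new line keeps TLSv1 and TLSv1.1 as well. The `Strict-Transport-Security` line with `preload` sits under Key Pinning rather than the HSTS heading, and the browser preload list only accepts a policy with `includeSubDomains` and a max-age of at least one year, which 15768000 (half a year) does not meet. The Achtung box has typos: "Esle" for "Else", "as log as" for "as long as", and "over the valid date" for "expired".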
Zeile 73: | Zeile 90: | ||
[...] | [...] | ||
} | } | ||
+ | |||
+ | |||
+ | === PFS === | ||
+ | |||
+ | cd /path/to/your/certs/ | ||
+ | openssl dhparam -out dhparam.pem 2048 | ||
+ | |||
+ | and edit nginx config: | ||
+ | |||
+ | ssl_dhparam /path/to/your/certs/dhparam.pem; | ||
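Review bot: `=== PFS ===` is a level-3 heading while the sibling subsections added in this change (`==== ciphers ====`, `==== Key Pinning ====`, `==== HSTS ====`) are level 4, so PFS drops out of the "hardening SSL" section; make it `==== PFS ====`. The text should also say that `ssl_dhparam` only affects the DHE-* suites in the cipher list; the ECDHE-* suites listed first (and preferred via `ssl_prefer_server_ciphers`) already provide forward secrecy without it.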
Current version as of 29 November 2016, 08:00
some nginx hints
Logging stuff
logformat
I'm using a nearly standard Apache log format, but prefixed with the serving virtual host as the first field:
log_format vhost '$server_name $remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"';
So, by stripping the vhost from the first field of a log line, you can still use standard log parsers for log-file analysis.
Activate this log format with:
access_log /var/log/nginx/access.log vhost;
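As an added example (not from the wiki), a small Python parser for the vhost log_format above: it strips the leading $server_name field so that each vhost's lines become standard combined-format lines again, and counts status codes per vhost; the sample lines are constructed.

```python
import re
from collections import Counter

# Matches the page's "vhost" log_format: nginx's combined format with
# $server_name prepended and "$http_x_forwarded_for" appended.
VHOST_LINE = re.compile(
    r'^(?P<vhost>\S+) (?P<remote_addr>\S+) - (?P<remote_user>\S+) '
    r'\[(?P<time_local>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<body_bytes_sent>\d+) '
    r'"(?P<http_referer>[^"]*)" "(?P<http_user_agent>[^"]*)" '
    r'"(?P<http_x_forwarded_for>[^"]*)"$'
)


def parse_vhost_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = VHOST_LINE.match(line.rstrip("\r\n"))
    return m.groupdict() if m else None


def strip_vhost(line):
    """Drop the leading $server_name field so the rest is a plain combined-format
    line that unmodified log parsers understand (the trick the page describes)."""
    return line.partition(" ")[2]


def split_by_vhost(lines):
    """Group lines per virtual host, each group already stripped of its prefix."""
    groups = {}
    for line in lines:
        rec = parse_vhost_line(line)
        if rec is not None:
            groups.setdefault(rec["vhost"], []).append(strip_vhost(line))
    return groups


def status_counts(lines):
    """Count (vhost, status) pairs, e.g. to spot a vhost suddenly serving many 404s."""
    counts = Counter()
    for line in lines:
        rec = parse_vhost_line(line)
        if rec is not None:
            counts[(rec["vhost"], rec["status"])] += 1
    return counts


# Constructed sample lines in the page's log_format (not real traffic).
SAMPLE_LOG = [
    'www.example.org 203.0.113.7 - - [29/Nov/2016:08:00:01 +0100] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0" "-"',
    'www.example.org 203.0.113.7 - - [29/Nov/2016:08:00:02 +0100] "GET /wp-login.php HTTP/1.1" 404 162 "-" "curl/7.50.1" "-"',
    'blog.example.org 198.51.100.23 - alice [29/Nov/2016:08:00:03 +0100] "POST /admin HTTP/1.1" 403 0 "https://blog.example.org/" "Mozilla/5.0" "10.0.0.5"',
]
```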
enable rewrite-log
To turn on the rewrite log you have to add these two statements:
server {
    [...]
    rewrite_log on;
    error_log /var/log/nginx/error.log notice;
    [...]
}
Be sure to set 'notice' after the error log file, because rewrites are logged to the error log at 'notice' level...
SSL stuff
hardening SSL
post snowden ssl-hardening
ciphers
please be aware of vulnerabilities in encryption protocols and ciphers:
ssl_prefer_server_ciphers On;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
Key Pinning
Extract the Base64-encoded hash of the public key for pinning (from the private key, the CSR, the certificate, or a live server):
openssl rsa -in my-key-file.key -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64
openssl req -in my-signing-request.csr -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
openssl x509 -in my-certificate.crt -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
openssl s_client -connect www.example.com:443 | openssl x509 -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
add to your server config:
add_header Public-Key-Pins 'pin-sha256="/6Q+2zQb+oBanHld5PQq6bjlO1/MIjiPBxQVuYJGjmM="; pin-sha256="7DRbL0z6zyAj3Qq3PoHATgwyNYkdMzTn54UpPWcv3CI="; pin-sha256="Y9gcAXAbTSTmeespRJZfTip9Ozthg40scR2Xkj2vXh0="; max-age=5184000';
add_header Strict-Transport-Security "max-age=15768000; preload";
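As an added example (not from the wiki), a Python check of a Public-Key-Pins policy before it is deployed: it computes the same SPKI pin as the openssl pipelines above, verifies that the served key's pin is listed together with at least one backup pin (the lock-out the revision history warns about), and that max-age is set; the two SPKI byte strings are constructed placeholders, not real keys.

```python
import base64
import hashlib
import re

PIN_RE = re.compile(r'pin-sha256="([A-Za-z0-9+/=]+)"')

def spki_pin(spki_der):
    """Base64(SHA-256(SubjectPublicKeyInfo DER)), what the page's openssl pipelines print."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")

def parse_pkp_header(value):
    """Split a Public-Key-Pins value into its pins and the remaining directives."""
    pins = PIN_RE.findall(value)
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name and name != "pin-sha256":
            directives[name.lower()] = val.strip()
    return pins, directives

def build_pkp_header(spki_ders, max_age):
    """Build the header value for the production key plus backup key(s)."""
    pins = "; ".join('pin-sha256="%s"' % spki_pin(d) for d in spki_ders)
    return "%s; max-age=%d" % (pins, max_age)

def check_pkp_policy(header_value, served_spki_der):
    """Return the problems that would lock visitors out ([] when the policy is sane)."""
    pins, directives = parse_pkp_header(header_value)
    served = spki_pin(served_spki_der)
    problems = []
    for p in pins:
        try:
            if len(base64.b64decode(p, validate=True)) != 32:
                problems.append("pin is not a 32-byte SHA-256 digest: " + p)
        except ValueError:
            problems.append("pin is not valid base64: " + p)
    if served not in pins:
        problems.append("served key's pin is not listed: " + served)
    if len(set(pins) - {served}) < 1:
        problems.append("no backup pin: a key rollover would lock visitors out")
    age = directives.get("max-age", "")
    if not age.isdigit() or int(age) <= 0:
        problems.append("max-age missing or not a positive integer")
    return problems

# The header value from the page, and two constructed stand-ins for SPKI DER (not real keys).
PAGE_HEADER = ('pin-sha256="/6Q+2zQb+oBanHld5PQq6bjlO1/MIjiPBxQVuYJGjmM="; pin-sha256="7DRbL0z6zyAj3Qq3PoHATgwyNYkdMzTn54UpPWcv3CI="; '
               'pin-sha256="Y9gcAXAbTSTmeespRJZfTip9Ozthg40scR2Xkj2vXh0="; max-age=5184000')
PRODUCTION_SPKI = b"constructed-spki-production-not-a-real-key"
BACKUP_SPKI = b"constructed-spki-backup-not-a-real-key"
```

Major browsers have since removed HPKP support, so the check mainly documents what a safe pinning policy had to contain.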
HSTS
HTTP Strict Transport Security.
If possible, run https-only pages...
In the post-Snowden age this should be done, so add to your port-80 vhost (browsers only honour HSTS received over https, so the header also has to be in the https vhost, as in the Key Pinning section):
server {
    [...]
    add_header Strict-Transport-Security max-age=15768000;
    return 301 https://www.traumartig.de$request_uri;
    [...]
}
PFS
cd /path/to/your/certs/
openssl dhparam -out dhparam.pem 2048
and edit nginx config:
ssl_dhparam /path/to/your/certs/dhparam.pem;
SSL test
test your ssl-implementation here: