Sooooo Nginx and SSL configs

I use Nginx on my Linux servers mostly, but I noticed that to get a reasonable rank out of our friends at [ssllabs.com/ssltest] you need to tweak a few things in the ol' config files.

I am not going to go through the process of explaining how to get Nginx up and running, as there are loads of good resources out there. Go on, test your google-fu if you are starting from scratch. You will also need to have gone over the basics of Let’s Encrypt.

OK, so here goes …. you will see some references to the Linux paths used by Let’s Encrypt.

Inside the Nginx server {} block we have the following settings to make that SSL Labs letter grade a nice green colour (maybe even an A+).

# the port your site will be served on
# 0.0.0.0 = all IPs on the server
listen      0.0.0.0:443  ssl;

# the domain name it will serve for
server_name REPLACE_ME_DOMAIN_NAME; # substitute the FQDN your certificate was issued for (a bare IP address will not match the certificate)

# fullchain.pem = your certificate followed by the Let's Encrypt intermediate
ssl_certificate /etc/letsencrypt/live/YOUR_DOMAIN_OR_SUB_DOMAIN/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/YOUR_DOMAIN_OR_SUB_DOMAIN/privkey.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;

# Tweak as needed
# Available protocols: TLS 1.0 and 1.1 are deliberately left out (they cap the grade).
# Add TLSv1.3 here if your nginx (1.13.0+) is built against OpenSSL 1.1.1 or later.
ssl_protocols TLSv1.2;

# Available ciphers: ECDHE-only, so every suite gives forward secrecy
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';

ssl_prefer_server_ciphers on;

# DH parameters are only used by DHE-* suites, and none are in the list above,
# so this line is harmless but does nothing unless you add some. The file must
# exist or nginx will refuse to start (generate it with:
#   openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048)
ssl_dhparam /etc/ssl/certs/dhparam.pem;

# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
# "always" sends the header on error responses too. Note that add_header is NOT
# inherited into a location {} block that has its own add_header lines, so
# repeat it there if you have any.
add_header Strict-Transport-Security "max-age=15768000" always;

# OCSP Stapling
# fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
ssl_stapling_verify on;

# nginx needs a resolver to look up the OCSP responder's hostname; without one
# the error log shows "no resolver defined" and nothing gets stapled
resolver YOUR_DNS_RESOLVER_IP valid=300s;

## verify chain of trust of OCSP response using Root CA and Intermediate certs
## (chain.pem holds the intermediate(s) that signed your certificate)
ssl_trusted_certificate /etc/letsencrypt/live/YOUR_DOMAIN_OR_SUB_DOMAIN/chain.pem;

This is not a long explanation of each and every option; that's what the documentation and the many better-written articles out there are for.

I posted this here simply to give an example of a better-than-default config that helps secure your site a little more.
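Once the config is live, it is worth checking from the outside that the server actually behaves the way the directives above promise before pointing SSL Labs at it. The script below is an added example, not part of the original post: it probes a host with openssl and curl for the four things the config is meant to produce (legacy protocols refused, TLS 1.2 accepted, a long-lived HSTS header, and a stapled OCSP response). It assumes openssl and curl are on PATH; the host name, the port, the 180-day HSTS threshold and the sample openssl/curl output in the test are all choices made here, not taken from the post.

```shell
#!/bin/sh
# Added example (not from the original post): audit a live HTTPS endpoint
# against the settings the Nginx config above is meant to produce.
# Assumes openssl and curl are on PATH; host and port come from the command line.

HSTS_MIN=15552000   # 180 days; a shorter max-age is generally treated as too short for an A+

# tls_handshake HOST PORT FLAG: try a single protocol version, e.g. -tls1 / -tls1_1 / -tls1_2.
# Exits 0 only if the server completes a handshake with that version.
# Caveat: a modern client openssl may refuse -tls1/-tls1_1 itself, so a "refused"
# result for a legacy version is only meaningful if your openssl still supports it.
tls_handshake() {
    openssl s_client -connect "$1:$2" -servername "$1" "$3" </dev/null >/dev/null 2>&1
}

# hsts_ok: read HTTP response headers on stdin; pass only if a
# Strict-Transport-Security header is present with max-age >= HSTS_MIN.
hsts_ok() {
    max_age=$(tr -d '\r' | grep -i '^strict-transport-security:' | head -n 1 |
              sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
    [ -n "$max_age" ] && [ "$max_age" -ge "$HSTS_MIN" ]
}

# stapling_ok: read `openssl s_client -status` output on stdin; pass only if the
# server stapled a good OCSP response (openssl prints "no response sent" otherwise).
stapling_ok() {
    grep -q 'OCSP Response Status: successful'
}

# audit HOST [PORT]: run every check and print one result line per check
audit() {
    host=$1
    port=${2:-443}
    for flag in -tls1 -tls1_1; do
        if tls_handshake "$host" "$port" "$flag"; then
            echo "FAIL  $host accepts $flag (ssl_protocols should list TLSv1.2 and newer only)"
        else
            echo "ok    $host refuses $flag"
        fi
    done
    if tls_handshake "$host" "$port" -tls1_2; then
        echo "ok    $host completes a TLS 1.2 handshake"
    else
        echo "FAIL  $host does not complete a TLS 1.2 handshake"
    fi
    # -D - dumps the response headers to stdout, the body is discarded
    if curl -s -o /dev/null -D - "https://$host:$port/" | hsts_ok; then
        echo "ok    HSTS header present with max-age >= $HSTS_MIN"
    else
        echo "FAIL  HSTS header missing or max-age too short"
    fi
    if openssl s_client -connect "$host:$port" -servername "$host" -status </dev/null 2>/dev/null | stapling_ok; then
        echo "ok    OCSP response stapled"
    else
        echo "FAIL  no stapled OCSP response (check ssl_stapling, resolver and ssl_trusted_certificate)"
    fi
}

# usage: sh tls-audit.sh your.domain.example [443]
if [ -n "${1:-}" ]; then
    audit "$1" "${2:-443}"
fi
```

Run it against the host right after `nginx -t && nginx -s reload`; a FAIL on the stapling line is almost always the missing resolver directive, and a FAIL on the HSTS line usually means a location {} block with its own add_header lines is swallowing the inherited header.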

Sooooo SSL and this hosting provider

I am a fan of the idea of putting SSL all over the place.

But wait! This very site does not even have SSL or serve data over a secure channel.

Well, here is my current problem. This particular hosting provider is somewhat behind the times. They do not support users setting up more than one SSL certificate, and I host multiple sites with them. I guess I am left with a simple choice here, really: move to a new hosting provider, or just accept that even this simple site's login is insecure and open to being spied on or stolen.

I hear the skeptics saying “But with Let’s Encrypt you can use Subject Alternative Names”, and yes, this would solve the problem, but it would directly link all the sites I host on this server. I do not want to do this. I also know that it's not difficult to find out this information, but I do not want to broadcast it with every connection.

I use Let’s Encrypt wherever I can, as it is simple to use on just about any OS. I actively use it on my Windows servers as well as my Linux servers. Both are pretty easy to set up and get going.

I do find it disappointing, hhhmmmm, or maybe I have been spoilt by using AWS (Amazon Web Services) and the ease of doing certain things, but in this era of regular data breaches and people's passwords “hitting the streets” I feel SSL should be offered free by all hosting providers. If not through their tools and control panels, then at the very least they should enable customers to easily set up and use Let’s Encrypt.

Sooooo strong passwords and apps that don’t help

Sooooo, today while rotating all my passwords I ran into something rather annoying.

Let's change our password, shall we …

OK then, off I go to generate a lovely complex password and copy it from my password safe to change my password.

Oh wait, this site/application does not let you paste into the password field. Now why is that, since they say that strong passwords are important and all that?

OK, so my silly logic slaps me in the face and complains.

You want me to have a complex password that has everything in it and is 5 billion characters long, BUT you want me to type it twice. Well now, that's when my brain implodes and leaks out of my ear as I simply stare at the application/website.

Thanks to the developers of the application/website, it is clear (to me at least) that they don't want passwords that are actually secure, but rather something you can type easily and remember. Hmmm, doesn't that immediately sound like a rather insecure password?

Well, I could go to our friends at Dinopass.com, or even simpler, just load the URL http://www.dinopass.com/password/strong, but this is not the point at all. I am still left with having to type it multiple times.

So, to conclude this rant, I would like to thank those applications and websites for showing me that they actually don't want my business (read: money) and that I should be using their competitors' products, which I am now doing.
