Beta Branch add tools/switch-nginx-ciphers.sh control Nginx HTTPS Vhost configuration

Discussion in 'Beta release code' started by eva2000, May 11, 2021.

Thread Status:
Not open for further replies.
    Thanks to @Mr. Jinx's reminder, Centmin Mod 123.09beta01's default Nginx HTTPS settings need updating to a more secure configuration as outlined by Mozilla's intermediate SSL configuration recommendations. I've added a new tools/switch-nginx-ciphers.sh script to prepare folks who want to switch/revert to the new recommendations before the official 123.09beta01 Nginx HTTPS templates get updated later on.

    You can switch to the new intermediate Nginx HTTPS recommendations on a per Nginx vhost basis by passing the Nginx vhost's HTTPS/SSL config file path on the command line with the intermediate option:
    Code (Text):
    /usr/local/src/centminmod/tools/switch-nginx-ciphers.sh intermediate /usr/local/nginx/conf/conf.d/test.com.ssl.conf

    Code (Text):
    /usr/local/src/centminmod/tools/switch-nginx-ciphers.sh intermediate /usr/local/nginx/conf/conf.d/test.com.ssl.conf
    
    switched off: ssl_prefer_server_ciphers
    set:   ssl_prefer_server_ciphers   off;
    setup ffdhe3072 dhparam file: /usr/local/nginx/conf/ssl/dhparam.pem
    replace: /usr/local/nginx/conf/ssl/test.com/dhparam.pem
    
    switched off ssl_session_tickets
    set:   ssl_session_tickets off;
    
    switched ssl_ciphers
    set:   ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    
    Reloading nginx configuration (via systemctl):             [  OK  ]
    

    You can also switch back to the previous defaults using the old-default option and passing the Nginx HTTPS vhost config file path:
    Code (Text):
    /usr/local/src/centminmod/tools/switch-nginx-ciphers.sh old-default /usr/local/nginx/conf/conf.d/test.com.ssl.conf

    Code (Text):
    /usr/local/src/centminmod/tools/switch-nginx-ciphers.sh old-default /usr/local/nginx/conf/conf.d/test.com.ssl.conf
    
    switched on: ssl_prefer_server_ciphers
    set:   ssl_prefer_server_ciphers   on;
    setup ffdhe3072 dhparam file: /usr/local/nginx/conf/ssl/dhparam.pem
    replace: /usr/local/nginx/conf/ssl/test.com/dhparam.pem
    
    switched off ssl_session_tickets
    set:   ssl_session_tickets off;
    
    switched ssl_ciphers
    set:   ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
    
    Reloading nginx configuration (via systemctl):             [  OK  ]
    

    Or you can use the equivalent bulk commands to switch all Nginx HTTPS vhosts to intermediate or old-default settings.

    Intermediate
    Code (Text):
    /usr/local/src/centminmod/tools/switch-nginx-ciphers.sh intermediate-bulk

    Code (Text):
    /usr/local/src/centminmod/tools/switch-nginx-ciphers.sh intermediate-bulk
    
    ------------------------------------------
    switch /usr/local/nginx/conf/conf.d/test.com.ssl.conf
    ------------------------------------------
    
    switched off: ssl_prefer_server_ciphers
    set:   ssl_prefer_server_ciphers   off;
    setup ffdhe3072 dhparam file: /usr/local/nginx/conf/ssl/dhparam.pem
    replace: /usr/local/nginx/conf/ssl/test.com/dhparam.pem
    
    switched off ssl_session_tickets
    set:   ssl_session_tickets off;
    
    switched ssl_ciphers
    set:   ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    
    ------------------------------------------
    switch /usr/local/nginx/conf/conf.d/test2.com.ssl.conf
    ------------------------------------------
    
    switched off: ssl_prefer_server_ciphers
    set:   ssl_prefer_server_ciphers   off;
    setup ffdhe3072 dhparam file: /usr/local/nginx/conf/ssl/dhparam.pem
    replace: /usr/local/nginx/conf/ssl/test2.com/dhparam.pem
    
    switched off ssl_session_tickets
    set:   ssl_session_tickets off;
    
    switched ssl_ciphers
    set:   ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    

    Old default
    Code (Text):
    /usr/local/src/centminmod/tools/switch-nginx-ciphers.sh old-default-bulk

    Code (Text):
    /usr/local/src/centminmod/tools/switch-nginx-ciphers.sh old-default-bulk
    
    ------------------------------------------
    switch /usr/local/nginx/conf/conf.d/test.com.ssl.conf
    ------------------------------------------
    
    switched on: ssl_prefer_server_ciphers
    set:   ssl_prefer_server_ciphers   on;
    setup ffdhe3072 dhparam file: /usr/local/nginx/conf/ssl/dhparam.pem
    replace: /usr/local/nginx/conf/ssl/test.com/dhparam.pem
    
    switched off ssl_session_tickets
    set:   ssl_session_tickets off;
    
    switched ssl_ciphers
    set:   ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
    
    ------------------------------------------
    switch /usr/local/nginx/conf/conf.d/test2.com.ssl.conf
    ------------------------------------------
    
    switched on: ssl_prefer_server_ciphers
    set:   ssl_prefer_server_ciphers   on;
    setup ffdhe3072 dhparam file: /usr/local/nginx/conf/ssl/dhparam.pem
    replace: /usr/local/nginx/conf/ssl/test2.com/dhparam.pem
    
    switched off ssl_session_tickets
    set:   ssl_session_tickets off;
    
    switched ssl_ciphers
    set:   ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
    

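Added example (not part of the Centmin Mod project or its tools/switch-nginx-ciphers.sh script): a small POSIX sh audit that reads an Nginx HTTPS vhost config and reports whether its three switched directives (ssl_prefer_server_ciphers, ssl_session_tickets, ssl_ciphers) match the intermediate profile shown in the output above or the old default. The function names get_directive, legacy_ciphers, classify_ssl_conf and make_sample are my own, and the two sample vhost fragments are constructed from the cipher strings printed above; a "legacy" suite here means 3DES, a CBC/SHA-1-or-SHA-2 suite without AEAD, or a suite without ECDHE/DHE forward secrecy. The dhparam file is not inspected (a path alone does not tell you it holds ffdhe3072).

```shell
#!/bin/sh
# Audit an Nginx HTTPS vhost config for the settings switch-nginx-ciphers.sh changes.
# Added example, not Centmin Mod code; function names are this example's own.

# get_directive FILE NAME -> value of the first "NAME value;" line, without the ';'
get_directive() {
  awk -v name="$2" '$1 == name { v = $2; sub(/;$/, "", v); print v; exit }' "$1"
}

# legacy_ciphers CIPHERSTRING -> one line per suite that the intermediate profile drops
legacy_ciphers() {
  printf '%s\n' "$1" | tr ':' '\n' | grep -v '^!' | awk '
    /DES-CBC3/ { print; next }                                 # 3DES suites
    /-SHA$/ || /-SHA256$/ || /-SHA384$/ {
      if ($0 !~ /GCM/ && $0 !~ /CHACHA20/) { print; next }    # CBC (non-AEAD) suites
    }
    !/^ECDHE-/ && !/^DHE-/ && !/^EDH-/ { print }               # no forward secrecy (RSA kx)
  '
}

# classify_ssl_conf FILE -> prints "intermediate", "old-default" or "mixed"
classify_ssl_conf() {
  prefer=$(get_directive "$1" ssl_prefer_server_ciphers)
  tickets=$(get_directive "$1" ssl_session_tickets)
  ciphers=$(get_directive "$1" ssl_ciphers)
  legacy=$(legacy_ciphers "$ciphers" | wc -l | tr -d ' ')
  if [ "$prefer" = "off" ] && [ "$tickets" = "off" ] && [ "$legacy" -eq 0 ]; then
    echo intermediate
  elif [ "$prefer" = "on" ] && [ "$legacy" -gt 0 ]; then
    echo old-default
  else
    echo mixed
  fi
}

# make_sample intermediate|old-default -> path of a constructed vhost fragment (temp file)
# These are constructed samples for the demo, not files from a Centmin Mod install.
make_sample() {
  f=$(mktemp)
  case "$1" in
    intermediate) cat > "$f" <<'EOF'
server {
    listen 443 ssl http2;
    server_name test.com;
    ssl_prefer_server_ciphers   off;
    ssl_session_tickets off;
    ssl_dhparam /usr/local/nginx/conf/ssl/test.com/dhparam.pem;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
}
EOF
    ;;
    old-default) cat > "$f" <<'EOF'
server {
    listen 443 ssl http2;
    server_name test.com;
    ssl_prefer_server_ciphers   on;
    ssl_session_tickets off;
    ssl_dhparam /usr/local/nginx/conf/ssl/test.com/dhparam.pem;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
}
EOF
    ;;
  esac
  echo "$f"
}

# Run directly: audit the vhost files given as arguments, or the two constructed samples.
if [ $# -gt 0 ]; then
  for f in "$@"; do printf '%s: %s\n' "$f" "$(classify_ssl_conf "$f")"; done
else
  for p in intermediate old-default; do
    f=$(make_sample "$p")
    printf '%s sample -> %s\n' "$p" "$(classify_ssl_conf "$f")"
    rm -f "$f"
  done
fi
```

Pointing it at real vhost files (for example `sh audit.sh /usr/local/nginx/conf/conf.d/*.ssl.conf`) gives a quick per-vhost view of which files the bulk switch has already converted; a "mixed" result means the file was hand-edited or only partially switched and is worth a look before the next reload.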