
Master Branch add tools/switch-nginx-ciphers.sh in 123.09beta01

Discussion in 'Centmin Mod Github Commits' started by eva2000, Jun 13, 2021.

  1. eva2000 (Administrator, Staff Member)

    add tools/switch-nginx-ciphers.sh in 123.09beta01

    - add new tools/switch-nginx-ciphers.sh script in preparation for updating the 123.09beta01 and higher Nginx default HTTPS configuration to the stronger intermediate Mozilla recommendations outlined at https://ssl-config.mozilla.org/#server=nginx&version=1.20.0&config=intermediate&openssl=1.1.1&guideline=5.6 for the following directives: ssl_ciphers, ssl_prefer_server_ciphers, ssl_session_tickets and ssl_dhparam, using the recommended ffdhe3072 version. There is no need to modify the ssl_protocols directive, as the ssl_ciphers chosen will ultimately determine which ssl_protocols are available. When ssl_ciphers switch to the Mozilla intermediate recommendations, only TLSv1.2 and TLSv1.3 are supported.
    - A future 123.09beta01 update will switch the default to the Mozilla intermediate recommendations. For now, the new tools/switch-nginx-ciphers.sh script will allow folks to do that on a per-vhost basis or in bulk for all Nginx HTTPS vhosts before the subsequent updates, and/or also allow folks to switch between the Mozilla intermediate recommendations and the previous Centmin Mod 'old-defaults', which expand ssl_ciphers to support deprecated TLSv1.0 and TLSv1.1 as well as TLSv1.2 and TLSv1.3.
    - The new tool also has inbuilt testssl.sh support (https://github.com/drwetter/testssl.sh) via the testssl command option.

    Usage options available for switch-nginx-ciphers.sh:

    ./switch-nginx-ciphers.sh

    Usage:

    ./switch-nginx-ciphers.sh intermediate-bulk
    ./switch-nginx-ciphers.sh intermediate /usr/local/nginx/conf/conf.d/domain.com.ssl.conf
    ./switch-nginx-ciphers.sh old-default-bulk
    ./switch-nginx-ciphers.sh old-default /usr/local/nginx/conf/conf.d/domain.com.ssl.conf
    ./switch-nginx-ciphers.sh testssl domain.com:443



    Centmin Mod Github Master branch

    Master branch is where most recent commits are made as at May 24, 2015.
     
  2. happyhacking (Member)

    Not a Bug but a Vote :stop: asking politely to add the "Modern" option suggested by Mozilla to the script:
    Code:
    Mozilla Configuration:
    Modern
    Services with clients that support TLS 1.3 and don't need backward compatibility
    
    # generated 2022-05-13, Mozilla Guideline v5.6, nginx 1.20.0, OpenSSL 1.1.1, modern configuration
    # https://ssl-config.mozilla.org/#server=nginx&version=1.20.0&config=modern&openssl=1.1.1&guideline=5.6
    server {
       listen 80 default_server;
       listen [::]:80 default_server;
    
       location / {
           return 301 https://$host$request_uri;
       }
    }
    
    server {
       listen 443 ssl http2;
       listen [::]:443 ssl http2;
    
       ssl_certificate /path/to/signed_cert_plus_intermediates;
       ssl_certificate_key /path/to/private_key;
       ssl_session_timeout 1d;
       ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
       ssl_session_tickets off;
    
       # modern configuration
       ssl_protocols TLSv1.3;
       ssl_prefer_server_ciphers off;
    
       # HSTS (ngx_http_headers_module is required) (63072000 seconds)
       add_header Strict-Transport-Security "max-age=63072000" always;
    
       # OCSP stapling
       ssl_stapling on;
       ssl_stapling_verify on;
    
       # verify chain of trust of OCSP response using Root CA and Intermediate certs
       ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
    
       # replace with the IP address of your resolver
       resolver 127.0.0.1;
    }
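As an added example (not Centmin Mod's tools/switch-nginx-ciphers.sh and not code from either poster), the script below performs the edit both posts describe on a single vhost file: the intermediate profile rewrites the four directives eva2000 lists (ssl_ciphers, ssl_prefer_server_ciphers, ssl_session_tickets, ssl_dhparam) and leaves ssl_protocols alone, as the first post explains; the modern profile applies the three TLS directives from the Mozilla config happyhacking quotes (ssl_protocols TLSv1.3, server preference off, tickets off). Assumptions of this example: each directive already exists on its own line in the vhost (as in the Centmin Mod vhosts the thread discusses), the ffdhe3072 dhparam path is a placeholder, and the function names, the bulk glob and the nginx -t wrapper are this example's own. The file is checked for every directive before anything is written, so a vhost is never left half-rewritten, and a .bak copy is kept beside it.

```shell
#!/bin/sh
# Added example, not Centmin Mod's tools/switch-nginx-ciphers.sh.
# Rewrites the TLS directives of one Nginx vhost file to a Mozilla profile:
#   intermediate -> ssl_ciphers, ssl_prefer_server_ciphers, ssl_session_tickets,
#                   ssl_dhparam (ssl_protocols is left untouched, as in the first post)
#   modern       -> ssl_protocols TLSv1.3, ssl_prefer_server_ciphers off,
#                   ssl_session_tickets off (the config quoted in the second post)
# Assumption: each directive already exists on its own line in the vhost file.

# Mozilla guideline v5.6 intermediate cipher list for nginx with OpenSSL 1.1.1.
INTERMEDIATE_CIPHERS='ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'
# Assumed location of the ffdhe3072 group file; replace with the real path.
DHPARAM_PATH='/usr/local/nginx/conf/ffdhe3072.pem'
# Vhost files the bulk mode walks (the directory used in the thread's usage lines).
VHOST_GLOB='/usr/local/nginx/conf/conf.d/*.ssl.conf'

# has_directive FILE NAME: true when a line starts with "NAME " (indentation allowed).
has_directive() {
  grep -Eq "^[[:space:]]*$2[[:space:]]" "$1"
}

# get_directive FILE NAME: print the value of the first matching directive,
# i.e. the text between the name and the closing ';' (trailing comment dropped).
get_directive() {
  sed -n -E "s|^[[:space:]]*$2[[:space:]]+([^;]*);.*|\1|p" "$1" | head -n 1
}

# set_directive FILE NAME VALUE: replace the value in place, keeping indentation
# and any trailing comment. '|' is the sed delimiter so paths need no escaping.
set_directive() {
  sed -i -E "s|^([[:space:]]*)$2[[:space:]][^;]*;|\1$2 $3;|" "$1"
}

# apply_profile FILE PROFILE: rewrite one vhost; a backup is left at FILE.bak.
# Every required directive is checked first so the file is never half-rewritten.
apply_profile() {
  file=$1; profile=$2
  case $profile in
    intermediate) names='ssl_ciphers ssl_prefer_server_ciphers ssl_session_tickets ssl_dhparam' ;;
    modern)       names='ssl_protocols ssl_prefer_server_ciphers ssl_session_tickets' ;;
    *) echo "unknown profile '$profile' (use intermediate or modern)" >&2; return 1 ;;
  esac
  for name in $names; do
    has_directive "$file" "$name" || { echo "$file: missing directive $name" >&2; return 1; }
  done
  cp "$file" "$file.bak"
  if [ "$profile" = intermediate ]; then
    set_directive "$file" ssl_ciphers "$INTERMEDIATE_CIPHERS"
    set_directive "$file" ssl_dhparam "$DHPARAM_PATH"
  else
    set_directive "$file" ssl_protocols 'TLSv1.3'
  fi
  set_directive "$file" ssl_prefer_server_ciphers off
  set_directive "$file" ssl_session_tickets off
}

# verify_nginx: syntax-check the live configuration and reload only on success.
# Skipped when no nginx binary is on PATH (e.g. when run on a workstation).
verify_nginx() {
  command -v nginx >/dev/null 2>&1 || return 0
  nginx -t && nginx -s reload
}

# apply_profile_bulk PROFILE: apply to every HTTPS vhost, then validate once.
apply_profile_bulk() {
  for f in $VHOST_GLOB; do
    [ -f "$f" ] && apply_profile "$f" "$1"
  done
  verify_nginx
}

# Entry point mirroring the thread's usage lines: PROFILE FILE or PROFILE-bulk.
main() {
  case $1 in
    intermediate|modern)
      [ -n "$2" ] || { echo "usage: $0 {intermediate|modern} FILE" >&2; return 1; }
      apply_profile "$2" "$1" && verify_nginx ;;
    intermediate-bulk|modern-bulk)
      apply_profile_bulk "${1%-bulk}" ;;
    *)
      echo "usage: $0 {intermediate|modern} FILE | {intermediate|modern}-bulk" >&2
      return 1 ;;
  esac
}

if [ $# -gt 0 ]; then main "$@"; fi
```

After a rewrite, get_directive is a quick way to confirm what the vhost now carries (for example `get_directive domain.com.ssl.conf ssl_ciphers`) before the testssl run the tool offers; note that the modern profile deliberately does not touch ssl_ciphers, because the TLS 1.3 suites are not selected through that directive.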