
SSL Setup

Discussion in 'Domains, DNS, Email & SSL Certificates' started by dorobo, Sep 6, 2014.

  1. dorobo

    dorobo Active Member

    This is my first time trying to use SSL. I'm using a wildcard certificate. According to sslcheck.globalsign.com

    I have an A rating but

    Sessions may be vulnerable to BEAST attack

    and

    Server has not enabled HTTP Strict-Transport-Security


    even though I have this line: add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";

    Here is my config

    Code:
    server {
        listen 108.x.x.x.x:443 ssl spdy;
        server_name mydomain.com www.mydomain.com;

        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
        add_header Alternate-Protocol  443:npn-spdy/3;
        ssl_certificate      /usr/local/nginx/conf/ssl/mydomaincom/ssl-unified.crt;
        ssl_certificate_key  /usr/local/nginx/conf/ssl/mydomaincom/ssl.key;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_session_cache      shared:SSL:10m;
        ssl_session_timeout  10m;
        ssl_prefer_server_ciphers   on;
        ssl_ciphers 'AES256+EECDH:AES256+EDH';
        #add_header  X-Content-Type-Options "nosniff";
        add_header X-Frame-Options DENY;
        # nginx 1.5.9+ or higher
        # http://nginx.org/en/docs/http/ngx_http_spdy_module.html#spdy_headers_comp
        # http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_buffer_size
        spdy_headers_comp 5;
        ssl_buffer_size 4k;
        ssl_session_tickets on;

        # enable ocsp stapling
        resolver 8.8.8.8;
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /usr/local/nginx/conf/ssl/mydomaincom/ssl-trusted.crt;
    }

    My other question is: do I need to set NOSOURCEOPENSSL to n and compile OpenSSL from source to make it work?

    I've been pulling my hair out.
     
  2. eva2000

    eva2000 Administrator Staff Member

    Are you testing HSTS against a web site whose main page is an index.html file? If so, you need to edit the statfilesinc shortcut command's file (/usr/local/nginx/conf/staticfiles.conf) for the html context, add the header there too, and restart the Nginx server.

    within /usr/local/nginx/conf/staticfiles.conf
    Code:
    location ~* \.(3gp|gif|jpg|jpeg|png|ico|wmv|avi|asf|asx|mpg|mpeg|mp4|pls|mp3|mid|wav|swf|flv|exe|zip|tar|rar|gz|tgz|bz2|uha|7z|doc|docx|xls|xlsx|pdf|iso)$ {
        gzip_static off;
        #add_header Pragma public;
        add_header Cache-Control "public, must-revalidate, proxy-revalidate";
        access_log off;
        expires 30d;
        break;
    }

    location ~* \.(js)$ {
        #add_header Pragma public;
        add_header Cache-Control "public, must-revalidate, proxy-revalidate";
        access_log off;
        expires 30d;
        break;
    }

    location ~* \.(css)$ {
        #add_header Pragma public;
        add_header Cache-Control "public, must-revalidate, proxy-revalidate";
        access_log off;
        expires 30d;
        break;
    }

    location ~* \.(html|htm|txt)$ {
        #add_header Pragma public;
        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
        add_header Cache-Control "public, must-revalidate, proxy-revalidate";
        access_log off;
        expires 1d;
        break;
    }

    location ~* \.(eot|svg|ttf|woff)$ {
        #add_header Pragma public;
        add_header Cache-Control "public, must-revalidate, proxy-revalidate";
        access_log off;
        expires 30d;
        break;
    }
    
    For testing it's better to use Qualys SSL Labs - Projects / SSL Server Test, as it's more up to date. It would help to know exactly the domain you're testing and the result URL so we can see.

    No need to touch those; leave them at their defaults.

    For BEAST, the cipher preferences I set out are enough; see Security Labs: Is BEAST Still a Threat? | Qualys Community. They're the same ones officially recommended by the Mozilla Foundation.

    Basically, RC4 security could be weaker and vulnerable, and it affects everyone and cannot be mitigated, while BEAST only affects a portion of users.
     
    Last edited: Sep 6, 2014
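The reason the server-level header never reached index.html is nginx's add_header inheritance rule: a location that defines any add_header of its own (here the Cache-Control line in staticfiles.conf) inherits none of the add_header directives from the server block. The script below is an added example, not code from the thread or from Centmin Mod: it models that rule for the three response paths discussed above and runs the same presence check a scanner would, so a defender can confirm HSTS before trusting an external report. The header lists are constructed from the configs posted in this thread.

```python
"""Added example (not from the thread or Centmin Mod): model nginx's
add_header inheritance rule and check the resulting HSTS header.

Assumption: nginx inherits add_header directives from the enclosing level
only when the current level defines no add_header of its own (documented
behaviour of ngx_http_headers_module).
"""
from typing import Dict, List, Tuple

Header = Tuple[str, str]

# Server-level headers, taken from the vhost in post 1 (constructed list).
SERVER_HEADERS: List[Header] = [
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains"),
    ("Alternate-Protocol", "443:npn-spdy/3"),
    ("X-Frame-Options", "DENY"),
]

# staticfiles.conf html location before the fix: it has its own add_header,
# so none of the server-level headers above are inherited.
HTML_LOCATION_BEFORE: List[Header] = [
    ("Cache-Control", "public, must-revalidate, proxy-revalidate"),
]

# html location after the fix: HSTS repeated inside the location.
HTML_LOCATION_AFTER: List[Header] = [
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains"),
    ("Cache-Control", "public, must-revalidate, proxy-revalidate"),
]


def effective_add_headers(server: List[Header], location: List[Header]) -> List[Header]:
    """Headers nginx actually emits for a response handled by `location`."""
    return list(location) if location else list(server)


def parse_hsts(value: str) -> Dict[str, object]:
    """Parse a Strict-Transport-Security value into its directives."""
    parsed: Dict[str, object] = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            parsed["max_age"] = int(arg) if arg.isdigit() else None
        elif name == "includesubdomains":
            parsed["include_subdomains"] = True
        elif name == "preload":
            parsed["preload"] = True
    return parsed


def check_hsts(headers: List[Header]) -> Tuple[bool, str]:
    """Return (ok, message) the way an external scanner would report it."""
    values = [v for n, v in headers if n.lower() == "strict-transport-security"]
    if not values:
        return False, "Server has not enabled HTTP Strict-Transport-Security"
    hsts = parse_hsts(values[0])
    if hsts["max_age"] is None:
        return False, "Strict-Transport-Security present but max-age is missing or invalid"
    if hsts["max_age"] == 0:
        return False, "max-age=0 tells browsers to forget the HSTS policy"
    return True, "HSTS enabled: max-age=%d, includeSubDomains=%s" % (
        hsts["max_age"], hsts["include_subdomains"])


def audit_vhost() -> Dict[str, bool]:
    """Run the check for the three response paths discussed in the thread."""
    cases = {
        "location with no add_header of its own": effective_add_headers(SERVER_HEADERS, []),
        "index.html before fix": effective_add_headers(SERVER_HEADERS, HTML_LOCATION_BEFORE),
        "index.html after fix": effective_add_headers(SERVER_HEADERS, HTML_LOCATION_AFTER),
    }
    return {name: check_hsts(hdrs)[0] for name, hdrs in cases.items()}


if __name__ == "__main__":
    for name, ok in audit_vhost().items():
        print("%-40s %s" % (name, "OK" if ok else "MISSING"))
```

Running it prints MISSING only for "index.html before fix", which is exactly what the GlobalSign check reported: the header was configured, but the html location silently replaced the server-level add_header set. Any location that adds its own header (X-Frame-Options, Cache-Control, and so on) needs the HSTS line repeated, or the header will disappear for that path.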
  3. dorobo

    dorobo Active Member

    Thanks George. Yes, I'm currently testing it with index.html, and this

    Code:
    location ~* \.(html|htm|txt)$ {
        #add_header Pragma public;
        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
        add_header Cache-Control "public, must-revalidate, proxy-revalidate";
        access_log off;
        expires 1d;
        break;
    }
    did the trick. Will there be a conflict if this

    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";

    is included by default in /usr/local/nginx/conf/staticfiles.conf even if you're not going to use SSL?

    With regard to the ciphers, I've now used what you posted here:

    Nginx - Nginx ssl cipher suite | Centmin Mod Community

    Code:
    #cloudflare
    ssl_protocols   SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers     EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:EECDH+RC4:RSA+RC4:!MD5;
    Is that the latest recommendation?

    Also, I went ahead and updated OpenSSL using

    Code:
    yum -y --enablerepo=axivo install openssl --disableplugin=priorities
    This was before you posted your reply to this thread.

    Is that OK? Mine is now OpenSSL 1.0.1i

    The Cloudflare RC4 patch in another thread, is that only for users of Cloudflare's nameservers or for webmasters using SSL in general?
     
    Last edited: Sep 6, 2014
  4. eva2000

    eva2000 Administrator Staff Member

    The recommended ciphers are listed at Nginx HTTPS / SSL Google SPDY configuration

    Only use Nginx - Nginx ssl cipher suite | Centmin Mod Community if you applied the Cloudflare OpenSSL kill-RC4 patch outlined at Nginx - Nginx ssl cipher suite | Centmin Mod Community. It's a general patch for OpenSSL itself.

    And yes, the html HSTS header would cause conflicts if you have non-HTTPS sites calling the /usr/local/nginx/conf/staticfiles.conf file. You can make a copy of /usr/local/nginx/conf/staticfiles.conf to use just for HTTPS SSL sites:

    Code:
    cp -a /usr/local/nginx/conf/staticfiles.conf /usr/local/nginx/conf/staticfiles_ssl.conf
    Then include /usr/local/nginx/conf/staticfiles_ssl.conf in HTTPS-only Nginx vhosts:
    Code:
    include /usr/local/nginx/conf/staticfiles_ssl.conf;
     
  5. dorobo

    dorobo Active Member

    Do we really need a dedicated IP to make this work?

    I tried it with my main IP (shared with other domains) at first, and it said something like

    "443 failed (98: Address already in use)"
     
  6. eva2000

    eva2000 Administrator Staff Member

    No dedicated IP needed. That error means something else is already listening on port 443 with listen 443.

    It should work with either

    Code:
    listen 108.x.x.x.x:443 ssl spdy;
    or

    Code:
    listen 443 ssl spdy;
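A quick way to confirm that diagnosis before changing the vhost is to ask the kernel which process already owns the port. The script below is an added example, not code from the thread or from Centmin Mod: it parses `ss -ltnp` output (the iproute2 socket tool on modern CentOS) and names the listener on a given port. The sample output is constructed; the process name "openvpnas" is taken from what the thread later reveals, and the pids and other columns are placeholders.

```python
"""Added example (not from the thread or Centmin Mod): identify which process
already holds a TCP port, the cause of nginx's
"bind() to ...:443 failed (98: Address already in use)".

Parses `ss -ltnp` output. SAMPLE_SS_OUTPUT is constructed for this example;
pids and process names are placeholders, not a real capture.
"""
import re
import shutil
import subprocess
from typing import Dict, List

SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:443         0.0.0.0:*         users:(("openvpnas",pid=1234,fd=9))
LISTEN 0      128    0.0.0.0:80          0.0.0.0:*         users:(("nginx",pid=2222,fd=6),("nginx",pid=2223,fd=6))
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=800,fd=3))
"""

# Matches each ("name",pid=N,...) entry in the users:(...) column.
PROCESS_RE = re.compile(r'\("([^"]+)",pid=(\d+)')


def listeners_on_port(ss_output: str, port: int) -> List[Dict[str, object]]:
    """Return every LISTEN socket bound to `port`, with its owning processes."""
    found: List[Dict[str, object]] = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header row or non-listening socket
        local = fields[3]  # e.g. 0.0.0.0:443 or [::]:443
        try:
            local_port = int(local.rsplit(":", 1)[1])
        except (IndexError, ValueError):
            continue
        if local_port != port:
            continue
        procs = [(name, int(pid)) for name, pid in PROCESS_RE.findall(line)]
        found.append({"local": local, "processes": procs})
    return found


def explain_bind_failure(ss_output: str, port: int = 443) -> str:
    """Turn the socket table into the one-line answer an admin needs."""
    hits = listeners_on_port(ss_output, port)
    if not hits:
        return "nothing is listening on port %d; a bind failure there is not a port conflict" % port
    names = sorted({name for h in hits for name, _ in h["processes"]})
    # Without root, ss omits the users:(...) column, so names may be empty.
    return "port %d is already held by: %s" % (
        port, ", ".join(names) or "unknown (run ss as root to see process names)")


def live_report(port: int = 443) -> str:
    """Run ss on this host if it exists; falls back to a message otherwise."""
    if shutil.which("ss") is None:
        return "ss not available on this host"
    out = subprocess.run(["ss", "-ltnp"], capture_output=True, text=True, check=False).stdout
    return explain_bind_failure(out, port)


if __name__ == "__main__":
    print(explain_bind_failure(SAMPLE_SS_OUTPUT, 443))
    print(live_report(443))
```

On the sample it reports "port 443 is already held by: openvpnas", which matches the thread's outcome: the conflict was another daemon on the same port, not a missing dedicated IP. Run it as root so the users:(...) column is populated.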
     
  7. dorobo

    dorobo Active Member

    Thanks George.

    Turns out openvpnas was running on 443.

    I'm such a noob.
     
  8. eva2000

    eva2000 Administrator Staff Member

    Glad to see you figured it out :)