SSL SSL / SPDY questions

Discussion in 'Nginx, PHP-FPM & MariaDB MySQL' started by SneakyDave, Oct 22, 2014.

  1. SneakyDave

    Hello, I recently followed the instructions on getting SPDY configured on my site, following instructions here:
    Nginx HTTPS / SSL Google SPDY configuration

    I basically used the virtual site configuration listed on that page as a starting point for my own.
    I have SSL working, and there isn't anything wrong with the positivessl certificate.

    The SPDYCheck page says SPDY isn't enabled, and the SSL certificate check gives me an "A" grade, but says:
    1) Server has not enabled HTTP Strict-Transport-Security
    2) Server may have sent unnecessary certificates in the SSL/TLS negotiation
    3) Missing NPN Extension in SSL/TLS Handshake (but ssllabs.com says "Next Protocol Negotiation yes spdy/3.1 http/1.1", so I assume this is a mistake (?))

    Now, to address #2, it is probably because I concatenated all the .crt files together in the order of this:
    Code:
    cat mydomain.crt COMODORSAAddTrustCA.crt COMODORSADomainValidationSecureServerCA.crt AddTrustExternalCARoot.crt > ssl-bundle.crt
    
    I assume one of those isn't needed, but which one? I got those 4 certs delivered to me when the certificate was created.

    Now, as far as SPDY and the HSTS problem, I don't have any idea. My configuration seems to indicate that they should be enabled, but am I missing something somewhere?

    Also, I'm running on CloudFlare, using its "SSL (Strict)" option, which seems to be working as expected.

    I also checked the ocsp stapling feature with the openssl command, but it didn't return anything ocsp related, so I'm not sure what the dealio is with that, but I suspect everything is related. I assume that I use the same cert file for both ssl_certificate and the ssl_trusted_certificate directives?

    This is my virtualhost config.
    Code:
    server {
      server_name domain.com www.domain.com;
      return 301 https://$server_name$request_uri;
    }
    
    server {
    
      #CloudFlare IP's
      set_real_ip_from 199.27.128.0/21;
      set_real_ip_from 173.245.48.0/20;
      set_real_ip_from 103.21.244.0/22;
      set_real_ip_from 103.22.200.0/22;
      set_real_ip_from 103.31.4.0/22;
      set_real_ip_from 141.101.64.0/18;
      set_real_ip_from 108.162.192.0/18;
      set_real_ip_from 190.93.240.0/20;
      set_real_ip_from 188.114.96.0/20;
      set_real_ip_from 197.234.240.0/22;
      set_real_ip_from 198.41.128.0/17;
      set_real_ip_from 162.158.0.0/15;
      set_real_ip_from 104.16.0.0/12;
      set_real_ip_from 2400:cb00::/32;
      set_real_ip_from 2606:4700::/32;
      set_real_ip_from 2405:b500::/32;
      set_real_ip_from 2405:8100::/32;
      real_ip_header CF-Connecting-IP;
    
      listen 443 ssl spdy;
      server_name domain.com www.domain.com;
    
      ssl_certificate      /usr/local/nginx/conf/ssl/ssl-bundle.crt;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/mydomain.key;
      ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
      ssl_session_cache      shared:SSL:10m;
      ssl_session_timeout  10m;
      ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA;
      ssl_prefer_server_ciphers   on;
      add_header Alternate-Protocol  443:npn-spdy/3;
      add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header  X-Content-Type-Options "nosniff";
      #add_header X-Frame-Options DENY;
      # nginx 1.5.9+ or higher
      # http://nginx.org/en/docs/http/ngx_http_spdy_module.html#spdy_headers_comp
      # http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_buffer_size
      spdy_headers_comp 0;
      ssl_buffer_size 4k;
    
      # enable ocsp stapling
      resolver 8.8.8.8 8.8.4.4 valid=10m;
      resolver_timeout 10s;
      ssl_stapling on;
      ssl_stapling_verify on;
      ssl_trusted_certificate /usr/local/nginx/conf/ssl/ssl-bundle.crt;
    
      # ngx_pagespeed & ngx_pagespeed handler
      #include /usr/local/nginx/conf/pagespeed.conf;
      #include /usr/local/nginx/conf/pagespeedhandler.conf;
      #include /usr/local/nginx/conf/pagespeedstatslog.conf;
      # limit_conn limit_per_ip 16;
      # ssi  on;
      access_log /home/nginx/domains/domain.com/log/access.log combined buffer=32k;
      error_log /home/nginx/domains/domain.com/log/error.log;
    
      root /home/nginx/domains/domain.com/public;
    
      ## redirect https://www to https://non-www
      if ($host = 'www.domain.com') {
         return 302 https://$server_name$request_uri;
      }
    
      location / {
    
        # block common exploits, sql injections etc
        include /usr/local/nginx/conf/block.conf;
    
        # Enables directory listings when index file not found
        #autoindex  on;
    
        # Shows file listing times as local time
        #autoindex_localtime on;
        index index.php index.html index.htm;
        try_files $uri $uri/ /tester/index.php?$uri&$args;
    
      }
    
      location /internal_data/ {
            internal;
            allow 127.0.0.1;
            deny all;
      }
    
      location /library/ {
            internal;
            allow 127.0.0.1;
            deny all;
      }
    
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/php.conf;
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
    }
    
    
    
     
    Last edited: Oct 22, 2014
  2. eva2000

  3. SneakyDave

    Never mind, just realized that the post you refer to has the same Comodo certs I do (no pem file), so I'll follow that thread, thanks.

    [Edited worthless information, lol]
     
    Last edited: Oct 22, 2014
  4. SneakyDave

    ok, so I got the trusted.crt and unified certs recreated and then running some web-based SSL tests, realized that CloudFlare can render a lot of tests invalid, or throw internal exceptions, so I temporarily turned that off. Maybe I don't even need it at this point.

    Anyway, I got almost all of my errors cleared up except for what you would think would be a simple one to resolve.


    SPDYCheck: Testing Websites for SPDY Support tells me that SPDY is enabled, but the server is not using HSTS, but I have this distinctly coded in the nginx configuration:
    Code:
      ssl_certificate      /usr/local/nginx/conf/ssl/ssl-unified.crt;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/thedomain.key;
      ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
      ssl_session_cache      shared:SSL:10m;
      ssl_session_timeout  10m;
      ssl_ciphers [all the ciphers snipped];
      ssl_prefer_server_ciphers   on;
      add_header Alternate-Protocol  443:npn-spdy/3;
      add_header Strict-Transport-Security "max-age=31536000; includeSubDomains;";
      spdy_headers_comp 0;
      ssl_buffer_size 4k;
    
    
    Probably not a big issue, in my opinion, but strange that it isn't working. Qualys SSL Labs tells me the same thing.

    But thanks for all the other information, things are certainly a lot 'speedier' with SSL nowadays.
     
  5. eva2000

    2nd post above had solution for HSTS

    as to HSTS for static html files SSL - intermediate.crt root.pem missing?

    need to add HSTS to staticfile.conf for html and htm files if you're testing spdycheck against static html file
     
  6. SneakyDave

    I realized the "second post" was referring to static files, and I didn't think I was using any, but I was wrong, as my xenforo installation isn't in root yet, so visiting the domain name would try to serve a static file, so that's probably the dealio with that.

    Thanks for driving the point home to my ignorance.

    Edit to say: Yep, that's exactly what it was. Didn't realize I was serving a static file at the domain root, needed to change the staticfiles.conf.
     
    Last edited: Oct 23, 2014
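    The pitfall that posts 4 to 6 circle around is nginx's add_header inheritance: a location block that declares any add_header of its own (as a static-file include usually does for Cache-Control or Expires) replaces the whole inherited set, so a Strict-Transport-Security header set at server level is never sent for the .html responses that location serves, and SPDYCheck or SSL Labs testing the site root sees no HSTS. The following is an added example, not code from this thread or from Centmin Mod: a small stdlib-only Python checker in the spirit of gixy's add_header_redefinition rule, run over two constructed config snippets, the broken shape and the corrected one. The snippets and the `~* \.(html|htm)$` location are assumptions standing in for the real staticfiles.conf; the parser does not follow include directives, so paste an included file's contents inline when checking a real config.

```python
import re


def parse_nginx(text):
    """Parse nginx config text into a list of (directive, args, children);
    children is None for a simple directive and a list for a { } block.
    Comments are stripped; include directives are kept but not followed."""
    text = re.sub(r"#[^\n]*", "", text)
    tokens = re.findall(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};]+', text)
    pos = 0

    def block():
        nonlocal pos
        items = []
        while pos < len(tokens) and tokens[pos] != "}":
            words = []
            while tokens[pos] not in ("{", ";"):
                words.append(tokens[pos].strip("\"'"))
                pos += 1
            if tokens[pos] == "{":
                pos += 1
                children = block()
                pos += 1                      # consume the closing "}"
            else:
                pos += 1                      # consume ";"
                children = None
            items.append((words[0], words[1:], children))
        return items

    return block()


def add_header_names(items):
    """Header names declared by add_header directly in this block."""
    return {args[0] for name, args, _ in items if name == "add_header" and args}


def lost_headers(items, inherited=frozenset(), path="main"):
    """Return [(block path, header)] for headers a block silently drops.

    nginx inherits add_header from the enclosing level only when the current
    level has no add_header at all; a single add_header in a location replaces
    the whole inherited set, so HSTS set in server {} vanishes from any
    location that adds its own Cache-Control, Expires, etc.
    """
    own = add_header_names(items)
    effective = own if own else inherited
    findings = [(path, h) for h in sorted(inherited - own)] if own else []
    for name, args, children in items:
        if children is not None:
            findings += lost_headers(children, frozenset(effective),
                                     " > ".join([path, " ".join([name, *args])]))
    return findings


# Constructed sample (assumption): the shape of the thread's vhost with the
# static-file location that an included staticfiles.conf typically adds.
BROKEN_CONF = r"""
server {
    listen 443 ssl spdy;
    server_name domain.com;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # its own add_header replaces the inherited set: .html responses lose HSTS
    location ~* \.(html|htm)$ {
        expires 1d;
        add_header Cache-Control "public";
    }
}
"""

# Corrected form: repeat HSTS in every location that declares add_header.
FIXED_CONF = BROKEN_CONF.replace(
    'add_header Cache-Control "public";',
    'add_header Cache-Control "public";\n'
    '        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";')

if __name__ == "__main__":
    for path, header in lost_headers(parse_nginx(BROKEN_CONF)):
        print(f"{header} is dropped in: {path}")
    print("fixed config findings:", lost_headers(parse_nginx(FIXED_CONF)))
```

    Run the checker against the concatenation of the vhost file and every file it includes; every (path, header) pair it prints is a header a client will not see on responses from that location. The fix is the one post 6 arrived at: declare the Strict-Transport-Security add_header again inside each location that declares any add_header of its own.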
  7. eva2000

    You're welcome :)
     
  8. Josephm

    By the way, for people using a Comodo PositiveSSL cert it is confusing to know which file is the root and which is the intermediate, because they do not have a root.pem file according to the centminmod manual.
    I tried these commands with my domain and SSL/SPDY worked well:
    Code:
    openssl req -new -newkey rsa:4096 -sha256 -nodes -out yourdomainname_com.csr -keyout yourdomainname_com.key -subj "/C=US/ST=44/L=Chicago/O=Mike Plaza/OU=Marketing/CN=yourdomainname.com"
    cat yourdomainname_com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > bwhmssl-unified.crt
    cat COMODORSAAddTrustCA.crt COMODORSADomainValidationSecureServerCA.crt AddTrustExternalCARoot.crt > bwhmssl-trusted.crt
    
     
    Last edited: Oct 23, 2014
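    The question in the first post (which of the four Comodo files is the unnecessary one, and in what order to concatenate them) and the order Josephm settles on above can both be answered mechanically rather than by guessing: in a correct bundle each certificate's issuer Name is byte-for-byte the next certificate's subject Name, the leaf is the one no other certificate names as its issuer, and the self-signed root is the one clients already hold in their own trust store, so sending it is the "unnecessary certificate" SSL Labs complains about. The following is an added example, not code from this thread: a stdlib-only Python checker that walks the DER structure just far enough to read issuer and subject, reports an out-of-order or root-carrying bundle, and rebuilds the two files the thread ends up with (leaf plus intermediates for ssl_certificate, intermediates plus root for ssl_trusted_certificate, which ssl_stapling_verify needs to validate OCSP responses). The four sample certificates are constructed, unsigned X.509 skeletons with made-up names, not Comodo's real certificates; fake_cert_pem and the CA names are assumptions made for the example.

```python
import re
import ssl

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def split_pem_bundle(text):
    """PEM certificate blocks of a bundle, in file order."""
    return PEM_RE.findall(text)


def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value_start, end)."""
    tag, length, hdr = buf[pos], buf[pos + 1], 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    return tag, pos + hdr, pos + hdr + length


def names_of(der):
    """(issuer, subject) of a DER certificate as raw Name encodings.
    Walks Certificate > tbsCertificate > [version] serial sigAlg issuer validity
    subject (RFC 5280 4.1); path building compares the raw Name bytes."""
    _, p, _ = _tlv(der, 0)                              # Certificate
    _, p, _ = _tlv(der, p)                              # tbsCertificate
    tag, _, end = _tlv(der, p)
    if tag == 0xA0:                                     # optional version [0]
        p = end
    _, _, p = _tlv(der, p)                              # serialNumber
    _, _, p = _tlv(der, p)                              # signature AlgorithmIdentifier
    start = p
    _, _, p = _tlv(der, p)                              # issuer Name
    issuer = der[start:p]
    _, _, p = _tlv(der, p)                              # validity
    start = p
    _, _, p = _tlv(der, p)                              # subject Name
    return issuer, der[start:p]


def _names_pem(pem):
    return names_of(ssl.PEM_cert_to_DER_cert(pem))


def check_chain(bundle_text):
    """Findings for a bundle destined for ssl_certificate; [] means leaf first,
    each certificate signed by the next, and no self-signed root included."""
    names = [_names_pem(p) for p in split_pem_bundle(bundle_text)]
    findings = []
    for i in range(len(names) - 1):
        if names[i][0] != names[i + 1][1]:
            findings.append(f"cert {i} is not issued by cert {i + 1}: bundle out of order")
    for i, (issuer, subject) in enumerate(names):
        if issuer == subject:
            findings.append(f"cert {i} is self-signed: a root, drop it from ssl_certificate")
    return findings


def order_chain(pems):
    """Reorder PEM blocks leaf-first by following issuer -> subject links."""
    by_subject = {}
    for pem in pems:
        issuer, subject = _names_pem(pem)
        by_subject[subject] = (issuer, pem)
    issuers = {iss for iss, _ in by_subject.values()}
    leaves = [s for s in by_subject if s not in issuers]
    if len(leaves) != 1:
        raise ValueError("bundle must contain exactly one end-entity certificate")
    ordered, cur = [], leaves[0]
    while cur in by_subject:
        issuer, pem = by_subject.pop(cur)
        ordered.append(pem)
        if issuer == cur:                               # self-signed root reached
            break
        cur = issuer
    return ordered


def server_bundle(pems):
    """Leaf + intermediates, root dropped: the contents of ssl_certificate."""
    return [p for p in order_chain(pems) if _names_pem(p)[0] != _names_pem(p)[1]]


def trusted_bundle(pems):
    """Intermediates + root: ssl_trusted_certificate for ssl_stapling_verify."""
    return order_chain(pems)[1:]


# --- constructed fixtures (assumption): unsigned X.509 skeletons, not real certs ---
def _der(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def _name(cn):   # Name ::= SEQ { SET { SEQ { OID 2.5.4.3 (CN), UTF8String } } }
    return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))


def fake_cert_pem(subject_cn, issuer_cn):
    tbs = _der(0x30, b"".join([
        _der(0xA0, _der(0x02, b"\x02")),                # version v3
        _der(0x02, b"\x01"),                            # serialNumber
        _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")),  # sha256WithRSA
        _name(issuer_cn),
        _der(0x30, _der(0x17, b"240101000000Z") * 2),   # validity
        _name(subject_cn),
        _der(0x30, b""),                                # subjectPublicKeyInfo placeholder
    ]))
    return ssl.DER_cert_to_PEM_cert(_der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00")))


# Four-level chain shaped like the Comodo one above, concatenated in the first
# post's order (leaf, 2nd intermediate, 1st intermediate, root), which is wrong.
LEAF = fake_cert_pem("www.example.com", "DV CA")
DV_CA = fake_cert_pem("DV CA", "AddTrust CA")
ADDTRUST_CA = fake_cert_pem("AddTrust CA", "Root CA")
ROOT_CA = fake_cert_pem("Root CA", "Root CA")
WRONG_BUNDLE = LEAF + ADDTRUST_CA + DV_CA + ROOT_CA
```

    Running `check_chain` on a real ssl-bundle.crt prints one line per ordering break plus one for the root; `"\n".join(server_bundle(split_pem_bundle(text)))` and `"\n".join(trusted_bundle(...))` are then the two files Josephm's cat commands produce by hand. Only the four-level Comodo case is tested here; the same link-following works for any depth, because it never assumes how many intermediates there are.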
  9. eva2000
