Beta Branch update ssl_ciphers for nginx 1.11 dual ECDSA+RSA cert support

Discussion in 'Centmin Mod Github Commits' started by eva2000, Jun 17, 2016.

  1. eva2000

    eva2000 Administrator Staff Member

    29,027
    6,588
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +9,780
    Local Time:
    3:31 AM
    Nginx 1.13.x
    MariaDB 5.5
  2. Jimmy

    Jimmy Premium Member Premium Member

    1,026
    231
    63
    Oct 24, 2015
    East Coast USA
    Ratings:
    +555
    Local Time:
    1:31 PM
    1.13.x
    MariaDB 10.1.x
    I was thinking, might be good to have a gist or a thread here (which is locked and not buried in replies) which shows the updates to the default vhost. I need to change those in my existing vhost - I could create a new one to see the changes - but if there was one here that I could view I could just copy what I needed to update. Looking at github, since it's code, it doesn't have exactly what I need to copy / paste into my conf file.
     
  3. eva2000

    Ah thanks for the reminder, I just updated the official site's nginx vhost generator with updated ssl_ciphers. Note the vhost structure is for 123.08stable not 123.09beta01 but the ssl_ciphers are the same :)

    Just check the self-signed ssl certificate box before generating a Centmin Mod Nginx vhost :D

    Enjoy :)

    https://centminmod.com/vhost.php

    or for this change at least

    Code (Text):
      # dual cert supported ssl ciphers
      ssl_ciphers     EECDH+CHACHA20-draft:EECDH+CHACHA20:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+ECDSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+SHA384:EECDH+AES128:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA;
    
     
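An added example (not from the thread or from Centmin Mod): a Python check that expands the ssl_ciphers value quoted above with the OpenSSL library Python is linked against and groups the TLS 1.2-and-below suites by certificate type, to confirm the string leaves suites for both the ECDSA and the RSA certificate. The function names are this example's own, and the result reflects the local OpenSSL build, which may differ from the one nginx was compiled against.

```python
import ssl
from collections import defaultdict

# ssl_ciphers value copied verbatim from the post above.
CIPHERS = (
    "EECDH+CHACHA20-draft:EECDH+CHACHA20:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:"
    "EECDH+ECDSA+SHA256:EECDH+ECDSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+SHA384:"
    "EECDH+AES128:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:"
    "!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA"
)

# Substrings of OpenSSL suite names for the classes the string excludes with "!".
EXCLUDED_MARKERS = ("NULL", "DES-CBC3", "MD5", "EXP", "PSK", "SRP",
                    "DSS", "RC4", "CAMELLIA")


def expand_by_auth(cipher_string):
    """Expand a cipher string with the local OpenSSL; group suites by cert type."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # ssl.SSLError if no suite matches at all
    groups = defaultdict(list)
    for suite in ctx.get_ciphers():
        if suite["protocol"] == "TLSv1.3":
            continue  # TLS 1.3 suites are configured separately from this string
        groups[suite["auth"]].append(suite["name"])
    return dict(groups)


def audit(cipher_string):
    """Report which certificate types the string can serve and any leftovers."""
    groups = expand_by_auth(cipher_string)
    names = [n for suites in groups.values() for n in suites]
    return {
        "ecdsa": groups.get("auth-ecdsa", []),   # usable with the ECDSA cert
        "rsa": groups.get("auth-rsa", []),       # usable with the RSA cert
        "excluded_leak": [n for n in names
                          if any(m in n for m in EXCLUDED_MARKERS)],
        "no_ecdhe": [n for n in names if not n.startswith("ECDHE-")],
    }


if __name__ == "__main__":
    for key, value in audit(CIPHERS).items():
        print(f"{key}: {len(value)} suites", *value, sep="\n  ")
```

An empty `ecdsa` list, which an RSA-only string such as `EECDH+aRSA+AESGCM` produces, means the ECDSA certificate cannot be served to TLS 1.2 clients.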
  4. Jimmy

    That works perfect. Never knew that page existed. (y)
     
  5. eva2000

    Yeah, worth browsing the official site a bit ;)
     
  6. Jimmy

    I have most everything already bookmarked, didn't have that page. :(
     
  7. tjk

    tjk Member

    74
    16
    8
    Jun 27, 2015
    Ratings:
    +25
    Local Time:
    1:31 PM
    Per my other thread, I still think there should be a single vhost, and then an include if someone is doing ssl that will include ssl configs and updated via centmin mod, instead of trying to keep track of vhost changes.

    :)
     
  8. eva2000

    As I said, it will make letsencrypt free ssl integration much harder to do safely without forcing HTTPS on folks, as opposed to making it only optional via a separate ssl nginx vhost. Then the end user can decide if they want a HTTP only or HTTPS only or HTTP + HTTPS site. Noob folks get very confused with nginx vhost syntax if you want them to edit a single vhost file with all the settings, as opposed to seeing side by side both nginx HTTP + HTTPS vhosts.

    There is a ssl include file for some settings but not ssl ciphers as from past feedback folks may want their own ssl cipher preferences for their intended visitors' browsers and OS profiles and may want to customise them per site vhost for various reasons. I know I do this myself :)

    Though might be a new option @tjk for single ssl vhost via /usr/bin/nv: "Beta Branch - Add Nginx Vhost via SSH command line via nv.sh /usr/bin/nv | Centmin Mod Community" :)
     
    Last edited: Jun 17, 2016
  9. tjk

    @eva2000 this is a good compromise, when I create a vhost give me the option to only create an SSL one, and only 1 vhost file then, is that the plan?

    Edit: yes it is, nice!
     
  10. eva2000

    yes if you use /usr/bin/nv command line method and use -s yd flag in 123.09beta01 and higher
     
    Last edited: Jun 17, 2016