Example nginx site file should be made more secure
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenSRF | Fix Released | Medium | Unassigned |
2.5 | Fix Committed | Medium | Unassigned |
3.0 | Fix Released | Medium | Unassigned |
Bug Description
OpenSRF 2.5.0 includes an example nginx site configuration file that allows for proxying as described in the README. As we have learned in our testing, the default SSL setup leaves us open to the "Logjam" attack because of weak Diffie-Hellman key exchange parameters (see https:/
My initial suggestion is to add the suggested configuration from the NGINX section of https:/
(I'll mention that this issue was discovered using the SSL checking site at https:/
Changed in opensrf:
importance: Undecided → Medium
status: New → Confirmed
Changed in opensrf:
milestone: none → 3.1-beta
Changed in opensrf:
status: Fix Committed → Fix Released
Right, here's what we're currently using on Ubuntu 16.04 - a combination of what SSLabs suggested and Mozilla's config generator suggested. The comments might be useful for, for example, generating the dhparams (useful for external docs as well as inside our example config file):
    listen 443 ssl http2; # managed by Certbot
    #ssl_certificate /etc/letsencrypt/live/boreal-test.concat.ca/fullchain.pem; # managed by Certbot
    #ssl_certificate_key /etc/letsencrypt/live/boreal-test.concat.ca/privkey.pem; # managed by Certbot
    #include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_certificate /etc/apache2/ssl/server.crt;
    ssl_certificate_key /etc/apache2/ssl/server.key;

    if ($scheme != "https") {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    # generate with openssl dhparam -out dhparams.pem 2048
    ssl_dhparam /etc/apache2/dhparams.pem;

    # From https://mozilla.github.io/server-side-tls/ssl-config-generator/
    ssl_prefer_server_ciphers on;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    # intermediate configuration. tweak to your needs.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';

    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
    add_header Strict-Transport-Security max-age=15768000;

    # OCSP Stapling ---
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;
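As an added example (not part of this bug thread or of OpenSRF's own code), a small Python audit of the Logjam-relevant directives discussed above, run over two constructed server blocks: the weak state the report describes and the hardened directives the thread settled on. The function names, the sample blocks and the `/etc/apache2/dhparams.pem` path are assumptions for the example.

```python
import re
# Constructed samples (not the project's file): a weak site beside the hardened
# directives settled on in this thread, trimmed to the TLS lines that matter here.
WEAK_SITE = """
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'HIGH:!aNULL:!MD5';   # HIGH includes DHE suites, no ssl_dhparam set
"""
HARDENED_SITE = """
    listen 443 ssl http2;
    if ($scheme != "https") { return 301 https://$host$request_uri; }
    # generate with openssl dhparam -out dhparams.pem 2048
    ssl_dhparam /etc/apache2/dhparams.pem;
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:!DSS';
    add_header Strict-Transport-Security max-age=15768000;
"""

def parse_directives(text):
    """Return [(name, [args])]; '#' comments and block braces are dropped."""
    text = re.sub(r"#[^\n]*", "", text)
    text = text.replace("{", ";").replace("}", ";")   # flatten if (...) { ... }
    out = []
    for stmt in text.split(";"):
        toks = stmt.split()
        if toks:
            out.append((toks[0], [t.strip("'\"") for t in toks[1:]]))
    return out

def audit_tls(text):
    """Return the Logjam-related findings for one nginx server block."""
    directives = parse_directives(text)
    last = {name: args for name, args in directives}        # last value wins, like nginx
    findings = []
    if set(last.get("ssl_protocols", [])) & {"SSLv2", "SSLv3"}:
        findings.append("ssl_protocols still permits SSLv2/SSLv3")
    ciphers = last.get("ssl_ciphers", [""])[0]
    # Finite-field DHE suites are reachable via explicit DHE-/EDH- names (not ECDHE) or the
    # HIGH/DEFAULT/ALL groups unless excluded; without ssl_dhparam old nginx used 1024-bit DH.
    dhe = (re.search(r"(?<!EC)DHE|EDH|HIGH|DEFAULT|ALL", ciphers) is not None
           and not any(k in ciphers for k in ("!DH", "!kDHE", "!EDH")))
    if dhe and "ssl_dhparam" not in last:
        findings.append("DHE suites enabled without ssl_dhparam (Logjam-prone default DH)")
    if last.get("ssl_prefer_server_ciphers", ["off"])[0] != "on":
        findings.append("ssl_prefer_server_ciphers is not on")
    if not any(n == "add_header" and a[:1] == ["Strict-Transport-Security"]
               for n, a in directives):
        findings.append("no Strict-Transport-Security header")
    return findings
```

The exclusion test on the cipher string is a deliberate approximation of OpenSSL's cipher-list grammar; a site that depends on unusual cipher-list syntax should be verified with an external scanner as the reporter did.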