Difference between revisions of "WebServer SSL"

From Funtoo
Revision as of 06:35, July 9, 2015

Securing Nginx or Tengine with OpenSSL

Getting Started

OK, you've got your SSL certificate and you have tengine or nginx set up, but you need it secured. After all, you've heard of all the recent DH attacks, BEAST, CRIME, FREAK, Heartbleed and others, right? Is your system already secure? Test it! Check out the SSL Labs Test Site. I'm getting an A+ rating! The following assumes Package:Tengine, but Package:Nginx is exactly the same, just s/tengine/nginx/g;

If you don't know what Package:OpenSSL is, just click the link. Need a certificate? OK - I highly recommend [1]. It's FREE! These guys will step you through the process by following the instructions on their site. If you have problems, the tech support via email is instantaneous and incredibly professional. My cert was the free variety, but if I ever upgrade, I will go to them because the support (to a non-paying customer no less) was so good.

/etc/tengine/ssl.conf

I recommend you put all your SSL configuration into a single file so that you can update it as security issues arise. This way, if you have multiple sites, they can all include the same file and you don't need to try and maintain the information for each site separately.

#- Both listen lines are needed: with nginx's default ipv6only=on, the [::]:443
#- socket only accepts IPv6 connections, so the plain 443 line covers IPv4
listen                                  [::]:443 ssl;
listen                                  443 ssl;

#- Support current SSL standards and options only
ssl_session_cache                       shared:SSL:10m;
ssl_session_timeout                     10m;
ssl_protocols                           TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers               on;
ssl_ciphers                             "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_session_tickets                     off;
#- OCSP stapling also needs a `resolver` directive (in the http block) so that
#- the OCSP responder hostname named in the certificate can be looked up
ssl_stapling                            on;
ssl_stapling_verify                     on;

#- And some security related headers
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

Comment out the Strict-Transport-Security if you want to have part of your site as non-SSL. Not recommended!
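If you want a quick way to see which of the points in this file a given ssl.conf is missing, here is an added example (it is not from the wiki page, nor from nginx or tengine). It parses the directive lines of a flat fragment like ssl.conf with a small regex (it does not handle a full nested nginx.conf) and reports anything that falls short of the hardening above. The sample config is a constructed copy of the block above with one header left out so the check has something to say. It also reports TLSv1 and TLSv1.1, which the 2015 config on this page still allows and which RFC 8996 has since deprecated.

```python
"""Check an nginx/tengine ssl.conf fragment against the hardening points on this page.

Added example, not code from the Funtoo wiki or from nginx/tengine.
"""
import re

# Constructed sample: the page's ssl.conf with X-Content-Type-Options left out.
SAMPLE_CONF = """
#- Support current SSL standards and options only
ssl_session_cache               shared:SSL:10m;
ssl_session_timeout             10m;
ssl_protocols                   TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers       on;
ssl_ciphers                     "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_session_tickets             off;
ssl_stapling                    on;
ssl_stapling_verify             on;
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header X-Frame-Options DENY;
"""

# One directive per line, terminated by ';'. The lazy group stops at the LAST ';'
# on the line, so a quoted value containing ';' (the HSTS header) stays whole.
DIRECTIVE_RE = re.compile(r'^\s*([A-Za-z_]+)\s+(.*?);\s*$')


def parse_directives(text):
    """Return [(name, args), ...] in file order; comments and blank lines are skipped.
    add_header can occur several times, so a list is kept rather than a dict."""
    out = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith('#'):
            continue
        m = DIRECTIVE_RE.match(line)
        if m:
            out.append((m.group(1), m.group(2).strip()))
    return out


def headers(directives):
    """Map response-header names (lower-cased) to their add_header values."""
    result = {}
    for name, args in directives:
        if name == 'add_header':
            parts = args.split(None, 1)
            if len(parts) == 2:
                result[parts[0].lower()] = parts[1].strip('"')
    return result


def check_ssl_conf(text):
    """Return a sorted list of findings; an empty list means every point checked is met."""
    directives = parse_directives(text)
    single = {name: args for name, args in directives if name != 'add_header'}
    hdrs = headers(directives)
    findings = []

    protocols = single.get('ssl_protocols', '').split()
    if not protocols:
        findings.append('ssl_protocols not set: nginx falls back to its built-in default list')
    for p in protocols:
        if p.startswith('SSLv'):
            findings.append(f'{p} enabled: SSL 2.0/3.0 must not be offered')
        elif p in ('TLSv1', 'TLSv1.1'):
            findings.append(f'{p} enabled: deprecated by RFC 8996, keep TLSv1.2 or newer only')
    if single.get('ssl_prefer_server_ciphers') != 'on':
        findings.append("ssl_prefer_server_ciphers is not on: the client's cipher preference wins")
    if single.get('ssl_session_tickets') != 'off':
        findings.append('ssl_session_tickets not off: a leaked ticket key exposes past sessions unless rotated')
    if single.get('ssl_stapling') == 'on' and single.get('ssl_stapling_verify') != 'on':
        findings.append('ssl_stapling on without ssl_stapling_verify: stapled OCSP response is not checked')
    hsts = hdrs.get('strict-transport-security')
    if hsts is None:
        findings.append('Strict-Transport-Security header missing: HTTPS can be stripped to HTTP')
    else:
        m = re.search(r'max-age=(\d+)', hsts)
        if not m or int(m.group(1)) < 31536000:   # one year, what preload lists require
            findings.append('Strict-Transport-Security max-age below one year')
    for h in ('x-frame-options', 'x-content-type-options'):
        if h not in hdrs:
            findings.append(f'{h} header missing')
    return sorted(findings)


if __name__ == '__main__':
    for finding in check_ssl_conf(SAMPLE_CONF):
        print('-', finding)
```

Feed it your real file with `check_ssl_conf(open('/etc/tengine/ssl.conf').read())`; a clean run returns an empty list.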

Attach Certs To Your Site

Go to your /etc/tengine/sites-available/ directory and add the following to your first SSL site.

include                                 /etc/tengine/ssl.conf;
ssl_dhparam                             /etc/ssl/tengine/dhparam4096;
ssl_trusted_certificate                 /etc/ssl/tengine/startssl_trust_chain.crt;
ssl_certificate                         /etc/ssl/tengine/ssl-unified.crt;
ssl_certificate_key                     /etc/ssl/tengine/ssl.key;

If you purchased a certificate that works for multiple domains, then these can be the same files for all your sites and you can put those lines into the ssl.conf above. In most cases, you will have different SSL certificates for different sites and you will want to name the files accordingly.

Building SSL Files

Now, there are 4 files here for SSL in addition to the one we just included. Let's look at where they come from.

First, you should have a certificate file (ssl.crt in the following) and a key for that file (private_ssl.key). The header will tell you which is which if you named them oddly; filenames aren't important. Open the file with vi and look for the text at the top between '-----' symbols, starting with BEGIN. If you use less, you won't see the header, as less will attempt to decode the certificate to show you the information in it.

  • CERTIFICATE: this is a certificate
  • RSA PRIVATE KEY: this is your key!

If your KEY has a line that says ENCRYPTED, it's password protected. Since you probably don't want to issue a password every time you start your server, let's fix that first.

openssl rsa -in private_ssl.key -out /etc/ssl/tengine/ssl.key

Easy enough? And we have one of our files done. Only 3 to go!

Next, create a chain of certificates back to the root. For StartSSL, you download their intermediate cert:

wget https://www.startssl.com/certs/class1/sha2/pem/sub.class1.server.sha2.ca.pem

Then make the file you need with your cert and theirs. Here's your next 2 files!

cat ssl.crt sub.class1.server.sha2.ca.pem  > /etc/ssl/tengine/ssl-unified.crt
cp sub.class1.server.sha2.ca.pem /etc/ssl/tengine/startssl_trust_chain.crt

Now, the final command for the final file:

openssl dhparam -out /etc/ssl/tengine/dhparam4096 4096

4096 might be overkill, but 1024 is the minimum and you might as well go all out just in case 1024 gets broken next month!

Be sure all these files are secure!

chmod 0600 /etc/ssl/tengine/*

Delete originals, clean up, then restart tengine. Repeat the above for each SSL site, giving descriptive names to your output files.
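Before you restart, here is an added example (not code from the Funtoo wiki) that does the header check from the top of this section over every file in the directory instead of opening each one in vi: it classifies each '-----BEGIN ...-----' block, flags a key that would still prompt for a passphrase at start-up (the ENCRYPTED marker), checks that the unified file is a certificate chain, and reports anything not at 0600. The PEM bodies in the samples are constructed placeholders, not real key material; the file name pemcheck.py and the directory argument are assumptions.

```python
"""Classify the PEM files built above by their headers and flag the common slips.

Added example, not code from the Funtoo wiki. Run as:
    python3 pemcheck.py /etc/ssl/tengine
"""
import os
import re
import stat
import sys

# A PEM block: label in the BEGIN line, anything up to the matching END line.
BLOCK_RE = re.compile(r'-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----', re.S)


def split_pem(text):
    """Return (label, body) for each PEM block in file order; body keeps any header lines."""
    return [(m.group(1), m.group(2)) for m in BLOCK_RE.finditer(text)]


def inspect_pem(text):
    """Classify each block as 'certificate', 'private key', 'encrypted private key', etc.
    A passphrase-protected key shows up either as the PKCS#8 label
    'ENCRYPTED PRIVATE KEY' or, in the legacy 'RSA PRIVATE KEY' format the page
    describes, as a 'Proc-Type: 4,ENCRYPTED' header line inside the block."""
    kinds = []
    for label, body in split_pem(text):
        if label == 'CERTIFICATE':
            kinds.append('certificate')
        elif label == 'ENCRYPTED PRIVATE KEY':
            kinds.append('encrypted private key')
        elif label.endswith('PRIVATE KEY'):
            encrypted = re.search(r'^Proc-Type:\s*4,ENCRYPTED', body, re.M) is not None
            kinds.append('encrypted private key' if encrypted else 'private key')
        else:
            kinds.append(label.lower())      # e.g. 'dh parameters' for dhparam4096
    return kinds


def needs_decryption(text):
    """True if the server would prompt for a passphrase when loading this key."""
    return 'encrypted private key' in inspect_pem(text)


def is_cert_chain(text):
    """True if the file holds only certificates and at least two of them
    (your cert first, then the CA's), which is what ssl-unified.crt should look like."""
    kinds = inspect_pem(text)
    return len(kinds) >= 2 and all(k == 'certificate' for k in kinds)


def world_readable(mode):
    """True if the permission bits allow any group or other access (not 0600-style)."""
    return (stat.S_IMODE(mode) & 0o077) != 0


# Constructed samples; the base64 bodies are placeholders, not real keys or certs.
ENCRYPTED_KEY = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF

cGxhY2Vob2xkZXIgYm9keSwgbm90IGEgcmVhbCBrZXk=
-----END RSA PRIVATE KEY-----
"""
PLAIN_KEY = """-----BEGIN RSA PRIVATE KEY-----
cGxhY2Vob2xkZXIsIG5vdCBhIHJlYWwga2V5
-----END RSA PRIVATE KEY-----
"""
UNIFIED_CRT = """-----BEGIN CERTIFICATE-----
c2VydmVyIGNlcnQgcGxhY2Vob2xkZXI=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
aW50ZXJtZWRpYXRlIGNhIHBsYWNlaG9sZGVy
-----END CERTIFICATE-----
"""


def main(directory):
    """Print one line per file: its PEM contents plus any problems found."""
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        with open(path) as fh:
            text = fh.read()
        notes = []
        if needs_decryption(text):
            notes.append('ENCRYPTED: run openssl rsa -in ... -out ... first')
        if world_readable(os.stat(path).st_mode):
            notes.append('mode is not 0600')
        summary = ', '.join(inspect_pem(text)) or 'no PEM blocks'
        print(f'{name}: {summary}' + (f'  [{"; ".join(notes)}]' if notes else ''))


if __name__ == '__main__':
    main(sys.argv[1] if len(sys.argv) > 1 else '.')
```

The check reads only the PEM framing, so it does not verify that the second certificate in ssl-unified.crt actually signed the first; for that, use `openssl verify -CAfile startssl_trust_chain.crt ssl.crt`.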

Further Reading

  • https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html