From: Bill Erickson Date: Wed, 11 Jul 2018 16:27:05 +0000 (-0400) Subject: LP#1711145 NGINX sample config security improvements X-Git-Tag: osrf_rel_3_1_0-beta~14 X-Git-Url: http://git.equinoxoli.org/?p=opensrf-equinox.git;a=commitdiff_plain;h=3db305ba4329b4c93d16b03800755d5807de4de0 LP#1711145 NGINX sample config security improvements * Adds security recommendations from https://mozilla.github.io/server-side-tls/ssl-config-generator/ * Enables http2 * Apply a 5-minute proxy read timeout to avoid too-short timeouts on long API calls. * Adds a (commented) section on sending nginx logs to syslog Includes INSTALL notes on generating the dhparam file. Signed-off-by: Bill Erickson Signed-off-by: Galen Charlton --- diff --git a/README b/README index 5bbba0d..2abbc83 100644 --- a/README +++ b/README @@ -616,14 +616,22 @@ rm /etc/nginx/sites-enabled/default + 4. Edit `/etc/nginx/sites-available/osrf-ws-http-proxy` to set the location of the SSL certificate and private key. -5. Start NGINX +5. Generate a dhparam file in the directory specified in the nginx config. ++ +[source, bash] +--------------------------------------------------------------------------- +# Default config stores dhparam.pem in the Apache2 ssl directory. +openssl dhparam -out /etc/apache2/ssl/dhparam.pem 2048 +--------------------------------------------------------------------------- ++ +6. Start NGINX + [source, bash] --------------------------------------------------------------------------- /etc/init.d/nginx start --------------------------------------------------------------------------- + -6. If you didn't run `configure` with the `--with-websockets-port=443` option, +7. If you didn't run `configure` with the `--with-websockets-port=443` option, edit `/javascript/opensrf_ws.js` and `/javascript/opensrf_ws_shared.js` and change + diff --git a/examples/nginx/osrf-ws-http-proxy b/examples/nginx/osrf-ws-http-proxy index d079230..622e8ea 100644 --- a/examples/nginx/osrf-ws-http-proxy +++ b/examples/nginx/osrf-ws-http-proxy @@ -6,32 +6,60 @@ # # Assumes Apache is listening on HTTP=7080 and HTTPS=7443 +# Example sending nginx logs to syslog +# error_log syslog:server=unix:/dev/log,nohostname; +# access_log syslog:server=unix:/dev/log,severity=info,nohostname combined; + server { listen 80; + # For SSL-everywhere: + # server_name domain.example.org + # return 301 https://domain.example.org$request_uri; + location / { proxy_pass http://localhost:7080; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; + proxy_read_timeout 300s; } } server { - listen 443; - ssl on; + listen 443 ssl http2; # Use the same SSL certificate as Apache. ssl_certificate /etc/apache2/ssl/server.crt; ssl_certificate_key /etc/apache2/ssl/server.key; + # ----------------------------------------------------------------- + # https://mozilla.github.io/server-side-tls/ssl-config-generator/ + # generate with openssl dhparam -out dhparams.pem 2048 + ssl_dhparam /etc/apache2/ssl/dhparam.pem; + ssl_session_timeout 1d; + ssl_session_cache shared:SSL:50m; + ssl_session_tickets off; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + # Intermediate ciphers config / updated 2018-07-11 + ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'; + ssl_prefer_server_ciphers on; + # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months) + add_header Strict-Transport-Security max-age=15768000; + # OCSP Stapling --- + # fetch OCSP records from URL in ssl_certificate and cache them + ssl_stapling on; + ssl_stapling_verify on; + # ----------------------------------------------------------------- + location / { proxy_pass https://localhost:7443; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; + proxy_read_timeout 300s; } location /osrf-websocket-translator {