Alright, so it took some tooling around and a better understanding of Nginx, my web server, but I got some issues sorted out. I was getting frustrated that running my site through Qualys' excellent SSL Labs tool kept showing that I still supported SSLv3, despite removing it from the SSL settings in my server blocks. Possibly due to some of my redirection shenanigans, some of the ways a user might probe my site after I set up SSL still resulted in SSLv3 being offered. (One thing worth knowing here: Nginx starts the TLS handshake on a given listen address with the settings of that address's default server, so a protocol restriction that lives in only one of several server blocks may not be what a scanner sees.) Ultimately, what worked was to go up a level, to the /etc/nginx/nginx.conf configuration file. Essentially, Nginx reads that file, and nested within its http block is an include of /etc/nginx/sites-enabled/*, which simply pulls all of your server blocks in there. Anything set directly in the http block is inherited by every one of those server blocks.
Game changer. After hours of research, I simply moved all of my SSL settings up into the http block in the main configuration file. Additionally, since there's no such thing as bad research, I did some more reading on server security and added some extra layers. First, I beefed up the cipher list with a strong preference for Forward Secrecy, meaning ECDHE and ephemeral Diffie-Hellman (DHE) key exchange. For DHE to be worth anything, however, I needed to generate a stronger Diffie-Hellman parameter than the default by typing the following:
This wrote a new DH parameter file (it is not a certificate, even though it lives next to them) in with the rest of the files the site references. Why is this necessary? Because Diffie-Hellman runs in a group defined by a large prime, and every DHE handshake is only as strong as that prime. The 1024-bit parameters older versions of Nginx fall back on are now rated weak (SSL Labs flags them and caps the grade), so you generate your own 2048-bit or larger group and point Nginx at it.
Next, I told Nginx to look for by adding the following to our
Next, I wanted to add OCSP (Online Certificate Status Protocol) stapling. With stapling, Nginx itself fetches the CA's signed revocation status for my certificate, caches it, and hands it to clients inside the TLS handshake, so they never have to contact the CA's OCSP responder on their own. That makes the handshake faster, keeps the CA from learning who visits my site, and removes the responder as a third party whose outage, slowness, or a denial-of-service attack against it would hurt my visitors. That was as simple as adding the following:
Finally, I implemented HSTS (HTTP Strict Transport Security), which instructs browsers to talk to the server only over HTTPS for the lifetime given in the header. Given the 301 redirects I'm always employing in my configuration, this might look redundant, but it is not: a redirect only fires after the browser has already sent a plaintext request that an attacker on the path could intercept or rewrite, whereas a browser that has seen the HSTS header rewrites http:// to https:// before sending anything at all. Either way, it's the better practice.
Taken together, this is what I’ve got:
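As an added illustration of what the combined configuration looks like (this is my example, not the post's own listing, which is not reproduced here): the TLS-relevant part of the http block in /etc/nginx/nginx.conf plus a matching site file. The host name, certificate and dhparam paths, and resolver addresses are assumptions, and the protocol and cipher choices go a little beyond the post's setup by dropping TLS 1.0/1.1 and allowing TLS 1.3 where the Nginx and OpenSSL builds support it.

```nginx
# /etc/nginx/nginx.conf (only the TLS-relevant part of the http block is shown)
http {
    # ... mime types, logging, gzip and the other existing settings ...

    # Protocols. SSLv3 and TLS 1.0/1.1 are gone. Remove TLSv1.3 on an Nginx
    # or OpenSSL too old to know it, or Nginx will refuse to start.
    ssl_protocols TLSv1.2 TLSv1.3;

    # Forward-secret, AEAD suites only: ECDHE first, DHE as the fallback.
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';

    # DHE needs its own group. Generate it once (this takes a few minutes):
    #   openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
    # 2048 bits is the minimum SSL Labs accepts without capping the grade.
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;

    # Session resumption. Tickets are encrypted under a long-lived server
    # key, which quietly undoes forward secrecy, so use the cache instead.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_session_tickets off;

    # OCSP stapling: Nginx fetches the CA's signed OCSP response, caches it
    # and sends it in the handshake. ssl_trusted_certificate must hold the
    # issuer chain so Nginx can verify the response; the resolver is needed
    # to reach the CA's responder at all.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/ssl/chain.pem;
    resolver 9.9.9.9 1.1.1.1 valid=300s;
    resolver_timeout 5s;

    # HSTS for one year, subdomains included. "always" (Nginx 1.7.5+) adds
    # the header on error responses too. SSL Labs wants at least 180 days
    # for an A+.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    include /etc/nginx/sites-enabled/*;
}

# /etc/nginx/sites-enabled/example.com (assumed host name)
# Per-site files now carry only what differs per site: names, certificate,
# content. Everything above is inherited from the http block.
server {
    listen 80 default_server;
    server_name example.com www.example.com;
    return 301 https://example.com$request_uri;
}

server {
    listen 443 ssl default_server;
    server_name example.com www.example.com;

    ssl_certificate     /etc/nginx/ssl/fullchain.pem;   # leaf plus intermediates
    ssl_certificate_key /etc/nginx/ssl/privkey.pem;

    # Do not put an add_header here: a server block with any add_header of
    # its own stops inheriting the ones from http, HSTS included.

    root /var/www/example.com;
    index index.html;
}
```

The one gotcha that bites people after this move is the add_header inheritance rule in the second server block: the moment a site file adds its own header (a Content-Security-Policy, say), the HSTS header from the http block silently disappears for that site, so either repeat the HSTS line there or keep all add_header directives in one place. Run nginx -t after editing and re-test with SSL Labs.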
… and the results are positive! Now the site has an A+ and has never been more secure. Special thanks to Remy van Elst and his excellent primer on secure Nginx configuration.
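For checking those results from the client side without waiting on a full SSL Labs scan, here is a small script that inspects the negotiated protocol, the OCSP staple and the HSTS header. It is an added example, not part of the original post or of Remy van Elst's guide; it assumes openssl(1) and curl(1) are on the PATH, and the SAMPLE_* strings in it are constructed, abridged outputs used to exercise the parsers offline.

```sh
#!/bin/sh
# Added example: verify the TLS hardening from a client's point of view.
# Assumes openssl(1) and curl(1) on PATH. The SAMPLE_* values below are
# constructed, abridged outputs used to exercise the parsers offline.

# Print the protocol version s_client negotiated (s_client output on stdin).
negotiated_protocol() {
    sed -n 's/^ *Protocol *: *\([A-Za-z0-9.]*\).*/\1/p' | head -n 1
}

# Succeed only if the server stapled a good OCSP response into the handshake
# (output of "openssl s_client -status" on stdin).
ocsp_stapled() {
    grep -q 'OCSP Response Status: successful'
}

# Print the HSTS max-age from HTTP response headers on stdin (empty if absent).
# Header names are case-insensitive, so fold case before matching.
hsts_max_age() {
    tr '[:upper:]' '[:lower:]' |
        sed -n 's/^strict-transport-security:.*max-age=\([0-9][0-9]*\).*/\1/p' |
        head -n 1
}

# Succeed if a handshake forced to one version (e.g. -tls1) fails, i.e. the
# server refuses it. A modern openssl no longer builds the -ssl3 option, so
# an SSLv3 probe needs testssl.sh, sslscan or SSL Labs instead; note that an
# unknown option also counts as "refused" here, so read the comment above.
version_refused() {
    host="$1"; flag="$2"
    ! openssl s_client -connect "$host:443" -servername "$host" "$flag" \
        </dev/null >/dev/null 2>&1
}

# Live probe: prints one line per check for the given host.
probe() {
    host="$1"
    out="$(openssl s_client -connect "$host:443" -servername "$host" -status \
        </dev/null 2>/dev/null)"
    printf 'protocol: %s\n' "$(printf '%s\n' "$out" | negotiated_protocol)"
    if printf '%s\n' "$out" | ocsp_stapled; then
        echo 'ocsp: stapled'
    else
        echo 'ocsp: NOT stapled'
    fi
    if version_refused "$host" -tls1; then
        echo 'tls1.0: refused'
    else
        echo 'tls1.0: ACCEPTED'
    fi
    age="$(curl -sI "https://$host/" | hsts_max_age)"
    # SSL Labs wants at least 180 days (15552000 s) of HSTS for an A+.
    if [ -n "$age" ] && [ "$age" -ge 15552000 ]; then
        echo "hsts: max-age=$age"
    else
        echo "hsts: missing or too short (${age:-none})"
    fi
}

# Constructed sample of "openssl s_client -status" output with a staple.
SAMPLE_SCLIENT='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
...
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384'

# Constructed sample without a staple.
SAMPLE_NOSTAPLE='OCSP response: no response sent
...
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384'

# Constructed sample of "curl -I" headers.
SAMPLE_HEADERS='HTTP/1.1 200 OK
Server: nginx
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Type: text/html'

# Usage: sh tlscheck.sh example.com
if [ $# -ge 1 ]; then
    probe "$1"
fi
```

The parsers are deliberately separate from the network calls so they can be checked against captured output; for the negative SSLv3 test itself, which this script cannot do with a current openssl, rely on SSL Labs or testssl.sh as the post does.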