From c44846103e76d6216db2adae436d522ba173a0b3 Mon Sep 17 00:00:00 2001 From: Jimmy Zelinskie Date: Wed, 20 May 2015 16:31:00 -0400 Subject: [PATCH 1/7] nginx: enable Strict Transport Security --- conf/nginx.conf | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/conf/nginx.conf b/conf/nginx.conf index 77a78f70e..8375febd0 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf @@ -10,8 +10,9 @@ http { server { include server-base.conf; - listen 443 default; + add_header Strict-Transport-Security "max-age=63072000; preload"; + listen 443 default; ssl on; ssl_certificate ./stack/ssl.cert; ssl_certificate_key ./stack/ssl.key; @@ -25,8 +26,9 @@ http { include proxy-protocol.conf; include server-base.conf; - listen 8443 default proxy_protocol; + add_header Strict-Transport-Security "max-age=63072000; preload"; + listen 8443 default proxy_protocol; ssl on; ssl_certificate ./stack/ssl.cert; ssl_certificate_key ./stack/ssl.key; From 4689c00fad979c89554eb58af078da47f924c9b6 Mon Sep 17 00:00:00 2001 From: Jimmy Zelinskie Date: Wed, 20 May 2015 16:31:32 -0400 Subject: [PATCH 2/7] nginx: drop SSLv3, support TLS 1.1 & 1.2 --- conf/nginx.conf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/conf/nginx.conf b/conf/nginx.conf index 8375febd0..9e3aead80 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf @@ -17,7 +17,7 @@ http { ssl_certificate ./stack/ssl.cert; ssl_certificate_key ./stack/ssl.key; ssl_session_timeout 5m; - ssl_protocols SSLv3 TLSv1; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP; ssl_prefer_server_ciphers on; } @@ -33,7 +33,7 @@ http { ssl_certificate ./stack/ssl.cert; ssl_certificate_key ./stack/ssl.key; ssl_session_timeout 5m; - ssl_protocols SSLv3 TLSv1; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP; ssl_prefer_server_ciphers on; } From 60763d69b1634808e9a7f58e479607f37d73f0db Mon Sep 17 00:00:00 2001 
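Review bot: The added `Strict-Transport-Security` value carries the `preload` token without `includeSubDomains`, so it does not satisfy the preload-list submission requirements, yet it still advertises preload intent on every response. For a self-hosted deployment that decision belongs to the operator, not the default config, because an entry on the browser preload list cannot be undone by later lowering `max-age`. Suggest shipping `add_header Strict-Transport-Security "max-age=63072000";` by default and documenting `includeSubDomains; preload` as an explicit opt-in for operators who intend to submit the hostname. Note also that this form of `add_header` only attaches the header to 2xx/3xx responses; if the nginx build in use is recent enough to support it, the `always` parameter would cover error responses as well.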
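Review bot: `add_header` set at server level is not inherited by any `location` that declares its own `add_header`, so if `server-base.conf` or `proxy-protocol.conf` (both included in this 8443 block, neither visible in the patch) defines a location with its own headers, the HSTS header silently disappears for those paths. Worth checking the included files for such locations and leaving a comment beside the directive, e.g. `# add_header is not inherited into locations that set their own headers; repeat HSTS there`. The same caveat applies to the 443 block in the previous hunk.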
From: Jimmy Zelinskie Date: Wed, 20 May 2015 16:32:12 -0400 Subject: [PATCH 3/7] nginx: support OCSP Stapling --- conf/nginx.conf | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/conf/nginx.conf b/conf/nginx.conf index 9e3aead80..f04ed663c 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf @@ -16,6 +16,8 @@ http { ssl on; ssl_certificate ./stack/ssl.cert; ssl_certificate_key ./stack/ssl.key; + ssl_stapling on; + ssl_stapling_verify on; ssl_session_timeout 5m; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP; @@ -32,6 +34,8 @@ http { ssl on; ssl_certificate ./stack/ssl.cert; ssl_certificate_key ./stack/ssl.key; + ssl_stapling on; + ssl_stapling_verify on; ssl_session_timeout 5m; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP; From f9f933feffd7f2731270a7893d923321f8a4faa5 Mon Sep 17 00:00:00 2001 From: Jimmy Zelinskie Date: Fri, 22 May 2015 13:35:49 -0400 Subject: [PATCH 4/7] nginx: update cipher suite, HSTS, X-Frame-Options --- conf/nginx.conf | 34 ++++++++++++++++++++++++---------- 1 file changed, 24 insertions(+), 10 deletions(-) diff --git a/conf/nginx.conf b/conf/nginx.conf index f04ed663c..ca872b224 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf 
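Review bot: `ssl_stapling on` with `ssl_stapling_verify on` is only effective if nginx can resolve and reach the OCSP responder and verify the response against the issuer chain; no `resolver` directive and no `ssl_trusted_certificate` appear in this file, and nothing in the patch shows them in the included `http-base.conf`. Without a resolver nginx logs a warning at startup and simply sends no staple, so the change is silently inert rather than failing closed. Suggest adding `resolver <dns-server> valid=300s;` to the `http` block and, if `./stack/ssl.cert` does not already contain the intermediate chain, an `ssl_trusted_certificate` pointing at the chain file, then confirming a staple is returned with `openssl s_client -status`. The same applies to the 8443 block in the second hunk.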
@@ -10,35 +10,49 @@ http { server { include server-base.conf; - add_header Strict-Transport-Security "max-age=63072000; preload"; - listen 443 default; + ssl on; ssl_certificate ./stack/ssl.cert; ssl_certificate_key ./stack/ssl.key; + + ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; + + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_session_cache shared:SSL:10m; + ssl_session_timeout 5m; + ssl_stapling on; ssl_stapling_verify on; - ssl_session_timeout 5m; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP; + ssl_prefer_server_ciphers on; + + add_header Strict-Transport-Security "max-age=63072000; preload"; + add_header X-Frame-Options DENY; } server { include proxy-protocol.conf; include server-base.conf; - add_header Strict-Transport-Security "max-age=63072000; preload"; - listen 8443 default proxy_protocol; + ssl on; ssl_certificate ./stack/ssl.cert; ssl_certificate_key ./stack/ssl.key; + + ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; + + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_session_cache shared:SSL:10m; + ssl_session_timeout 5m; + 
ssl_stapling on; ssl_stapling_verify on; - ssl_session_timeout 5m; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP; + ssl_prefer_server_ciphers on; + + add_header Strict-Transport-Security "max-age=63072000; preload"; + add_header X-Frame-Options DENY; } } From 4323eb58da9f0f750ff814513745c0e853e46680 Mon Sep 17 00:00:00 2001 From: Jimmy Zelinskie Date: Fri, 22 May 2015 13:54:43 -0400 Subject: [PATCH 5/7] nginx: SSL config into server-base.conf --- conf/nginx.conf | 30 ++---------------------------- conf/server-base.conf | 14 ++++++++++++++ 2 files changed, 16 insertions(+), 28 deletions(-) diff --git a/conf/nginx.conf b/conf/nginx.conf index ca872b224..860ddae51 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf @@ -13,22 +13,9 @@ http { listen 443 default; ssl on; - ssl_certificate ./stack/ssl.cert; - ssl_certificate_key ./stack/ssl.key; - - ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; - - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_session_cache shared:SSL:10m; - ssl_session_timeout 5m; - - ssl_stapling on; - ssl_stapling_verify on; - - ssl_prefer_server_ciphers on; + # This header must be set only for HTTPS add_header Strict-Transport-Security "max-age=63072000; preload"; - add_header X-Frame-Options DENY; } server { 
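Review bot: The new cipher list offers the `DHE-RSA-*` and `EDH-RSA-DES-CBC3-SHA` suites but sets no `ssl_dhparam`, so the nginx versions current at the time fall back to a built-in 1024-bit DH group, the weak-group case Logjam targets; a client that prefers DHE over ECDHE gets the weakest key exchange on the list. Either add `ssl_dhparam ./stack/dhparam.pem;` with a 2048-bit group generated by `openssl dhparam -out dhparam.pem 2048`, or drop the DHE/EDH entries and rely on the ECDHE suites. The trailing `HIGH` and the plain `AES*-SHA`/`DES-CBC3-SHA` entries keep non-forward-secret and 3DES suites reachable; if they are there for old-client compatibility, a comment such as `# RSA-kx and 3DES kept for legacy clients; drop when no longer needed` would stop the next reader from treating it as an oversight.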
@@ -38,21 +25,8 @@ http { listen 8443 default proxy_protocol; ssl on; - ssl_certificate ./stack/ssl.cert; - ssl_certificate_key ./stack/ssl.key; - - ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; - - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_session_cache shared:SSL:10m; - ssl_session_timeout 5m; - - ssl_stapling on; - ssl_stapling_verify on; - - ssl_prefer_server_ciphers on; + # This header must be set only for HTTPS add_header Strict-Transport-Security "max-age=63072000; preload"; - add_header X-Frame-Options DENY; } } diff --git a/conf/server-base.conf b/conf/server-base.conf index 3853fbccf..1ff261e6b 100644 --- a/conf/server-base.conf +++ b/conf/server-base.conf 
@@ -8,6 +8,20 @@ if ($args ~ "_escaped_fragment_") { rewrite ^ /snapshot$uri; } +# SSL +ssl_certificate ./stack/ssl.cert; +ssl_certificate_key ./stack/ssl.key; +ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; +ssl_protocols TLSv1 TLSv1.1 TLSv1.2; +ssl_session_cache shared:SSL:10m; +ssl_session_timeout 5m; +ssl_stapling on; +ssl_stapling_verify on; +ssl_prefer_server_ciphers on; +add_header X-Frame-Options DENY; + + +# Proxy Headers proxy_set_header X-Forwarded-For $proper_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Host $http_host; From 2a25864061c1277f82d63fb4b0e472b847a8d619 Mon Sep 17 00:00:00 2001 From: Jimmy Zelinskie Date: Fri, 22 May 2015 16:09:11 -0400 Subject: [PATCH 6/7] setup-tool: add HSTS info box --- static/directives/config/config-setup-tool.html | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/static/directives/config/config-setup-tool.html b/static/directives/config/config-setup-tool.html index 7c2fa2e19..978be4c74 100644 --- a/static/directives/config/config-setup-tool.html +++ b/static/directives/config/config-setup-tool.html @@ -98,6 +98,11 @@ A valid SSL certificate and private key files are required to use this option. +
+ Enabling SSL also enables HTTP Strict Transport Security.
+ This prevents downgrade attacks and cookie theft, but browsers will reject all future insecure connections on this hostname. +
+ @@ -835,4 +840,4 @@ - \ No newline at end of file + From 581d2fa4fcc36d3ebeb0e80e2c4b0d8dd4917092 Mon Sep 17 00:00:00 2001 From: Jimmy Zelinskie Date: Fri, 22 May 2015 16:25:28 -0400 Subject: [PATCH 7/7] nginx: move ssl config out of server-base --- conf/nginx.conf | 11 +++++++++++ conf/server-base.conf | 11 +---------- 2 files changed, 12 insertions(+), 10 deletions(-) diff --git a/conf/nginx.conf b/conf/nginx.conf index 860ddae51..5e49b1977 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf @@ -7,6 +7,16 @@ http { include hosted-http-base.conf; include rate-limiting.conf; + ssl_certificate ./stack/ssl.cert; + ssl_certificate_key ./stack/ssl.key; + ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_session_cache shared:SSL:10m; + ssl_session_timeout 5m; + ssl_stapling on; + ssl_stapling_verify on; + ssl_prefer_server_ciphers on; + server { include server-base.conf; @@ -16,6 +26,7 @@ http { # This header must be set only for HTTPS add_header Strict-Transport-Security "max-age=63072000; preload"; + } server { diff --git a/conf/server-base.conf b/conf/server-base.conf index 1ff261e6b..bfa6c012f 100644 --- a/conf/server-base.conf +++ b/conf/server-base.conf 
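Review bot: The info box tells the operator that insecure connections will be rejected but not for how long, nor that the header also carries `preload`; both are facts an operator needs before enabling SSL on a hostname they may later want to serve over plain HTTP. Suggest extending the second sentence to `...browsers will reject insecure connections to this hostname for two years after the last HTTPS visit, and the header requests inclusion in browser preload lists.` The surrounding template markup is outside this hunk, so the exact element to edit is not visible here.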
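Review bot: With the `ssl_*` directives now in the `http` context they govern both HTTPS servers, but `ssl_session_tickets` is left at its default, which as far as I recall is on with a key generated at startup and kept for the life of the master process; the forward secrecy bought by the ECDHE-first cipher list is then bounded by that key's lifetime. Suggest `ssl_session_tickets off;` next to `ssl_session_cache`, or `ssl_session_ticket_key` with a rotated key file if tickets are wanted. A one-line comment above the block, `# shared TLS settings for both the 443 and 8443 (proxy_protocol) servers`, would also make the move self-explanatory.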
@@ -8,16 +8,7 @@ if ($args ~ "_escaped_fragment_") { rewrite ^ /snapshot$uri; } -# SSL -ssl_certificate ./stack/ssl.cert; -ssl_certificate_key ./stack/ssl.key; -ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; -ssl_protocols TLSv1 TLSv1.1 TLSv1.2; -ssl_session_cache shared:SSL:10m; -ssl_session_timeout 5m; -ssl_stapling on; -ssl_stapling_verify on; -ssl_prefer_server_ciphers on; +# Disable the ability to be embedded into iframes add_header X-Frame-Options DENY;