i installed my SSL to my website ( Nginx , SSL ) . After SSL my website is too slow.
I could not find solution but it's related with ssl.
In same droplet i have 3 apps. 1 php ( laravel ) , 2 ruby ( ruby on rails )apps. But just one of them has SSL.
Conf file for my website with SSL :
server {
listen 443 ssl;
server_name www.guclukal.com;
passenger_enabled on;
rails_env production;
root /home/rails/trbodybuilding/public;
ssl on;
ssl_certificate /etc/nginx/ssl/guclukal.com/ssl-bundle.crt;
ssl_certificate_key /etc/nginx/ssl/guclukal.com/guclukal.key;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
location ^~ /assets/ {
gzip_static on;
expires max;
add_header Cache-Control public;
}
error_page 500 502 503 504 /500.html;
client_max_body_size 4G;
keepalive_timeout 10;
}
I use this steps to create SSL :
1.mkdir /etc/nginx/ssl
openssl req -new -newkey rsa:2048 -nodes -keyout guclukal.key -out guclukal.csr
i paste guclukal.csr to ssls.com to get files
cat guclukal_com.crt guclukal_com.ca-bundle > guclukal.crt to create crt file
than i made my nginx conf file .
Related
My nginx confid files looks like:
server {
listen 80;
listen [::]:80;
server_name hostserver.ru www.hostserver.ru;
return 301 https://hostserver.ru$request_uri;
server_tokens off;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name hostserver.ru www.hostserver.ru;
ssl_certificate /etc/letsencrypt/live/hostserver.ru/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/hostserver.ru/privkey.pem;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_protocols TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-R$
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security "max-age=31536000" always;
ssl_stapling on;
ssl_stapling_verify on;
root /var/www/html;
index index.html index.htm;
server_tokens off;
... some location stuff...
}
Ufortunatelly, TLS1.2 not supported by Android 4.0-4.3 and I've chanched config:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
But after using SSLTest it shows me report that TLS1 and TLS1.1 are not supported.
Did I missed smth to change in config files?
Thanks in advance.
UPDATE: I've checked certificates by command:
openssl s_client -tls1 (and so on) -connect example.org:443 < /dev/null
and certificate enabled for each protocol.
I don't know which ciphers work with TLSv1 and TLSv1.1. But I notice from testing sites with SSLTest, that the GCM ciphers are listed against TLSv1.2 only.
You may need to use a more inclusive list of ciphers.
For example:
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
This was working prior to nginx/1.11.4 and update to Ubuntu 16.04 (and it was on 1.11.x before). There are two sites configured to use SSL on a virtual IP (libvirt). When that didn't work (somehow it always landed on the first config alphabetically with SSL), I changed it to use two different virtual IPs and changed libvirt routing two real IPs to 192.168.122.10 and the other to 192.168.122.11, respectively. Now it's simply giving a handshake failure.
server {
listen 192.168.122.11:443 ssl http2;
server_name www.domain2.org domain2.org;
access_log /var/log/nginx/domains/domain2.org.log;
error_log /var/log/nginx/domains/domain2.org.err;
root /app/domain2.org/html;
ssl on;
ssl_certificate /etc/nginx/ssl/domain2.org.crt;
ssl_certificate_key /etc/nginx/ssl/domain2.org.key;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
ssl_ecdh_curve prime256v1;
ssl_prefer_server_ciphers on;
include /etc/nginx/include/php.conf;
include /etc/nginx/include/restrictions.conf;
}
server {
listen 192.168.122.10:443 ssl http2;
server_name domain1.com www.domain1.com *.domain1.com;
access_log /var/log/nginx/domains/domain1.com.log;
error_log /var/log/nginx/domains/domain1.com.err;
root /app/domain1.com/html;
ssl_certificate /etc/nginx/ssl/domain1.cert;
ssl_certificate_key /etc/nginx/ssl/domain1.pkey;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
ssl_ecdh_curve prime256v1;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8;
include /etc/nginx/include/restrictions.conf;
include /etc/nginx/include/php.conf;
}
This is just the standard nginx from nginx.org packaging, and yes it has SNI. I have no idea why this would suddenly stop working.
root#production:/etc/nginx/conf.d# nginx -V
nginx version: nginx/1.11.4
built by gcc 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.2)
built with OpenSSL 1.0.2g-fips 1 Mar 2016 (running with OpenSSL 1.0.2g 1 Mar 2016)
TLS SNI support enabled
After creating 7 SSL Certificates with Let's Encrypt, I have stumbled upon this error. I had setup all my configs correct and I scanned my whole site for SSL Vulnerabilities on [SSLLabs.com][1] and it told me that my server's certificate chain is incomplete.
The grading picture:
My SSL Grading
The error:
The error I got
I am running CentOS Linux release 7.2.1511 (Core) as a Reverse Proxy in NginX. And my configuration is:
# GhostAntiDDoS
server {
listen 443 ssl;
server_name ghostantiddos.com *.ghostantiddos.com;
ssl on;
ssl_certificate /etc/letsencrypt/live/ghostantiddos.com/cert.pem;
ssl_certificate_key /etc/letsencrypt/live/ghostantiddos.com/privkey.pem;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_session_timeout 5m;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
add_header Strict-Transport-Security max-age=15768000;
# Bulletin
#limit_conn conn_limit_per_ip 10;
#limit_req zone=req_limit_per_ip burst=5 nodelay;
client_body_timeout 5s;
client_header_timeout 5s;
....
The rest of the parts are hidden as they will expose my origin.
If anyone could assist me in this, I'd be great!
Replace
certificate /etc/letsencrypt/live/ghostantiddos.com/cert.pem
by
certificate /etc/letsencrypt/live/ghostantiddos.com/fullchain.pem
then test again with https://ssllabs.com
I'm getting Handshake fail 525 when trying to use Full SSL option with Cloudflare. Since this is my first time trying to implement some sort of SSL certificate I don't know what could be wrong here.
My SSL cert is generated this way:
sudo mkdir /etc/nginx/ssl
sudo openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/server.key -out /etc/nginx/ssl/server.crt
My nginx default config looks like this:
server {
listen 443;
listen [::]:443;
root /var/www/site-laravel/public;
index index.php index.html index.htm;
server_name site.ee;
ssl on;
ssl_certificate /etc/nginx/ssl/server.crt;
ssl_certificate_key /etc/nginx/ssl/server.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
ssl_prefer_server_ciphers on;
}
Make sure you select full SSL in CloudFlare, but no "Full (Strict)". Strict mode requires a validated SSL certificate and does not work with a self-signed one.
I faced a similar issue recently. I'm not entirely sure why this occurs either, but make sure your default_server has an SSL certificate set.
ssl should be added.
server {
listen 443 ssl;
listen [::]:443 ssl;
root /var/www/site-laravel/public;
index index.php index.html index.htm;
server_name site.ee;
ssl on;
ssl_certificate /etc/nginx/ssl/server.crt;
ssl_certificate_key /etc/nginx/ssl/server.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
ssl_prefer_server_ciphers on;
}
I'm currently in the process of migrating the hosting of a service of mine from a Managed hosting (running Lighspeed + Cpanel) to my own Managed hosting, running Nginx.
Everything is running fine in Nginx 1.6.0, but my problem is that my certificate shows as self-signed. I installed the SSL certificate including the chained certificate as per
http://www.digicert.com/ssl-certificate-installation-nginx.htm
However, even trying the configuration on NGinx SSL certificate authentication signed by intermediate CA (chain) it does not work.
If I input my website on http://sslcheck.globalsign.com/en_US it shows as it's a self-signed certificate.
Below is my virtual host configuration regarding SSL:
server {
listen 80;
listen 443 ssl;
server_name host02.website.com *.website.com;
root /spacedata/website.com;
index index.php index.html /;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:AES128-SHA:RC4-SHA;
ssl_session_cache shared:SSL:10m;
add_header Strict-Transport-Security max-age=31536000;
ssl_certificate /etc/pki/tls/certs/bundle-alpha.crt;
ssl_certificate_key /etc/pki/tls/certs/private.key;
...
}
I confirm that I installed the right Cert and Private Keys.
Bear in mind that I run the AlphaSSL Wildcard certificate.
I suspect that I'm missing something in regards to the configuration as in my other hosting I installed the same .crt file and .key.
I had the same issue before, had todo with the order of the certs that reside inside your ssl_certificate file.
You need to include all intermediate CA certs in this file, and have them in the right order.
All I had to do was reverse the order of the certs within that file, and my problem was solved.
Your server cert should be on top, then simply go down the CA chain.
PS. My config looks like:
listen 443 default ssl;
ssl_certificate /etc/nginx/ssl/server_plus.crt;
ssl_certificate_key /etc/nginx/ssl/server.key;
ssl_session_timeout 5m;
ssl_protocols SSLv3 TLSv1;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
ssl_prefer_server_ciphers on;