I am trying find if there is any module or way to get metrics from NGINX and especially about SSL connection (Negotiation time etc.)
I ve searched also in access log but with no luck.
I ve also search to do that using somehow tcpdump to packet analysis
Is there anyway to do that from serve side to take those metrics?
Not sure if this will answer your question but I hope that it can help...
Here are two web pages that I found that provide general information on Nginx metrics (including modules for metrics):
How to Monitor Nginx: The Essential Guide.
An In-Depth Guide to Nginx Metrics.
The first of these includes a section on "SSL Certificate expiration". But monitoring for SSL expiration dates and/or alerts for that seems limited in regards to the SSL connection metrics portion of your question.
On my searching for more SSL specific metric information for Nginx, I came across Module ngx_http_status_module. In the "SSL" subsection of the "Data" section of the page, I found mention of the following SSL statistics:
handshakes
The total number of successful SSL handshakes.
handshakes_failed
The total number of failed SSL handshakes.
session_reuses
The total number of session reuses during SSL handshake.
I also found a paper Nginx SSL Performance that looked interesting to me in regards to Nginx SSL metrics albeit more from the perspective of a basis for what kinds of performance one can expect. It does however point out using openssl speed to gather metrics. Of course this presumes that Nginx was built with OpenSSL as the SSL library.
That leads me to the SSL library that your Nginx is built with. Whether it's OpenSSL or something else, it should have support for logging details. Here's a StackOverflow Q & A that's related to logging SSL details: nginx - log SSL handshake failures. While it doesn't sound like logs were the way you primarily wanted to get metrics from, it does seem like another resource even if you have to write some code to analyze them more conveniently.
Along the lines of analysis, I found the web page Debugging SSL Problems. While it's written with Apache's web server in mind, it does look like it would have helpful suggestions for analyzing and debugging Nginx SSL operations too.
As far as ways that perhaps you can get better answer(s), perhaps asking on the Server Fault Q & A site would help. You'll need to figure out how best to do that however as I recall seeing cross-posting being discouraged. Perhaps this Q & A can just be moved over to there since that seems like a more appropriate site for this. I don't know though.
Incidentally, I've written Nginx modules before and this question got more interesting to me as I dug into answering it.
Related
Friendly Disclaimer: I am new to working with Keycloak and IdP in general. So it's likely that I use incorrect terminology and/or am more confused than I think I am. Corrections are gratefully accepted.
My question is conceptual.
I have a TLS certificate that is terminated on my host machine by my host company. My reverse proxy (Traefik) is picking up that certificate.
Which of the following proxy modes should I use now to be able to deploy Keycloak to production: edge, reencrypt or passthrough? (see here for relevant documentation)
I can pretty much rule out passthrough, because as I wrote, the TLS certificate is terminated on the server. But I am unsure if I have to bring my own certificate and reencrypt or if it is considered safe to go along with edge?
I have done my best to keep this question short and general. However, I am happy to share configurations or further details if needed.
As far as I know, most organizations consider a request to be safe when the proxy validated and terminated the TLS. It also removes the performance overhead (depends on your load). Unless your organization is going for Zero Trust for its internal network, using the edge should be totally acceptable.
I would like to set some SSL certificates for one app I have on heroku (a simple application based on nodeJS + Vue).
I know if I upgrade to the Hobby Plan (7$ for month) I can have it automatically.
But for now it would too much money for a test application, so I am wondering if I can achieve some similar goal also with a Free Plan.
so:
Is it possible to set SSL certificate for an app on Heroku JUST with the Free Plan?
Maybe in a complicated/tricky way via CLI?
From the Heroku pages and documentation it looks not possible.
But I have to ask :)
Here I have a better approach to deal with this. As Heroku Doesn't provide SSL for Free Plan.
But You can use Cloudflare which gives free SSL.
You can Use Cloudflare As Bridge For SSL.
Requirement:
Cloudflare Account
Your Application should not have inbuild SSL redirection (like redirect-ssl)
Otherwise, This will result in Too Many Redirect Error
Step 1: Point Your domain to CloudFlare. You basically open an account an enter your domain when prompted. You may be given instructions to change your domain name servers.
Step 2: Add Cname Record of Heroku Server in DNS of Cloudflare. Instructions are here
Here You will get Some SSL Security Issue.
Step 3: Now Change Your SSL/TLS encryption mode to Flexible (Not Full). *Important
Now Understand the Working:-
Client(Browser) Make Request to https://example.com
First, the request reaches the Cloudflare with SSL. (User see encrypted connection to the server.)
Then Cloudflare makes request to Heroku Server(Origin) with Non-SSL (Non-Https and Unencrypted).
Then Heroku Server (Origin) returns the Response with Non-SSL to Cloudflare.
At the end Cloudflare forward the request to Client (Browser.)
You might think, What is the benefit of just encrypting half system.
but "Something is better then nothing".
You are here because you don't want to spent money on heroku paid dynos.
This method is better for those who is using http. Atleast it protects the most vulnerable side (client side). Where most of the attack happen. There is very less chances of attack between cloudflare and your server. Because of network reach.
Having less vulnerable probability is better then 100% vulnerable system
I have tested this method and working on https://www.auedbaki.com
Late response but I'm adding here I just spent an hour trying to setup SSL with Heroku - resulting in a dead end.
The bottom line is that Heroku mentions they offer free SSL certificates but that's really not the case unless you have a Hobby ($7/mo) or Pro plan.
This link has more details and feedback from other users facing the same issue.
The answer above about LetsEncrypt is incorrect. Although you can get a free certificate, it cannot be included in a free Heroku app.
Other users have pointed to this article with a step-by-step guide but the guide is outdated and the 'Labs' option mentioned does not work with Heroku anymore.
see comments below for some alternative suggestions
In my specific case, I was able to get a free SSL on zeit.
Here's how you get FULL SSL using Cloudflare for FREE.
Step 1: Point Your domain to CloudFlare. You basically open an account an enter your domain when prompted. You may be given instructions to change your domain name servers.
Step 2: Add Cname Record of Heroku Server in DNS of Cloudflare. Instructions are here. Here You will get Some SSL Security Issue.
Step 3: Now Change Your SSL/TLS encryption mode to Full
Step 4: In your DNS settings, you’ll want to create a CNAME: yourdomain.com -> yourapp.herokuapp.com.
(I learned about the general approach here https://mikecoutermarsh.com/adding-ssl-to-heroku-with-cloudflare/ Although it's old, it still works.
I had this issue also. I wanted to set up a custom domain for my free account on Heroku for my React App. I searched so much info on the web and read loads of documents from Heroku support.
The conclusion is that on the Heroku free account, a custom domain name with SSL certificate cannot be setup. If you need SSL with your custom domain name, you need to upgrade to any of their paid hosting accounts.
Heroku does provide SSL certificate for their free account as long as it is not using a custom domain name. So the standard free account URL will be something like this "https://your-app-name.herokuapp.com"
NB. Google Firebase allows free hosting and Custom Domain name with SSL, for up to a certain amount of traffic before charging. For testing an app, this will be a perfect alternative. I am using it. And it was easy to set up my custom domain.
I hope this saves you hours of searching.
Since you don't make explicit if you need to apply the SSL certificate to a custom domain, I think it's necessary to say that according to the Heroku documentation:
Apps using free dynos can use the *.herokuapp.com certificate if they
need SSL.
https://devcenter.heroku.com/articles/ssl
Maybe future readers could find this answer helpful...
If you are using
1]free heroku,
You can't use 1)free ssl or 2)paid ssl
2]paid heroku
1)you get free ssl 2)you can use paid ssl also
Solution
1]get paid heroku
2]move to netlify or other alternatives
Free SSL in Heroku doesn't exist, or let me just say that it's impossible to achieve it on a free plan.
For you to be able to include any form of third party SSL in Heroku, be it paid SSL or Free Third Party SSL, you have to change to Hobby or Professional dynos for the SSL to work.
An easier option, if you're using Heroku, there's no need to buy a third party SSL. Just change to Hobby or Professional dynos.
For you to be able to change the dyno type, select your app, go to sources section on the upper part, just bellow it, click on the Change Dyno Type button.
Hobby Dyno will cost you $7 a month while Professional Dyno will cost you $25 - $500 a month.
After all that, remember to go to your Rails App:
Go to; .../config/environments/production.rb
--> Uncomment the following line:
# config.force_ssl = true
---> To:
config.force_ssl = true
After that, you'll be able to achieve your SSL but not FREE.
If you don't mind hosting your frontend on another service you can host it in Vercel, with free SSL, while you keep your backend at Heroku. Quite straightforward!
https://vercel.com/
One way around this could be setting up a proxy server on a host you can set SSL certificates on and then simply forward requests to the free herokudns domain using encryption as well.
You'd have to have a separate server with something like nginx or httpd running.. I am not sure of a free service to host the proxy, but usually when you sign up for a domain you may get a hosting addon with it, or perhaps people already have acess to an encrypted host and just want to also use Heroku for their node applications.
Setting up a httpd proxy would look somewhat like this (from https://serverfault.com/questions/84821/apache-proxypass-with-ssl):
<VirtualHost 1.2.3.4:80>
ServerName customdomain.com
SSLProxyEngine On
SSLProxyCheckPeerCN on
SSLProxyCheckPeerExpire on
ProxyPass / https://heroku-app-name.herokuapp.com
ProxyPassReverse / https://heroku-app-name.herokuapp.com
</VirtualHost>
This way you have full encryption all the way :)
This is a question rather than an answer, actually. Has anyone tried ZeroSSL? It offers free SSL, and here is an installation guide for Heroku. However, SSL Endpoint is apparently deprecated and not recommended by Heroku, and it appears to be paid addon of Heroku.
$ cat example.crt ca_bundle.crt certificate.crt
I could not make sense of this line in the help. Perhaps, > is missing? Where does example.crt come from, when I only have the following files?
certificate.crt
ca_bundle.crt
private.key
Or can Heroku SSL accept SSL certificates issued from ZeroSSL?
I got a little site build with harpjs and host on surge.sh. They provide free basic ssl for their exemple.surge.sh domain but it cost 13$/month to be able to add ssl to custom domain.. I was wondering if anyone have a free solution for me. I've tried certbot, but nothing concluent.. Dunno what's wrong. (error)
An unexpected error occurred:
DialogError
Please see the logfiles in /var/log/letsencrypt for more details.
Let me clear many things about SSL.
First, now are called TLS. SSL is deprecated.
Second, yes you can get free TLS. You can even generate your own TLS, however it's not the best path.
Letsencypt is a TLS as a service, free of charge.
Third, AWS offers free TLS, just get an ELB or a Cloudfront.
Here are some options:
I think this hosting service you use is very expensive. You can host a static or dynamic site on AWS (using S3+CF or EC2+CF, respectively), with free TLS, free of charge for the first 12 months (free tier). After free tier period, the price is per usage. On AWS, setting up a TLS is very easy, easier than letsencrypt, and easier and cheaper than you emitting yor own TLS.
Another option, keep your current host but put a CDN in front of it, AWS offers Cloudfront with frre TLS at reasonable cost (for CF service). Also Cloudflare offers a very good CDN with TLS capabilities, IPv6 and a free plan.
If you go for Let´s Encrypt, be sure your hosting service allows you to upload the certificates.
TL;DR
I want to set up a local HTTPS proxy that can (LOCALLY) modify the content of HTML pages on my machine. Is this possible?
Motivation
I have used an HTTP Proxy called GlimmerBlocker for years. It started in 2008 as a proxy-based approach to blocking ads (as opposed to browser extensions or other OS X-specific hacks like InputManagers). But besides blocking ads, it also allows the user to inject their own CSS or JavaScript into the page. Development has seriously slowed, but it remains incredibly useful.
The only problem is that it doesn’t do HTTPS (from its FAQ):
Ads on https pages are not blocked
When Safari fetches an https page using a proxy, it doesn't really use the http protocol, but makes a tunneled tcp connection so Safari receives the encrypted bytes. The advantage is that any intermediate proxies can't modify or read the contents of the page, nor the URL. The disadvantage is, that GlimmerBlocker can't modify the content. Even if GlimmerBlocker tried to work as a middleman and decoded/encoded the content, it would have no means of telling Safari to trust it, nor to tell Safari if the websites certificate is valid, so Safari would think you have visited a dubious website.
Fortunately, most ad-providers are not going to switch to https as serving pages using https are much slower and would have a huge processing overhead on the ad-providers servers.
Back in 2008, maybe that last part was true…but not any more.
To be clear, I think the increasing use of SSL is a good thing. I just want to get back the control I had over the content after it arrives on my end.
Points of Confusion
While searching for a solution, I’ve become confused by some apparently contradictory points.
(Also, although I’m quite experienced with the languages of web pages, I’ve always had a difficult time grokking networks and protocols. On that note, sorry if I’m missing something that is way obvious!)
I found this StackOverflow question asking whether HTTPS proxies were possible. The best answer says that “TLS/SSL (The S in HTTPS) guarantees that there are no eavesdroppers between you and the server you are contacting, i.e. no proxies.” (The same answer then described a hack to pull it off, but I don’t understand the instructions. It was very theoretical, anyway.)
In OS X under Network Preferences ▶︎ Advanced… ▶︎ Proxies, there is clearly a setting for an HTTPS proxy. This seems to contradict the previous statement that TLS/SSL’s guarantee against eavesdropping implies the impossibility of proxies.
Other things of note
I can’t remember where, but I read that it is possible to set up an HTTPS proxy, but that it makes HTTPS pointless (by breaking the secure communication in the process). I don’t want this! Encryption is good. I don’t want to filter anyone else’s traffic; I just want something to customize the content after I’ve already received it.
GlimmerBlocker has a nice GUI interface, but I’m fine with non-GUI solutions, too. I may have a poor understanding of networking and protocols, but I’m perfectly comfortable on the command line, tweaking settings in text editors, and so on.
Is what I’m asking possible? Or is my question a case of “either you get security, or you can break it with hacks and get to customize your content—but not both”?
The common idea of a HTTP proxy is a server which accepts a CONNECT request which includes the target hostname and port and then just builds a tunnel to the target server. All the https is done inside the tunnel, so there is no way for the proxy to modify it (end-to-end security from browser to web server).
To modify the data you need to have a proxy which plays man-in-the-middle. In this case you have a https connection between the proxy and the web server and another https connection between the browser and the proxy. Between proxy and web server the original server certificate is used, while between browser and proxy a newly created certificate is used, which is signed by a CA specific to the proxy. Of course this CA must be imported as trusted into he browser, otherwise it would complain all the time about possible attacks.
Of course - all the verification of the original server certificate has to be done in the proxy now, and not all solutions do this the correct way. See also http://www.secureworks.com/cyber-threat-intelligence/threats/transitive-trust/
There are several proxy solution which might do this SSL interception, like squid, mitmproxy (python) or App::HTTP_Proxy_IMP (perl). The last two are specifically designed to let you modify the content with your own code, so these might be good places to start.
Following on from the best answer here:
How much overhead does SSL impose?
Is there a way to optimise SSL beyond a simple apache SSL install?
From the best answer given on that page I infer that there is some way to set-up persistent SSL sessions over multiple calls (where there is less handshake overhead). Is that correct?
If so, what's the best resource to learn about configuring the server to work that way?
SSL session caching is one optimization, which you can configure for Apache by looking at the discussion here. Look at the SSLSessionCache directive and related.
This will boost your performance for usage patterns that have the same client hitting the server multiple times within the session timeout period. However, when the pattern tends more toward one server hit per client for numerous clients, you won't see any speedups.