SSLlabs still show the following message even after i added the ssl_session_cache
Session resumption (caching) No (IDs assigned but not accepted)
Here is my full configuration
server {
listen 443 spdy; #Change to 443 when SSL is on
ssl on;
ssl_certificate /etc/ssl/domain.com_bundle.crt;
ssl_certificate_key /etc/ssl/domain.com.key.nopass;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
#ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_buffer_size 8k;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/ssl/trustchain.crt;
resolver 8.8.8.8 8.8.4.4;
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
#rest config goes here
}
SSL Labs doesn't assume that SNI is available to the client, so it only tests the default virtual server.
The problem could be that you don't have SSL session caching enabled on the default server. To enable it, you just need to add that ssl_session_cache line to your default_server. Alternatively, if you'd like that configuration the work across all of your nginx virtual servers (which I would recommend), you could move the ssl_session_cache line outside of the server declaration, so it applies to all of them.
Here's the configuration I use:
# All your server-wide SSL configuration
# Enable SSL session caching for improved performance
# http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache
ssl_session_cache shared:ssl_session_cache:10m;
server {
# All your normal virtual server configuration
}
Sources:
I tested both options on my own server and SSL Labs loves it!
This thread on the Nginx mailing list
when you use one server, it be correct. If you have load balance before servers, it may be like this. Because of request can not transmit to same server before. I suggest ssl_session_tickets.
Related
I have a video portal system that plays live streams. The issue is that the live streams are created on the fly via docker, so I can't secure them easily (HTTPS). I need a way to tell NGINX not to secure (HTTP) a single page at {my_domain}/portal/{url_variable} but make sure the rest of the site will be HTTPS. Here is my current config:
# FORGE CONFIG (DO NOT REMOVE!)
include forge-conf/app.domain.com/before/*;
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name app.domain.com;
root /home/forge/app.domain.com/public;
# FORGE SSL (DO NOT REMOVE!)
ssl_certificate /etc/nginx/ssl/app.domain.com/111111/server.crt;
ssl_certificate_key /etc/nginx/ssl/app.domain.com/111111/server.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'stuff';
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/dhparams.pem;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
I have attempted to add another server that listens to port 80 and use location for only for the portal URL, but the entire site then does not render.
My client bought a PositiveSSL Certificate, and he gave me 2 files, crt and ca-bundle.
How can I install these files to the ubuntu server and make the https protocol work?
FYI, I'm using nginx.
Any clue?
key file
First off: you need the secret key as well, from the extensions on the filenames you are missing that file.
ngnix
nginx expects a chained certificate, but that's easy enough to create:
$ cd /path/to
$ cat www.example.com.crt ca-bundle.crt > example.bundle.crt
While at it create the Diffie–Hellman parameters:
$ openssl dhparam -out dh4096.pem 4096
You need to add a few statements to the appropriate place in your configuration file(s).
It's the server block that needs something like this:
server {
listen 443 ssl http2;
server_name www.example.com ;
ssl on;
ssl_certificate /path/to/example.bundle.crt;
ssl_certificate_key /path/to/example.key;
# take care: a single add_header *will* wipe all the inherited ones!
# HSTS (be careful, this is irreversible!)
# add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
}
Something like this can be added to the http block:
http {
#ssl parameters (certificates in the virtual servers)
ssl_dhparam /path/to/dh4096.pem;
ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS:!DES";
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 5m;
ssl_prefer_server_ciphers on;
}
[that way you only need to maintain that stuff once for all virtual servers, is also ok to add it in the server blocks that use ssl]
More info:
http://nginx.org/en/docs/http/configuring_https_servers.html
Test it
Free tests are available, e.g. this one: https://www.ssllabs.com/ssltest/
Fix it to make sure you're set at a high enough rating.
This was working prior to nginx/1.11.4 and update to Ubuntu 16.04 (and it was on 1.11.x before). There are two sites configured to use SSL on a virtual IP (libvirt). When that didn't work (somehow it always landed on the first config alphabetically with SSL), I changed it to use two different virtual IPs and changed libvirt routing two real IPs to 192.168.122.10 and the other to 192.168.122.11, respectively. Now it's simply giving a handshake failure.
server {
listen 192.168.122.11:443 ssl http2;
server_name www.domain2.org domain2.org;
access_log /var/log/nginx/domains/domain2.org.log;
error_log /var/log/nginx/domains/domain2.org.err;
root /app/domain2.org/html;
ssl on;
ssl_certificate /etc/nginx/ssl/domain2.org.crt;
ssl_certificate_key /etc/nginx/ssl/domain2.org.key;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
ssl_ecdh_curve prime256v1;
ssl_prefer_server_ciphers on;
include /etc/nginx/include/php.conf;
include /etc/nginx/include/restrictions.conf;
}
server {
listen 192.168.122.10:443 ssl http2;
server_name domain1.com www.domain1.com *.domain1.com;
access_log /var/log/nginx/domains/domain1.com.log;
error_log /var/log/nginx/domains/domain1.com.err;
root /app/domain1.com/html;
ssl_certificate /etc/nginx/ssl/domain1.cert;
ssl_certificate_key /etc/nginx/ssl/domain1.pkey;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
ssl_ecdh_curve prime256v1;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8;
include /etc/nginx/include/restrictions.conf;
include /etc/nginx/include/php.conf;
}
This is just the standard nginx from nginx.org packaging, and yes it has SNI. I have no idea why this would suddenly stop working.
root#production:/etc/nginx/conf.d# nginx -V
nginx version: nginx/1.11.4
built by gcc 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.2)
built with OpenSSL 1.0.2g-fips 1 Mar 2016 (running with OpenSSL 1.0.2g 1 Mar 2016)
TLS SNI support enabled
After creating 7 SSL Certificates with Let's Encrypt, I have stumbled upon this error. I had setup all my configs correct and I scanned my whole site for SSL Vulnerabilities on [SSLLabs.com][1] and it told me that my server's certificate chain is incomplete.
The grading picture:
My SSL Grading
The error:
The error I got
I am running CentOS Linux release 7.2.1511 (Core) as a Reverse Proxy in NginX. And my configuration is:
# GhostAntiDDoS
server {
listen 443 ssl;
server_name ghostantiddos.com *.ghostantiddos.com;
ssl on;
ssl_certificate /etc/letsencrypt/live/ghostantiddos.com/cert.pem;
ssl_certificate_key /etc/letsencrypt/live/ghostantiddos.com/privkey.pem;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_session_timeout 5m;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
add_header Strict-Transport-Security max-age=15768000;
# Bulletin
#limit_conn conn_limit_per_ip 10;
#limit_req zone=req_limit_per_ip burst=5 nodelay;
client_body_timeout 5s;
client_header_timeout 5s;
....
The rest of the parts are hidden as they will expose my origin.
If anyone could assist me in this, I'd be great!
Replace
certificate /etc/letsencrypt/live/ghostantiddos.com/cert.pem
by
certificate /etc/letsencrypt/live/ghostantiddos.com/fullchain.pem
then test again with https://ssllabs.com
I have a definition in Nginx where by different ports, I need different SSL client verify options.
When I connect to :443/location1, Nginx will request a client cert, but will fail with "HTTP 400, Bad Request, Require Client Cert". It seems as if NGinx uses the server rule for port 444 which has a "ssl_verify_client off" on connect, but on the route, NGinx checks to see if a client cert was given since it's rule for port 443, says client verify is required and then fails in the actual HTTP request.
I dug around and can't seem to find any docs around this. Clearly same IP:PORT is an issue, but everything thus far indicates by PORT I can change the config but that doesn't seem to be the case.
server {
listen 443;
ssl on;
ssl_certificate /etc/nginx/ssl-certs/a.cert;
ssl_certificate_key /etc/nginx/ssl-certs/a.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_client_certificate /etc/nginx/ssl-certs/ca.pem;
ssl_verify_client on;
location /location1 {
[..]
}
}
server {
listen 444;
ssl on;
ssl_certificate /etc/nginx/ssl-certs/a.cert;
ssl_certificate_key /etc/nginx/ssl-certs/a.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_verify_client off;
location /location2 {
[..]
}
}
I eventually figured it out.
Client rejection is mandatory, but can happen either after the connection has been made or during the handshake.
NGINX will allow the handshake to complete, then enforce if the
client was verified.
APACHE (at least the last version I used) fails
the handshake.