I’m going all in – SSL. Here is what I used to set it up:

Install OpenVPN easy-rsa version 3 (find it on GitHub). Move the easyrsa3 folder to your desired location and edit the vars file to use SHA256 and a 4096-bit key length. I also entered some data for my CA, locations etc.
After this you need to initialize the setup and generate a Diffie-Hellman parameter, which takes some time for 4096 bits.


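#!/bin/sh
# Build a private CA, issue the server certificate and generate DH parameters
# with easy-rsa 3, then install the results where the nginx ssl config expects
# them. Run from the easyrsa3 directory after editing vars.
set -eu

SSL_DIR=/etc/nginx/ssl
SITE=www.linuxpinguin.de

# The redirect and copies below fail if the target directory does not exist yet.
mkdir -p "$SSL_DIR"

./easyrsa init-pki
./easyrsa gen-dh   # 4096-bit parameters (from vars) take a while to generate
install -m 0644 pki/dh.pem "$SSL_DIR/dh4096.pem"
./easyrsa build-ca
./easyrsa build-server-full "$SITE" nopass   # nopass: nginx must read the key unattended
# Server certificate first, then the issuing CA, so nginx serves the full chain.
cat "pki/issued/$SITE.crt" pki/ca.crt > "$SSL_DIR/$SITE-bundle.crt"
# The key is unencrypted (nopass); install it root-only instead of inheriting
# whatever mode cp would give it.
install -m 0600 "pki/private/$SITE.key" "$SSL_DIR/$SITE.key"

# Generate the SHA256 hashes of our crt and our ca crt
# (base64 of SHA-256 over the DER SubjectPublicKeyInfo — the HPKP pin-sha256 value).
# `openssl pkey` accepts any key type, where `openssl rsa` only handles RSA keys.
spki_pin() {
	openssl x509 -in "$1" -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64
}
spki_pin "pki/issued/$SITE.crt"
spki_pin pki/ca.crt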

 

Now I only have to build the right nginx config:

/etc/nginx/global/ssl.conf

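# /etc/nginx/global/ssl.conf — shared TLS settings, included by every HTTPS server block.
# `ssl on;` is deprecated (the `ssl` parameter on `listen` in the server block replaces
# it) and is kept only so a server that includes this file without `listen ... ssl`
# keeps working; drop it once every HTTPS server uses `listen ... ssl`.
ssl on;
# TLS 1.0 and 1.1 are deprecated (RFC 8996); only TLS 1.2 is offered.
# Add TLSv1.3 here if the nginx/OpenSSL build supports it.
ssl_protocols TLSv1.2;
# Forward-secret AEAD suites first, then CBC suites for older clients. The generic
# AES/CAMELLIA catch-alls and 3DES (DES-CBC3-SHA) from the original list are removed;
# !3DES keeps any 3DES suite out regardless of how it is named.
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/ssl/dh4096.pem;   # generated with `easyrsa gen-dh` (4096-bit)
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 5m;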

/etc/nginx/sites-available/www.linuxpinguin.de-443

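server {
    # `[::]:443` alone is IPv6-only with nginx's default ipv6only=on; the second
    # listen makes the site reachable over IPv4 as well.
    listen [::]:443 ssl; # Default listen port
    listen 443 ssl;
    server_name www.linuxpinguin.de;
    access_log /data/www/www.linuxpinguin.de/log/access.log main;
    include global/ssl.conf;
    include global/restrictions.conf;
    # Bundle = server certificate followed by the CA certificate (see the easy-rsa steps).
    ssl_certificate /etc/nginx/ssl/www.linuxpinguin.de-bundle.crt;
    ssl_certificate_key /etc/nginx/ssl/www.linuxpinguin.de.key;
    add_header X-Pect "Spanish Inquisition, always";

    # This adds Public Key Pinning (HPKP), with the SHA256 hashes generated before.
    # NOTE(review): HPKP is deprecated and no longer honoured by current major browsers,
    # and max-age=10 (seconds) makes this a dry run at best. RFC 7469 also requires at
    # least one backup pin that is NOT in the served chain; both pins here (leaf and CA)
    # are in the chain, so a conforming client would not note the pins at all.
    add_header Public-Key-Pins 'pin-sha256="v0nazIxjAi5ukseXLbPhTHy15P721r1F4I0YF3JWZsc="; pin-sha256="71HiiLGNlbxfvlYYbzPf49qinpDcL2NEfQl+wN0MSLQ="; max-age=10; includeSubDomains';

    # This adds Strict Transport Security (HSTS): two years, covering subdomains.
    # `preload` only matters if the site is submitted to the browser preload list, which
    # requires a publicly trusted certificate — not the private CA built above.
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";

    location / {
        proxy_redirect off; # Do not redirect this proxy - It needs to be pass-through
        proxy_set_header Host $host;
        proxy_read_timeout 120;
        # X-Forwarded-Protocol is kept for the existing backend; X-Forwarded-Proto is the
        # header most frameworks actually read to detect HTTPS.
        proxy_set_header X-Forwarded-Protocol https;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Server-Address $server_addr;
        proxy_set_header X-Forwarded-Host $host;
        proxy_pass_header Set-Cookie; # redundant: nginx does not hide Set-Cookie by default
        proxy_pass http://127.0.0.1:6081; # Pass all traffic through to Varnish
    }
}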

And that’s it.