Security and Crypto

encrypt_with_aes.sh

#!/bin/bash
# Encrypts input data using AES-CBC-128 without salt
# Key and IV passed as text parameters and converted to OpenSSL Hex formatted inputs.
# Outputs encrypted data as Base64 encoded text.

if [ "$1NULL" = "NULL" ]; then
        echo "Usage - $0 [key] [iv] [data]"
        exit 1
fi

KEY1=$(xxd -pu -c10000 <<< "$1")
IV1=$(xxd -pu -c10000 <<< "$2")

KEY=${KEY1:0:${#KEY1}-2}
IV=${IV1:0:${#IV1}-2}

echo "INPUT='$3'"
echo "Key='$KEY'"
echo "IV='$IV'"
echo

if [ -e "$3" ]; then
        openssl enc -nosalt -p -a -aes-128-cbc -in $3 -K $KEY -iv $IV
else
        echo -n $3 | openssl enc -p -nosalt -a -aes-128-cbc -K $KEY -iv $IV
fi

nginx_ssl.conf.md

Nginx SSL optimizations

server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
 
        ssl_certificate /etc/nginx/cert/bjornjohansen.no.certchain.crt;
        ssl_certificate_key /etc/nginx/cert/bjornjohansen.no.key;
 
        ssl_session_cache shared:SSL:20m;
        ssl_session_timeout 60m;
 
        ssl_prefer_server_ciphers on;
 
        ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
 
        ssl_dhparam /etc/nginx/cert/dhparam.pem;
 
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /etc/nginx/cert/trustchain.crt;
        resolver 8.8.8.8 8.8.4.4;
 
        #add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        add_header Strict-Transport-Security "max-age=31536000" always;
 
        # Rest of your regular config goes here:
        # […]
}

• Reference - bjornjohansen.no/optimizing-https-nginx