Collection on all things HTTPS. Includes settings for TLS on nginx.

README.md

Collection on all things HTTPS. Includes settings for TLS on nginx.

---

My current settings for TLS on nginx/1.10.3 on Ubuntu Server 16.04 LTS

See https://www.nginx.com/resources/wiki/start/topics/tutorials/install/#official-debian-ubuntu-packages on how to install the lastest version of nginx.

Most settings are sourced from https://bettercrypto.org/static/applied-crypto-hardening.pdf#subsection.2.1.3, https://danpalmer.me/blog/ssl-labs-grade-a, https://gist.github.com/plentz/6737338 and https://scotthelme.co.uk/

Background

I'm a newbie to large scale webhosting, but really interested in it. This is my take on a nginx config to deploy on my servers.

So if you find a way to do something better: Please leave a comment! Thanks!

Tests

• https://www.ssllabs.com/ssltest/
  • https://dev.ssllabs.com/ssltest/
• https://www.htbridge.com/ssl/
• https://tools.keycdn.com/http2-test
• http://www.whatsmyip.org/http-compression-test/
• https://observatory.mozilla.org/
• https://tools.pingdom.com/
• https://tools.geekflare.com/
  • https://tools.geekflare.com/web-tools
  • https://tools.geekflare.com/web-tools/x-frame-options-test
  • https://tools.geekflare.com/web-tools/hsts-header-test
• https://github.com/s-rah/onionscan/blob/master/doc/what-is-scanned-for.md
• https://securityheaders.io/
• https://hstspreload.org/
• https://report-uri.io/
• https://testssl.sh/ / https://github.com/drwetter/testssl.sh
• https://internet.nl/
• https://www.hardenize.com/
• https://tlsinspector.com/
• https://developers.google.com/web/updates/2015/12/security-panel

Additional Links

• https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
• https://wiki.mozilla.org/Security/Server_Side_TLS
• https://movingtohttps.com/
• https://www.aptive.co.uk/blog/tls-ssl-security-testing/
• https://mozilla.github.io/server-side-tls/ssl-config-generator/
• https://media.ccc.de/v/eh16-62-zeitgemasse_webserver-konfiguration_--_ein_serviervorschlag
• https://hstspreload.org/
• https://weakdh.org/sysadmin.html
• h5bp/server-configs-nginx#72
• https://scotthelme.co.uk/hardening-your-http-response-headers/
• https://geekflare.com/nginx-webserver-security-hardening-guide/
• https://www.keycdn.com/blog/x-frame-options/
• https://geekflare.com/add-x-frame-options-nginx/
• https://www.upguard.com/articles/10-tips-for-securing-your-nginx-deployment
• https://geekflare.com/http-header-implementation/
• https://www.keycdn.com/blog/http-security-headers/
• http://vincent.bernat.im/en/blog/2011-ssl-session-reuse-rfc5077.html
• http://en.wikipedia.org/wiki/Clickjacking
• https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
• https://www.owasp.org/index.php/List_of_useful_HTTP_headers
• https://forum.joomla.org/viewtopic.php?t=845318#p3313092
• https://www.digicert.com/ssl-certificate-installation-nginx.htm
• https://www.digitalocean.com/community/tutorials/how-to-set-up-nginx-with-http-2-support-on-ubuntu-16-04
• https://stackoverflow.com/questions/17413526/nginx-missing-sites-available-directory
• https://serverfault.com/questions/775298/debian-jessie-nginx-with-openssl-1-0-2-to-use-alpn-rather-than-npn
• https://www.cyberciti.biz/faq/linux-unix-nginx-access-control-howto/
• https://www.sslshopper.com/ssl-converter.html
• https://www.nginx.com/blog/nginx-ssl/
• http://www.westphahl.net/blog/2012/01/03/setting-up-https-with-nginx-and-startssl/
• https://www.markbrilman.nl/2011/08/howto-convert-a-pfx-to-a-seperate-key-crt-file/
• https://easyengine.io/tutorials/nginx/enable-gzip/
• https://askubuntu.com/questions/553937/what-is-the-difference-between-the-core-full-extras-and-light-packages-for-ngi
• https://certbot.eff.org/#ubuntuxenial-nginx Always use "letsencrypt certonly" to avoid the automatic installation messing up your config.
• https://jefferytay.wordpress.com/2010/12/09/converting-a-pfx-file-to-pem-and-key-via-openssl/
• https://security.stackexchange.com/questions/79519/ssl-tls-how-to-fix-chain-issues-contains-anchor
• https://ssl.comodo.com/support/creating-a-pem-file.php / https://support.comodo.com/index.php?/Knowledgebase/List/Index/71
• https://superuser.com/questions/644343/how-do-you-fix-an-incomplete-ssl-chain
• https://certificatechain.io/
• https://community.qualys.com/docs/DOC-1931
• https://community.qualys.com/thread/11685
• https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/
• https://gist.github.com/konklone/6532544
• https://scotthelme.co.uk/hsts-the-missing-link-in-tls/
• https://scotthelme.co.uk/setting-up-hsts-in-nginx/
• https://scotthelme.co.uk/hsts-preloading/
• https://www.netsparker.com/web-vulnerability-scanner/vulnerability-security-checks-index/http-strict-transport-security-hsts-max-age-value-too-low/
• https://https.cio.gov/hsts/
• https://blog.qualys.com/securitylabs/2016/03/28/the-importance-of-a-proper-http-strict-transport-security-implementation-on-your-web-server
• https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
• https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet
• https://open.blogs.nytimes.com/2014/11/13/embracing-https/
• https://bits.blogs.nytimes.com/2015/10/14/encryption-is-more-important-and-easier-than-ever/
• https://www.theguardian.com/info/developer-blog/2016/nov/29/the-guardian-has-moved-to-https
• http://www.niemanlab.org/2015/07/s-is-for-secure-why-news-organizations-are-ditching-or-should-ditch-http-for-https/
• https://freedom.press/news/introducing-secure-news-automated-tool-tracking-adoption-https-encryption-across-news-websites/
• https://securethe.news/
• https://twitter.com/tlsallthethings
• https://www.eff.org/encrypt-the-web-report
• http://maulwuff.de/research/ssl-debugging.html
• https://www.maxcdn.com/blog/ssl-performance-myth/
• https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices
• https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide
• https://www.techandme.se/set-up-nginx-reverse-proxy/
• https://nginx.org/en/docs/http/server_names.html
• https://www.troyhunt.com/understanding-http-strict-transport/
• https://gist.github.com/StefanWallin/5690c76aee1f783c3d57
• https://www.linode.com/docs/security/ssl/install-lets-encrypt-to-create-ssl-certificates
• https://www.digicert.com/ssl-certificate-installation-nginx.htm
• https://www.digitalocean.com/community/tutorials/how-to-configure-nginx-as-a-reverse-proxy-for-apache
• https://https.cio.gov/
• https://scotthelme.co.uk/alexa-top-1-million-analysis-feb-2017/
• https://www.feistyduck.com/
• https://www.feistyduck.com/books/bulletproof-ssl-and-tls/
• https://www.feistyduck.com/bulletproof-tls-newsletter/
• https://www.hardenize.com/
• https://badssl.com/
• https://www.feistyduck.com/ssl-tls-and-pki-history/
• https://mitmproxy.org/
• https://media.ccc.de/v/33c3-8348-deploying_tls_1_3_the_great_the_good_and_the_bad
• https://noncombatant.org/2017/02/15/decoding-chromes-https-ux/
• https://blog.mozilla.org/security/2017/01/20/communicating-the-dangers-of-non-secure-http/
• https://timtaubert.de/blog/2017/02/the-future-of-session-resumption/
• https://scotthelme.co.uk/ocsp-must-staple/
• https://jve.linuxwall.info/ressources/taf/HTTPSBsidesTampa17/#/
• https://jhalderm.com/pub/papers/interception-ndss17.pdf
• https://blog.appcanary.com/2017/http-security-headers.html
• https://blogs.akamai.com/2017/01/tls-13-ftw.html
• https://f5.com/labs/articles/threat-intelligence/ssl-tls/the-2016-tls-telemetry-report-24674
• https://www.eff.org/deeplinks/2016/12/what-happened-crypto-2016
• https://www.feistyduck.com/bulletproof-tls-newsletter/issue_23_2016_the_year_https_became_dominant.html
• https://blog.pki.dfn.de/2015/03/mehr-privacy-fuer-den-nutzer-ocsp-stapling/ (german, see the next link for english)
• https://www.maxcdn.com/one/visual-glossary/ocsp-stapling/ (english)
• https://www.keycdn.com/support/ocsp-stapling/
• https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx
• https://www.digicert.com/ssl-support/nginx-enable-ocsp-stapling-on-server.htm
• https://scotthelme.co.uk/content-security-policy-an-introduction/
• https://content-security-policy.com/
• https://scotthelme.co.uk/a-new-security-header-referrer-policy/
• https://www.pcisecuritystandards.org/documents/Migrating_from_SSL_Early_TLS_Information%20Supplement_v1.pdf
  • https://www.pcisecuritystandards.org/pdfs/15_12_18_SSL_Webinar_Press_Release_FINAL.pdf
  • https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2.pdf#page=119
  • https://blog.pcisecuritystandards.org/are-you-ready-for-30-june-2018-sayin-goodbye-to-ssl-early-tls
• https://letsencrypt.org/stats/
• https://www.httpvshttps.com/
• https://www.keycdn.com/blog/http2-statistics/
• https://zakird.com/papers/https_interception.pdf
• https://www.us-cert.gov/ncas/alerts/TA17-075A
• https://ssllabs.com/ssltest/clients.html
• https://www.troyhunt.com/https-adoption-has-reached-the-tipping-point/
• https://observer.com/2017/03/redtube-https-security-xvideos-thumbzilla/
• https://www.cloudflare.com/website-optimization/http2/what-is-http2/
• https://blog.cloudflare.com/encryption-week/
• https://blog.cloudflare.com/introducing-tls-1-3/
• https://blog.cloudflare.com/tls-1-3-overview-and-q-and-a/
• https://blog.cloudflare.com/introducing-0-rtt/
• https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/Inhalt/_content/m/m05/m05066.html
• https://www.nginx.com/blog/free-certificates-lets-encrypt-and-nginx/
• https://community.letsencrypt.org/t/is-it-possible/15132
• https://blog.qualys.com/ssllabs/2013/08/07/defending-against-the-breach-attack
• http://breachattack.com/
• https://jlospinoso.github.io/node/javascript/security/cryptography/privacy/2017/02/20/snuckme-cert-query.html
• It's an ad and they say SSL, but it explains stuff well: https://vimeo.com/135666049
• https://permission.site/
• https://www.golem.de/news/tls-1-3-die-zukunft-der-netzverschluesselung-1612-124724.html (german)
• http://mailman.nginx.org/pipermail/nginx-announce/2017/000195.html
• https://www.golem.de/news/webserver-nginx-1-13-erscheint-mit-tls-1-3-support-1704-127503.html (german)
• https://wiki.openssl.org/index.php/Compilation_and_Installation
• https://istlsfastyet.com/
• https://tlswg.github.io/
• https://security.stackexchange.com/questions/94390/whats-the-purpose-of-dh-parameters
• https://www.youtube.com/watch?v=dCvB-mhkT0w ECC
• https://www.youtube.com/watch?v=YEBfamv-_do DH
• https://www.youtube.com/watch?v=wXB-V_Keiu8 RSA
• https://www.nginx.com/resources/wiki/start/topics/examples/reverseproxycachingexample/
• https://www.nginx.com/blog/nginx-caching-guide/
• https://www.nginx.com/resources/admin-guide/content-caching/
• https://www.digitalocean.com/community/tutorials/understanding-nginx-http-proxying-load-balancing-buffering-and-caching
• https://tweaked.io/guide/nginx-proxying/
• mozilla/server-side-tls#135
• https://productforums.google.com/forum/#!topic/chrome/UBp_FtxonXU
• https://www.bjornjohansen.no/optimizing-https-nginx
• http://blog.commando.io/the-perfect-nginx-ssl-configuration/
• https://leandromoreira.com.br/2015/10/12/how-to-optimize-nginx-configuration-for-http2-tls-ssl/
• https://www.cyberciti.biz/faq/linux-unix-bsd-nginx-413-request-entity-too-large/
• https://drownattack.com/
• https://www.google.com/transparencyreport/https/
• https://motherboard.vice.com/en_us/topic/encrypt-all-the-things
• https://www.imperialviolet.org/2010/06/25/overclocking-ssl.html
• https://www.heise.de/security/meldung/TLS-1-3-doch-noch-nicht-jetzt-3780077.html (german on the delay of TLS 1.3)
• https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2013/BSI_veroeffentlicht_Mindeststandard_fuer_verschluesselte_Internetverbindungen_08102013.html (german federal guideline on the deprecation of SSL & TLS 1.0 / 1.1)
• https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Mindeststandards/Mindeststandard_BSI_TLS_1_2_Version_1_0.pdf?__blob=publicationFile (german federal guideline on the deprecation of SSL & TLS 1.0 / 1.1)
• https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR02102/BSI-TR-02102-2.pdf?__blob=publicationFile (german federal guideline on the deprecation of SSL & TLS 1.0 / 1.1)
• https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Mindeststandards/Migrationsleitfaden_Mindeststandard_BSI_TLS_1_2_Version_1_2.pdf?__blob=publicationFile&v=4 (german federal guideline on the deprecation of SSL & TLS 1.0 / 1.1)
• https://www.fastly.com/blog/phase-two-our-tls-10-and-11-deprecation-plan
• https://www.youtube.com/watch?v=WH5q8dNmAp8
• https://mitm.watch/
• On TLS certs being capped at two years
  • https://www.globalsign.com/en/blog/ssl-certificate-validity-capped-at-maximum-two-years/
  • https://www.entrustdatacard.com/blog/2017/march/maximum-certificate-lifetime-drops-to-825-days-in-2018
• https://0.me.uk/ev-phishing/
• https://stripe.ian.sh/
• https://security.stackexchange.com/questions/177182/is-there-a-list-of-old-browsers-that-only-support-tls-1-0/177323#177323
• https://crt.sh
• https://www.ct-observatory.org
• https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/
• https://blog.mozilla.org/security/2018/01/15/secure-contexts-everywhere/
• https://arkadiyt.com/2018/02/04/quantifying-untrusted-symantec-certificates/
• https://sslmate.com/caa/
• https://www.eff.org/deeplinks/2017/12/tipping-scales-https
• https://csrhelp.peculiarventures.com/
• https://security.stackexchange.com/questions/50878/ecdsa-vs-ecdh-vs-ed25519-vs-curve25519
• openssl/openssl#309
• https://caddy.community/t/how-to-enable-ssl-session-resumption/1886
• https://gist.github.com/roycewilliams/1710ade469c05eb0b090d268470aa741
• https://sslmate.com/caa/
• https://blog.pki.dfn.de/2017/09/caa-rrs-reihenfolge-im-dns/

You should definitely subscribe to the "Bulletproof TLS Newsletter"!

Also have a look at the alternative webserver Caddy.

comodo.md

Fix for Comodo certificates

I use Let's Encrypt cert's for my private stuff, but at work we use a Comodo wildcard certificate. As there is a reseller in between us, we only got a .pfx-file. This can be converted into two files (cert & key).

However this still breaks the certificate-chain, as the intermediate certificate is missing. The SSL Test reduces your grade to B because of this.

To fix this you can use ssl_certificate_key /etc/tls-cert/example-com.key; with the key you got by converting your .pfx into two files.

Paste the second file (public key as .crt-file) into https://certificatechain.io/ to get a .crt-file containing the full chain (your cert, intermediate cert and root cert). Put this in your config using ssl_certificate /etc/tls-cert/example-com.crt;.

This should fix the chain and give you an A grade on SSL Labs' SSL Test.

This may also work for other vendors!

You may use Chrome for https://certificatechain.io/ as my Firefox didn't work there.

example-com.conf

## /etc/nginx/sites-enabled/example-com.conf

server {
        listen 443 http2;
        listen [::]:443 http2;
        
        server_name example.com; # Replace all "example.com" in this config with your domain name. You can also set "server_name _;" to accept every request to server.
        
        include /etc/nginx/tls.conf; # include your TLS-config
        
        ### Block for webhosting ###
        location / {
                root /var/www/example.com;
                index index.html index.htm; # add index.php and enable php below if you need php
                #autoindex on; # Turn this on to list directory contents like on apache
                autoindex_exact_size off; # Make autoindex fancy
       		autoindex_localtime on; # and even more fancy
        }
        
        ### Block for Reverse Proxy ###
        location / {
                proxy_pass http://172.16.0.5/;
                #proxy_set_header Host $host; # Tell the software running on the server behind the proxy on which DNS-Name it should listen. This isn't required, but sometimes it can fix missing js, css, images or broken links.
                #proxy_set_header X-Forwarded-Proto https; # Tell an apache2 server behind the proxy that the proxy is https. This isn't required, but sometimes it can fix missing js, css, images or broken links. You need to put "SetEnvIfNoCase X-Forwarded-Proto https HTTPS=on" in apache2.conf on the apache-server behind the proxy. See https://forum.joomla.org/viewtopic.php?t=845318#p3313092
        }
        
        ### Block for internal hosting ###
        location / {
                root /var/www/example.com;
                index index.html index.htm;
                allow 5.189.139.136; # Put your company IP here to just allow this from your offices
                deny all; # Deny everything else
        }
        
        ### Block for redirect ###
        location / {
                return 301 https://example.org;
        }
        
        ### Block for "Access denied" message ###
        location / {
                return 403;
        }
        
### DEFAULT STUFF FROM HERE ###

        #charset koi8-r; # modify and enable if you need
        
        #access_log   /var/log/nginx/access.log  main; # Modify if you want, also avalible in /etc/nginx/nginx.conf
        
        #error_page  404              /404.html;

        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
                root   /usr/share/nginx/html;
        }

        # proxy the PHP scripts to Apache listening on 127.0.0.1:80
        #
        #location ~ \.php$ {
        #    proxy_pass   http://127.0.0.1;
        #}

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        #location ~ \.php$ {
        #    root           html; # just don't
        #    fastcgi_pass   127.0.0.1:9000;
        #    fastcgi_index  index.php;
        #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
        #    include        fastcgi_params;
        #}

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #    deny  all;
        #}
        
### DEFAULT STUFF TILL HERE ###

}

nginx.conf

## /etc/nginx/nginx.conf

user  nginx;
worker_processes  1; # use your number of cores

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;


events {
    worker_connections  1024; # connection limit
}


http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main; # Comment this out to disable access-logs. Also check out the tool "goaccess"

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    #gzip  on; # Turn this off/comment it out and see https://github.com/h5bp/server-configs-nginx/issues/72 on why

    server_tokens off; # don't send the nginx version number in error pages and Server header
     
    # redir every http-request to https
    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name _;
        return 301 https://$host$request_uri; # "Please be sure to not use the $host variable here because it contains data controlled by the user." - bettercrypto.org
    }
    
    include /etc/nginx/sites-enabled/*.conf;
    
}

tls.conf

# /etc/nginx/tls.conf

ssl on;
        
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # 4096 Bit cert form letsencypt
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

ssl_stapling on; # Enable OCSP stapling
ssl_stapling_verify on;
        
ssl_session_cache shared:SSL:50m; # enable session resumption to improve https performance http://vincent.bernat.im/en/blog/2011-ssl-session-reuse-rfc5077.html
ssl_session_timeout 5m;
ssl_session_tickets off; # https://github.com/mozilla/server-side-tls/issues/135
        
ssl_prefer_server_ciphers on;
        
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # You can remove TLSv1 but at cost of Android <4.4, the Baidu crawler, IE <11, OpenSSL <1.0 and Safari <7
        
ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA'; # allows most current browsers, most notable exceptions are IE on Windows XP and Java. You could also use Dan Palmer's 100% cipher strength recommendation, but at cost of most notably Android pre-4.4, Internet Explorer before version 11, and anything before Windows 7.
        
ssl_dhparam /etc/nginx/dhparams/dhparams.pem; # generated using "openssl dhparam -out /etc/nginx/dhparams/dhparams.pem 4096" however not sure if thats a good thing https://wiki.mozilla.org/Security/Server_Side_TLS#Pre-defined_DHE_groups
        
ssl_ecdh_curve secp384r1; # from NIST’s ECC curve recommendation
        
add_header Strict-Transport-Security max-age=15768000; # six months
#add_header Strict-Transport-Security "max-age=15768000; includeSubDomains"; # use this only if all subdomains support HTTPS!
#add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"; # One year with HSTS preload. See https://hstspreload.org/

add_header X-Frame-Options SAMEORIGIN; # or "add_header X-Frame-Options DENY;" allow iframes only frome same origin or deny it completely to avoid clickjacking
add_header Content-Security-Policy "default-src https: data: 'unsafe-inline' 'unsafe-eval'" always; # not the best way to do it
add_header X-Xss-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin"; # Chrome doesn't like this yet https://productforums.google.com/forum/#!topic/chrome/UBp_FtxonXU

add_header X-Emoji "<U+1F47D>"; # Why does this exist?!