Note

The Funtoo Linux project has transitioned to "Hobby Mode" and this wiki is now read-only.

Difference between revisions of "WebServer SSL"

From Funtoo
Jump to navigation Jump to search
(Created page with "== Securing Nginx or Tengine with OpenSSL == === Getting Started === OK, you've got your SSL certificate and you have tengine or nginx setup, but you need it secure. After all...")
 
m (Added Category)
 
(6 intermediate revisions by 2 users not shown)
Line 1: Line 1:
[[Category:HOWTO]]
== Securing Nginx or Tengine with OpenSSL ==
== Securing Nginx or Tengine with OpenSSL ==
=== Getting Started ===
=== Getting Started ===
OK, you've got your SSL certificate and you have tengine or nginx setup, but you need it secure. After all, you've heard of all the recent DH attacks, BEAST, CRIME, FREAK, Heartbleed and others, right? Is your system already secure? ''Test it!'' Check out [https://www.ssllabs.com/|The SSL Labs Test Site]. I'm getting an '''A+''' rating! The following assumes [[Package:Tengine]], but [[Package:Nginx]] is exactly the same, just s/tengine/nginx/g;
This guide assumes you already have your Webserver, [[Package:Tengine]] or [[Package:Nginx]] installed and serving pages on the standard HTTP port.  You should also have the [[Package:OpenSSL]] installed and an SSL certificate and key file (either self signed or provided by a commercial supplier).   If you need a certificate, you can get one free from [https://www.startssl.com|StartSSL]. These guys will step you through the process of getting the certificate by following the instructions on their site. Follow the installation instructions here.
 
If you don't know what [[Package:OpenSSL]] is, just click the link. Need a certificate? OK - I highly recommend [https://www.startssl.com|StartSSL]. It's '''FREE!''' These guys will step you through the process by following the instructions on their site. If you have problems, the tech support via email is instantaneous and incredibly professional. My cert was the free variety, but if I ever upgrade, I will go to them because the support (to a non-paying customer no less) was so good.


=== /etc/tengine/ssl.conf ===
=== /etc/tengine/ssl.conf ===
I recommend you put all your SSL configuration into a single file so that you can update it as security issues arise.  This way, if you have multiple sites, they can all include the same file and you don't need to try and maintain the information for each site separately.
Put all your SSL configuration into a single file so that you can update it as security issues arise.  This way, if you have multiple sites, they can all include the same file and you don't need to try and maintain the information for each site separately.
<pre>
<pre>
#- Not sure if both lines needed, but it works
#- Not sure if both lines needed, but it works
listen [::]:443 ssl;
listen                                 [::]:443 ssl;
listen 443 ssl;
listen                                 443 ssl;


#- Support current SSL standards and options only
#- Support current SSL standards and options only
Line 16: Line 15:
ssl_session_timeout 10m;
ssl_session_timeout 10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers   on;
ssl_prefer_server_ciphers               on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ciphers                             "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_session_tickets off;
ssl_session_tickets                     off;
ssl_stapling on;
ssl_stapling         on;
ssl_stapling_verify on;
ssl_stapling_verify on;


#- And some security related headers
#- And some security related headers
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header X-Frame-Options DENY;
#add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-Content-Type-Options nosniff;
</pre>
</pre>
Comment out the Strict-Transport-Security if you want to have part of your site as non-SSL.  Not recommended!
X-Frame-Options is to deny the use of frames, which is good for security, but you'll find much of existing software still need frames.


=== Attach Certs To Your Site ===  
=== Attach Certs To Your Site ===  
Go to your /etc/tengine/sites-available/ directory and add the following to your first SSL site.
Go to your /etc/tengine/sites-available/ directory and add the following to your first SSL site.
<pre>
<pre>
include                                 /etc/tengine/ssl.conf;
include                       /etc/tengine/ssl.conf;
ssl_dhparam         /etc/ssl/tengine/dhparam4096;
ssl_dhparam       /etc/ssl/tengine/dhparam4096;
ssl_trusted_certificate   /etc/ssl/tengine/startssl_trust_chain.crt;
ssl_trusted_certificate       /etc/ssl/tengine/startssl_trust_chain.crt;
ssl_certificate       /etc/ssl/tengine/ssl-unified.crt;
ssl_certificate       /etc/ssl/tengine/ssl-unified.crt;
ssl_certificate_key       /etc/ssl/tengine/ssl.key;
ssl_certificate_key       /etc/ssl/tengine/ssl.key;
</pre>
</pre>
If you purchased a certificate that work for multiple domains, then these can be the same files for all your sites and you can toss those lines in the above ssl.conf.  In most cases, you will likely have different ssl certificates for different sites and you will likely want to name the files accordingly.
If you purchased a certificate that works for multiple domains, then these can be the same files for all your sites and you can place those lines in the above ssl.conf.  In most cases, you will likely have different ssl certificates for different sites and you will likely want to name the files accordingly.


=== Building SSL Files ===
=== Building SSL Files ===
Now, there are 4 files here for SSL in addition to the one we just included. Let's look at where they come from.
There are 4 files here for SSL in addition to the ssl.conf file you just included.   Follow these steps to create them:


First, you should have a certificate file (ssl.crt in the following), and a key for that file (private_ssl.key).  The header will determine which is which if you named them funny.  Filenames aren't important.  Open the file with ''vi'' and look for the text at the top between '-----' symbols, starting with BEGIN.  If you use ''less'', you won't see the header as ''less'' will attempt to decode the certificate to show you in the information in it.
First, you should have a certificate file (ssl.crt in the example), and a key for that file (private_ssl.key).  The header will determine which is which if you named them funny.  Filenames aren't important.  Open the file with ''vi'' and look for the text at the top between '-----' symbols, starting with BEGIN.  If you use ''less'', you won't see the header as ''less'' will attempt to decode the certificate to show you in the information in it.
* '''CERTFICATE'''  This is a certificate
* '''CERTFICATE'''  This is a certificate
* '''RSA PRIVATE KEY'''  This is your key!
* '''RSA PRIVATE KEY'''  This is your key!
If your KEY has a line that says ENCRYPTED, it's password protected.  
If your KEY has a line that says '''ENCRYPTED''', it is password protected.  
Since you probably don't want to issue a password every time you start your server, let's fix that first.
Since you probably don't want to issue a password every time you start your server, decrypt it with this command.  You will need the password you used to encrypt the key.  If your key does not say ENCRYPTED, you can probably just skip this step.
  {{console|body=openssl rsa -in private_ssl.key -out /etc/ssl/tengine/ssl.key}}
  {{console|body=openssl rsa -in private_ssl.key -out /etc/ssl/tengine/ssl.key}}
Easy enough? And we have one of our files done. Only 3 to go!
That's the first file.  The rest are even easier.


The next is to create a chain of certificates back to the root. For StartSSL, you download their cert:
You want to create a chain of certificates that validate from you back to the root certificates installed in the browser.  You may want to check with your SSL certificate provider. For StartSSL, you download their cert and attach it to your file:
{{console|body=wget https://www.startssl.com/certs/class1/sha2/pem/sub.class1.server.sha2.ca.pem}}
{{console|body=wget https://www.startssl.com/certs/class1/sha2/pem/sub.class1.server.sha2.ca.pem}}
Then make the file you need with your cert and theirs. Here's your next 2 files!
Now make the unified certificate chain you need by combining your certificate and theirs.
{{console|body=cat ssl.crt sub.class1.server.sha2.ca.pem  > /etc/ssl/tengine/ssl-unified.crt
{{console|body=cat ssl.crt sub.class1.server.sha2.ca.pem  > /etc/ssl/tengine/ssl-unified.crt
cp sub.class1.server.sha2.ca.pem /etc/ssl/tengine/startssl_trust_chain.crt}}
cp sub.class1.server.sha2.ca.pem /etc/ssl/tengine/startssl_trust_chain.crt}}
Now, the final command for the final file:
You use DH key parameters to exchange keys securely.  Create this file with the following command:
{{console|body=openssl dhparam -out /etc/ssl/tengine/dhparam4096 4096}}
{{console|body=openssl dhparam -out /etc/ssl/tengine/dhparam4096 4096}}
4096 might be overkill, but 1024 is the minimum and you might as well go all out just in case 1024 gets broken next month!
4096 might be overkill, but 1024 is the minimum and you might as well go all out just in case 1024 gets broken next month!
Line 61: Line 62:
Be sure all these files are secure!
Be sure all these files are secure!
{{console|body=chmod 0600 /etc/ssl/tengine/*}}
{{console|body=chmod 0600 /etc/ssl/tengine/*}}
Delete originals, clean up, then restart tengine.  Repeat the above for each SSL site, giving descriptive names to your output files.
Delete originals, clean up, then restart tengine.  Repeat the above for each SSL site, giving descriptive names to your certificates and keys.
 
=== Test It ===
If you followed the above instructions, you should now have a secure site.  ''Test it!'' on the [https://www.ssllabs.com/|The SSL Labs Test Site].  You should get an '''A+''' rating.  If you don't, go back  and see if you missed anything, using the information from the test report to see what you need to check.
 
=== Further Reading ===
* https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html

Latest revision as of 07:06, July 24, 2015

Securing Nginx or Tengine with OpenSSL

Getting Started

This guide assumes you already have your Webserver, Package:Tengine or Package:Nginx installed and serving pages on the standard HTTP port. You should also have the Package:OpenSSL installed and an SSL certificate and key file (either self signed or provided by a commercial supplier). If you need a certificate, you can get one free from [1]. These guys will step you through the process of getting the certificate by following the instructions on their site. Follow the installation instructions here.

/etc/tengine/ssl.conf

Put all your SSL configuration into a single file so that you can update it as security issues arise. This way, if you have multiple sites, they can all include the same file and you don't need to try and maintain the information for each site separately.

#- Not sure if both lines needed, but it works
listen                                  [::]:443 ssl;
listen                                  443 ssl;

#- Support current SSL standards and options only
ssl_session_cache			shared:SSL:10m;
ssl_session_timeout			10m;
ssl_protocols TLSv1			TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers               on;
ssl_ciphers                             "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_session_tickets                     off;
ssl_stapling			        on;
ssl_stapling_verify			on;

#- And some security related headers
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
#add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

Comment out the Strict-Transport-Security if you want to have part of your site as non-SSL. Not recommended! X-Frame-Options is to deny the use of frames, which is good for security, but you'll find much of existing software still need frames.

Attach Certs To Your Site

Go to your /etc/tengine/sites-available/ directory and add the following to your first SSL site.

include                        /etc/tengine/ssl.conf;
ssl_dhparam		       /etc/ssl/tengine/dhparam4096;
ssl_trusted_certificate        /etc/ssl/tengine/startssl_trust_chain.crt;
ssl_certificate		       /etc/ssl/tengine/ssl-unified.crt;
ssl_certificate_key	       /etc/ssl/tengine/ssl.key;

If you purchased a certificate that works for multiple domains, then these can be the same files for all your sites and you can place those lines in the above ssl.conf. In most cases, you will likely have different ssl certificates for different sites and you will likely want to name the files accordingly.

Building SSL Files

There are 4 files here for SSL in addition to the ssl.conf file you just included. Follow these steps to create them:

First, you should have a certificate file (ssl.crt in the example), and a key for that file (private_ssl.key). The header will determine which is which if you named them funny. Filenames aren't important. Open the file with vi and look for the text at the top between '-----' symbols, starting with BEGIN. If you use less, you won't see the header as less will attempt to decode the certificate to show you in the information in it.

  • CERTFICATE This is a certificate
  • RSA PRIVATE KEY This is your key!

If your KEY has a line that says ENCRYPTED, it is password protected. Since you probably don't want to issue a password every time you start your server, decrypt it with this command. You will need the password you used to encrypt the key. If your key does not say ENCRYPTED, you can probably just skip this step.

openssl rsa -in private_ssl.key -out /etc/ssl/tengine/ssl.key

That's the first file. The rest are even easier.

You want to create a chain of certificates that validate from you back to the root certificates installed in the browser. You may want to check with your SSL certificate provider. For StartSSL, you download their cert and attach it to your file:

wget https://www.startssl.com/certs/class1/sha2/pem/sub.class1.server.sha2.ca.pem

Now make the unified certificate chain you need by combining your certificate and theirs.

cat ssl.crt sub.class1.server.sha2.ca.pem  > /etc/ssl/tengine/ssl-unified.crt
cp sub.class1.server.sha2.ca.pem /etc/ssl/tengine/startssl_trust_chain.crt

You use DH key parameters to exchange keys securely. Create this file with the following command:

openssl dhparam -out /etc/ssl/tengine/dhparam4096 4096

4096 might be overkill, but 1024 is the minimum and you might as well go all out just in case 1024 gets broken next month!

Be sure all these files are secure!

chmod 0600 /etc/ssl/tengine/*

Delete originals, clean up, then restart tengine. Repeat the above for each SSL site, giving descriptive names to your certificates and keys.

Test It

If you followed the above instructions, you should now have a secure site. Test it! on the SSL Labs Test Site. You should get an A+ rating. If you don't, go back and see if you missed anything, using the information from the test report to see what you need to check.

Further Reading