pir8radio, posted May 9, 2017:

I found this site https://www.htbridge.com/websec/; it does a pretty thorough web server security test. I was getting A+'s on regular SSL testing, and got an "F" on the above site lol... So I fixed all of the issues except for SSL pinning (which I don't want to fix at the moment). I'm up to an A, @Swynol would be proud! I just like the challenge of these tests, thought I would share and see how others with a reverse proxy are doing. I know the hardware section is kind of a "show off your work" area.
shorty1483, posted May 9, 2017:

> I found this site https://www.htbridge.com/websec/; it does a pretty thorough web server security test. I was getting A+'s on regular SSL testing, and got an "F" on the above site lol... [...]

I stopped taking this test seriously when it told me that abandoning everything except TLS 1.2 is a misconfiguration or weakness.
pir8radio, posted May 9, 2017:

> I stopped taking this test seriously when it told me that abandoning everything except TLS 1.2 is a misconfiguration or weakness.

Lol sorry, I actually meant to tag you in that post shorty, I was trying to make you proud! Swynol, sorry. Lol. Yes, I understand most of these testing sites seem to be pushing someone's agenda of the latest and greatest and only that...
Swynol, posted May 9, 2017:

Oh god, I'm getting an F. Are you testing your subdomains individually? I.e. did you get an A on your Emby server?
Swynol, posted May 9, 2017:

Damn you, now I'm going to spend hours trying to get a better rating...

    STRICT-TRANSPORT-SECURITY - The header was not sent by the server.
    PUBLIC-KEY-PINS - The header was not sent by the server.
    X-FRAME-OPTIONS - The header value is not consistent with Content-Security-Policy.
Swynol, posted May 9, 2017:

Adding these to all my location blocks:

    add_header X-Xss-Protection "1; mode=block" always;
    add_header X-Content-Type-Options "nosniff" always;

and adding this to my http block:

    server_tokens off;

and adding a default server listening block to redirect HTTP to HTTPS, rather than having each of my services handle its own redirect, raised me from an F to a B-:

    ## Default listening ##
    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name _;
        return 301 https://$host$request_uri;
    }

Now I need to look at HSTS; that should raise me to an A.
Swynol, posted May 9, 2017:

Up to a B+ on all my services now... haven't done HTTP pinning yet. Does anyone know, if I do pinning, when my cert changes after 90 days (Let's Encrypt), do I have to change the pinning?
shorty1483, posted May 9, 2017:

> Lol sorry, I actually meant to tag you in that post shorty, I was trying to make you proud! Swynol, sorry. Lol. Yes, I understand most of these testing sites seem to be pushing someone's agenda of the latest and greatest and only that...

You're right. As a basic guideline the tests are still pretty good. BTW: "A+" (@Swynol) for my publicly available Nextcloud and router interface, an "A" for my usually LAN-internal Emby server.

Edit: Sometimes I think we are the only 3 security analysts here.
shorty1483, posted May 9, 2017:

> Up to a B+ on all my services now... haven't done HTTP pinning yet. Does anyone know, if I do pinning, when my cert changes after 90 days (Let's Encrypt), do I have to change the pinning?

If you just renew the cert, the HTTP Public Key Pin remains the same. Additionally you need to define at least one secondary/backup pin. In my conf I used 3 hashes: first the ones of my two site certs (RSA and ECDSA) and as third hash the intermediate from Let's Encrypt. The intermediate takes care of reaching the site if for some reason you forget to renew your site certs.

    add_header Public-Key-Pins 'pin-sha256="HASH_ECDSA"; pin-sha256="HASH_RSA"; pin-sha256="HASH_INTERMEDIATE"; max-age=5184000; includeSubDomains';

To get an A+, it seems you need to set a very strict Content-Security-Policy. I did not try it, but in Emby I guess you need to specify all external sources like GitHub, Google Fonts etc. for the different content types to have it working.
Swynol, posted May 9, 2017:

I get a strange issue with the X-Frame. Any ideas on how I can improve this? This is my Emby config:

    ## EMBY Server ##
    server {
        listen [::]:443 ssl;
        listen 443 ssl;
        server_name emby.mydomain.com;

        ssl_session_timeout 30m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
        ssl_certificate SSL/cert.pem;
        ssl_certificate_key SSL/private.key;
        ssl_session_cache shared:SSL:10m;

        if ($scheme = http) {
            return 301 https://$server_name$request_uri;
        }

        location / {
            proxy_pass http://192.168.10.10:8096;
            proxy_hide_header X-Powered-By;
            proxy_set_header Range $http_range;
            proxy_set_header If-Range $http_if_range;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

            add_header X-Xss-Protection "1; mode=block" always;
            add_header X-Content-Type-Options "nosniff" always;
            add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always;
            add_header X-Frame-Options "SAMEORIGIN" always;
            add_header 'Referrer-Policy' 'no-referrer';

            # Next three lines allow websockets
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";

            add_header Content-Security-Policy "frame-ancestors emby.mydomain.com;";
        }
    }
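An added example, not code from this thread or from either scanner: an offline checker that reproduces the kinds of checks htbridge and securityheaders.io run, including the X-Frame-Options versus CSP frame-ancestors consistency test that the config above trips. THREAD_EMBY_HEADERS is a constructed dict of what that location block sends; FIXED_HEADERS is the same set with the findings resolved, using placeholder pin values of the right shape rather than real digests. The thresholds (one-year HSTS, two pins) are the example's own choices.

```python
"""Offline grader for the response-security headers discussed in this thread.

Added example, not code from the thread or from the scanners it mentions: it
reproduces the kinds of checks htbridge/securityheaders.io run, against a dict
of headers you can paste from `curl -sI https://host/`.  Thresholds are this
example's own choices and are noted where they appear.
"""
import re
from typing import Dict, List, Optional, Tuple

# One year, the minimum hstspreload.org accepts.  The 30 days (2592000) used in
# the thread makes the header "present" but scanners still mark it weak.
MIN_HSTS_MAX_AGE = 31536000
# A pin-sha256 value is a base64 SHA-256 digest: 32 bytes -> 44 chars, one "=".
PIN_RE = re.compile(r"[A-Za-z0-9+/]{43}=")

Finding = Tuple[str, str]  # (header name, problem)


def csp_directive(csp: str, name: str) -> Optional[List[str]]:
    """Source list of one CSP directive, or None if the directive is absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == name:
            return [t.lower() for t in tokens[1:]]
    return None


def max_age(value: str) -> Optional[int]:
    m = re.search(r'max-age\s*=\s*"?(\d+)', value, re.IGNORECASE)
    return int(m.group(1)) if m else None


def check_headers(headers: Dict[str, str]) -> List[Finding]:
    """Return the findings for one response's headers (empty list = clean)."""
    h = {k.lower(): v for k, v in headers.items()}
    out: List[Finding] = []

    if "x-content-type-options" not in h:
        out.append(("X-Content-Type-Options", "header not sent"))
    if "x-xss-protection" not in h:
        out.append(("X-XSS-Protection", "header not sent"))
    server = h.get("server", "")
    if re.search(r"\d", server):  # "nginx/1.12.0" means server_tokens is still on
        out.append(("Server", "version disclosed: " + server))

    hsts = h.get("strict-transport-security")
    if hsts is None:
        out.append(("Strict-Transport-Security", "header not sent"))
    elif (max_age(hsts) or 0) < MIN_HSTS_MAX_AGE:
        out.append(("Strict-Transport-Security", "max-age below one year"))

    # Browsers that implement CSP frame-ancestors ignore X-Frame-Options when
    # both are present, so the two must express the same policy: SAMEORIGIN
    # corresponds to 'self' and DENY to 'none', not to a bare hostname.
    xfo = h.get("x-frame-options", "").strip().upper()
    ancestors = csp_directive(h.get("content-security-policy", ""), "frame-ancestors")
    if xfo and ancestors is not None:
        equivalent = {"DENY": ["'none'"], "SAMEORIGIN": ["'self'"]}.get(xfo)
        if equivalent != ancestors:
            out.append(("X-Frame-Options",
                        "%s is not equivalent to frame-ancestors %s"
                        % (xfo, " ".join(ancestors))))

    hpkp = h.get("public-key-pins")
    if hpkp is None:
        out.append(("Public-Key-Pins", "header not sent"))
    else:
        pins = re.findall(r'pin-sha256="([^"]*)"', hpkp)
        if len(pins) < 2:  # RFC 7469: a backup pin for a key you hold is required
            out.append(("Public-Key-Pins", "fewer than two pins"))
        out.extend(("Public-Key-Pins", "malformed pin " + p)
                   for p in pins if not PIN_RE.fullmatch(p))
        if max_age(hpkp) is None:
            out.append(("Public-Key-Pins", "max-age missing"))
    return out


# Constructed sample: what the emby.mydomain.com location block above sends.
THREAD_EMBY_HEADERS = {
    "X-Xss-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=2592000; includeSubdomains",
    "X-Frame-Options": "SAMEORIGIN",
    "Referrer-Policy": "no-referrer",
    "Content-Security-Policy": "frame-ancestors emby.mydomain.com;",
}

# Constructed sample: the same set with the three findings resolved.  The pin
# values are placeholders of the right shape, not digests of any real key.
FIXED_HEADERS = dict(THREAD_EMBY_HEADERS, **{
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "frame-ancestors 'self';",
    "Public-Key-Pins": 'pin-sha256="%s"; pin-sha256="%s"; max-age=5184000'
                       % ("A" * 43 + "=", "B" * 43 + "="),
})

if __name__ == "__main__":
    for name, sample in (("thread", THREAD_EMBY_HEADERS), ("fixed", FIXED_HEADERS)):
        print(name, check_headers(sample) or "clean")
```

Run against the thread's headers it reports exactly the three things the scanner complained about: HSTS max-age too short, X-Frame-Options SAMEORIGIN not matching `frame-ancestors emby.mydomain.com`, and no Public-Key-Pins. The frame-ancestors mismatch is not a browser bug but a policy difference: `'self'` is the CSP spelling of SAMEORIGIN, while a bare hostname is a host-source that matches that host on any scheme, so a scanner cannot treat the two headers as saying the same thing.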
pir8radio, posted May 9, 2017:

@Swynol you are doing exactly what I did last night... lol, learning about all of this crap I never even thought about. I do not have 'always' on any of my headers. Not sure why yours is unhappy...
Swynol, posted May 9, 2017:

> If you just renew the cert, the HTTP Public Key Pin remains the same. Additionally you need to define at least one secondary/backup pin. In my conf I used 3 hashes: first the ones of my two site certs (RSA and ECDSA) and as third hash the intermediate from Let's Encrypt. [...]

Sorry for being thick, I'm new to this stuff. So I have my cert.pem which contains my cert and CA. I created a hash from it, so this is my intermediate. How do I get ECDSA and RSA hashes?
chef, posted May 9, 2017:

I got an F.
Swynol, posted May 9, 2017:

> @Swynol you are doing exactly what I did last night... lol, learning about all of this crap I never even thought about. I do not have 'always' on any of my headers. Not sure why yours is unhappy...

Haha. Yeah, I want that A grade... Removed always and it made no difference.
CBers, posted May 9, 2017:

> Sometimes I think we are the only 3 security analysts here.

Cos you're the only ones that understand this sh1t.
Swynol, posted May 9, 2017:

I haven't got a clue. I'm just copying and pasting what pir8radio and shorty tell me, haha. It's interesting stuff. There must be a huge number of websites out there open to attack because they "overlook" these types of security.
asrequested (guest), posted May 9, 2017:

Oh god! Now I'm gonna have to test mine, too, lol.
pir8radio, posted May 9, 2017:

> Cos you're the only ones that understand this sh1t.

> I haven't got a clue. I'm just copying and pasting what pir8radio and shorty tell me, haha. It's interesting stuff. There must be a huge number of websites out there open to attack because they "overlook" these types of security.

Uhh... I read it on the internet so it has to be true... lol, like I said, I just like the challenge of these "tests".
pir8radio, posted May 9, 2017:

And you are absolutely correct, run that test on big websites and you will find most of them fail as well... So I don't know if that means the tests are BS or the internet is going to blow up...
Swynol, posted May 9, 2017:

This is another site I have been using. I prefer this one as it gives me a nice green A: https://securityheaders.io/
CBers, posted May 9, 2017:

So I assume you are using nginx as a reverse proxy with SSL certs? Then you have Emby and other services configured in nginx?
Swynol, posted May 9, 2017:

> So I assume you are using nginx as a reverse proxy with SSL certs? Then you have Emby and other services configured in nginx?

Yeah, that's right. It can be done with nginx or Apache.
CBers, posted May 9, 2017:

> Yeah, that's right. It can be done with nginx or Apache.

I remember using XAMPP when I ran a NEWZNAB server, so it can't be that different.
shorty1483, posted May 10, 2017:

> Sorry for being thick, I'm new to this stuff. So I have my cert.pem which contains my cert and CA. I created a hash from it, so this is my intermediate. How do I get ECDSA and RSA hashes?

The certificate for your domain/subdomain is signed with a private key file. This one is an ECDSA or RSA key. When you use Let's Encrypt without your own cert request and ECDSA key, you have an RSA cert+key because that's the default in Let's Encrypt. Additionally you have a CA bundle from Let's Encrypt with the intermediate. My case is a special one because I generated the same cert two times with different key formats to offer maximum compatibility for devices, since ECDSA is faster than RSA in SW mode.

Now you generate the hash from your certificate:

    # "pkey" instead of "rsa" so the same pipeline works for an ECDSA key
    openssl x509 -in yourdomaincert.pem -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64

After that you take the CA bundle with the intermediate and extract the hash also (openssl x509 reads only the first certificate in the file):

    openssl x509 -in ca_bundle.pem -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64

Now take the two hashes and put them into the nginx command from the other post.

Good basic tutorial: https://gist.github.com/esurdam/ef72f1c47be7c074499cb920683bd307
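An added example, not from the thread: it produces the same pin-sha256 value as the openssl pipeline above without calling openssl, by walking the certificate's DER to the SubjectPublicKeyInfo. That also shows why the pin answers the earlier renewal question: the digest covers only the public key, so a re-issued cert with the same key keeps its pin and a re-key changes it. The only assumption is the RFC 5280 Certificate layout; the sample certificates that fake_cert() builds are constructed for the example (placeholder fields, zero signature) and stand in for a real cert.pem, which pem_to_der() can read instead.

```python
"""HPKP pin-sha256 values from a certificate, in pure Python.

Added example, not from the thread: it does what the openssl pipeline above
does (x509 -pubkey | pkey -pubin -outform der | dgst -sha256 -binary | enc
-base64) without calling openssl, by walking the DER to the
SubjectPublicKeyInfo.  It assumes only the RFC 5280 Certificate layout.  The
sample certificates built by fake_cert() are constructed for the example: the
non-key fields are empty placeholders and the signature is zeros.
"""
import base64
import hashlib
from typing import Tuple


def _tlv(buf: bytes, pos: int) -> Tuple[int, int, int]:
    """Read one DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def spki_der(cert_der: bytes) -> bytes:
    """The DER SubjectPublicKeyInfo (tag and length included) of a certificate."""
    _, tbs_start, _ = _tlv(cert_der, 0)            # Certificate ::= SEQUENCE
    _, pos, _ = _tlv(cert_der, tbs_start)          # tbsCertificate SEQUENCE
    tag, _, end = _tlv(cert_der, pos)
    if tag == 0xA0:                                # optional [0] EXPLICIT version
        pos = end
    for _ in range(5):  # serialNumber, signature, issuer, validity, subject
        _, _, pos = _tlv(cert_der, pos)
    tag, _, end = _tlv(cert_der, pos)
    if tag != 0x30:
        raise ValueError("expected SubjectPublicKeyInfo SEQUENCE")
    return cert_der[pos:end]


def pin_sha256(cert_der: bytes) -> str:
    """The pin is over the SPKI only, so it survives any re-issue of the cert
    that reuses the key and changes only when the key pair changes."""
    return base64.b64encode(hashlib.sha256(spki_der(cert_der)).digest()).decode()


def pem_to_der(pem: str) -> bytes:
    """Decode the first PEM block (enough for cert.pem or the CA bundle)."""
    body, inside = [], False
    for line in pem.splitlines():
        if line.startswith("-----END"):
            break
        if inside:
            body.append(line.strip())
        inside = inside or line.startswith("-----BEGIN")
    return base64.b64decode("".join(body))


# ---- constructed sample material --------------------------------------------
def _der(tag: int, content: bytes) -> bytes:
    """Minimal DER encoder, short and long length forms."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def fake_cert(serial: int, spki: bytes) -> bytes:
    """Certificate skeleton: real structure, placeholder fields, zero signature."""
    empty = _der(0x30, b"")
    tbs = _der(0x30, b"".join([
        _der(0xA0, _der(0x02, b"\x02")),           # [0] version v3
        _der(0x02, bytes([serial])),               # serialNumber
        empty, empty, empty, empty,                # signature, issuer, validity, subject
        spki,
    ]))
    return _der(0x30, tbs + empty + _der(0x03, b"\x00" * 5))


# Made-up RSA SPKIs (rsaEncryption OID + NULL, then the key as a BIT STRING).
_RSA_ALG = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")) + _der(0x05, b""))
KEY_A = _der(0x30, _RSA_ALG + _der(0x03, b"\x00" + b"\x41" * 140))
KEY_B = _der(0x30, _RSA_ALG + _der(0x03, b"\x00" + b"\x42" * 140))


def demo() -> Tuple[str, str, str]:
    """Pins for the first cert, a renewal that reused the key, and a re-key."""
    first = pin_sha256(fake_cert(1, KEY_A))
    renewed = pin_sha256(fake_cert(2, KEY_A))  # new serial, same key: same pin
    rekeyed = pin_sha256(fake_cert(3, KEY_B))  # new key pair: pin changes
    return first, renewed, rekeyed


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

For a real file, `pin_sha256(pem_to_der(open("cert.pem").read()))` gives the same string as the openssl pipeline. The practical caveat that demo() illustrates: a renewal keeps the pin only if the ACME client reuses the private key; a renewal that generates a fresh key pair produces a new pin, and clients that cached the old Public-Key-Pins header will refuse the site until max-age expires unless one of the other pins (the backup or the intermediate) still matches.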
Swynol, posted May 10, 2017:

Wow, thanks for the explanation, starting to make sense now. Yeah, I have my cert hash and the ca_bundle hash; wasn't sure how to get the ECDSA one. I do have a Let's Encrypt CSR.

Edit: Out of interest, is there a way in nginx to set the headers in one place for all my blocks? So far I have to copy and paste a lot of duplicate stuff to each server block.