shorty1483 Posted May 10, 2017 (edited)
> EDIT: out of interest is there a way in NGINX to set the headers in one place for all my blocks? so far i have to copy and paste a lot of duplicate stuff to each server block.
As far as I know you can put most stuff into the http block as a kind of default setting. If something is different in the server or location block, nginx uses that because it has recursive priority.
Edit: Here you see in which blocks you can set the add_header directive: http://nginx.org/en/docs/http/ngx_http_headers_module.html
Edited May 10, 2017 by shorty1483
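An added example (not from the thread) of the layout shorty1483 describes: the headers live in one snippet included at the http level so every server and location inherits them; the file paths, hostname and backend port are assumed placeholders. The caveat worth knowing is that nginx inherits add_header from the parent level only when the current level has no add_header of its own, so a location that adds even one header must include the snippet again or the security headers silently disappear from its responses.

```nginx
# --- /etc/nginx/snippets/security-headers.conf (assumed path) ---
# The headers set once; "always" also attaches them to error responses.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Content-Type-Options nosniff always;
add_header X-Frame-Options SAMEORIGIN always;

# --- /etc/nginx/nginx.conf (excerpt) ---
http {
    # Defaults for every server{} and location{} below.
    include snippets/security-headers.conf;

    server {
        listen 443 ssl;
        server_name emby.example.com;            # placeholder hostname
        ssl_certificate     /etc/nginx/certs/fullchain.pem;   # placeholder
        ssl_certificate_key /etc/nginx/certs/privkey.pem;     # placeholder

        location / {
            # No add_header here, so all three headers are inherited from http{}.
            proxy_pass http://127.0.0.1:8096;   # assumed Emby HTTP backend
        }

        location /api/ {
            # This single add_header cancels inheritance for this block:
            # without the include below, /api/ responses would carry
            # Cache-Control but none of the three security headers.
            add_header Cache-Control no-store always;
            include snippets/security-headers.conf;
            proxy_pass http://127.0.0.1:8096;   # assumed Emby HTTP backend
        }
    }
}
```

Check the result per location with `curl -sI https://emby.example.com/api/` and confirm all headers are present, since `nginx -t` only validates syntax, not which headers each block ends up sending.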
Swynol Posted May 10, 2017
well that would save a whole lot of editing. thanks.
Jdiesel Posted May 10, 2017
I was using an nginx reverse proxy for a while but decided to simplify my setup, so I am now connecting to all my services other than Emby through my VPN. For Emby I am using a Letsencrypt certificate with an iptables rule on my linux server to route traffic over port 443 to port 8920. This allows me to connect directly to my server on the default https port through my domain name. I then set up my domain to use Cloudflare and require all IPs located outside my country to pass a Captcha. Just ran the test linked above and I get an F, however I am not overly concerned about it. I don't know if it was something I was using in my nginx config but my overall performance has been much better since eliminating the reverse proxy.
pir8radio Posted May 10, 2017 (Author)
> I was using an nginx reverse proxy for a while but decided to simplify my setup, so I am now connecting to all my services other than Emby through my VPN. For Emby I am using a Letsencrypt certificate with an iptables rule on my linux server to route traffic over port 443 to port 8920. This allows me to connect directly to my server on the default https port through my domain name. I then set up my domain to use Cloudflare and require all IPs located outside my country to pass a Captcha. Just ran the test linked above and I get an F, however I am not overly concerned about it. I don't know if it was something I was using in my nginx config but my overall performance has been much better since eliminating the reverse proxy.
it may have been a setting... You know cloudflare is an nginx reverse proxy right?
Jdiesel Posted May 10, 2017
> it may have been a setting... You know cloudflare is an nginx reverse proxy right?
Nope I had no idea. I seem to be happy with the simpler setup though. If I ever decide to open my other services to the internet again I'll likely revisit an nginx reverse proxy.
pir8radio Posted May 10, 2017 (Author)
> Nope I had no idea. I seem to be happy with the simpler setup though. If I ever decide to open my other services to the internet again I'll likely revisit an nginx reverse proxy.
Oh for sure, yea I wasn't knocking your simpler setup and happiness. Sorry if it came off like that.. I was just saying that's how cloudflare is able to hide IPs, change headers, cache, and all of that good stuff while only having a handful of server IPs: they actually run nginx as a very busy reverse proxy.. A lot of people don't realize that. They think it's a regular CDN.
Jdiesel Posted May 11, 2017
> Oh for sure, yea I wasn't knocking your simpler setup and happiness. Sorry if it came off like that.. I was just saying that's how cloudflare is able to hide IPs, change headers, cache, and all of that good stuff while only having a handful of server IPs: they actually run nginx as a very busy reverse proxy.. A lot of people don't realize that. They think it's a regular CDN.
No problem, I didn't take it that way at all. My knowledge of this stuff is quite limited and I haven't had the time to do my own research.
Guest asrequested Posted May 11, 2017
Surprise! Surprise! I got an F. I feel so proud!
Swynol Posted May 11, 2017
Finally managed to get an A+ rating. I found this site helpful in creating the HPKP hashes: https://report-uri.io/home/pkp_hash
Also I read that it's good to have a backup hash. Not sure how to create backups; what's the worst that could happen? If my hashes stop working I could just remove them.
shorty1483 Posted May 11, 2017
> Also I read that it's good to have a backup hash. Not sure how to create backups; what's the worst that could happen? If my hashes stop working I could just remove them.
This is why you create the backup hash from e.g. your Let's Encrypt intermediate cert or root cert. They have a longer runtime than your domain cert.
Swynol Posted May 11, 2017
So I have 3 hashes, which were extracted from my site using the HPKP generator:
- my own cert hash
- intermediate (Let's Encrypt Authority)
- Root CA (DST Root)
On the website checker I get an A+ but a warning saying I don't have a backup HPKP.
Swynol Posted May 11, 2017
After doing some more reading on the risks of using HPKP, not sure if I will bother with it. It's nice to have the A+ green grade but with the potential of losing access to all my sites.... I even set the max-age much lower, however it drops my score anyway.
pir8radio Posted May 11, 2017 (Author)
> After doing some more reading on the risks of using HPKP, not sure if I will bother with it. It's nice to have the A+ green grade but with the potential of losing access to all my sites.... I even set the max-age much lower, however it drops my score anyway.
Yes that is why I have not done this yet either..... I run through the cloudflare reverse proxy, and my nginx reverse proxy also has ssl... So if cloudflare goes down or I move away from it, I would go from their ssl to my own again; what happens in that situation? Could I pin more than one ssl? Probably. I just don't know enough about it yet myself.
Swynol Posted May 11, 2017
Ye from what I understand you can pin as many as you want. So I have my cert, Let's Encrypt intermediate and DST CA root all as hashes. If I change my cert then the hash changes, but the hash for the intermediate and CA root stay the same. The web browser only needs to authenticate against one of the hashes, not all of them.
In theory as long as you renew the Let's Encrypt cert every 90 days rather than getting a new cert then the hashes should stay the same. If you did need a new cert, you would leave your old cert hashes but also add your new cert hashes. Only remove the old hashes after they have expired, so whatever you have set the max-age to. Something I haven't tested yet.
Setting a low max-age gets around the risk but isn't as secure as a long max-age. For testing I set a max-age of 1 hour; that way if there's problems with the hashes or my cert then I would leave it an hour and I would be back up and running. I think most security sites recommend at least 30 days max-age.
The link below is to a site which had HPKP issues after changing their cert. They had a max-age of 1 year.... it could have been a major issue as no one could access their site and it might have been that way for 1 year. https://www.smashingmagazine.com/be-afraid-of-public-key-pinning/
For now I have removed key pinning as my cert is due for renewal in 40 days; don't want the hassle of any problems. I might just set a very low max-age with add_header private-key-pinning-report-only and see what happens.
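An added example (not from the thread) putting the two configurations discussed above side by side: the enforcing one-year pin that caused the Smashing Magazine lockout, and the report-only, short max-age trial Swynol describes; every pin value and the report-uri are placeholders you would fill from the report-uri.io generator linked earlier. Note that RFC 7469 defines a backup pin as one for a key that is not in the chain the server currently sends (for example a spare key generated in advance and kept offline), and browsers ignore an enforcing header that has no such pin, which is what the scanner's "no backup" warning refers to.

```nginx
# Placeholder pins (LEAF_PIN etc.) stand in for base64 SHA-256 SPKI hashes.

# Risky form, commented out on purpose: enforcing with a one-year max-age.
# Replace the leaf with a new key and returning browsers refuse the site
# until the pin expires, up to a year later.
# add_header Public-Key-Pins 'pin-sha256="LEAF_PIN"; pin-sha256="SPARE_KEY_PIN"; max-age=31536000' always;

# Safer trial: report-only (never blocks), one-hour max-age, the intermediate
# pinned so a routine 90-day renewal on the same chain still validates, and a
# true backup pin for a spare key that is not in the served chain.
add_header Public-Key-Pins-Report-Only 'pin-sha256="LEAF_PIN"; pin-sha256="INTERMEDIATE_PIN"; pin-sha256="SPARE_KEY_PIN"; max-age=3600; report-uri="https://reports.example.invalid/hpkp"' always;
```

Watch the report endpoint for a few renewal cycles before considering the enforcing header at all; the report-only variant gives you the mismatch data without the lockout risk the thread is worried about.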
Guest asrequested Posted May 11, 2017 (edited)
You guys are obsessed! A little OCD creeping in? I love it, lol
Edited May 11, 2017 by Doofus
Swynol Posted May 11, 2017
Haha I know, there's no need for all this security but it's something to do in the evenings
Sent from my iPhone using Tapatalk
Guest asrequested Posted May 11, 2017 (edited)
See, that's why I'm not looking into mine. I have a tendency to obsess lol
Edited May 11, 2017 by Doofus
Swynol Posted May 11, 2017
@ are you using NGINX? If so it's straightforward enough to get from an F grade to B+/A.
Guest asrequested Posted May 11, 2017 (edited)
I'm not using any proxy, although I do have a VPN that I use for "stuff". So here's a question for you guys. What is/are the benefits of using one?
Edited May 11, 2017 by Doofus
Swynol Posted May 11, 2017
Well it negates the need for a VPN, or allows you to have a second way to access what you need. You only have to have the default ports open on your router, so in my case only port 443. I can then close all the other ports to emby, plex, sonarr, radarr, etc etc. Better security. It allows you to run your own certs more effectively and add additional security. If you have multiple boxes on your LAN, you only have to have one that is web fronted; all the others can hide behind it on your LAN.
Guest asrequested Posted May 11, 2017
Hmm... I may have to look into this. And welcome the obsession
Guest asrequested Posted May 11, 2017
You know I'll have 1,001 questions.
CBers Posted May 11, 2017
> Hmm... I may have to look into this. And welcome the obsession
I'm trying to resist
Swynol Posted May 11, 2017
Just do it. You will see the benefits as soon as you get it up and running. I can give you a whole config. You only need to change the ssl cert location and the IP/port numbers and you will instantly have a fully working reverse proxy with an A grade security rating.
Sent from my iPad using Tapatalk
Guest asrequested Posted May 11, 2017
> I'm trying to resist
It's futile. See, I'm turning into a Borg..