
SSL and Security Quality


pir8radio


shorty1483

 

EDIT: Out of interest, is there a way in NGINX to set the headers in one place for all my blocks? So far I have to copy and paste a lot of duplicate stuff to each server block.

 

As far as I know you can put most of the stuff into the http block as a kind of default setting. If something is different in the server or location block, nginx uses that because it has recursive priority.

 

 

Edit: Here you can see in which blocks you can set the add_header directive: http://nginx.org/en/docs/http/ngx_http_headers_module.html

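The "set it once" layout from the two posts above, written out as an added example (not configuration from this thread or from any poster). Hostnames, certificate paths and the snippet path are assumptions. It also shows the add_header caveat documented by nginx that the posts do not mention: a block inherits the add_header lines of the level above it only if it defines none of its own, so a single add_header inside a location silently drops every inherited header.

```nginx
# Added example (not from the thread): put shared response headers in one
# place. Caveat from the nginx docs for add_header: a block inherits the
# add_header lines of the level above it ONLY if it defines none of its own,
# so one add_header inside a location silently drops every inherited header.

http {
    # /etc/nginx/snippets/security-headers.conf (assumed path) holds the
    # shared set, e.g.:
    #   add_header X-Content-Type-Options "nosniff" always;
    #   add_header X-Frame-Options "SAMEORIGIN" always;
    #   add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    include /etc/nginx/snippets/security-headers.conf;

    server {
        listen 443 ssl;
        server_name emby.example.com;                                              # assumed
        ssl_certificate     /etc/letsencrypt/live/emby.example.com/fullchain.pem;  # assumed
        ssl_certificate_key /etc/letsencrypt/live/emby.example.com/privkey.pem;    # assumed

        # Inherits all three shared headers: no add_header of its own here.
        location /static/ {
            proxy_pass http://127.0.0.1:8096;   # assumed Emby backend
        }

        # BROKEN: this location sends Strict-Transport-Security and nothing
        # else; the http-level add_header lines no longer apply at this level.
        location /broken/ {
            add_header Strict-Transport-Security "max-age=31536000" always;
            proxy_pass http://127.0.0.1:8096;
        }

        # FIXED: re-include the shared set wherever a block needs its own
        # add_header, so the extra header is added rather than substituted.
        location / {
            include /etc/nginx/snippets/security-headers.conf;
            add_header Strict-Transport-Security "max-age=31536000" always;
            proxy_pass http://127.0.0.1:8096;
        }
    }
}
```

`nginx -T` prints the configuration nginx actually loads with every include expanded, which is the quickest way to see which add_header lines are in effect for a given block; `curl -skI https://emby.example.com/broken/` against a test instance shows the shared headers missing on the broken location and present on the fixed one.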

Jdiesel

I was using a nginx reverse proxy for a while but decided to simplify my setup, so I am now connecting to all my services other than Emby through my VPN. For Emby I am using a Letsencrypt certificate with an iptables rule on my linux server to route traffic over port 443 to port 8920. This allows me to connect directly to my server on the default https port through my domain name. I then set up my domain to use Cloudflare and require all IPs located outside my country to complete a Captcha. Just ran the test linked above and I get an F; however, I am not overly concerned about it. I don't know if it was something I was using in my nginx config, but my overall performance has been much better since eliminating the reverse proxy.


pir8radio

It may have been a setting... You know Cloudflare is an nginx reverse proxy, right?


Jdiesel

Nope, I had no idea. I seem to be happy with the simpler setup though. If I ever decide to open my other services to the internet again I'll likely revisit a nginx reverse proxy.


pir8radio

Oh for sure, yeah, I wasn't knocking your simpler setup and happiness :) Sorry if it came off like that. I was just saying that's how Cloudflare is able to hide IPs, change headers, cache, and all of that good stuff while only having a handful of server IPs; they actually run nginx as a very busy reverse proxy. A lot of people don't realize that. They think it's a regular CDN.


Jdiesel

No problem, I didn't take it that way at all. My knowledge of this stuff is quite limited and I haven't had the time to do my own research.


Swynol

Finally managed to get an A+ rating.

 

- I found this site helpful in creating the HPKP hashes: https://report-uri.io/home/pkp_hash

 

Also I read that it's good to have a backup hash. Not sure how to create backups; what's the worst that could happen? If my hashes stop working I could just remove them.


shorty1483

 

 

This is why you create the backup hash from e.g. your Let's Encrypt intermediate cert or root cert. They have a longer lifetime than your domain cert.


Swynol

So I have 3 hashes, which were extracted from my site using the HPKP generator:

- my own cert hash
- intermediate (Let's Encrypt Authority)
- Root CA (DST Root)

 

On the website checker I get an A+, but a warning saying I don't have a backup HPKP.


Swynol

After doing some more reading on the risks of using HPKP, not sure if I will bother with it. It's nice to have the A+ green grade, but with the potential of losing access to all my sites....

 

I even set the max-age to much lower; however, it drops my score anyway.


pir8radio

Yes, that is why I have not done this yet either..... I run through the Cloudflare reverse proxy, and my nginx reverse proxy also has SSL... So if Cloudflare goes down or I move away from it, I would go from their SSL to my own again; what happens in that situation? Could I pin more than one SSL? Probably, I just don't know enough about it yet myself.


Swynol

Yeah, from what I understand you can pin as many as you want.

 

So I have my cert, Let's Encrypt intermediate and DST CA root all as hashes. If I change my cert then the hash changes, but the hashes for the intermediate and CA root stay the same. The web browser only needs to authenticate against one of the hashes, not all of them.

 

In theory, as long as you renew the Let's Encrypt cert every 90 days rather than getting a new cert, the hashes should stay the same. If you did need a new cert, you would leave your old cert hashes but also add your new cert hashes. Only remove the old hashes after they have expired, so whatever you have set the max-age to. Something I haven't tested yet.

 

Setting a low max-age gets around the risk but isn't as secure as a long max-age. For testing I set a max-age of 1 hour; that way, if there are problems with the hashes or my cert, I would leave it an hour and I would be back up and running. I think most security sites recommend at least 30 days max-age.

 

The link below is to a site which had HPKP issues after changing their cert. They had a max-age of 1 year.... It could have been a major issue, as no one could access their site and it might have been that way for 1 year.

 

https://www.smashingmagazine.com/be-afraid-of-public-key-pinning/

 

 

For now I have removed key pinning as my cert is due for renewal in 40 days; I don't want the hassle of any problems. I might just set a very low max-age with add_header private-key-pinning-report-only and see what happens.

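The pin mechanics argued over in this post and in the earlier ones about the report-uri hash generator and the "no backup HPKP" warning, as an added worked example in Python (not code from any poster or from the linked tools). It uses only the standard library, and the SPKI byte strings are constructed stand-ins for the DER SubjectPublicKeyInfo of each certificate; a real value comes from `openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform der`. Three points the thread leaves open: a pin covers the public key, not the certificate, so a renewal only keeps the pin if the same key is reused (certbot generates a fresh key unless told `--reuse-key`); RFC 7469 defines a backup pin as one that matches nothing in the served chain, so the intermediate and root pins are not backups, which is exactly why the checker warned; and removing the header does not unpin browsers that already noted it, so the lockout lasts until max-age runs out. All major browsers have since dropped HPKP support, so this is about understanding the failure mode rather than a recommendation to deploy it.

```python
"""Worked example of HTTP Public Key Pinning (HPKP, RFC 7469) mechanics.
Added for this thread; not code from any poster. Standard library only."""
import base64
import hashlib


def pin_sha256(spki_der: bytes) -> str:
    """A pin-sha256 value is base64(SHA-256(DER SubjectPublicKeyInfo)).

    It commits to the public KEY, not the certificate. Renewing a cert with
    the same key keeps the pin; generating a fresh key on renewal changes it.
    """
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


# Constructed stand-ins for the DER SPKI bytes of each certificate in a chain.
# A real value comes from the certificate file, e.g.
#   openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform der
LEAF_SPKI = b"constructed-leaf-spki:" + bytes(range(0, 40))
NEW_LEAF_SPKI = b"constructed-new-leaf-spki:" + bytes(range(200, 240))  # after a key change
INTERMEDIATE_SPKI = b"constructed-intermediate-spki:" + bytes(range(40, 80))
ROOT_SPKI = b"constructed-root-spki:" + bytes(range(80, 120))
BACKUP_SPKI = b"constructed-offline-backup-key-spki:" + bytes(range(120, 160))

SERVED_CHAIN = [LEAF_SPKI, INTERMEDIATE_SPKI, ROOT_SPKI]


def evaluate_pins(chain_spkis, pins):
    """Apply the two RFC 7469 conditions a browser checked before noting pins.

    Returns (chain_matches, has_backup):
      chain_matches - at least one pin matches an SPKI in the served chain
                      (the browser only needs ONE match, not all of them)
      has_backup    - at least one pin matches NOTHING in the served chain;
                      without such a backup pin the whole header is ignored
    """
    chain_pins = {pin_sha256(spki) for spki in chain_spkis}
    given = set(pins)
    return bool(given & chain_pins), bool(given - chain_pins)


def build_header(pins, max_age, report_only=False, include_subdomains=False, report_uri=None):
    """Return (header_name, header_value) in the form nginx's add_header takes."""
    name = "Public-Key-Pins-Report-Only" if report_only else "Public-Key-Pins"
    parts = ['pin-sha256="%s"' % p for p in pins]
    parts.append("max-age=%d" % max_age)
    if include_subdomains:
        parts.append("includeSubDomains")
    if report_uri:
        parts.append('report-uri="%s"' % report_uri)
    return name, "; ".join(parts)


def locked_out(remembered_pins, new_chain_spkis):
    """What a returning browser does after the server changes keys.

    It keeps enforcing remembered_pins until their max-age elapses; removing
    the header on the server never reaches it. True means every visitor who
    noted the pins is rejected until then (the outage described in the thread).
    """
    chain_matches, _ = evaluate_pins(new_chain_spkis, remembered_pins)
    return not chain_matches


if __name__ == "__main__":
    thread_pins = [pin_sha256(s) for s in SERVED_CHAIN]  # leaf + intermediate + root
    print("chain pins only -> (matches, has_backup):", evaluate_pins(SERVED_CHAIN, thread_pins))
    safe_pins = thread_pins + [pin_sha256(BACKUP_SPKI)]
    print(build_header(safe_pins, max_age=3600, report_only=True))
    rotated = [NEW_LEAF_SPKI, INTERMEDIATE_SPKI, ROOT_SPKI]
    print("new leaf key, intermediate pinned -> locked out?", locked_out(safe_pins, rotated))
    leaf_and_backup = [pin_sha256(LEAF_SPKI), pin_sha256(BACKUP_SPKI)]
    print("new leaf key, only leaf+backup pinned -> locked out?", locked_out(leaf_and_backup, rotated))
    print("rotated onto the backup key -> locked out?",
          locked_out(leaf_and_backup, [BACKUP_SPKI, INTERMEDIATE_SPKI, ROOT_SPKI]))
```

The last two calls are the reason a backup pin is a key you generate and keep offline rather than another certificate in the chain: if the leaf key has to change, switching to the pre-pinned backup key keeps pinned visitors working, while any other new key locks them out for the remaining max-age. A `Public-Key-Pins-Report-Only` header with a `report-uri` exercises all of this without the browser ever enforcing it.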

Guest asrequested

You guys are obsessed! A little OCD creeping in? I love it, lol


Swynol

Haha, I know, there's no need for all this security, but it's something to do in the evenings.

 

 


Guest asrequested

See, that's why I'm not looking into mine. I have a tendency to obsess, lol.


Swynol

@ are you using NGINX? If so, it's straightforward enough to get from an F grade to B+/A.


Guest asrequested

I'm not using any proxy, although I do have a VPN, that I use for "stuff".

 

So here's a question for you guys. What is/are the benefits of using one?


Swynol

Well, it negates the need for a VPN, or allows you to have a second way to access what you need.

 

You only have to have the default ports open on your router, so in my case only port 443. I can then close all the other ports to Emby, Plex, Sonarr, Radarr, etc. Better security. It allows you to run your own certs more effectively and add additional security. If you have multiple boxes on your LAN, you only have to have one that is web-fronted; all the others can hide behind it on your LAN.

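The single-port layout described in the post above, as an added example (not the thread's or any poster's configuration): one nginx host answers on 443 for everything, the router forwards only that port, and each backend stays on a LAN address that is never exposed. Hostnames, LAN addresses, backend ports, subnets and certificate paths are assumptions; the file is meant to be included inside the http context, as distributions' conf.d or sites-enabled directories are.

```nginx
# Added example, not the thread's or any poster's configuration: one nginx
# host on port 443 fronting several LAN services, so the router forwards a
# single port. Hostnames, LAN addresses, backend ports, subnets and file paths
# are assumptions; substitute your own.

# Lets Emby's websocket connections pass through the proxy (http context).
map $http_upgrade $connection_upgrade {
    default upgrade;
    ""      close;
}

# Port 80 exists only to redirect; nothing is served in the clear.
server {
    listen 80 default_server;
    server_name _;
    return 301 https://$host$request_uri;
}

# Catch-all on 443: requests for hostnames you did not configure (IP-address
# scans, stale DNS) get the connection closed instead of whichever server
# block happens to come first in the file.
server {
    listen 443 ssl default_server;
    server_name _;
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;  # assumed; covers all names below
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;    # assumed
    return 444;
}

# Public service: Emby, reachable from anywhere over TLS.
server {
    listen 443 ssl;
    server_name emby.example.com;                                         # assumed
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_pass http://192.168.1.10:8096;   # assumed Emby box; plain HTTP stays inside the LAN
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade           $http_upgrade;
        proxy_set_header Connection        $connection_upgrade;
    }
}

# Admin-style tools sit behind the same public port but answer only to the
# LAN and the VPN subnet; everyone else gets 403 before reaching the backend.
server {
    listen 443 ssl;
    server_name sonarr.example.com;                                       # assumed
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=31536000" always;

    allow 192.168.1.0/24;   # assumed LAN
    allow 10.8.0.0/24;      # assumed VPN client subnet
    deny  all;

    location / {
        proxy_pass http://192.168.1.20:8989;   # assumed Sonarr box
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

The repeated ssl_* and Strict-Transport-Security lines can move once into the http block and be inherited. With the catch-all in place, `curl -k https://<public-ip>/` gets an empty reply rather than the Emby page. One caveat for anyone also routing through Cloudflare, as earlier in this thread: the allow/deny rules then see Cloudflare's addresses, not the visitor's, unless nginx's realip module is configured to trust the proxy's ranges.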

CBers

Hmm... I may have to look into this. And welcome the obsession :D

I'm trying to resist ;)


Swynol

Just do it. You will see the benefits as soon as you get it up and running. I can give you a whole config. You only need to change the SSL cert location and the IP/port numbers and you will instantly have a fully working reverse proxy with an A grade security rating.

 

 

