
Nginx and Roku/Firestick Cipher Question



TechLife
Posted (edited)

I finally have nginx and cloudflare setup and happy. Mostly. Everything works fine when remotely accessing Emby from a laptop or iPhone. The problem is with Roku or Firestick. Using the following lines in SSL.conf breaks them both:

ssl_prefer_server_ciphers on;
ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;

If I comment these two lines, they work fine again but it seems like I'm compromising security.

I'm new to nginx and still doing research, but I can't find anything on this particular issue. What exactly doesn't it like, and what can I do to fix it without creating vulnerabilities?

Edited by TechLife
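The cipher string in the post is an OpenSSL-style selector, so the concrete suites it enables depend on the OpenSSL build nginx is linked against. The script below is an added example (not from this thread or from the Emby or nginx projects) that expands that exact string with the local OpenSSL through Python's ssl module and then groups the result the way an origin-hardening review would: 3DES suites, suites without forward secrecy, and CBC-mode suites. The grouping rules are this example's own assumptions, not securityheaders.com's or Cloudflare's criteria.

```python
import ssl

# Cipher string copied from the ssl.conf lines quoted in the thread.
THREAD_CIPHER_SPEC = "ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5"


def expand_cipher_string(spec: str) -> list[str]:
    """Return the TLS 1.2-and-below suite names an OpenSSL cipher string selects.

    The answer comes from whichever OpenSSL this Python is built against, so it
    can differ from what nginx on another host would negotiate.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(spec)  # raises ssl.SSLError if nothing at all matches
    # OpenSSL configures TLS 1.3 suites separately; the nginx ssl_ciphers
    # string does not govern them, so they are left out of this view.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def weak_suites(names: list[str]) -> dict[str, list[str]]:
    """Group suites a defender would normally drop from an origin config.

    Heuristics (assumptions of this example): 3DES is flagged by name, suites
    not using ECDHE/DHE key exchange lack forward secrecy, and ECDHE/DHE suites
    without GCM or ChaCha20 are CBC-mode suites.
    """
    findings = {"3des": [], "no_forward_secrecy": [], "cbc": []}
    for name in names:
        if "DES-CBC3" in name or "3DES" in name:
            findings["3des"].append(name)
        if not name.startswith(("ECDHE-", "DHE-")):
            findings["no_forward_secrecy"].append(name)
        elif "GCM" not in name and "CHACHA20" not in name:
            findings["cbc"].append(name)
    return findings


def main() -> None:
    names = expand_cipher_string(THREAD_CIPHER_SPEC)
    print(f"{len(names)} suites selected by the thread's cipher string:")
    for name in names:
        print("  ", name)
    for group, hits in weak_suites(names).items():
        print(f"{group}: {hits or 'none'}")


if __name__ == "__main__":
    main()
```

Whether the DH+3DES part of the string still selects anything depends on the OpenSSL build, which is one reason two installs can behave differently with the same config line; the output also makes it plain that the string only shapes the TLS 1.2 side of the Cloudflare-to-origin hop, not what Roku or Firestick clients negotiate with Cloudflare's edge.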
TechLife
Posted

Well, I *think* I got lucky and was able to fix it by enabling HSTS for the main and all subdomains. If anyone has any input, I'd love to hear it.

Happy2Play
Posted

@pir8radio Do you have any insight on this?

pir8radio
Posted (edited)

HSTS shouldn't have done anything different but forced SSL. You said you have "nginx and cloudflare" working. Cloudflare is doing your SSL, so any SSL settings you do in nginx are only for the Cloudflare-to-origin link. Make sure Cloudflare supports the ciphers you are trying to force: https://support.cloudflare.com/hc/en-us/articles/203041594-Cloudflare-SSL-cipher-browser-and-protocol-support

The first section goes over supported origin ciphers.


Edited by pir8radio
TechLife
Posted

Thanks for the reply @pir8radio. I don't know why HSTS made it work, I just know it did. Is HSTS necessary? It seems to have angered securityheaders because they dropped me to a B as soon as it was enabled. More importantly, you mentioned that my config is forcing ciphers. With this only affecting the connection between Cloudflare and my server, and nginx only allowing connections from their IPs, is it even necessary?

pir8radio
Posted
On 9/9/2020 at 11:37 PM, TechLife said:

Thanks for the reply @pir8radio. I don't know why HSTS made it work, I just know it did. Is HSTS necessary? It seems to have angered securityheaders because they dropped me to a B as soon as it was enabled. More importantly, you mentioned that my config is forcing ciphers. With this only affecting the connection between Cloudflare and my server, and nginx only allowing connections from their IPs, is it even necessary?

There is an option in Cloudflare to enable HSTS as well. Having it in nginx will still pass through Cloudflare and tell the client to use HSTS, but the actual encryption you employ on your nginx server will only be used by the Cloudflare servers; they will decrypt and then re-encrypt it using their settings. You probably now get a B grade because your "max-age" setting is probably too low, and that's OK. If you want to enable HSTS in Cloudflare, it is under SSL/TLS - Edge Certificates - Enable HSTS, but if it works the way you have it, you might be fine. Does it say why you now get a B grade? What test site are you using?

TechLife
Posted
36 minutes ago, pir8radio said:

There is an option in Cloudflare to enable HSTS as well. Having it in nginx will still pass through Cloudflare and tell the client to use HSTS, but the actual encryption you employ on your nginx server will only be used by the Cloudflare servers; they will decrypt and then re-encrypt it using their settings. You probably now get a B grade because your "max-age" setting is probably too low, and that's OK. If you want to enable HSTS in Cloudflare, it is under SSL/TLS - Edge Certificates - Enable HSTS, but if it works the way you have it, you might be fine. Does it say why you now get a B grade? What test site are you using?

I should have been more specific. It was after enabling HSTS on CloudFlare that the Roku and Firestick began working.

I increased the max-age to 2592000 on cloudflare and I'm back to an A.

I removed the SSL lines above and am just letting cloudflare handle the connection between their servers and mine. Please tell me if this is a bad idea and I need to change it.

Now the only things it's complaining about are:

Access-Control-Allow-Origin: *

Permissions-Policy: Permissions Policy is a new header that allows a site to control which features and APIs can be used in the browser.

Access-Control-Allow-Origin: This is a very lax CORS policy. Such a policy should only be used on a public CDN.

All of which I'm working on, but if you can point me in the right direction, like whether this needs to change in nginx, Cloudflare, or both, it would be greatly appreciated!

BTW, I'm using securityheaders.com for testing. I'm happy to try another if you recommend one, or I can just PM my site address if you want to see it yourself.
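The three findings quoted above, plus the HSTS max-age point from earlier in the thread, can all be checked against the response headers a browser actually receives, whichever layer (nginx or Cloudflare) added them. The script below is an added example, not part of this thread and not securityheaders.com's grading logic: it parses a Strict-Transport-Security value, flags a wildcard Access-Control-Allow-Origin and a missing Permissions-Policy, and compares max-age against the 2592000-second value TechLife reported as bringing the grade back to A. That threshold and the two sample header sets are constructed for the example and are assumptions, not the grader's published rules.

```python
# Bar for HSTS max-age, taken from the 2592000 (30 days) TechLife reported in
# this thread. Assumed as the minimum here; securityheaders.com's own cut-off
# is not stated on this page.
HSTS_MIN_MAX_AGE = 2592000


def parse_hsts(value: str) -> dict[str, str]:
    """Split 'max-age=N; includeSubDomains; preload' into a lowercase dict."""
    directives: dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, val = part.partition("=")
        directives[key.strip().lower()] = val.strip().strip('"')
    return directives


def audit_headers(headers: dict[str, str]) -> list[str]:
    """Return a list of findings for one HTTP response's headers.

    Header names are matched case-insensitively, as HTTP requires.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    findings: list[str] = []

    hsts = lowered.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        directives = parse_hsts(hsts)
        try:
            max_age = int(directives.get("max-age", "0"))
        except ValueError:
            max_age = 0  # treat a malformed value as no protection
        if max_age < HSTS_MIN_MAX_AGE:
            findings.append(f"HSTS max-age {max_age} is below {HSTS_MIN_MAX_AGE}")
        if "includesubdomains" not in directives:
            findings.append("HSTS does not include subdomains")

    if lowered.get("access-control-allow-origin") == "*":
        findings.append("Access-Control-Allow-Origin is '*' (lax CORS; only for public CDN content)")

    if "permissions-policy" not in lowered:
        findings.append("missing Permissions-Policy")

    return findings


# Constructed sample: roughly the state the thread describes before the fixes
# (short HSTS max-age, wildcard CORS, no Permissions-Policy). Not real output.
BEFORE = {
    "Strict-Transport-Security": "max-age=3600; includeSubDomains",
    "Access-Control-Allow-Origin": "*",
    "Content-Type": "text/html",
}

# Constructed sample: the same response after raising max-age, scoping CORS to
# one origin, and adding a Permissions-Policy. The origin name is a placeholder.
AFTER = {
    "Strict-Transport-Security": "max-age=2592000; includeSubDomains",
    "Access-Control-Allow-Origin": "https://emby.example.invalid",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "Content-Type": "text/html",
}


if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE), ("after", AFTER)):
        print(f"{label}: {audit_headers(hdrs) or ['no findings']}")
```

Because the check runs on whatever headers arrive at the client, it does not matter for the result whether a header is emitted by nginx's add_header or by a Cloudflare setting; it only matters that exactly one layer sets it, so the two do not disagree.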
