From 629c94ddfc90d4e145a3999b7de471a001cc7a0e Mon Sep 17 00:00:00 2001 From: ajvn Date: Thu, 31 Jan 2019 21:53:08 +0100 Subject: [PATCH 1/9] Added nginx content - Adjusted Table of contents to separate Nginx from Apache, as config examples are provided - signed-off-by: ajvn --- README.md | 256 +++++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 253 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 39feb4e..c543f78 100644 --- a/README.md +++ b/README.md @@ -144,16 +144,17 @@ If you want to support another repository containing **hardening** recipes, plea + [Bind9](#bind9) * [Mail services](#mail-services) + [Postfix](#postfix) - * [Web services](#web-services) +- **[Web services](#web-services)** + [Nginx](#nginx) - + [Apache](#apache) - + [Securing and tuning HTTP/HTTPS protocols](#securing-and-tuning-http-https-protocols) + - [Files and directories permissions](#files-and-directories-permissions) - [Use HTTPS](#use-https) - [Enable HTTP2](#enable-http2) + - [Diffie Hellman Ephemeral Parameter](#diffie-hellman-ephemeral-parameter) - [Separate domains](#separate-domains) - [Redirect all unencrypted traffic to HTTPS](#redirect-all-unencrypted-traffic-to-https) - [Enable HTTP Strict Transport Security](#enable-http-strict-transport-security) - [Security related headers](#security-related-headers) + + [Apache](#apache) * [Databases](#databases) + [PostgreSQL](#postgresql) + [MySQL](#mysql) 
@@ -630,3 +631,252 @@ Run the following command to disable cups: ``` [Source](http://www.cups.org) + +## Web services + +### Nginx +Nginx is an HTTP and reverse proxy server, a mail proxy server, and a generic TCP/UDP proxy server, originally written by [Igor Sysoev](http://sysoev.ru/en/). +It's used worldwide, and is one best tools at what it does. Default configuration that comes with it, however, is not very security oriented, and it requires some work to set it up properly. That's what this section aims to help you with. + +[Source](https://nginx.org/en/) +#### Files and directories permissions + +Usually setting directories permissions to `0755` and file permissions to `0644` is a good practise. +`0755` permissions for directories allows nginx user to access files in the folder, however you don't want to grant same type of permissions to a file, as granting execution permissions to a file is not a good idea, especially on a publicly exposed server. + +Script for setting all directories permissions to `0755` (here we assume that webserver directory path is `/var/www/html`): + +```find /var/www/html -type d -exec chmod 755 {} \;``` + +Script for setting all files permissions to `0644`: + +```find /var/www/html -type f -exec chmod 644 {} \;``` + +Whatever you do, never grant `0777` permissions to files, nor folders. + + +##### Use HTTPS +In this day and age, with services like [Let's Encrypt](https://letsencrypt.org/), there's no excuse not to use HTTPS for your website. + +This example configuration also includes stronger cihper suite, ssl session adjustments, HSTS header, stronger DHE parameter, and OSCP Stapling. 
+**Example of a decent HTTPS config with HTTP to HTTPS redirection:** + +``` +server { + listen 80 default_server; + listen [::]:80 default_server; + server_name example.com; + + return 301 https://$host$request_uri; + server_tokens off; +} + +server { + listen 443 ssl default_server; + listen [::]:443 ssl; + + server_name example.com; + server_tokens off; + + ssl on; + ssl_certificate /etc/nginx/ssl/ssl-bundle.crt; + ssl_certificate_key /etc/nginx/ssl/cert.key; + ssl_session_timeout 1d; + ssl_session_cache shared:SSL:50m; + ssl_session_tickets off; + ssl_protocols TLSv1.2; + ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'; + ssl_prefer_server_ciphers on; + ssl_stapling on; + ssl_stapling_verify on; + ssl_dhparam /etc/nginx/ssl/dhparam.pem; +} +``` + +[Source](https://mozilla.github.io/server-side-tls/ssl-config-generator/) +#### Enable HTTP/2 +HTTP/2 is a replacement for how HTTP is expressed “on the wire.” It is not a ground-up rewrite of the protocol; HTTP methods, status codes and semantics are the same, and it should be possible to use the same APIs as HTTP/1.x (possibly with some small additions) to represent the protocol. 
+ +[Source](https://http2.github.io/) + +**Differences between HTTP/2 and HTTP/1.1:** + +At a high level, HTTP/2: + + + +[Source](https://http2.github.io/faq/#what-are-the-key-differences-to-http1x) + +**Example config that enables HTTP/2:** + +``` +server { + listen 80 default_server; + listen [::]:80 default_server; + server_name example.com; + + return 301 https://$host$request_uri; + server_tokens off; +} + +server { + listen 443 ssl http2 default_server; + listen [::]:443 ssl http2; + + server_name example.com; + server_tokens off; + + ssl on; + ssl_certificate /etc/nginx/ssl/ssl-bundle.crt; + ssl_certificate_key /etc/nginx/ssl/cert.key; +} +``` + +#### Separate domains + +In case you have more than one website you'd like to serve from your server, nginx allows you to that. + +In this example we'll have 2 different websites, with 2 different domains, served from same virtual machine. + +**Example config that allows you to serve two websites with two different domains:** + +``` +server { + listen 80; + listen [::]:80; + server_name first-example.com; + + root /var/www/html/website1; + index index.html; + server_tokens off; + + location / { + try_files $uri $uri/ =404; + } + +} + +server { + listen 80; + listen [::]:80; + server_name second-example.com; + + root /var/www/html/website2; + index index.html; + server_tokens off; + + location / { + try_files $uri $uri/ =404; + } +} +``` + +#### Redirect all unencrypted traffic to HTTPS + +This config entry is responsible for permanently redirecting all HTTP traffic to HTTPS. 
It will redirect all visitors that try to access website through HTTP on port 80, to HTTPS on port 443: +`return 301 https://$host$request_uri;` + +**Example config:** + +``` +server { + listen 80 default_server; + listen [::]:80 default_server; + server_name example.com; + + return 301 https://$host$request_uri; + server_tokens off; +} + +server { + listen 443 ssl http2 default_server; + listen [::]:443 ssl http2; + + server_name example.com; + server_tokens off; + + ssl on; + ssl_certificate /etc/nginx/ssl/ssl-bundle.crt; + ssl_certificate_key /etc/nginx/ssl/cert.key; +} +``` + +#### Enable HTTP Strict Transport Security + +**What is HSTS?** + +HTTPS (HTTP encrypted with SSL or TLS) is an essential part of the measures to secure traffic to a website, making it very difficult for an attacker to intercept, modify, or fake traffic between a user and the website. + +When a user enters a web domain manually (providing the domain name without the http:// or https:// prefix) or follows a plain http:// link, the first request to the website is sent unencrypted, using plain HTTP. Most secured websites immediately send back a redirect to upgrade the user to an HTTPS connection, but a well‑placed attacker can mount a man‑in‑the‑middle (MITM) attack to intercept the initial HTTP request and can control the user’s session from then on. 
+ +[Source](https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/) + +Config entry : +`add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;` + +**Example config** + +``` +server { + listen 80 default_server; + listen [::]:80 default_server; + server_name example.com; + + return 301 https://$host$request_uri; + server_tokens off; +} + +server { + listen 443 ssl http2 default_server; + listen [::]:443 ssl http2; + + server_name example.com; + server_tokens off; + + ssl on; + ssl_certificate /etc/nginx/ssl/ssl-bundle.crt; + ssl_certificate_key /etc/nginx/ssl/cert.key; + + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; +} +``` +#### Diffie Hellman Ephemeral Parameter +All versions of nginx as of 1.4.4 rely on OpenSSL for input parameters to Diffie-Hellman (DH). Unfortunately, this means that Ephemeral Diffie-Hellman (DHE) will use OpenSSL's defaults, which include a 1024-bit key for the key-exchange. +This example aims to generate stronger DHE parameter: +``` +cd /etc/nginx/ssl/ +openssl dhparam -out dhparam.pem 4096 +``` +Then add it to your nginx config with this config entry: +``` +ssl_dhparam /etc/nginx/ssl/dhparam.pem; +``` +[Source](https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html) + +#### Security related headers + +Cross-site scripting (XSS) protection: +Helps with preventing XSS attacks, it's enabling cross-site scripting filter built into modern browsers. +`add_header x-xss-protection "1; mode=block" always;` + +X-Frame-Options: +Prevents iframe loading from different websites: +`add_header x-frame-options "SAMEORIGIN" always;` + +X-Content-Type-Options: +It helps reducing drive-by downloads: +`add_header X-Content-Type-Options "nosniff" always;` + + +HTTP Strict Transport Security (HSTS): +When a browser sees this header from an HTTPS website, it “learns” that this domain must only be accessed using HTTPS (SSL or TLS). 
It caches this information for the max-age period (typically 31,536,000 seconds, equal to about 1 year). +`add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;` + +[Source 1](https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/) +[Source 2](https://www.owasp.org/index.php/OWASP_Secure_Headers_Project) \ No newline at end of file From d82197ae70611ab3d5f11200759eed879be5520e Mon Sep 17 00:00:00 2001 From: ajvn Date: Thu, 31 Jan 2019 21:56:22 +0100 Subject: [PATCH 2/9] Adjusted Table of Content - signed-off-by: ajvn --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index c543f78..88f09cd 100644 --- a/README.md +++ b/README.md @@ -155,7 +155,7 @@ If you want to support another repository containing **hardening** recipes, plea - [Enable HTTP Strict Transport Security](#enable-http-strict-transport-security) - [Security related headers](#security-related-headers) + [Apache](#apache) - * [Databases](#databases) +- **[Databases](#databases)** + [PostgreSQL](#postgresql) + [MySQL](#mysql) + [Redis](#redis) From dda1b7251f0f901feaa8b14cd019e4d59893d4d9 Mon Sep 17 00:00:00 2001 From: ajvn Date: Thu, 31 Jan 2019 21:58:25 +0100 Subject: [PATCH 3/9] Title adjustments - signed-off-by: ajvn --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 88f09cd..d9f714d 100644 --- a/README.md +++ b/README.md @@ -144,7 +144,7 @@ If you want to support another repository containing **hardening** recipes, plea + [Bind9](#bind9) * [Mail services](#mail-services) + [Postfix](#postfix) -- **[Web services](#web-services)** + * [Web services](#web-services) + [Nginx](#nginx) - [Files and directories permissions](#files-and-directories-permissions) - [Use HTTPS](#use-https) 
@@ -155,7 +155,7 @@ If you want to support another repository containing **hardening** recipes, plea - [Enable HTTP Strict Transport Security](#enable-http-strict-transport-security) - [Security related headers](#security-related-headers) + [Apache](#apache) -- **[Databases](#databases)** + * [Databases](#databases) + [PostgreSQL](#postgresql) + [MySQL](#mysql) + [Redis](#redis) From e17bfd6855fcbd6fefc0145ae2d160be8288b3b7 Mon Sep 17 00:00:00 2001 From: ajvn Date: Thu, 31 Jan 2019 22:01:47 +0100 Subject: [PATCH 4/9] Table of Content and titles edit - signed-off-by: ajvn --- README.md | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index d9f714d..e75c3c7 100644 --- a/README.md +++ b/README.md @@ -632,14 +632,14 @@ Run the following command to disable cups: [Source](http://www.cups.org) -## Web services +### Web services ### Nginx Nginx is an HTTP and reverse proxy server, a mail proxy server, and a generic TCP/UDP proxy server, originally written by [Igor Sysoev](http://sysoev.ru/en/). It's used worldwide, and is one best tools at what it does. Default configuration that comes with it, however, is not very security oriented, and it requires some work to set it up properly. That's what this section aims to help you with. [Source](https://nginx.org/en/) -#### Files and directories permissions +#### :eight_pointed_black_star: Files and directories permissions Usually setting directories permissions to `0755` and file permissions to `0644` is a good practise. `0755` permissions for directories allows nginx user to access files in the folder, however you don't want to grant same type of permissions to a file, as granting execution permissions to a file is not a good idea, especially on a publicly exposed server. 
@@ -655,7 +655,7 @@ Script for setting all files permissions to `0644`: Whatever you do, never grant `0777` permissions to files, nor folders. -##### Use HTTPS +#### :eight_pointed_black_star: Use HTTPS In this day and age, with services like [Let's Encrypt](https://letsencrypt.org/), there's no excuse not to use HTTPS for your website. This example configuration also includes stronger cihper suite, ssl session adjustments, HSTS header, stronger DHE parameter, and OSCP Stapling. @@ -694,7 +694,8 @@ server { ``` [Source](https://mozilla.github.io/server-side-tls/ssl-config-generator/) -#### Enable HTTP/2 + +#### :eight_pointed_black_star: Enable HTTP/2 HTTP/2 is a replacement for how HTTP is expressed “on the wire.” It is not a ground-up rewrite of the protocol; HTTP methods, status codes and semantics are the same, and it should be possible to use the same APIs as HTTP/1.x (possibly with some small additions) to represent the protocol. [Source](https://http2.github.io/) @@ -738,7 +739,7 @@ server { } ``` -#### Separate domains +#### :eight_pointed_black_star: Separate domains In case you have more than one website you'd like to serve from your server, nginx allows you to that. @@ -777,7 +778,7 @@ server { } ``` -#### Redirect all unencrypted traffic to HTTPS +#### :eight_pointed_black_star: Redirect all unencrypted traffic to HTTPS This config entry is responsible for permanently redirecting all HTTP traffic to HTTPS. It will redirect all visitors that try to access website through HTTP on port 80, to HTTPS on port 443: `return 301 https://$host$request_uri;` @@ -807,7 +808,7 @@ server { } ``` -#### Enable HTTP Strict Transport Security +#### :eight_pointed_black_star: Enable HTTP Strict Transport Security **What is HSTS?** 
@@ -846,7 +847,7 @@ server { add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; } ``` -#### Diffie Hellman Ephemeral Parameter +#### :eight_pointed_black_star: Diffie Hellman Ephemeral Parameter All versions of nginx as of 1.4.4 rely on OpenSSL for input parameters to Diffie-Hellman (DH). Unfortunately, this means that Ephemeral Diffie-Hellman (DHE) will use OpenSSL's defaults, which include a 1024-bit key for the key-exchange. This example aims to generate stronger DHE parameter: ``` @@ -859,7 +860,7 @@ ssl_dhparam /etc/nginx/ssl/dhparam.pem; ``` [Source](https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html) -#### Security related headers +#### :eight_pointed_black_star: Security related headers Cross-site scripting (XSS) protection: Helps with preventing XSS attacks, it's enabling cross-site scripting filter built into modern browsers. From 12e00f0a8ef8265ef9bdac34d588d5608b4849c2 Mon Sep 17 00:00:00 2001 From: ajvn Date: Thu, 31 Jan 2019 22:03:03 +0100 Subject: [PATCH 5/9] More title adjustments. - signed-off-by: ajvn --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index e75c3c7..8f0697f 100644 --- a/README.md +++ b/README.md @@ -659,7 +659,8 @@ Whatever you do, never grant `0777` permissions to files, nor folders. In this day and age, with services like [Let's Encrypt](https://letsencrypt.org/), there's no excuse not to use HTTPS for your website. This example configuration also includes stronger cihper suite, ssl session adjustments, HSTS header, stronger DHE parameter, and OSCP Stapling. -**Example of a decent HTTPS config with HTTP to HTTPS redirection:** + +**Example of a config with HTTP to HTTPS redirection:** ``` server { From b2f7d697a465a5fbb5cc5e8bd247b5f7df45a62c Mon Sep 17 00:00:00 2001 
From: ajvn Date: Thu, 31 Jan 2019 22:07:46 +0100 Subject: [PATCH 6/9] Formating - signed-off-by: ajvn --- README.md | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 8f0697f..cddcdb9 100644 --- a/README.md +++ b/README.md @@ -863,20 +863,19 @@ ssl_dhparam /etc/nginx/ssl/dhparam.pem; #### :eight_pointed_black_star: Security related headers -Cross-site scripting (XSS) protection: +_Cross-site scripting (XSS) protection:_ Helps with preventing XSS attacks, it's enabling cross-site scripting filter built into modern browsers. `add_header x-xss-protection "1; mode=block" always;` -X-Frame-Options: +_X-Frame-Options:_ Prevents iframe loading from different websites: `add_header x-frame-options "SAMEORIGIN" always;` -X-Content-Type-Options: +_X-Content-Type-Options:_ It helps reducing drive-by downloads: `add_header X-Content-Type-Options "nosniff" always;` - -HTTP Strict Transport Security (HSTS): +_HTTP Strict Transport Security (HSTS):_ When a browser sees this header from an HTTPS website, it “learns” that this domain must only be accessed using HTTPS (SSL or TLS). It caches this information for the max-age period (typically 31,536,000 seconds, equal to about 1 year). `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;` From f2bece9c869f4202a6c88e59cfb4d8b54a2f3dc1 Mon Sep 17 00:00:00 2001 From: ajvn Date: Thu, 31 Jan 2019 22:10:25 +0100 Subject: [PATCH 7/9] Format - signed-off-by: ajvn --- README.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/README.md b/README.md index cddcdb9..673f28b 100644 --- a/README.md +++ b/README.md 
@@ -782,6 +782,7 @@ server { #### :eight_pointed_black_star: Redirect all unencrypted traffic to HTTPS This config entry is responsible for permanently redirecting all HTTP traffic to HTTPS. It will redirect all visitors that try to access website through HTTP on port 80, to HTTPS on port 443: + `return 301 https://$host$request_uri;` **Example config:** @@ -820,6 +821,7 @@ When a user enters a web domain manually (providing the domain name without the [Source](https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/) Config entry : + `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;` **Example config** @@ -864,20 +866,34 @@ ssl_dhparam /etc/nginx/ssl/dhparam.pem; #### :eight_pointed_black_star: Security related headers _Cross-site scripting (XSS) protection:_ + Helps with preventing XSS attacks, it's enabling cross-site scripting filter built into modern browsers. + `add_header x-xss-protection "1; mode=block" always;` + _X-Frame-Options:_ + Prevents iframe loading from different websites: + `add_header x-frame-options "SAMEORIGIN" always;` + _X-Content-Type-Options:_ + It helps reducing drive-by downloads: + `add_header X-Content-Type-Options "nosniff" always;` + _HTTP Strict Transport Security (HSTS):_ + When a browser sees this header from an HTTPS website, it “learns” that this domain must only be accessed using HTTPS (SSL or TLS). It caches this information for the max-age period (typically 31,536,000 seconds, equal to about 1 year). + `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;` + + [Source 1](https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/) + [Source 2](https://www.owasp.org/index.php/OWASP_Secure_Headers_Project) \ No newline at end of file From 7514bd36b56571340b5f9b5da15aab2335ab5ae6 Mon Sep 17 00:00:00 2001 
From: ajvn Date: Thu, 31 Jan 2019 22:18:56 +0100 Subject: [PATCH 8/9] Fixing typos - signed-off-by: ajvn --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 673f28b..5e12714 100644 --- a/README.md +++ b/README.md @@ -636,7 +636,7 @@ Run the following command to disable cups: ### Nginx Nginx is an HTTP and reverse proxy server, a mail proxy server, and a generic TCP/UDP proxy server, originally written by [Igor Sysoev](http://sysoev.ru/en/). -It's used worldwide, and is one best tools at what it does. Default configuration that comes with it, however, is not very security oriented, and it requires some work to set it up properly. That's what this section aims to help you with. +It's used worldwide, and is one of best tools at what it does. Default configuration that comes with it, however, is not very security oriented, and it requires some work to set it up properly. That's what this section aims to help you with. [Source](https://nginx.org/en/) #### :eight_pointed_black_star: Files and directories permissions From d58259aeb2732df98f16e511fcf73871a076d274 Mon Sep 17 00:00:00 2001 From: "@trimstray" Date: Fri, 1 Feb 2019 07:46:26 +0100 Subject: [PATCH 9/9] minor fixes --- README.md | 60 +++++++++++++++++++++++++++++++++++-------------------- 1 file changed, 38 insertions(+), 22 deletions(-) diff --git a/README.md b/README.md index 5e12714..1f6a38f 100644 --- a/README.md +++ b/README.md 
@@ -634,11 +634,13 @@ Run the following command to disable cups: ### Web services -### Nginx +### Nginx + Nginx is an HTTP and reverse proxy server, a mail proxy server, and a generic TCP/UDP proxy server, originally written by [Igor Sysoev](http://sysoev.ru/en/). It's used worldwide, and is one of best tools at what it does. Default configuration that comes with it, however, is not very security oriented, and it requires some work to set it up properly. That's what this section aims to help you with. [Source](https://nginx.org/en/) + #### :eight_pointed_black_star: Files and directories permissions Usually setting directories permissions to `0755` and file permissions to `0644` is a good practise. @@ -646,16 +648,20 @@ Usually setting directories permissions to `0755` and file permissions to `0644` Script for setting all directories permissions to `0755` (here we assume that webserver directory path is `/var/www/html`): -```find /var/www/html -type d -exec chmod 755 {} \;``` +```bash +find /var/www/html -type d -exec chmod 755 {} \; +``` Script for setting all files permissions to `0644`: -```find /var/www/html -type f -exec chmod 644 {} \;``` +```bash +find /var/www/html -type f -exec chmod 644 {} \; +``` Whatever you do, never grant `0777` permissions to files, nor folders. - #### :eight_pointed_black_star: Use HTTPS + In this day and age, with services like [Let's Encrypt](https://letsencrypt.org/), there's no excuse not to use HTTPS for your website. This example configuration also includes stronger cihper suite, ssl session adjustments, HSTS header, stronger DHE parameter, and OSCP Stapling. 
@@ -690,13 +696,14 @@ server { ssl_prefer_server_ciphers on; ssl_stapling on; ssl_stapling_verify on; - ssl_dhparam /etc/nginx/ssl/dhparam.pem; + ssl_dhparam /etc/nginx/ssl/dhparam-4096.pem; } ``` [Source](https://mozilla.github.io/server-side-tls/ssl-config-generator/) #### :eight_pointed_black_star: Enable HTTP/2 + HTTP/2 is a replacement for how HTTP is expressed “on the wire.” It is not a ground-up rewrite of the protocol; HTTP methods, status codes and semantics are the same, and it should be possible to use the same APIs as HTTP/1.x (possibly with some small additions) to represent the protocol. [Source](https://http2.github.io/) @@ -822,11 +829,13 @@ When a user enters a web domain manually (providing the domain name without the Config entry : -`add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;` +```bash +add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; +``` **Example config** -``` +```bash server { listen 80 default_server; listen [::]:80 default_server; @@ -850,16 +859,21 @@ server { add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; } ``` + #### :eight_pointed_black_star: Diffie Hellman Ephemeral Parameter + All versions of nginx as of 1.4.4 rely on OpenSSL for input parameters to Diffie-Hellman (DH). Unfortunately, this means that Ephemeral Diffie-Hellman (DHE) will use OpenSSL's defaults, which include a 1024-bit key for the key-exchange. This example aims to generate stronger DHE parameter: -``` + +```bash cd /etc/nginx/ssl/ -openssl dhparam -out dhparam.pem 4096 +openssl dhparam -out dhparam-4096.pem 4096 ``` + Then add it to your nginx config with this config entry: -``` -ssl_dhparam /etc/nginx/ssl/dhparam.pem; + +```bash +ssl_dhparam /etc/nginx/ssl/dhparam-4096.pem; ``` [Source](https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html) 
@@ -869,31 +883,33 @@ _Cross-site scripting (XSS) protection:_ Helps with preventing XSS attacks, it's enabling cross-site scripting filter built into modern browsers. -`add_header x-xss-protection "1; mode=block" always;` - +```bash +add_header x-xss-protection "1; mode=block" always; +``` _X-Frame-Options:_ Prevents iframe loading from different websites: -`add_header x-frame-options "SAMEORIGIN" always;` - +```bash +add_header x-frame-options "SAMEORIGIN" always; +``` _X-Content-Type-Options:_ It helps reducing drive-by downloads: -`add_header X-Content-Type-Options "nosniff" always;` - +```bash +add_header X-Content-Type-Options "nosniff" always; +``` _HTTP Strict Transport Security (HSTS):_ When a browser sees this header from an HTTPS website, it “learns” that this domain must only be accessed using HTTPS (SSL or TLS). It caches this information for the max-age period (typically 31,536,000 seconds, equal to about 1 year). -`add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;` - - +```bash +add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; +``` [Source 1](https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/) - -[Source 2](https://www.owasp.org/index.php/OWASP_Secure_Headers_Project) \ No newline at end of file +[Source 2](https://www.owasp.org/index.php/OWASP_Secure_Headers_Project)
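Review bot: in the table-of-contents hunk of PATCH 1/9 the entry `Diffie Hellman Ephemeral Parameter` sits directly after `Enable HTTP2`, but the body added by the same patch places that section after `Enable HTTP Strict Transport Security`, so either move the ToC entry down to just before `Security related headers` or reorder the body to match. The bold `- **[Web services](#web-services)**` marker introduced here and the matching `- **[Databases](#databases)**` from PATCH 2/9 are both reverted by PATCH 3/9; squash those three patches so the series does not carry a change together with its own undo.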
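Review bot: the `Use HTTPS` server block in the large hunk of PATCH 1/9 sets `ssl on;` alongside `listen 443 ssl`; the `ssl` directive is obsolete since nginx 1.15.0 and was removed in 1.25.1, and the `ssl` listen parameter already enables TLS, so drop the line here and in the three later examples that copy it. The `ssl_ciphers` string, which the text calls a stronger cipher suite, still ends with 3DES suites (`ECDHE-ECDSA-DES-CBC3-SHA`, `EDH-RSA-DES-CBC3-SHA`, `DES-CBC3-SHA`) and static-RSA suites without forward secrecy (`AES128-SHA`, `AES256-SHA` and the `AES*-SHA256`/`GCM` entries without `ECDHE`/`DHE`); for a hardening guide keep only the ECDHE AEAD suites at the front of the string, and consider `ssl_protocols TLSv1.2 TLSv1.3;` where the OpenSSL build supports TLS 1.3. In the `Enable HTTP/2` subsection the list that should follow `At a high level, HTTP/2:` is empty (three blank `+` lines before the FAQ source link); paste the points from the linked FAQ or remove the lead-in and its source line.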
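Review bot: the `## Web services` to `### Web services` change in the first hunk of PATCH 4/9 puts the category heading at the same level as `### Nginx` directly beneath it, so Nginx no longer nests under Web services in the rendered outline and the `#### ` subsections read as children of a sibling; keep the category one level above its services, or demote `### Nginx` and every `####` beneath it by one level, whichever matches how the rest of the README nests its categories.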
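Review bot: the paragraph in the context of PATCH 4/9's `Use HTTPS` heading hunk says the example configuration includes an HSTS header, but the server block that follows sets no `add_header Strict-Transport-Security`, so a reader who copies that block believes they have HSTS and does not; either add the header to that block or drop the claim. In the same paragraph `cihper` should be `cipher` and `OSCP Stapling` should be `OCSP Stapling`; PATCH 8/9 ("Fixing typos") leaves both in place.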
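Review bot: the `Enable HTTP/2` example referenced by PATCH 4/9's `@@ -694` hunk, and the `Redirect` and `HSTS` examples after it, keep only `ssl_certificate`/`ssl_certificate_key` and drop every hardening directive from the `Use HTTPS` block (`ssl_protocols`, `ssl_ciphers`, `ssl_session_tickets off`, stapling, `ssl_dhparam`); since each is presented as a complete `server {}` pair, a reader is likely to paste the last one they read. State in one sentence that these blocks are meant to be merged into the `Use HTTPS` configuration, or show only the lines that differ (`http2` on `listen`, the `add_header` line) instead of repeating whole server blocks.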
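Review bot: `nginx allows you to that` in the context of PATCH 4/9's `Separate domains` hunk is missing a word (`allows you to do that`). The two `server` blocks in that example listen on port 80 only, with no TLS block and no redirect, one subsection after the guide insists that all HTTP traffic be redirected to HTTPS; make the example consistent by giving each domain a redirect-only port 80 block and a 443 block. Also mark a block `default_server` or add a catch-all such as `server { listen 80 default_server; return 444; }`: with neither block marked, nginx hands every request whose `Host` header matches no `server_name` to `first-example.com` simply because it appears first in the file.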
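Review bot: `return 301 https://$host$request_uri;` in the context of PATCH 4/9's `Redirect all unencrypted traffic` hunk (and the blank line PATCH 7/9 adds above it) lives in a `default_server` block, so it also answers requests whose `Host` header names something other than `example.com` and echoes that value into the `Location` header. Since the block declares a single `server_name`, `return 301 https://$server_name$request_uri;` redirects only to the operator's own domain; where several names must be served, keep `$host` but pair it with a separate catch-all `default_server` that returns `444`, and say so in the text under the config entry.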
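Review bot: `ssl_stapling_verify on;` in the context of PATCH 9/9's `@@ -690,13 +696,14 @@` hunk has no matching `ssl_trusted_certificate`, and none of the examples defines a `resolver`; nginx requires the issuer chain via `ssl_trusted_certificate` for verification and a `resolver` to look up the OCSP responder host, so as written it logs a stapling error at startup or on first use and serves without a stapled response. Add `ssl_trusted_certificate /etc/nginx/ssl/chain.pem;` (path illustrative, matching the existing `/etc/nginx/ssl/` layout) and a `resolver` line next to the two stapling directives, or remove them until the example is complete.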
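Review bot: the fences that PATCH 9/9's `@@ -822,11 +829,13 @@` hunk retags as ```bash wrap nginx configuration, not shell, so the `add_header` line and the `server {}` block will be highlighted as bash; GitHub recognizes ```nginx for this, and the same applies to the retagged fences in the DH and headers hunks. On the `add_header Strict-Transport-Security ... always;` line itself the text should warn that nginx inherits `add_header` directives from the server level only into `location` blocks that define none of their own, so a location that adds, for example, a caching header silently drops HSTS for everything it serves; repeat the header there or keep all security headers in one `include`d snippet.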
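Review bot: renaming to `dhparam-4096.pem` in both the `openssl dhparam` command and the two `ssl_dhparam` lines of PATCH 9/9's `@@ -850,16 +859,21 @@` hunk keeps the example consistent, but two caveats belong in the text: `openssl dhparam -out dhparam-4096.pem 4096` can run for many minutes on a small VM, so generate the file once and ship it rather than running the command in a deployment script; and the parameter file is used only for the `DHE-` suites in the TLS 1.2 `ssl_ciphers` list, so if that list is trimmed to ECDHE suites (as suggested for the `Use HTTPS` block) `ssl_dhparam` becomes dead configuration and the section should say when it applies.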
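Review bot: `add_header x-xss-protection "1; mode=block" always;` in PATCH 9/9's `@@ -869,31 +883,33 @@` hunk should no longer be recommended: major browsers have removed the XSS auditor this header controls, and the OWASP Secure Headers Project linked as Source 2 now recommends `X-XSS-Protection: 0`; replace the item with a `Content-Security-Policy` starting point and a `Referrer-Policy`. The header names mix `x-frame-options` and `x-xss-protection` with `X-Content-Type-Options`; HTTP header names are case-insensitive, but pick one casing. The `X-Frame-Options` description `Prevents iframe loading from different websites` states the opposite direction: `SAMEORIGIN` stops other sites from embedding this site's pages in a frame (clickjacking), it does not restrict what this site's pages load.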
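Review bot: `one of best tools` in the context of PATCH 9/9's `@@ -634,11 +634,13 @@` hunk still needs `the` after PATCH 8/9's fix, and `good practise` should be `good practice`. For the two permission recipes in the same hunk, `find /var/www/html -type d -exec chmod 755 {} +` runs `chmod` once per batch instead of once per path, and the text should say who owns the tree: the nginx worker user only needs read access, so the document root should be owned by root or a deploy user rather than by the account nginx runs as, otherwise the `0644` files remain writable by the very process the section is trying to contain.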