Configuring SSL on NGNINX and less tricky servers
32
SSL Sergej Jakovljev
Transcript of Configuring SSL on NGNINX and less tricky servers
SSL
SergejJakovljev
- PRF(pseudorandom function)key- HMACintegrity checks- AEScypher suite
SSL– Secure Socket Layer
http://www.jscape.com/blog/ssl-vs-tls-know-the-difference
TLS– TransportLayer Security
HTTPS– HTTPSecure
Zašto ne?- Podrška- Brzina
https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html
https://istlsfastyet.com
- Sigurnost- Brzina https://www.httpvshttps.com
- Google(Search&)- BrowserAPI
Zašto?
• Geolocation• Devicemotion/orientation• EME• getUserMedia• AppCache• Notifications
https://blog.cloudflare.com/protecting-the-origin-with-tls-authenticated-origin-pulls/
CSR– Certificate Signing RequestPrivate key
CA– Certificate AuthorityRoot CertificateIntermediate CertificateLeaf Certificate
https://blog.cloudflare.com/introducing-cfssl/
Postupakizdavanja1.Generiranje CSR(Certificate Signing Request)
2.Kupnja certifikata i slanje CA
3.Validacija i preuzimanje
4.Konfiguracija servera
openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr
• koji tipkupiti?• gdje ga kupiti?
• validacije ovise otipu certifikata• uz certifikat jepotrebno preuzeti i intemediate i rootcertifikat odCA
Tipovicertifikata
• potvrdaorganizacije• sadrži papirologiju• podacioorganizacijiucertifikatu• plavoimeunekimpreglednicima• izdajesekroz1-2dana
OrganizationValidation (OV) ExtendedValidation (EV)Domain Validation (DV)
http://www.dailyhostnews.com/wp-content/uploads/2013/04/ssl-types.jpg
• enkripcija• potvrdadomene• zelenilokot• dovoljnozaGoogle• izdajeseodmah
• striktna,standardiziranaprovjeraorganizacije
• green bar• izdaje sekroz7-10dana
Pokrivenost
Multiple domain WildcardSingledomain
• Besplatno• Domain Validation (DV)• Nemagarancije• Nemapodrške• Expiration 90dana• certbot
• KoristepoznateCA• Nudesvetipovecertifikata• Podrška 0-24• Trajudo39mjeseci• Garancija od10,000$+• Nudesiteseal
https://www.netnames.com/insights/blog/2013/01/a-whole-lot-of-trust-in-a-little-ssl-seal/
https://www.ssllabs.com/ssltest/
Izvori za većinu konfiguracije koja slijedi:https://sanderknape.com/2016/06/getting-ssl-labs-rating-nginx/https://juliansimioni.com/blog/https-on-nginx-from-zero-to-a-plus-part-2-configuration-ciphersuites-and-performance/
server {listen 443 ssl http2;listen [::]:443 ssl http2;server_name www.stranica.com;
ssl_certificate /etc/ssl/certs/stranica.com.crt;ssl_certificate_key /etc/ssl/private/stranica.com.key;
root /var/www/projekt/;index index.php index.html index.htm default.html default.htm;
https://sanderknape.com/2016/06/getting-ssl-labs-rating-nginx/
server {listen 80 default_server;listen [::]:80 default_server;server_name stranica.com;return 301 https://www.stranica.com$request_uri;
}
server {listen 443 ssl http2;listen [::]:443 ssl http2;server_name www.stranica.com;
ssl_certificate /etc/ssl/certs/stranica.com.crt;ssl_certificate_key /etc/ssl/private/stranica.com.key;
ssl_session_cache shared:SSL:20m;ssl_session_timeout 60m;
ssl_prefer_server_ciphers on;ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;ssl_dhparam /etc/nginx/cert/dhparam.pem;ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_stapling on;ssl_stapling_verify on;ssl_trusted_certificate /etc/nginx/cert/stranica.trustchain.crt;resolver 8.8.8.8 8.8.4.4;
add_header Strict-Transport-Security "max-age=31536000" always;
root /var/www/projekt/;index index.php index.html index.htm default.html default.htm;
https://sanderknape.com/2016/06/getting-ssl-labs-rating-nginx/
https://blog.cloudflare.com/introducing-cfssl/
# put do certifikata i privatnog ključa# obicno leaf + intermediate certifikatissl_certificate /etc/ssl/certs/stranica.com.cetrchain.crt;ssl_certificate_key /etc/ssl/private/stranica.com.key;
# onemogućimo SSLssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# postavimo veličinu cachea i vrijeme trajanja sessiona# kako bi izbjegli ponavljanje dugotrajnog TLS handshakeassl_session_cache shared:SSL:20m;ssl_session_timeout 60m;
cat stranica_com.crt stranica_com.ca-bundle > stranica.com.certchain.crt
CERTIFIKAT+INTERMEDIATE+ROOT
# server bira cyphere umjesto klijentassl_prefer_server_ciphers on;
# omogući samo određene cypheressl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
# za Diffie-Hellman Exchange koristi 2048 bit RSA ključssl_dhparam /etc/nginx/cert/dhparam.pem;
openssl dhparam 2048 -out /etc/nginx/cert/dhparam.pem
Diffie–Hellmankeyexchangehttps://en.wikipedia.org/wiki/Diffie–Hellman_key_exchange
OCSPStaplingOmogućuje daklijent dokaže valjanost certifikata
Klijent
CA
Server
Klijent
CA
Server
ssl_stapling on;ssl_stapling_verify on;resolver 8.8.8.8 8.8.4.4;
# cijeli chain certifikata# 1. potvrduje da je client certifikat dobar# 2. za OCSP verifikacijussl_trusted_certificate /etc/nginx/cert/stranica.trustchain.crt;
CERTIFIKAT+INTERMEDIATE+ROOT
cat stranica_com.crt stranica_com.ca-bundle > stranica.com.certchain.crt
# HSTS (HTTP Strict Transport Security)# forsira korištenje SSL protokola, nepovratno!add_header Strict-Transport-Security "max-age=31536000" always;add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
hstspreload.org
#instanciraj jos jedan serverkoji redirecta sve HTTPna HTTPS#paziti za API-jeserver{
listen80default_server;listen[::]:80default_server;server_name stranica.com;return301https://www.stranica.com$request_uri;
}
server{listen443ssl http2; #za najbolje rezultateomogućiti HTTP2listen[::]:443ssl http2;...
}
https://devcenter.heroku.com/articles/ssl
https://www.taylorpetrick.com/blog/post/https-nodejs-letsencrypt
const https = require('https') const helmet = require('helmet')
...
app.use(helmet.hsts({ maxAge: 31536000000, includeSubdomains: true, force: true
}));
...
https.createServer({key: fs.readFileSync("/etc/letsencrypt/archive/example.com/privkey1.pem"),cert: fs.readFileSync("/etc/letsencrypt/archive/example.com/fullchain1.pem"),ca: fs.readFileSync("/etc/letsencrypt/archive/example.com/chain1.pem"),dhparam: fs.readFileSync("/etc/letsencrypt/archive/example.com/dh1.pem"),
}, app).listen(443);
Upload certifikata:https://aws.amazon.com/certificate-manager/
AmazonS3savlastitomdomenomhttps://aws.amazon.com/cloudfront/custom-ssl-domains/
EC2uzClassic Load Balancerhttp://docs.aws.amazon.com/elasticloadbalancing/latest/classic/ssl-server-cert.html
- SPF(SenderPolicyFramework)– domene- DKIM(DomainKeys IdentifiedMail)- digitalni potpis- DMARC(Domain-basedMessageAuthentication,
Reporting&Conformance)
http://www.jscape.com/blog/ssl-vs-tls-know-the-difference
![Configuring SSL With Self-signed Certificates[1]](https://static.fdocuments.net/doc/165x107/5571ff7049795991699d3e1c/configuring-ssl-with-self-signed-certificates1.jpg)
