Deutsch | English

[Ach] howto 4x100 with nginx

L. Aaron Kaplan aaron at lo-res.org
Tue Nov 18 09:54:45 CET 2014


Thanks Andreas,

This allows us to compare against our recommendations.

On Nov 16, 2014, at 10:03 PM, A. Schulze <sca at andreasschulze.de> wrote:

> by request of Aaron Kaplan I like to post my setup for nginx
> 
> - 4096 bit private key
> - sha256 hash
> - signed by StartCom Class 1 Primary Intermediate Server CA (sha256)
> - 4096 dhparam file
> - latest openssl provided by debian wheezy (Nov 2014: 1.0.1e-2+deb7u13)
> - nginx-1.6.2 ( I compile from source )
> 
> nginx.conf:
> 
> server {
> listen 192.0.2.80:443 ssl spdy;
> server_name www.example.org;
> ssl_session_cache shared:SSL:100k;
> ssl_ciphers ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA;
> ssl_prefer_server_ciphers on;
> ssl_protocols TLSv1.2;
> ssl_stapling on;
> ssl_stapling_verify on;
> ssl_trusted_certificate /path/to/intermediate.pem
> ssl_dhparam /path/to/dh_4096.pem;
> ssl_certificate /path/to/cert+intermediate.pem;
> ssl_certificate_key /path/to/key.pem;
> add_header strict-transport-security "max-age=31536000";
> add_header x-frame-options "sameorigin";
> add_header x-xss-protection "1; mode=block";
> add_header x-content-type-options "nosniff";
> add_header Public-Key-Pins  "max-age=5184000; pin-sha256=\"...\"; pin-sha256=\"...\";";
> root /path/to/webroot/;
> ... hope I forgot nothing ...
> ... other settings;
> }
> 
> the hpkp header is generated based on the script https://github.com/hannob/hpkp/blob/master/hpkp-gen
> 
> if you replace ssl_protocols with "TLSv1 TLSv1.2" you get a server that is accessible from
> most current/importent clients and still rated as 100/95/100/100.
> 
> Andreas
> 
> _______________________________________________
> Ach mailing list
> Ach at lists.cert.at
> http://lists.cert.at/cgi-bin/mailman/listinfo/ach

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.cert.at/pipermail/ach/attachments/20141118/75f10b15/attachment.sig>


More information about the Ach mailing list
Kontakt
Email: reports@cert.at
Tel.: +43 1 5056416 78
mehr ...
Warnungen
mehr ...
Blog
mehr ...
Jahresbericht 2017
Ein Resumee zur digitalen Sicherheitslage in Österreich

(HTML, PDF).
Letzte Änderung: 2018/5/28 - 15:00:00
Haftungsausschluss / Datenschutzerklärung