tajidyakub
4/4/2018 - 6:14 AM

Implementasi SSL di nginx dengan security enhancement actions tambahan

Implementasi SSL di nginx dengan security enhancement actions tambahan

SSL Cert di Nginx

Ref: https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html

Implementasi dasar

  • Letsencrypt SSL untuk Nginx

Hardening Nginx Web Server SSL Configs

  • Stronger DHE (Diffie Hellman Ephemeral) Parameters
  • Disable insecured Protocols
  • Use only Recommenmded Cipher Suite
  • HTTP Strict Transport Security (HSTS)
  • OSCP Stapling
  • TLS Fallback Extensions (openssl)
  • HTTP Public Key Pinning

Stronger DHE Param

○ → cd /etc/ssl/
○ → openssl dhparam -out dhparam.pem 4096
Generating DH parameters, 4096 bit long safe prime, generator 2
This is going to take a long time ...

Implementasi ke konfigurasi nginx untuk menggunakan DHE param yang baru ketika dibutuhkan ( DHE Key-exchange)

$ cd /etc/sssl & mkdir certs
$ mv dhparam.pem certs

ssl_dhparam /etc/ssl/certs/dhparam.pem;

Disable SSLv2 dan SSLv3

Disable protokol yang insecure, modifikasi file konfigurasi nginx menjadi sebagai berikut;

# /etc/nginx/nginx.conf
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

Enable TLS Fallback ekstension

Untuk hardening dari POODLE bug, enable TLS Fallback ekstension, hal ini dapat dilakukan secara otomatis apabila menggunakan openssl release berikut

  • OpenSSL 1.0.1 has TLSFALLBACKSCSV in 1.0.1j and higher.
  • OpenSSL 1.0.0 has TLSFALLBACKSCSV in 1.0.0o and higher.
  • OpenSSL 0.9.8 has TLSFALLBACKSCSV in 0.9.8zc and higher.

Chiper Suite yang direkomendasi

Aktifkan hanya Cipher Suite yang direkomendasikan, salah satunya oleh Mozilla Foundation.

ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

Untuk backward compatibility (IE6 dan WinXP) dapat konfigurasi cipher suite berikut;

ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";

Extra Settings

ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;

OCSP Stapling

Tutorial untuk enable OCSP Stapling di Nginx Web Server https://raymii.org/s/tutorials/OCSP_Stapling_on_nginx.html

Konfirmasi

$ openssl s_client -connect domain.tld:443 -tls1 -tlsextdebug -status

OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
    Produced At: Apr  6 19:03:00 2018 GMT
    Responses:
    Certificate ID:

Enable HSTS

Tentang HTTP Strict Transport Security https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

# HSTS
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload ";
# X-Frame-Options Header
add_header X-Frame-Options "DENY";

HTTP Public Key Pinning Extension

Enable HTTP Public Key Pinning Extension - untuk memastikan hanya CA yang kita tentukan yang dapat melakukan konfirmasi terhadap cert (signing) dan bukan CA yang tersimpan di storage browser. Lebih lanjut di https://raymii.org/s/articles/HTTPPublicKeyPinningExtension_HPKP.html