4/4/2018 - 6:14 AM

Implementasi SSL di nginx dengan security enhancement actions tambahan

nginx-ssl-security-enhancement.md

Rendered
Source

SSL Cert di Nginx

Ref: https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html

Implementasi dasar

Letsencrypt SSL untuk Nginx

Hardening Nginx Web Server SSL Configs

Stronger DHE (Diffie Hellman Ephemeral) Parameters
Disable insecured Protocols
Use only Recommenmded Cipher Suite
HTTP Strict Transport Security (HSTS)
OSCP Stapling
TLS Fallback Extensions (openssl)
HTTP Public Key Pinning

Stronger DHE Param

○ → cd /etc/ssl/
○ → openssl dhparam -out dhparam.pem 4096
Generating DH parameters, 4096 bit long safe prime, generator 2
This is going to take a long time ...

Implementasi ke konfigurasi nginx untuk menggunakan DHE param yang baru ketika dibutuhkan ( DHE Key-exchange)

$ cd /etc/sssl & mkdir certs
$ mv dhparam.pem certs

ssl_dhparam /etc/ssl/certs/dhparam.pem;

Disable SSLv2 dan SSLv3

Disable protokol yang insecure, modifikasi file konfigurasi nginx menjadi sebagai berikut;

# /etc/nginx/nginx.conf
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

Enable TLS Fallback ekstension

Untuk hardening dari POODLE bug, enable TLS Fallback ekstension, hal ini dapat dilakukan secara otomatis apabila menggunakan openssl release berikut

OpenSSL 1.0.1 has TLSFALLBACKSCSV in 1.0.1j and higher.
OpenSSL 1.0.0 has TLSFALLBACKSCSV in 1.0.0o and higher.
OpenSSL 0.9.8 has TLSFALLBACKSCSV in 0.9.8zc and higher.

Chiper Suite yang direkomendasi

Aktifkan hanya Cipher Suite yang direkomendasikan, salah satunya oleh Mozilla Foundation.

ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

Untuk backward compatibility (IE6 dan WinXP) dapat konfigurasi cipher suite berikut;

ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";

Extra Settings

ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;

OCSP Stapling

Tutorial untuk enable OCSP Stapling di Nginx Web Server https://raymii.org/s/tutorials/OCSP_Stapling_on_nginx.html

Konfirmasi

$ openssl s_client -connect domain.tld:443 -tls1 -tlsextdebug -status

OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
    Produced At: Apr  6 19:03:00 2018 GMT
    Responses:
    Certificate ID:

Enable HSTS

Tentang HTTP Strict Transport Security https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

# HSTS
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload ";
# X-Frame-Options Header
add_header X-Frame-Options "DENY";

HTTP Public Key Pinning Extension

Enable HTTP Public Key Pinning Extension - untuk memastikan hanya CA yang kita tentukan yang dapat melakukan konfirmasi terhadap cert (signing) dan bukan CA yang tersimpan di storage browser. Lebih lanjut di https://raymii.org/s/articles/HTTPPublicKeyPinningExtension_HPKP.html

Cacher is the code snippet organizer for pro developers

We empower you and your team to get more done, faster