markdown 实施SSL di nginx dengan安全增强行动tambahan
Posted
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了markdown 实施SSL di nginx dengan安全增强行动tambahan相关的知识,希望对你有一定的参考价值。
# SSL Cert di Nginx
Ref: https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
## Implementasi dasar
- [ ] Letsencrypt SSL untuk Nginx
## Hardening Nginx Web Server SSL Configs
- [x] Stronger DHE (Diffie Hellman Ephemeral) Parameters
- [x] Disable insecured Protocols
- [x] Use only Recommenmded Cipher Suite
- [x] HTTP Strict Transport Security (HSTS)
- [x] OSCP Stapling
- [x] TLS Fallback Extensions (openssl)
- [ ] HTTP Public Key Pinning
### Stronger DHE Param
```bash
○ → cd /etc/ssl/
○ → openssl dhparam -out dhparam.pem 4096
Generating DH parameters, 4096 bit long safe prime, generator 2
This is going to take a long time ...
```
Implementasi ke konfigurasi nginx untuk menggunakan DHE param yang baru ketika dibutuhkan ( DHE Key-exchange)
```bash
$ cd /etc/sssl & mkdir certs
$ mv dhparam.pem certs
ssl_dhparam /etc/ssl/certs/dhparam.pem;
```
### Disable SSLv2 dan SSLv3
Disable protokol yang insecure, modifikasi file konfigurasi nginx menjadi sebagai berikut;
```bash
# /etc/nginx/nginx.conf
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
```
### Enable TLS Fallback ekstension
Untuk hardening dari [POODLE bug](https://raymii.org/s/articles/Check_servers_for_the_Poodle_bug.html), enable TLS Fallback ekstension, hal ini dapat dilakukan secara otomatis apabila menggunakan openssl release berikut
* OpenSSL 1.0.1 has TLSFALLBACKSCSV in 1.0.1j and higher.
* OpenSSL 1.0.0 has TLSFALLBACKSCSV in 1.0.0o and higher.
* OpenSSL 0.9.8 has TLSFALLBACKSCSV in 0.9.8zc and higher.
### Chiper Suite yang direkomendasi
Aktifkan hanya Cipher Suite yang direkomendasikan, salah satunya oleh [Mozilla Foundation](https://wiki.mozilla.org/Security/Server_Side_TLS).
``` bash
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
```
Untuk backward compatibility (IE6 dan WinXP) dapat konfigurasi cipher suite berikut;
```bash
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
```
### Extra Settings
```
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
```
### OCSP Stapling
Tutorial untuk enable OCSP Stapling di Nginx Web Server https://raymii.org/s/tutorials/OCSP_Stapling_on_nginx.html
Konfirmasi
```bash
$ openssl s_client -connect domain.tld:443 -tls1 -tlsextdebug -status
OCSP response:
======================================
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
Produced At: Apr 6 19:03:00 2018 GMT
Responses:
Certificate ID:
```
### Enable HSTS
Tentang HTTP Strict Transport Security https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
```
# HSTS
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload ";
# X-Frame-Options Header
add_header X-Frame-Options "DENY";
```
### HTTP Public Key Pinning Extension
Enable HTTP Public Key Pinning Extension - untuk memastikan hanya CA yang kita tentukan yang dapat melakukan konfirmasi terhadap cert (signing) dan bukan CA yang tersimpan di storage browser. Lebih lanjut di https://raymii.org/s/articles/HTTPPublicKeyPinningExtension_HPKP.html以上是关于markdown 实施SSL di nginx dengan安全增强行动tambahan的主要内容,如果未能解决你的问题,请参考以下文章
markdown 媒体流服务器di Ubuntu menggunakan Nginx rtmp模块