#top Przydatne informacje¶

[<<]|[<]|[^]|[v]|[>]|[>>]|[Zwiń]|[#top]|[X]

#top Timeout¶

#top Load Balancing with HAProxy¶

#top Nginx behind HAProxy¶

Zobacz także Nginx behind HAProxy dla: HAProxy (HAProxy)

W niniejszej konfiguracji HAProxy odbiera połączenia przychodzące na port 80 i przekierowywuje je do Nginx na port 85:

Plik konfiguracyjny /etc/nginx/nginx.conf:

http {
[...]
    #The configuration always includes the predefined "combined" format:
    #log_format   combined   '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"';
    log_format   combinedpe '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for"';
    log_format  vcombined   '$host $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"';
    log_format  vcombinedpe '$host $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for"';

    set_real_ip_from  10.41.0.58/32;
    real_ip_header    X-Forwarded-For;
    #real_ip_recursive off;
[...]
}

Plik konfiguracyjny /etc/nginx/vhosts/cen06x64.xen.wbcd.pl.conf:

#
# cen06x64.xen.wbcd.pl
#
server {
    #limit_conn   myzone  10;
    listen       85;
    server_name  cen06x64.xen.wbcd.pl;
    #charset koi8-r;

    access_log  /var/log/nginx/cen06x64_xen_wbcd_pl.access.log  combinedpe;
    error_log  /var/log/nginx/cen06x64_xen_wbcd_pl.error.log  error;

    location / {
        root   /srv/nginx/vhosts/cen06x64.xen.wbcd.pl;
        index  index.html index.htm;
    }

    error_page  404              /404.html;
    location = /404.html {
        root   /srv/nginx/error;
    }

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /srv/nginx/error;
    }

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    location ~ /\.ht {
        deny  all;
    }
}

Zgodnie z RFC 7239 - Forwarded HTTP Header Field

A proxy server that wants to add a new "Forwarded" header field value
can either append it to the last existing "Forwarded" header field
after a comma separator or add a new field at the end of the header block.

oraz dokumentacją na stronie X-Forwarded-For (mozilla.org)

Syntax
X-Forwarded-For: <client>, <proxy1>, <proxy2>

adres IP klienta jest pierwszym adresem na liście w nagłówku HTTP X-Forwarded-For. Natomiast adres IP klienta łączącego się do serwera WWW jest ostatnim adresem IP na liście w nagłówku HTTP X-Forwarded-For dodanym przez serwer HAProxy, który przekazuje odebrane żądanie HTTP do serwera WWW i ten adres zostanie zapisany w logach access serwera.

Aby w logach access serwera Nginx zamiast adresu serwera Proxy zapisywany był adres klienta łączącego się poprzez Proxy niezbędne jest skonfigurowanie dyrektyw set_real_ip_from określających adres IP serwera Proxy z który będzie wysyłał nagłówek X-Forwarded-For zawierający adres IP klienta oraz real_ip_header definującej nazwę nagłówka zawierającego adres IP klienta, a zmienna $remote_addr użyta w log_format będzie zawierała adres IP klienta, który będzie zapisywany w logach access serwera Nginx (Zobacz sekcję LogFormat).

#top TLS SNI¶

In order to use SNI in nginx, it must be supported in both the OpenSSL library with which the nginx binary has been built as well as the library to which it is being dynamically linked at run time. OpenSSL supports SNI since 0.9.8f version if it was built with config option "--enable-tlsext". Since OpenSSL 0.9.8j this option is enabled by default. If nginx was built with SNI support, then nginx will show this when run with the "-V" switch:

nginx -V

...
TLS SNI support enabled
...

#top SNI config¶

#top SNI check¶

#top Protocol Secure¶

#top Remove Service Version Information¶

http {
[...]
    # Enables or disables emitting nginx version on error pages and in the "Server" response header field.
    server_tokens off;
[...]
}

#top Add HTTP Response Headers Security¶

Zobacz także Add HTTP Response Headers Security dla: Apache | Nginx | Lighttpd | thttpd | HAProxy | Varnish | SQUID
Zobacz także Add HTTP Response Headers Security dla: ProFTPd | Pure-FTPd | vsftpd | Postfix | Dovecot | OpenLDAP
Zobacz także Add HTTP Response Headers Security dla: pgpool | PostgreSQL | MySQL | Firebird

(Zobacz sekcję HTTP Header Add)

Strict-Transport-Security: RFC6797, mozilla.org (mozilla.org),
X-XSS-Protection: RFC-draft, mozilla.org, microsoft.com,
X-Frame-Options: RFC7034, mozilla.org, microsoft.com, microsoft.com,
X-Content-Type-Options: mozilla.org,
Content-Security-Policy: RFC7762, mozilla.org, mozilla.org,

EXAMPLES

#
# cen06x64.xen.wbcd.pl:443 - HTTPS server configuration
#
server {
    #limit_conn   myzone  10;
    listen       447;
    server_name  cen06x64.xen.wbcd.pl;
    #charset koi8-r;

    access_log  /var/log/nginx/cen06x64_xen_wbcd_pl.ssl.access.log  main;
    error_log  /var/log/nginx/cen06x64_xen_wbcd_pl.ssl.error.log  error;

    add_header Strict-Transport-Security "max-age=15552000; includeSubDomains";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-Content-Type-Options "nosniff";
    add_header Content-Security-Policy "default-src 'self' cen06x64.xen.wbcd.pl";

    ssl                  on;
    ssl_certificate      /etc/pki/tls/certs/cen06x64.xen.wbcd.pl.crt;
    ssl_certificate_key  /etc/pki/tls/certs/cen06x64.xen.wbcd.pl.key;

    ssl_protocols  TLSv1;
    ssl_ciphers  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    ssl_prefer_server_ciphers   on;

    location / {
        root   /srv/nginx/vhosts/cen06x64.xen.wbcd.pl;
        index  index.html index.htm;
    }

    error_page  404              /404.html;
    location = /404.html {
        root   /srv/nginx/error;
    }

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /srv/nginx/error;
    }

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    location ~ /\.ht {
        deny  all;
    }
}

#top TLS Secure¶

#top Disable SSLv2/SSLv3 Protocols¶

#top Disable weak Cipher Suites¶

#top Disable RC4 CipherSuite¶

#top Disable Anonymous CipherSuite¶

#top Disable SSL Compression¶

The openssl packages in Red Hat Enterprise Linux 5 (starting with RHBA-2009:0181 update released in Red Hat Enterprise Linux 5.3) and 6, and also in Fedora, contain a patch that makes the library check if OPENSSL_NO_DEFAULT_ZLIB environment variable is set (can have arbitrary value, even empty string) and disable the default zlib support.

Setting the OPENSSL_NO_DEFAULT_ZLIB environment variable before starting a client or a server application using OpenSSL can be used to disable zlib compression support and hence mitigate this flaw. For example, httpd with mod_ssl has compression enabled by default in Red Hat Enterprise Linux 5 and 6, and hence it is used when client also supports it. Adding the following line to the /etc/sysconfig/httpd file:

export OPENSSL_NO_DEFAULT_ZLIB=1

and restarting the httpd service disables the use of SSL/TLS compression in mod_ssl and the compression will not be negotiated even when connecting client supports it. Note that this environment variable only affects the use of SSL/TLS protocol compression and does not affect the use of HTTP protocol compression implemented by the mod_deflate module.

CVE-2012-4929 SSL/TLS CRIME attack against HTTPS

The MITRE CVE dictionary describes this issue as:

The TLS protocol 1.2 and earlier, as used in Mozilla Firefox, Google Chrome, Qt, and other products, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which allows man-in-the-middle attackers to obtain plaintext HTTP headers by observing length differences during a series of guesses in which a string in an HTTP request potentially matches an unknown string in an HTTP header, aka a "CRIME" attack.

Find out more about CVE-2012-4929 from the MITRE CVE dictionary and NIST NVD.

Vulnerability Summary for CVE-2009-1891

The TLS protocol 1.2 and earlier, as used in Mozilla Firefox, Google Chrome, Qt, and other products, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which allows man-in-the-middle attackers to obtain plaintext HTTP headers by observing length differences during a series of guesses in which a string in an HTTP request potentially matches an unknown string in an HTTP header, aka a "CRIME" attack.

#top Set custom DH parameters¶

#top Avoid certificates with Signature Algorithm: SHA1¶

After Jan. 1, 2016, Firefox will present an "Untrusted Connection" error when a newly issued SHA-1 certificate is encountered, and after Jan. 1, 2017, Firefox will present an "Untrusted Connection" error whenever a SHA-1 certificate is encountered at all, according to a Tuesday post.

SHA-1 has been around for nearly two decades, and in recent years researchers have demonstrated SHA-1 mathematical weaknesses that could be exploited given enough time and computing power, Richard Barnes, engineering manager, cryptography and PKI, with Mozilla, told SCMagazine.com in a Wednesday email correspondence.

Mozilla Security Blog

Many of the certificates used by secure websites today are signed using algorithms based on a hash algorithm called SHA-1. The integrity of the hash algorithm used in signing a certificate is a critical element in the security of the certificate. Weaknesses in hash algorithms can lead to situations in which attackers can obtain fraudulent certificates. Mozilla, along with other browser vendors, is working on a plan to phase out support for the SHA-1 hash algorithm.

SHA-1 is nearly twenty years old, and is beginning to show its age. In the last few years, collision attacks undermining some properties of SHA-1 have been getting close to being practical. Collision attacks against the older MD5 hash algorithm have been used to obtain fraudulent certificates, so the improving feasibility of collision attacks against SHA-1 is concerning. In order to avoid the need for a rapid transition should a critical attack against SHA-1 be discovered, we are proactively phasing out SHA-1.

Zmodyfikowany ostatnio: 2018/04/11 23:28:36 (6 lat temu), textsize: 33,2 kB, htmlsize: 50,9 kB

Zapraszam do komentowania, zgłaszania sugestii, propozycji, własnych przykładów, ...

Dodaj komentarzKomentarze użytkowników