github
/
nginxconfig.io
mirror of https://github.com/digitalocean/nginxconfig.io
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

enabled TLSv1.3, replaced SSL profiles logic to OWASP 

fixes #42, fixes #82
pull/84/head
Bálint Szekeres 2019-04-14 21:50:15 +02:00
parent 926bce92ee
commit 5c73002020
6 changed files with 59 additions and 37 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
README.md
View File

@ -125,7 +125,7 @@
* [FileSaver](https://github.com/eligrey/FileSaver.js) - downloading zip file * [FileSaver](https://github.com/eligrey/FileSaver.js) - downloading zip file
## Resources ## Resources
* [Mozilla SSL Configuration Generator](https://mozilla.github.io/server-side-tls/ssl-config-generator/) * [OWASP TLS Cipher String Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/TLS_Cipher_String_Cheat_Sheet.md)
* [Nginx Optimization: understanding sendfile, tcp_nodelay and tcp_nopush](https://thoughts.t37.net/nginx-optimization-understanding-sendfile-tcp-nodelay-and-tcp-nopush-c55cdd276765) * [Nginx Optimization: understanding sendfile, tcp_nodelay and tcp_nopush](https://thoughts.t37.net/nginx-optimization-understanding-sendfile-tcp-nodelay-and-tcp-nopush-c55cdd276765)
* [NGINX Tuning For Best Performance](https://gist.github.com/denji/8359866) * [NGINX Tuning For Best Performance](https://gist.github.com/denji/8359866)
* [Hardening Your HTTP Security Headers](https://www.keycdn.com/blog/http-security-headers/) * [Hardening Your HTTP Security Headers](https://www.keycdn.com/blog/http-security-headers/)

40
public/assets/js/app.js
View File

@ -65,7 +65,7 @@
}], }],
// COMMON - HTTPS // COMMON - HTTPS
ssl_profile: 'modern', ssl_profile: 'B',
resolver_cloudflare: true, resolver_cloudflare: true,
resolver_google: true, resolver_google: true,
resolver_opendns: true, resolver_opendns: true,
@ -369,17 +369,25 @@
}; };
$scope.sslProfiles = { $scope.sslProfiles = {
modern: { A: {
protocols: 'TLSv1.2', name: 'OWASP A (Advanced)',
ciphers: 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256', protocols: 'TLSv1.2 TLSv1.3',
ciphers: 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256',
}, },
intermediate: { B: {
protocols: 'TLSv1 TLSv1.1 TLSv1.2', name: 'OWASP B (Broad Compatibility)',
ciphers: 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS', protocols: 'TLSv1.2 TLSv1.3',
ciphers: 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256',
}, },
old: { C: {
protocols: 'SSLv3 TLSv1 TLSv1.1 TLSv1.2', name: 'OWASP C (Widest Compatibility)',
ciphers: 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP', protocols: 'TLSv1 TLSv1.1 TLSv1.2 TLSv1.3',
ciphers: 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA',
},
D: {
name: 'OWASP D (Legacy)',
protocols: 'TLSv1 TLSv1.1 TLSv1.2 TLSv1.3',
ciphers: 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA',
}, },
}; };
@ -901,16 +909,12 @@
// COMMON - HTTPS // COMMON - HTTPS
$scope.isSSLProfileModern = function() { $scope.isSSLDHRequired = function() {
return $scope.hasHTTPS() && $scope.data.ssl_profile === 'modern'; return $scope.hasHTTPS() && $scope.sslProfiles[$scope.data.ssl_profile].ciphers.indexOf(':DHE') !== -1;
}; };
$scope.isSSLProfileIntermediate = function() { $scope.isSSLProfileLegacy = function() {
return $scope.hasHTTPS() && $scope.data.ssl_profile === 'intermediate'; return $scope.hasHTTPS() && $scope.data.ssl_profile === 'D';
};
$scope.isSSLProfileOld = function() {
return $scope.hasHTTPS() && $scope.data.ssl_profile === 'old';
}; };
$scope.isResolverCloudflare = function() { $scope.isResolverCloudflare = function() {

32
public/index.html
View File

@ -596,22 +596,28 @@
<div class="row"> <div class="row">
<legend class="col-sm-3 col-form-label col-form-label-sm">SSL profile</legend> <legend class="col-sm-3 col-form-label col-form-label-sm">SSL profile</legend>
<div class="col-sm-9"> <div class="col-sm-9">
<div class="form-check form-check-inline" ng-class="{ 'input-changed': data.ssl_profile !== defaultData.ssl_profile && data.ssl_profile === 'modern' }"> <div class="form-check form-check-inline" ng-class="{ 'input-changed': data.ssl_profile !== defaultData.ssl_profile && data.ssl_profile === 'A' }">
<input class="form-check-input" type="radio" id="modern" ng-model="data.ssl_profile" value="modern"> <input class="form-check-input" type="radio" id="OWASP-A" ng-model="data.ssl_profile" value="A">
<label class="form-check-label col-form-label-sm" for="modern"> <label class="form-check-label col-form-label-sm" for="OWASP-A">
<span tooltips tooltip-template="Oldest compatible clients: Firefox 27, Chrome 30, IE 11 on Windows 7, Edge, Opera 17, Safari 9, Android 5.0, and Java 8" tooltip-side="top">modern</span> <span tooltips tooltip-template="<strong>Advanced</strong>, wide browser compatibility, e.g. to most newer browser versions<br><br>Oldest compatible clients:<ul><li>Android 4.4.2</li><li>Chrome 32/Win 7</li><li>Chrome 34/OS X</li><li>Edge 12/Win 10</li><li>Firefox 27/Win 8</li><li>IE11/Win 7 + MS14-066</li><li>Java8b132</li><li>OpenSSL 1.0.1e</li><li>Safari 9/iOS 9.</li></ul>" tooltip-side="top" tooltip-class="ssl">OWASP A</span>
</label> </label>
</div> </div>
<div class="form-check form-check-inline" ng-class="{ 'input-changed': data.ssl_profile !== defaultData.ssl_profile && data.ssl_profile === 'intermediate' }"> <div class="form-check form-check-inline" ng-class="{ 'input-changed': data.ssl_profile !== defaultData.ssl_profile && data.ssl_profile === 'B' }">
<input class="form-check-input" type="radio" id="intermediate" ng-model="data.ssl_profile" value="intermediate"> <input class="form-check-input" type="radio" id="OWASP-B" ng-model="data.ssl_profile" value="B">
<label class="form-check-label col-form-label-sm" for="intermediate"> <label class="form-check-label col-form-label-sm" for="OWASP-B">
<span tooltips tooltip-template="Oldest compatible clients: Firefox 1, Chrome 1, IE 7, Opera 5, Safari 1, Windows XP IE8, Android 2.3, Java 7" tooltip-side="top">intermediate</span> <span tooltips tooltip-template="<strong>Broad</strong> compatibility to browsers, check the compatibility to other protocols before using it, e.g. IMAPS<br><br>Oldest compatible clients: <ul><li>Android 4.4.2</li><li>Chrome 30/Win 7</li><li>Chrome 34/OS X</li><li>Edge 12/Win 10</li><li>Firefox 27/Win 8</li><li>IE11/Win 7</li><li>IE 11/WinPhone 8.1</li><li>Java8b132</li><li>OpenSSL 1.0.1e</li><li>Opera 17/Win 7</li><li>Safari 5/iOS 5.1.1</li><li>Safari 7/OS X 10.9</li></ul>" tooltip-side="top" tooltip-class="ssl">OWASP B</span>
</label> </label>
</div> </div>
<div class="form-check form-check-inline" ng-class="{ 'input-changed': data.ssl_profile !== defaultData.ssl_profile && data.ssl_profile === 'old' }"> <div class="form-check form-check-inline" ng-class="{ 'input-changed': data.ssl_profile !== defaultData.ssl_profile && data.ssl_profile === 'C' }">
<input class="form-check-input" type="radio" id="old" ng-model="data.ssl_profile" value="old"> <input class="form-check-input" type="radio" id="OWASP-C" ng-model="data.ssl_profile" value="C">
<label class="form-check-label col-form-label-sm" for="old"> <label class="form-check-label col-form-label-sm" for="OWASP-C">
<span tooltips tooltip-template="Oldest compatible clients: Windows XP IE6, Java 6" tooltip-side="top">old</span> <span tooltips tooltip-template="<strong>Widest Compatibility</strong>, compatibility to most legacy browsers, legacy libraries (still patched) and other application protocols besides https, e.g. IMAPS<br><br>Oldest compatible clients: <ul><li>Android 2.3.7/4.0.4</li><li>Chrome 27/Win 7</li><li>Chrome 34/OS X</li><li>Edge 12/Win 10</li><li>Firefox 10.0.12 ESR/Win 7</li><li>Firefox 21/Win 7+Fedora 19</li><li>IE 7/Vista</li><li>IE 10/WinPhone 8.0</li><li>Java 7u25</li><li>OpenSSL 0.9.8y</li><li>Opera 12.15/Win 7</li><li>Safari 5/iOS 5.1.1</li><li>Safari 5.1.9/OS X 10.6.8</li></ul>" tooltip-side="top" tooltip-class="ssl">OWASP C</span>
</label>
</div>
<div class="form-check form-check-inline" ng-class="{ 'input-changed': data.ssl_profile !== defaultData.ssl_profile && data.ssl_profile === 'D' }">
<input class="form-check-input" type="radio" id="OWASP-D" ng-model="data.ssl_profile" value="D">
<label class="form-check-label col-form-label-sm" for="OWASP-D">
<span tooltips tooltip-template="<strong>Legacy</strong>, widest compatibility to real old browsers and legacy libraries and other application protocols like SMTP" tooltip-side="top" tooltip-class="ssl">OWASP D</span>
</label> </label>
</div> </div>
</div> </div>
@ -985,7 +991,7 @@
<div class="container"> <div class="container">
<div class="row grid"> <div class="row grid">
<div class="grid-sizer col-xl-6"></div> <div class="grid-sizer col-xl-6"></div>
<div ng-if="isSymlink() || (isHTTPS() && (isCertLetsEncrypt() || !isSSLProfileModern()))" class="grid-item col-xl-10 offset-xl-1" ng-cloak> <div ng-if="isSymlink() || (isHTTPS() && (isCertLetsEncrypt() || isSSLDHRequired()))" class="grid-item col-xl-10 offset-xl-1" ng-cloak>
<div class="commands"> <div class="commands">
<pre><code class="hljs bash" ng-include="'templates/commands.html?v=COMMIT_HASH'"></code></pre> <pre><code class="hljs bash" ng-include="'templates/commands.html?v=COMMIT_HASH'"></code></pre>
</div> </div>

6
public/templates/commands.html
View File

@ -4,15 +4,15 @@
<span class="hljs-section">ln</span> <span class="hljs-attribute">-s</span> <span ng-repeat="(_site, _domain) in getDomains() track by $index">/etc/nginx/sites-available/{{ _domain }}.conf </span>/etc/nginx/sites-enabled</span><!-- <span class="hljs-section">ln</span> <span class="hljs-attribute">-s</span> <span ng-repeat="(_site, _domain) in getDomains() track by $index">/etc/nginx/sites-available/{{ _domain }}.conf </span>/etc/nginx/sites-enabled</span><!--
✔ symlink || ✔ HTTPS --><span ng-if="isSymlink() && (isSSLProfileIntermediate() || isSSLProfileOld() || hasCertLetsEncrypt())"> ✔ symlink || ✔ HTTPS --><span ng-if="isSymlink() && (isSSLDHRequired() || hasCertLetsEncrypt())">
</span><!-- </span><!--
✔ SSL profile: intermediate || old --><span ng-if="isSSLProfileIntermediate() || isSSLProfileOld()"><!-- ✔ SSL DH required --><span ng-if="isSSLDHRequired()"><!--
--><span class="hljs-comment"># <strong>HTTPS</strong>: create Diffie-Hellman keys</span> --><span class="hljs-comment"># <strong>HTTPS</strong>: create Diffie-Hellman keys</span>
<span class="hljs-section">openssl dhparam</span> <span class="hljs-attribute">-dsaparam</span> <span class="hljs-attribute">-out</span> /etc/nginx/dhparam.pem <span class="hljs-number">{{ isSSLProfileOld() ? 1024 : 2048 }}</span><!-- <span class="hljs-section">openssl dhparam</span> <span class="hljs-attribute">-dsaparam</span> <span class="hljs-attribute">-out</span> /etc/nginx/dhparam.pem <span class="hljs-number">{{ isSSLProfileLegacy() ? 1024 : 2048 }}</span><!--
--><span ng-if="hasCertLetsEncrypt()"> --><span ng-if="hasCertLetsEncrypt()">

4
public/templates/conf/nginx.conf.html
View File

@ -55,12 +55,12 @@ http {<!--
ssl_session_cache shared:SSL:50m; ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;<!-- ssl_session_tickets off;<!--
✘ SSLProfileModern --><span ng-if="isSSLProfileIntermediate() || isSSLProfileOld()"> ✔ SSL DH required --><span ng-if="isSSLDHRequired()">
# Diffie-Hellman parameter for DHE ciphersuites # Diffie-Hellman parameter for DHE ciphersuites
ssl_dhparam /etc/nginx/dhparam.pem;</span> ssl_dhparam /etc/nginx/dhparam.pem;</span>
# {{ data.ssl_profile }} configuration # {{ sslProfiles[ data.ssl_profile ].name }} configuration
ssl_protocols {{ sslProfiles[ data.ssl_profile ].protocols }}; ssl_protocols {{ sslProfiles[ data.ssl_profile ].protocols }};
ssl_ciphers {{ sslProfiles[ data.ssl_profile ].ciphers }}; ssl_ciphers {{ sslProfiles[ data.ssl_profile ].ciphers }};
ssl_prefer_server_ciphers on; ssl_prefer_server_ciphers on;

12
resources/scss/_utilities.scss
View File

@ -12,6 +12,18 @@ tooltip {
tip { tip {
min-width: 150px; min-width: 150px;
padding: 4px 12px; padding: 4px 12px;
&.ssl {
min-width: 300px;
ul {
text-align: left;
padding: 4px 0 0 8px;
margin: 0;
white-space: nowrap;
font-size: 0.75rem;
}
}
} }
tip-tip { tip-tip {