
Commit 4563249

committed
Hardening NGINX SSL Configuration.
1 parent 683d5c2 commit 4563249


6 files changed

+92
-84
lines changed


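--- a/install/debian/8/nginx/nginx.conf
+++ b/install/debian/8/nginx/nginx.conf
@@ -2,7 +2,6 @@
 user www-data;
 worker_processes auto;
 worker_rlimit_nofile 65535;
-timer_resolution 50ms; #In order to free some CPU cycles
 error_log /var/log/nginx/error.log crit;
 pid /var/run/nginx.pid;
 
@@ -71,33 +70,35 @@ http {
 
 
 # Cloudflare https://www.cloudflare.com/ips
-set_real_ip_from 103.21.244.0/22;
-set_real_ip_from 103.22.200.0/22;
-set_real_ip_from 103.31.4.0/22;
-set_real_ip_from 104.16.0.0/12;
-set_real_ip_from 108.162.192.0/18;
-set_real_ip_from 131.0.72.0/22;
-set_real_ip_from 141.101.64.0/18;
-set_real_ip_from 162.158.0.0/15;
-set_real_ip_from 172.64.0.0/13;
-set_real_ip_from 173.245.48.0/20;
-set_real_ip_from 188.114.96.0/20;
-set_real_ip_from 190.93.240.0/20;
-set_real_ip_from 197.234.240.0/22;
-set_real_ip_from 198.41.128.0/17;
-set_real_ip_from 2400:cb00::/32;
-set_real_ip_from 2606:4700::/32;
-set_real_ip_from 2803:f800::/32;
-set_real_ip_from 2405:b500::/32;
-set_real_ip_from 2405:8100::/32;
-set_real_ip_from 2c0f:f248::/32;
-set_real_ip_from 2a06:98c0::/29;
+set_real_ip_from 199.27.128.0/21;
+set_real_ip_from 173.245.48.0/20;
+set_real_ip_from 103.21.244.0/22;
+set_real_ip_from 103.22.200.0/22;
+set_real_ip_from 103.31.4.0/22;
+set_real_ip_from 141.101.64.0/18;
+set_real_ip_from 108.162.192.0/18;
+set_real_ip_from 190.93.240.0/20;
+set_real_ip_from 188.114.96.0/20;
+set_real_ip_from 197.234.240.0/22;
+set_real_ip_from 198.41.128.0/17;
+set_real_ip_from 162.158.0.0/15;
+set_real_ip_from 104.16.0.0/12;
+set_real_ip_from 172.64.0.0/13;
+#set_real_ip_from 2400:cb00::/32;
+#set_real_ip_from 2606:4700::/32;
+#set_real_ip_from 2803:f800::/32;
+#set_real_ip_from 2405:b500::/32;
+#set_real_ip_from 2405:8100::/32;
 real_ip_header CF-Connecting-IP;
 
 
+# openssl dhparam 4096 -out /etc/ssl/dhparam.pem
+# ssl_dhparam /etc/ssl/dhparam.pem;
+
+
 # SSL PCI Compliance
 ssl_session_cache shared:SSL:10m;
-ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
 ssl_prefer_server_ciphers on;
 ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
 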
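Review bot: `ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;` still offers TLS 1.1, which RFC 8996 deprecates and which the "SSL PCI Compliance" heading right above does not justify keeping; the hardened form is `ssl_protocols TLSv1.2 TLSv1.3;`. The unchanged ssl_ciphers string beneath it also keeps the `*-DES-CBC3-SHA` suites, and `!DES` does not remove them (OpenSSL's alias for triple-DES is `3DES`), so append `:!3DES` or delete those entries while this block is being touched. Whether the `TLSv1.3` token is accepted at all depends on the nginx build — releases before 1.13.0 reject it at config parse — and I believe Debian 8's packaged nginx predates that, so run `nginx -t` on the target before relying on this file.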

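--- a/install/debian/9/nginx/nginx.conf
+++ b/install/debian/9/nginx/nginx.conf
@@ -2,7 +2,6 @@
 user www-data;
 worker_processes auto;
 worker_rlimit_nofile 65535;
-timer_resolution 50ms; #In order to free some CPU cycles
 error_log /var/log/nginx/error.log crit;
 pid /var/run/nginx.pid;
 
@@ -71,33 +70,35 @@ http {
 
 
 # Cloudflare https://www.cloudflare.com/ips
-set_real_ip_from 103.21.244.0/22;
-set_real_ip_from 103.22.200.0/22;
-set_real_ip_from 103.31.4.0/22;
-set_real_ip_from 104.16.0.0/12;
-set_real_ip_from 108.162.192.0/18;
-set_real_ip_from 131.0.72.0/22;
-set_real_ip_from 141.101.64.0/18;
-set_real_ip_from 162.158.0.0/15;
-set_real_ip_from 172.64.0.0/13;
-set_real_ip_from 173.245.48.0/20;
-set_real_ip_from 188.114.96.0/20;
-set_real_ip_from 190.93.240.0/20;
-set_real_ip_from 197.234.240.0/22;
-set_real_ip_from 198.41.128.0/17;
-set_real_ip_from 2400:cb00::/32;
-set_real_ip_from 2606:4700::/32;
-set_real_ip_from 2803:f800::/32;
-set_real_ip_from 2405:b500::/32;
-set_real_ip_from 2405:8100::/32;
-set_real_ip_from 2c0f:f248::/32;
-set_real_ip_from 2a06:98c0::/29;
+set_real_ip_from 199.27.128.0/21;
+set_real_ip_from 173.245.48.0/20;
+set_real_ip_from 103.21.244.0/22;
+set_real_ip_from 103.22.200.0/22;
+set_real_ip_from 103.31.4.0/22;
+set_real_ip_from 141.101.64.0/18;
+set_real_ip_from 108.162.192.0/18;
+set_real_ip_from 190.93.240.0/20;
+set_real_ip_from 188.114.96.0/20;
+set_real_ip_from 197.234.240.0/22;
+set_real_ip_from 198.41.128.0/17;
+set_real_ip_from 162.158.0.0/15;
+set_real_ip_from 104.16.0.0/12;
+set_real_ip_from 172.64.0.0/13;
+#set_real_ip_from 2400:cb00::/32;
+#set_real_ip_from 2606:4700::/32;
+#set_real_ip_from 2803:f800::/32;
+#set_real_ip_from 2405:b500::/32;
+#set_real_ip_from 2405:8100::/32;
 real_ip_header CF-Connecting-IP;
 
 
+# openssl dhparam 4096 -out /etc/ssl/dhparam.pem
+# ssl_dhparam /etc/ssl/dhparam.pem;
+
+
 # SSL PCI Compliance
 ssl_session_cache shared:SSL:10m;
-ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
 ssl_prefer_server_ciphers on;
 ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
 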
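Review bot: `# ssl_dhparam /etc/ssl/dhparam.pem;` is added commented out while the ssl_ciphers string three lines below still lists the DHE-RSA-* suites, so those suites are either served with nginx's built-in fallback group (older releases, a 1024-bit Logjam-class parameter) or not offered at all (1.11.0 and later); which one applies depends on the packaged nginx version, which this diff does not show. Either generate the parameters in the installer and activate `ssl_dhparam /etc/ssl/dhparam.pem;`, or strip the DHE entries and rely on the ECDHE suites, which need no parameter file. Leaving the directive as a comment next to a "PCI Compliance" heading invites a future reader to assume it is in effect. The new `ssl_protocols` line also still enables TLS 1.1; `ssl_protocols TLSv1.2 TLSv1.3;` is the intended hardening.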

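--- a/install/ubuntu/14.04/nginx/nginx.conf
+++ b/install/ubuntu/14.04/nginx/nginx.conf
@@ -92,9 +92,13 @@ http {
 real_ip_header CF-Connecting-IP;
 
 
+# openssl dhparam 4096 -out /etc/ssl/dhparam.pem
+# ssl_dhparam /etc/ssl/dhparam.pem;
+
+
 # SSL PCI Compliance
 ssl_session_cache shared:SSL:10m;
-ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
 ssl_prefer_server_ciphers on;
 ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
 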
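Review bot: `ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;` introduces the `TLSv1.3` token, which nginx only parses from 1.13.0 onward and only negotiates when linked against OpenSSL 1.1.1; Ubuntu 14.04's stock packages are, as far as I know, far older than both, so on that target `nginx -t` would fail with an invalid-value error and the service could not reload. If this file must stay loadable on stock 14.04, leave `TLSv1.3` out here and document that TLS 1.3 requires a newer nginx build; if the installer already pulls nginx from nginx.org, say so in a comment above the directive. Either way the `TLSv1.1` entry should be dropped as well, since RFC 8996 deprecates it.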

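--- a/install/ubuntu/16.04/nginx/nginx.conf
+++ b/install/ubuntu/16.04/nginx/nginx.conf
@@ -70,33 +70,35 @@ http {
 
 
 # Cloudflare https://www.cloudflare.com/ips
+set_real_ip_from 199.27.128.0/21;
+set_real_ip_from 173.245.48.0/20;
 set_real_ip_from 103.21.244.0/22;
 set_real_ip_from 103.22.200.0/22;
 set_real_ip_from 103.31.4.0/22;
-set_real_ip_from 104.16.0.0/12;
-set_real_ip_from 108.162.192.0/18;
-set_real_ip_from 131.0.72.0/22;
 set_real_ip_from 141.101.64.0/18;
-set_real_ip_from 162.158.0.0/15;
-set_real_ip_from 172.64.0.0/13;
-set_real_ip_from 173.245.48.0/20;
-set_real_ip_from 188.114.96.0/20;
+set_real_ip_from 108.162.192.0/18;
 set_real_ip_from 190.93.240.0/20;
+set_real_ip_from 188.114.96.0/20;
 set_real_ip_from 197.234.240.0/22;
 set_real_ip_from 198.41.128.0/17;
+set_real_ip_from 162.158.0.0/15;
+set_real_ip_from 104.16.0.0/12;
+set_real_ip_from 172.64.0.0/13;
 #set_real_ip_from 2400:cb00::/32;
 #set_real_ip_from 2606:4700::/32;
 #set_real_ip_from 2803:f800::/32;
 #set_real_ip_from 2405:b500::/32;
 #set_real_ip_from 2405:8100::/32;
-#set_real_ip_from 2c0f:f248::/32;
-#set_real_ip_from 2a06:98c0::/29;
 real_ip_header CF-Connecting-IP;
 
 
+# openssl dhparam 4096 -out /etc/ssl/dhparam.pem
+# ssl_dhparam /etc/ssl/dhparam.pem;
+
+
 # SSL PCI Compliance
 ssl_session_cache shared:SSL:10m;
-ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
 ssl_prefer_server_ciphers on;
 ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
 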
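Review bot: The set_real_ip_from block now adds `199.27.128.0/21` and removes `131.0.72.0/22`, `2c0f:f248::/32` and `2a06:98c0::/29`, which looks like an older revision of Cloudflare's published list rather than a refresh — verify against the URL in the comment directly above it before merging. These prefixes are a trust decision: `real_ip_header CF-Connecting-IP` lets any source in them assert the client address, so a prefix Cloudflare no longer announces becomes a spoofing hole for whoever is allocated it next, while a missing prefix makes the edge address show up in logs, `limit_req` keys and allow/deny rules. The five remaining IPv6 ranges stay commented out, so IPv6 traffic proxied through Cloudflare is attributed to the edge for the same reason. Generating this block from the live list at install time would remove the hand-maintenance that caused this drift.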

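--- a/install/ubuntu/18.04/nginx/nginx.conf
+++ b/install/ubuntu/18.04/nginx/nginx.conf
@@ -2,7 +2,7 @@
 user www-data;
 worker_processes auto;
 worker_rlimit_nofile 65535;
-error_log /var/log/nginx/error.log;
+error_log /var/log/nginx/error.log crit;
 pid /var/run/nginx.pid;
 
 
@@ -19,14 +19,14 @@ http {
 sendfile on;
 tcp_nopush on;
 tcp_nodelay on;
-client_header_timeout 60s;
-client_body_timeout 60s;
+client_header_timeout 1m;
+client_body_timeout 1m;
 client_header_buffer_size 2k;
 client_body_buffer_size 256k;
 client_max_body_size 256m;
-large_client_header_buffers 4 8k;
-send_timeout 60s;
-keepalive_timeout 30s;
+large_client_header_buffers 4 8k;
+send_timeout 30;
+keepalive_timeout 60 60;
 reset_timedout_connection on;
 server_tokens off;
 server_name_in_redirect off;
@@ -50,11 +50,9 @@ http {
 
 # Compression
 gzip on;
-gzip_static on;
-gzip_vary on;
-gzip_comp_level 6;
-gzip_min_length 1024;
-gzip_buffers 16 8k;
+gzip_comp_level 9;
+gzip_min_length 512;
+gzip_buffers 8 64k;
 gzip_types text/plain text/css text/javascript text/js text/xml application/json application/javascript application/x-javascript application/xml application/xml+rss application/x-font-ttf image/svg+xml font/opentype;
 gzip_proxied any;
 gzip_disable "MSIE [1-6]\.";
@@ -65,40 +63,42 @@ http {
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_pass_header Set-Cookie;
+proxy_connect_timeout 90;
+proxy_send_timeout 90;
+proxy_read_timeout 90;
 proxy_buffers 32 4k;
-proxy_connect_timeout 30s;
-proxy_send_timeout 90s;
-proxy_read_timeout 90s;
 
-
+
 # Cloudflare https://www.cloudflare.com/ips
+set_real_ip_from 199.27.128.0/21;
+set_real_ip_from 173.245.48.0/20;
 set_real_ip_from 103.21.244.0/22;
 set_real_ip_from 103.22.200.0/22;
 set_real_ip_from 103.31.4.0/22;
-set_real_ip_from 104.16.0.0/12;
-set_real_ip_from 108.162.192.0/18;
-set_real_ip_from 131.0.72.0/22;
 set_real_ip_from 141.101.64.0/18;
-set_real_ip_from 162.158.0.0/15;
-set_real_ip_from 172.64.0.0/13;
-set_real_ip_from 173.245.48.0/20;
-set_real_ip_from 188.114.96.0/20;
+set_real_ip_from 108.162.192.0/18;
 set_real_ip_from 190.93.240.0/20;
+set_real_ip_from 188.114.96.0/20;
 set_real_ip_from 197.234.240.0/22;
 set_real_ip_from 198.41.128.0/17;
+set_real_ip_from 162.158.0.0/15;
+set_real_ip_from 104.16.0.0/12;
+set_real_ip_from 172.64.0.0/13;
 #set_real_ip_from 2400:cb00::/32;
 #set_real_ip_from 2606:4700::/32;
 #set_real_ip_from 2803:f800::/32;
 #set_real_ip_from 2405:b500::/32;
 #set_real_ip_from 2405:8100::/32;
-#set_real_ip_from 2c0f:f248::/32;
-#set_real_ip_from 2a06:98c0::/29;
 real_ip_header CF-Connecting-IP;
 
 
+# openssl dhparam 4096 -out /etc/ssl/dhparam.pem
+# ssl_dhparam /etc/ssl/dhparam.pem;
+
+
 # SSL PCI Compliance
 ssl_session_cache shared:SSL:10m;
-ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
 ssl_prefer_server_ciphers on;
 ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
 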
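Review bot: `error_log /var/log/nginx/error.log crit;` in the first hunk silences every entry below crit, and that is where the detection signal lives — `limit_req`/`limit_conn` rejections, upstream connect failures, client errors with their reason, and TLS handshake failures are all logged at error or warn — so a "hardening" commit leaves the server harder to monitor and to investigate after the fact. `error_log /var/log/nginx/error.log warn;` keeps the volume manageable while preserving those events; noise is better dropped in log shipping than at the source. In the same spirit, `gzip_comp_level 9` with `gzip_buffers 8 64k` raises per-request CPU and memory for marginal ratio gain over level 6, which matters most under request floods; that is a tuning trade-off rather than a defect, but it cuts against the other timeouts tightened here.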

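--- a/src/deb/nginx/nginx.conf
+++ b/src/deb/nginx/nginx.conf
@@ -37,8 +37,8 @@ http {
 
 
 # SSL PCI Compliance
-ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
-ssl_ciphers EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
+ssl_protocols TLSv1.3 TLSv1.2 TLSv1.1;
+ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
 ssl_session_cache shared:SSL:10m;
 ssl_prefer_server_ciphers on;
 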
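Review bot: The new ssl_ciphers string still carries four triple-DES suites (`ECDHE-ECDSA-DES-CBC3-SHA`, `ECDHE-RSA-DES-CBC3-SHA`, `EDH-RSA-DES-CBC3-SHA`, `DES-CBC3-SHA`), which are 64-bit-block ciphers exposed to SWEET32 and are exactly what the removed `EECDH+3DES:RSA+3DES` fragment offered, so that part of the rewrite hardens nothing; delete those four entries or append `:!3DES`. `ssl_protocols TLSv1.3 TLSv1.2 TLSv1.1;` likewise keeps TLS 1.1, deprecated by RFC 8996; `ssl_protocols TLSv1.3 TLSv1.2;` is the intended form. The DHE-RSA-* entries only do useful work if an `ssl_dhparam` is configured, and none appears in this hunk (it may exist elsewhere in the file). Leading with the AEAD and ChaCha20 suites under `ssl_prefer_server_ciphers on` is the right shape for the list.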
