NGINX Web Server
Tommaso Sardelli, sardelli.tommaso[at]gmail.com
Corsi GNU/Linux Avanzati 2016, Politecnico Open unix Lab
11th May 2016
Today's topic
- What is a web server?
- How do I configure one?
- Security (It's dangerous to go alone!)
2 of 73
Whoops
3 of 73
That's better
4 of 73
Even better
5 of 73
Disclaimer
6 of 73
Table of Contents
- Introduction: HTTP 101, NGINX Architecture, Can I try this at home?
- Installation and Configuration: Installing on Debian, Configuration, PHP-FPM, Reverse Proxy
- Security: SSL/TLS and HTTPS, Let's Encrypt, HTTPS Hardening
- Links
7 of 73
What is a Web Server?
A web server is software that processes requests via HTTP. The primary function of a web server is to store, process and deliver web pages to clients (browsers).
Many generic web servers also support server-side scripting using PHP or other scripting languages.
9 of 73
First things first: HTTP
HTTP is the foundation of data communication for the (guess what) World Wide Web (yay). HTTP functions as a request-response protocol.
The client submits an HTTP request message to the server. The server performs some functions and returns a response message, such as HTML files or other content.
The response contains completion status information about the request and may also contain the requested content in its message body.
10 of 73
HTTP Request Message
An HTTP request message is composed of three parts:
- An HTTP method and a request URI: (GET | POST | PUT | DELETE | PATCH | ...) /index.html HTTP/1.1
- Zero or more headers: Host, Connection, Cookie, Cache-Control, User-Agent, X-Forwarded-Host, many more...
- Optionally, a message body. Useful if you are uploading something or submitting data to an HTML form.
11 of 73
HTTP Response Message
Nothing fancy, just like a request message, but instead of the HTTP method you have the status code (404 Not Found, anyone?):
- 1xx Informational - Request received, continuing process (good)
- 2xx Success - The action was successfully received, understood and accepted (good)
- 3xx Redirection - Further action must be taken in order to complete the request (good)
- 4xx Client Error - The request contains bad syntax or cannot be fulfilled (bad)
- 5xx Server Error - The server failed to fulfill an apparently valid request (badder :D)
12 of 73
Enough talk, lemme see
    $ telnet www.poul.org 80
    Trying 176.31.102.216...
    Connected to www.poul.org.
    Escape character is '^]'.
    GET / HTTP/1.1
    Host: www.poul.org

    $ curl -i https://www.poul.org

    $ http https://www.poul.org    (requires the httpie package)
13 of 73
Enough talk, lemme see
    HTTP/1.1 200 OK
    Cache-Control: max-age=3, must-revalidate
    Connection: keep-alive
    Content-Encoding: gzip
    Content-Length: 7421
    Content-Type: text/html; charset=UTF-8
    Date: Sun, 08 May 2016 19:21:32 GMT
    Strict-Transport-Security: max-age=15768000
    WP-Super-Cache: Served supercache file from PHP
    X-Answer: 42
    X-Fact: systemd is bloated

    <html lang="it-IT"><head [...]>
    <title>POuL Politecnico Open unix Labs</title>
14 of 73
What does 'He' have that I don't?
- Lightweight
- Fast
- A pleasure to configure (shame on you, Apache)
- Versatile (reverse proxy, load balancer)
- (Modular)
16 of 73
NGINX Architecture
There are two different kinds of process:
- Master process: it's the main process; it runs as root and fulfills two main tasks: read the configuration files, and open the socket used to communicate with the worker processes. (Slack off for the rest of the time.)
- Worker processes: one or more processes running as an unprivileged user (www-data on Debian). They do the real hard work, managing all the HTTP requests coming from thousands of clients. (They work out in their free time.) (They don't have free time.)
17 of 73
NGINX Architecture
[Diagram: the Nginx master process supervising worker processes 1, 2, 3 ... n, each handling its own request/response pairs 1, 2, 3 ... n]
18 of 73
Can I try this at home?
20 of 73
NAT
21 of 73
DDNS
22 of 73
One image to rule them all
[Figure: network diagram showing the public IP of the server, the hosts on the private LAN behind the NAT router, and a remote client]
23 of 73
To sum up
- NAT (port forwarding / virtual server)
- DDNS (Duck DNS, Afraid, no-ip)
- Happy Googling :D
24 of 73
apt-get install
Debian Stable (Jessie at the time of writing) provides three different flavours of nginx (it's modular, remember?):
- nginx-light: just a small subset of core modules
- nginx (nginx-full): he is your man
- nginx-extras: bloated edition
If you want to see the full comparison... If you want the (almost) latest version, install it from the Backports.
26 of 73
Installation Complete
Check the installed version:
    sudo nginx -v
Get the full list of the enabled modules:
    sudo nginx -V
Look for a specific module (the build info goes to stderr, hence the redirect):
    sudo nginx -V 2>&1 | grep --color module_name
27 of 73
nginx.conf
The good ol' days of httpd.conf and .htaccess have ended: nginx.conf kicks in. And your days get even better (maybe) ^^'
29 of 73
Contexts
nginx.conf is divided into five, er, four contexts (blocks): (main), events (1), http (1), server (n) and location (n).
There is a hierarchy: the events block is standalone; http contains server blocks; a server block contains location blocks.
Directives defined in a higher block (like http) affect all the underlying blocks (server and location).
Pro Tip: apply directives in the highest context available.
30 of 73
nginx.conf stripped-down
    user www-data;
    worker_processes 1;
    pid /run/nginx.pid;

    events {
        worker_connections 128;
    }

    http {
        server {
            location / {
            }
        }
    }
31 of 73
Every time you do this a kitten dies
    http {
        server {
            location / {
                root /var/www/html;
            }
            location /another {
                root /var/www/html;
            }
        }
    }
32 of 73
VirtualHosts :P
    http {
        server {
            listen 80;
            server_name example.org www.example.org;
        }
        server {
            listen 80;
            server_name poul.org www.poul.org;
        }
        server {
            listen 80;
            server_name fluffykittens.it www.fluffykittens.it;
        }
    }
33 of 73
location blocks
When we are in a location context we are usually dealing with files and folders.
Location directives allow us to tell NGINX what to do when a specific resource is requested.
Such a resource can be targeted using an exact path: in this case we prefix the URI with "=".
Alternatively we can rely on regex matching: the "~" prefix for case-sensitive matching, the "~*" prefix for case-insensitive matching.
Syntax: location [ = | ~ | ~* | ^~ ] uri { ... }
34 of 73
Examples or GTFO
When I visit http://example.org/downloads I want a list of all the files in that folder:
    location ~ /downloads {
        autoindex on;
    }
We don't want our users to execute scripts from write-accessible folders, RIGHT?
    location ~* /(images|cache|media|logs|tmp)/.*\.(php|pl|py)$ {
        return 403;
        error_page 403 /403_error.html;
    }
35 of 73
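The contexts, the kitten rule and the location prefixes of the last slides in one virtual host, as an added example that is not from the slides; the domain and the document root are assumptions.

```nginx
# Added example (not from the slides). Shared directives live in the highest
# context (server), so no location repeats "root". Selection order in nginx:
# "=" exact match first; then the longest prefix match, which wins outright
# if declared with "^~"; otherwise the "~" / "~*" regexes in file order,
# first match wins; finally the longest plain prefix.
server {
    listen 80;
    server_name example.org www.example.org;   # assumed domain

    root  /var/www/example.org;                # assumed document root, inherited below
    index index.html;

    # "=": only the exact URI /robots.txt, checked before everything else
    location = /robots.txt {
        log_not_found off;
        access_log    off;
    }

    # "^~": prefix match that skips the regex checks below. Caveat: the
    # script-blocking regex therefore does NOT apply under /static/, so use
    # "^~" only for directories that users cannot write to.
    location ^~ /static/ {
        expires 30d;
    }

    # "~": case-sensitive regex, directory listing only under /downloads/
    location ~ ^/downloads/ {
        autoindex on;
    }

    # "~*": case-insensitive regex, refuse scripts in write-accessible folders
    # (so /IMAGES/x.PHP is blocked as well)
    location ~* ^/(images|cache|media|logs|tmp)/.*\.(php|pl|py)$ {
        return 403;
        error_page 403 /403_error.html;
    }

    # plain prefix: the catch-all, used only when nothing above matched
    location / {
        try_files $uri $uri/ =404;
    }
}
```

Check the file with "sudo nginx -t" before reloading; a location that never matches is a logic error nginx cannot detect for you.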
Make yourself comfortable
36 of 73
Just Kidding
Demo
37 of 73
PHP-FPM Architecture
[Diagram: a request reaches Nginx, which talks over a socket to the FastCGI wrappers running WordPress, Drupal, ownCloud or $PHP_WebApp]
39 of 73
php-fpm.conf
    sudo apt-get install php5-fpm
    sudo vim/emacs/atom (flame!) /etc/php5/fpm/pool.d/www.conf
        listen = /var/run/php5-fpm.sock
    sudo service php5-fpm restart
40 of 73
No way, I want PHP 7
    sudo apt-get install php7.0-fpm    (https://packages.sury.org/php)
    sudo vim (we have a winner) /etc/php/7.0/fpm/pool.d/www.conf
        listen = /run/php/php7.0-fpm.sock
    sudo service php7.0-fpm restart
41 of 73
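The nginx side of the PHP-FPM setup from the two slides above, as an added example (not from the slides): it passes PHP to the PHP 7.0 socket configured in www.conf and keeps the write-accessible-folder rule. Domain and document root are assumptions; for php5-fpm swap in /var/run/php5-fpm.sock.

```nginx
# Added example (not from the slides): a PHP web app behind nginx + PHP-FPM.
server {
    listen 80;
    server_name example.org;          # assumed
    root  /var/www/example.org;       # assumed document root
    index index.php index.html;

    location / {
        # pretty URLs: fall back to the front controller
        try_files $uri $uri/ /index.php?$args;
    }

    # regex locations are tried in order, so the deny rule for writable
    # folders must come BEFORE the generic PHP handler below
    location ~* ^/(images|cache|media|logs|tmp)/.*\.php$ {
        return 403;
    }

    location ~ \.php$ {
        # hand PHP only scripts that really exist on disk; otherwise, with
        # cgi.fix_pathinfo=1 in php.ini, PHP may fall back to running a
        # non-PHP file named earlier in the path (see "NGINX Pitfalls" in the links)
        try_files $uri =404;
        fastcgi_pass  unix:/run/php/php7.0-fpm.sock;   # the "listen" from www.conf
        fastcgi_index index.php;
        include       fastcgi_params;                  # shipped in /etc/nginx by the Debian package
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}
```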
Demo
Demo
42 of 73
"To infinity and beyond"
- Ruby: Rails / Sinatra / Puma
- Python: Flask / Tornado / Django (the D is silent)
- JavaScript: Node.js / Ghost
- Anything: Transmission / Syncthing / ympd
44 of 73
Always the same pattern
- A service running behind some port (8000, 8080, 8384, 9091, etc.)
- You want to access it without opening all those ports in your firewall
- You want advanced settings: authentication, SSL/TLS
45 of 73
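The pattern above applied to one of the slide's services, as an added example that is not from the slides: Syncthing's GUI on port 8384 is published as a single HTTPS virtual host with HTTP basic auth, so no extra firewall port is opened. Hostname, certificate paths and the htpasswd file are assumptions.

```nginx
# Added example (not from the slides): reverse proxy with auth and TLS.
# The backend should bind to 127.0.0.1 only, so the sole way in is nginx.
server {
    listen 443 ssl;
    server_name sync.example.org;                                     # assumed

    ssl_certificate     /etc/letsencrypt/live/sync.example.org/fullchain.pem;  # assumed paths
    ssl_certificate_key /etc/letsencrypt/live/sync.example.org/privkey.pem;

    # password file created with: htpasswd -c /etc/nginx/htpasswd.sync <user>
    # (htpasswd comes from the apache2-utils package)
    auth_basic           "Syncthing";
    auth_basic_user_file /etc/nginx/htpasswd.sync;

    location / {
        proxy_pass http://127.0.0.1:8384;

        # tell the backend who the real client is and that it arrived over HTTPS
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # long-polling GUIs keep requests open longer than the 60s default
        proxy_read_timeout 600s;
    }
}
```

Any service from the list on the previous slide is published the same way by changing only server_name and the proxy_pass port.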
Demo
Demo
46 of 73
It's a conspiracy
48 of 73
HTTPS: Oh yes, the green lock
SSL/TLS in a nutshell:
- Choose a fast symmetric cipher (like AES). This is called, well, the cipher.
- Choose a random key for that cipher. This is called the session key.
- Encrypt that key using RSA (public key crypto) and send it to the person you're communicating with.
- Then you both have the same AES key and can encrypt all your communications back and forth after that.
The NSA is sad :(
49 of 73
Alice is suspicious
Everything is encrypted, awesome, but is Bob, well, Bob? A digital certificate is an electronic document used to prove ownership of a public key.
The certificate includes information about the key, its owner's identity and the digital signature of a Certification Authority.
A Certification Authority (CA) is an entity that issues digital certificates and verifies that the certificate's content is correct.
50 of 73
Arya
51 of 73
Let's Encrypt will be released any second now...
53 of 73
any second now
54 of 73
aaaaany second now
55 of 73
now
56 of 73
57 of 73
58 of 73
Thank you
59 of 73
So, we were saying... Let's Encrypt
60 of 73
Features - sounds good
Free, Automatic, Secure, Transparent, Open, Cooperative
61 of 73
Under the hood
When you run the letsencrypt client a few tasks are performed (https://letsencrypt.org/how-it-works):
- Domain Validation (DNS or HTTP): provisioning a DNS record under example.com, or provisioning an HTTP resource under a well-known URI on https://example.com
- Certificate Issuance
- Repeat every 2/3 months (yes, a script would be helpful)
62 of 73
Plugins
https://letsencrypt.readthedocs.io/en/latest/using.html
- apache: Automates obtaining and installing a cert with Apache 2.4 on Debian-based distributions
- webroot: Obtains a cert by writing to the webroot directory of an already running webserver
- standalone: Uses a "standalone" webserver to obtain a cert. Requires port 80 or 443 to be available
- manual: Helps you obtain a cert by giving you instructions to perform domain validation yourself
- nginx: Very experimental and not included in letsencrypt-auto :D
63 of 73
Demo
Demo
64 of 73
Meet your new best friend (SSL Test)
https://www.ssllabs.com/ssltest/index.html
66 of 73
HTTP Strict Transport Security (HSTS)
It is an HTTP header sent from the server to the client. Such a header informs the client that HTTPS is available for the requested website.
The "max-age" parameter sets the validity of this information (in seconds).
67 of 73
Enable HSTS in NGINX
Enabling HSTS is as simple as adding a common HTTP header:
    server {
        listen 443 ssl;
        # Force HSTS
        add_header Strict-Transport-Security "max-age=15768000";
    }
68 of 73
Perfect Forward Secrecy (PFS)
Let's say someone intercepts and stores all our encrypted communications. I know, who would ever do that? (cough)
If the private key is compromised/deciphered, all the previous communications could be decrypted and read.
Solution: use a new key for each session. Call that key "ephemeral".
69 of 73
PFS: Pretty please, with sugar on top
Just use the right cipher:
    server {
        listen 443 ssl;
        ssl_prefer_server_ciphers on;
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256';
    }
70 of 73
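The HTTPS layout the last slides build up to (Let's Encrypt webroot validation, HSTS, PFS ciphers), as an added example that is not from the slides. Domain, webroot and certificate paths are assumptions, and the letsencrypt-auto invocation in the comment is the webroot plugin from the plugins slide.

```nginx
# Added example (not from the slides): port 80 serves only the ACME
# challenge and redirects everything else; port 443 carries the hardened
# TLS settings. Directives are limited to what nginx 1.6 (Debian Jessie) accepts.
server {
    listen 80;
    server_name example.org www.example.org;   # assumed

    # webroot validation, e.g.:
    #   letsencrypt-auto certonly --webroot -w /var/www/letsencrypt -d example.org -d www.example.org
    # "^~" makes sure no regex location can shadow the challenge files
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;             # assumed webroot
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name example.org www.example.org;

    ssl_certificate     /etc/letsencrypt/live/example.org/fullchain.pem;  # assumed paths
    ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem;

    # no SSLv3; TLS only
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    # ECDHE key exchange = a fresh (ephemeral) key per session, so a leaked
    # private key does not decrypt recorded traffic: that is PFS
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384';

    # session resumption via a server-side cache; tickets are disabled because
    # a long-lived ticket key would undo forward secrecy for resumed sessions
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_session_tickets off;

    # HSTS for six months. add_header is NOT inherited by a location that sets
    # its own add_header, so repeat it there or keep headers at server level.
    add_header Strict-Transport-Security "max-age=15768000";

    root /var/www/example.org;                 # assumed document root
}
```

Run the SSL Labs test from the previous slide against the result: it reports the protocol and cipher choices and whether HSTS was seen.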
NGINX Links
Getting Started:
- NGINX Pitfalls
- NGINX Admin Guide
- NGINX Primer
- NGINX TIPS
- NGINX Doc and Modules Reference
- Understanding Nginx Server and Location Block Selection Algorithms
- Understanding the Nginx Configuration File Structure and Configuration Contexts
71 of 73
HTTPS Links
HTTPS:
- BetterCrypto
- Mozilla Config Generator
- Cipherlist
- Why You Should Always Use HTTPS
- Hardening NGINX SSL/TLS Configuration
- Strong SSL Security on nginx
72 of 73
License
This work is released under the Creative Commons Attribution-Share Alike 4.0 International License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/4.0/ or send a letter to Creative Commons, 444 Castro Street, Suite 900, Mountain View, California, 94041, USA.
https://www.poul.org
73 of 73
- Introduction
-
- HTTP 101
- NGINX Architecture
- Can I try this at home
-
- Installation and Configuration
-
- Installing on Debian
- Configuration
- PHP-FPM
- Reverse Proxy
-
- Security
-
- SSLTLS and HTTPS
- Lets Encrypt
- HTTPS Hardening
-
- Links
-
Todayrsquos topic
What is a web server How do I configure one Security (Itrsquos dangerous to go alone)
2 of 73
Whoops
3 of 73
Thatrsquos better
4 of 73
Even better
5 of 73
Disclaimer
6 of 73
Table of Contents
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links7 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links8 of 73
What is a Web Server
A web server is a software that processes requests via HTTP The primary function of a web server is to store process and deliverweb pages to browsers clients
Many generic web servers also support server-side scripting usingPHP or other scripting languages
9 of 73
First things first HTTP
HTTP is the foundation of data communication for the (guess what)World Wide Web (yay) HTTP functions as a requestndashresponse protocol
The client submits an HTTP request message to the server The server performs some functions and returns a response message
such as HTML files or other content
The response contains completion status information about therequest and may also contain requested content in its messagebody
10 of 73
HTTP Request Message
An HTTP request message is composed of three parts An HTTP Method and a request URI
(GET | POST | PUT | DELETE | PATCH | |) indexhtmlHTTP11
Zero o more Headers Host Connection Cookie Cache-Control User-Agent
X-Forwarded-Host many more
Optionally a message Body Useful if you are uploading something or submitting data to an html
form
11 of 73
HTTP Response Message
Nothing fancy just like a request message but instead of the HTTPmethod you have The Status code (404 not found anyone)
1xx Informational - Request received continuing process (good) 2xx Success - The action was successfully received understood and
accepted (good) 3xx Redirection - Further action must be taken in order to complete
the request (good) 4xx Client Error - The request contains bad syntax or cannot be
fulfilled (bad) 5xx Server Error - The server failed to fulfill an apparently valid
request (badder D)
12 of 73
Enough talk lemme see
telnet wwwpoulorg 80Trying 17631102216Connected to wwwpoulorgEscape character is rsquo^]rsquoGET HTTP 11Host wwwpoulorg
curl -i https wwwpoulorg
http https wwwpoulorg(requires the httpie package)
13 of 73
Enough talk lemme see
HTTP 11 200 OKCache -Control max -age=3 must -revalidateConnection keep -aliveContent -Encoding gzipContent -Length 7421Content -Type texthtml charset=UTF -8Date Sun 08 May 2016 192132 GMTStrict -Transport -Security max -age =15768000WP -Super -Cache Served supercache file from PHPX-Answer 42X-Fact systemd is bloated
lthtml lang=it -ITgtlthead [] gt
lttitle gtPOuL Politecnico Open unix Labs lttitle gt
14 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links15 of 73
What does rsquoHersquo have that I donrsquot
Lightweight Fast A pleasure to configure (shame on you Apache) Versatile (reverse proxy load balancer) (Modular)
16 of 73
NGINX Architecture
There are two different kinds of process Master process Itrsquos the main process it runs as root and fulfillstwo main tasks Read the configuration files Open the socket used to communicate with the worker processes (Slack off for the rest of the time)
Worker processes one or more processes run as unprivileged user(www-data on Debian) They do the real hard work managing all the HTTP requests coming
from thousands of clients (They work out in their free time) They donrsquot have free time
17 of 73
NGINX Architecture
Nginx Master Process
Worker P
rocess 1
Worker P
rocess 2
Worker P
rocess 3
Worker P
rocess n
Request Response 1
Request Response 2
Request Response 3
Request Response n
18 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links19 of 73
Can I try this at home
20 of 73
NAT
NAT21 of 73
DDNS
NATDDNS22 of 73
One image to rule them all
17631102216
19216811
19216812
19216813
9523720550
23 of 73
To sum up
NAT (port forwadingvirtual server) DDNS (Duck DNS Afraid no-ip) Happy Googling D
24 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links25 of 73
apt-get install
Debian Stable (Jessie at the time of writing) provides threedifferent flavours of nginx (itrsquos modular remember) nginx-light just a small subset of core modules nginx (nginx-full) he is your man nginx-extras bloated editionIf you want to see the full comparisonIf you want the (almost) latest version install it from the Backports
26 of 73
Installation Complete
Check the installed version
sudo nginx -v
Get the full list of the enabled modules
sudo nginx -V
Look for a specific module
sudo nginx -V 2gtamp1 | grep --color module_name
27 of 73
Installation Complete
Check the installed version
sudo nginx -v
Get the full list of the enabled modules
sudo nginx -V
Look for a specific module
sudo nginx -V 2gtamp1 | grep --color module_name
27 of 73
Installation Complete
Check the installed version
sudo nginx -v
Get the full list of the enabled modules
sudo nginx -V
Look for a specific module
sudo nginx -V 2gtamp1 | grep --color module_name
27 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links28 of 73
nginxconf
The good olrsquo days of httpdconf and htaccess have ended nginxconf kicks in And your days get even better (Maybe) ^^rsquo
29 of 73
Contexts
nginxconf is divided into five four contexts blocks (main)events(1) http(1) server(n) and location(n)
There is a hierarchy the events block is standalone httpcontains server blocks a server block contains location blocks
Directives defined in an higher block (like http) affect all theunderlying blocks (server and location)
Pro Tip apply directives in the highest context available
30 of 73
nginxconf stripped-down
user www -dataworker_processes 1pid runnginxpid
events worker_connections 128
http
server
location
31 of 73
Every time you do this a kitten dies
http
server
location root varwwwhtml
location another root varwwwhtml
32 of 73
VirtualHosts P
httpserver
listen 80server_name exampleorg wwwexampleorg
server listen 80server_name poulorg wwwpoulorg
server listen 80server_name fluffykittensit wwwfluffykittensit
33 of 73
location blocks
When we are in a location context we are usually dealing with filesand folders
Location diectives allow us to tell NGINX what to do when aspecific resource is requested
Such resource can be targeted using an exact path In this case we will prefix the uri with ldquo=rdquo
Alternatively we can rely on regex matching ~ prefix for case sensitive matching ~ prefix for case insensitive matching
Syntax l o c a t i o n [ = | ~ | ~lowast | ^~ ] u r i
34 of 73
Examples or GTFO
When I visit httpexampleorgdownloads I want a list of all thefiles in that folder
l o c a t i o n ~ download au to i ndex on
We donrsquot want our users to execute scripts from write accessbilefolders RIGHT
l o c a t i o n ~lowast ( images | cache | media | l o g s | tmp ) lowast ( php | p l | py ) $ r e t u r n 403 e r ro r_page 403 403 _er ro r html
35 of 73
Examples or GTFO
When I visit httpexampleorgdownloads I want a list of all thefiles in that folder
l o c a t i o n ~ download au to i ndex on
We donrsquot want our users to execute scripts from write accessbilefolders RIGHT
l o c a t i o n ~lowast ( images | cache | media | l o g s | tmp ) lowast ( php | p l | py ) $ r e t u r n 403 e r ro r_page 403 403 _er ro r html
35 of 73
Make yourself comfortable
36 of 73
Just Kidding
Demo
37 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links38 of 73
PHP-FPM Architecture
Request Nginx Socket
FastCGI Wrapper Wordpress
FastCGI Wrapper Drupal
FastCGI Wrapper ownCloud
FastCGI Wrapper $PHP_WebApp
39 of 73
php-fpmconf
sudo apt-get install php5-fpm sudo vimemacsatom(flame)etcphp5fpmpooldwwwconf
listen = varrunphp5-fpmsock sudo service php5-fpm restart
40 of 73
No way I want PHP 7
sudo apt-get install php70-fpm (httpspackagessuryorgphp) sudo vim (we have a winner)etcphp70fpmpooldwwwconf
listen = runphpphp70-fpmsock sudo service php70-fpm restart
41 of 73
Demo
Demo
42 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links43 of 73
ldquoTo infinity and beyondrdquo
Ruby RailsSinatraPuma Python FlaskTornadoDjango (the D is silent) JavaScript NodejsGhost Anything TransmissionSyncthingympd
44 of 73
Always the same pattern
A service running behind some port (8000 8080 8384 9091 etc) You want to access it without opening all those ports in yourfirewall
You want advanced settings Authentication SSLTLS
45 of 73
Demo
Demo
46 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links47 of 73
Itrsquos a conspiracy
48 of 73
HTTPS Oh yes the green lock |
SSLTLS in a nutshell Choose a fast symmetric cipher (like AES) This is called well thecipher
Choose a random key for that cipher This is called the sessionkey
Encrypt that key using RSA (public key crypto) and send it to theperson yoursquore communicating with
Then you both have the same AES key and can encrypt all yourcommunications back and forth after that
The NSA is sad (
49 of 73
Alice is suspicious
Everything is encrypted awesome but is Bob well Bob A digital certificate is an electronic document used to proveownership of a public key
The certificate includes information about the key its ownerrsquosidentity and the digital signature of a Certification Authority
A Certification Authority(CA) is an entity that issues digitalcertificates and verifies that the certificatersquos content is correct
50 of 73
Arya
51 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links52 of 73
Letrsquos Encrypt will be released any second now
53 of 73
any second now
54 of 73
aaaaany second now
55 of 73
now
56 of 73
57 of 73
58 of 73
Thank you
59 of 73
So we were saying Letrsquos Encrypt
60 of 73
Features - sounds good
Free Automatic Secure Transparent Open Cooperative
61 of 73
Under the hood
When you run the letsencrypt client a few tasks are performedhttpsletsencryptorghow-it-works Domain Validation (DNS or HTTP)
Provisioning a DNS record under examplecom Provisioning an HTTP resource under a well-known URI on
httpsexamplecom
Certificate Issuance Repeat every 23 months (yes a script would be helpful)
62 of 73
Plugins
httpsletsencryptreadthedocsioenlatestusinghtml apache Automates obtaining and installing a cert with Apache 24on Debian-based distributions
webroot Obtains a cert by writing to the webroot directory of analready running webserver
standalone Uses a ldquostandalonerdquo webserver to obtain a certRequires port 80 or 443 to be available
manual Helps you obtain a cert by giving you instructions toperform domain validation yourself
nginx Very experimental and not included in letsencrypt-auto D
63 of 73
Demo
Demo
64 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links65 of 73
Meet your new best friend (SSL Test)
httpswwwssllabscomssltestindexhtml
66 of 73
HTTP Strict Transport Security (HSTS)
It is an HTTP header sent from the server to the client Such header informs the client that HTTPS is availbale for therequested website
The ldquomax-agerdquo parameters sets the validity of this information (inseconds)
67 of 73
Enable HSTS in NGINX
Enabling HSTS is as simple as adding a common HTTP headerserver
listen 443 ssl
Force HSTSadd_header Strict -Transport -Security max -age =15768000
68 of 73
Perfect Forward Secrecy (PFS)
Letrsquos say someone intercepts and stores all our encryptedcommunications I know who would ever do that (cough)
If the private key is compromiseddeciphered all the previouscommunications could be unencrypted and read
Solution Use a new key for each session Call that key ldquoephimeralrdquo
69 of 73
PFS Pretty please with sugar on top
Just use the right cipherserver
listen 443 ssl
ssl_prefer_server_ciphers onssl_ciphers rsquoECDHE -RSA -AES128 -GCM -SHA256 rsquo
70 of 73
NGINX Links
Getting Started
NGINX PitfallsNGINX Admin GuideNGINX PrimerNGINXTIPSNGINX Doc and Modules ReferenceUnderstanding Nginx Server and Location Block Selection AlgorithmsUnderstanding the Nginx Configuration File Structure andConfiguration Contexts
71 of 73
HTTPS Links
HTTPS
BetterCryptoMozilla Config GeneratorCipherlistWhy You Should Always Use HTTPSHardening NGINX SSLTSL ConfigurationStrong SSL Security on nginx
72 of 73
License
mediaDatiSyncthingslide_nginx2015imagescc-by-sa_iconpng
Questrsquoopera egrave rilasciata sotto la licenza Creative Commons Attribution-Share Alike 40International License Per visualizzare una copia di questa licenza visitarehttpcreativecommonsorglicensesby-sa40 o inviare una lettera a CreativeCommons 444 Castro Street Suite 900 Mountain View California 94041 USA
httpswwwpoulorg
73 of 73
- Introduction
-
- HTTP 101
- NGINX Architecture
- Can I try this at home
-
- Installation and Configuration
-
- Installing on Debian
- Configuration
- PHP-FPM
- Reverse Proxy
-
- Security
-
- SSLTLS and HTTPS
- Lets Encrypt
- HTTPS Hardening
-
- Links
-
Whoops
3 of 73
Thatrsquos better
4 of 73
Even better
5 of 73
Disclaimer
6 of 73
Table of Contents
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links7 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links8 of 73
What is a Web Server
A web server is a software that processes requests via HTTP The primary function of a web server is to store process and deliverweb pages to browsers clients
Many generic web servers also support server-side scripting usingPHP or other scripting languages
9 of 73
First things first HTTP
HTTP is the foundation of data communication for the (guess what)World Wide Web (yay) HTTP functions as a requestndashresponse protocol
The client submits an HTTP request message to the server The server performs some functions and returns a response message
such as HTML files or other content
The response contains completion status information about therequest and may also contain requested content in its messagebody
10 of 73
HTTP Request Message
An HTTP request message is composed of three parts An HTTP Method and a request URI
(GET | POST | PUT | DELETE | PATCH | |) indexhtmlHTTP11
Zero o more Headers Host Connection Cookie Cache-Control User-Agent
X-Forwarded-Host many more
Optionally a message Body Useful if you are uploading something or submitting data to an html
form
11 of 73
HTTP Response Message
Nothing fancy just like a request message but instead of the HTTPmethod you have The Status code (404 not found anyone)
1xx Informational - Request received continuing process (good) 2xx Success - The action was successfully received understood and
accepted (good) 3xx Redirection - Further action must be taken in order to complete
the request (good) 4xx Client Error - The request contains bad syntax or cannot be
fulfilled (bad) 5xx Server Error - The server failed to fulfill an apparently valid
request (badder D)
12 of 73
Enough talk lemme see
telnet wwwpoulorg 80Trying 17631102216Connected to wwwpoulorgEscape character is rsquo^]rsquoGET HTTP 11Host wwwpoulorg
curl -i https wwwpoulorg
http https wwwpoulorg(requires the httpie package)
13 of 73
Enough talk, lemme see!
    HTTP/1.1 200 OK
    Cache-Control: max-age=3, must-revalidate
    Connection: keep-alive
    Content-Encoding: gzip
    Content-Length: 7421
    Content-Type: text/html; charset=UTF-8
    Date: Sun, 08 May 2016 19:21:32 GMT
    Strict-Transport-Security: max-age=15768000
    WP-Super-Cache: Served supercache file from PHP
    X-Answer: 42
    X-Fact: systemd is bloated

    <html lang="it-IT"><head [...]>
    <title>POuL Politecnico Open unix Labs</title>
14 of 73
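The message format of the last four slides, as an added example that is not part of the original deck: a small Python parser that splits a raw HTTP/1.1 response into status line, headers and body, names the status class from slide 12 and refuses a few malformed shapes. The sample message is constructed from the www.poul.org response above, with a short body and a Content-Length that fits it.

```python
"""Parse a raw HTTP/1.1 response into its three parts (status line, headers, body)."""
from dataclasses import dataclass, field

# Status classes as listed on the "HTTP Response Message" slide.
STATUS_CLASSES = {1: "Informational", 2: "Success", 3: "Redirection",
                  4: "Client Error", 5: "Server Error"}


@dataclass
class HttpResponse:
    version: str
    status: int
    reason: str
    headers: dict = field(default_factory=dict)   # lower-cased name -> list of values
    body: bytes = b""

    def header(self, name, default=None):
        """First value of a header, looked up case-insensitively (HTTP header names are)."""
        values = self.headers.get(name.lower())
        return values[0] if values else default

    @property
    def status_class(self):
        return STATUS_CLASSES.get(self.status // 100, "Unknown")


def parse_response(raw: bytes) -> HttpResponse:
    """Split a response message; raise ValueError on anything that is not well-formed.
    Header lines are decoded as Latin-1, the safe choice for HTTP's byte-oriented headers."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no blank line terminating the headers")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/1.") or not parts[1].isdigit():
        raise ValueError(f"bad status line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        # Reject empty names and leading whitespace (obsolete line folding); both are
        # classic sources of disagreement between proxies and origin servers.
        if not colon or not name or name != name.strip():
            raise ValueError(f"bad header line: {line!r}")
        headers.setdefault(name.lower(), []).append(value.strip())
    resp = HttpResponse(parts[0], int(parts[1]), parts[2] if len(parts) == 3 else "",
                        headers, body)
    declared = resp.header("Content-Length")
    if declared is not None and int(declared) != len(body):
        raise ValueError(f"Content-Length says {declared} but the body has {len(body)} bytes")
    return resp


# Constructed sample modelled on the www.poul.org response shown on the slide: same headers,
# but a short plain-text body (so no Content-Encoding: gzip) and a Content-Length that fits it.
BODY = b'<html lang="it-IT"><head><title>POuL Politecnico Open unix Labs</title></head></html>'
SAMPLE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Cache-Control: max-age=3, must-revalidate\r\n"
    b"Connection: keep-alive\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"Date: Sun, 08 May 2016 19:21:32 GMT\r\n"
    b"Strict-Transport-Security: max-age=15768000\r\n"
    b"X-Answer: 42\r\n"
    + b"Content-Length: %d\r\n\r\n" % len(BODY)
    + BODY
)


def describe(raw: bytes) -> str:
    """One-line summary of the kind a `curl -i` reader wants: status, class, HSTS, size."""
    r = parse_response(raw)
    hsts = r.header("Strict-Transport-Security", "absent")
    return f"{r.version} {r.status} {r.reason} [{r.status_class}] HSTS={hsts} body={len(r.body)}B"


if __name__ == "__main__":
    print(describe(SAMPLE))
```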
Outline
Introduction: HTTP 101, NGINX Architecture, Can I try this at home?
Installation and Configuration: Installing on Debian, Configuration, PHP-FPM, Reverse Proxy
Security: SSL/TLS and HTTPS, Let's Encrypt, HTTPS Hardening
Links
15 of 73
What does 'He' have that I don't?
- Lightweight
- Fast
- A pleasure to configure (shame on you, Apache)
- Versatile (reverse proxy, load balancer, ...)
- (Modular)
16 of 73
NGINX Architecture
There are two different kinds of process:
- Master process: it's the main process, it runs as root and fulfills two main tasks: read the configuration files, and open the socket used to communicate with the worker processes. (It slacks off for the rest of the time.)
- Worker processes: one or more processes, run as an unprivileged user (www-data on Debian). They do the real hard work, managing all the HTTP requests coming from thousands of clients. (They work out in their free time.) They don't have free time.
17 of 73
NGINX Architecture
[Figure: Nginx Master Process spawning Worker Process 1, 2, 3, ..., n; each worker handles its own Request/Response 1, 2, 3, ..., n]
18 of 73
Can I try this at home?
20 of 73
NAT
[Figure: NAT]
21 of 73
DDNS
[Figure: NAT + DDNS]
22 of 73
One image to rule them all
[Figure: home network diagram with addresses 176.31.102.216, 192.168.1.1, 192.168.1.2, 192.168.1.3 and 95.237.205.50]
23 of 73
To sum up
- NAT (port forwarding / virtual server)
- DDNS (Duck DNS, Afraid, no-ip)
- Happy Googling :D
24 of 73
apt-get install
Debian Stable (Jessie at the time of writing) provides three different flavours of nginx (it's modular, remember?):
- nginx-light: just a small subset of core modules
- nginx (nginx-full): he is your man
- nginx-extras: bloated edition
If you want to see the full comparison...
If you want the (almost) latest version, install it from the Backports.
26 of 73
Installation Complete
Check the installed version:
    sudo nginx -v
Get the full list of the enabled modules:
    sudo nginx -V
Look for a specific module:
    sudo nginx -V 2>&1 | grep --color module_name
27 of 73
nginx.conf
The good ol' days of httpd.conf and .htaccess have ended: nginx.conf kicks in. And your days get even better. (Maybe) ^^'
29 of 73
Contexts
nginx.conf is divided into five (well, four) contexts/blocks: (main), events (1), http (1), server (n) and location (n).
There is a hierarchy: the events block is standalone, http contains server blocks, a server block contains location blocks.
Directives defined in a higher block (like http) affect all the underlying blocks (server and location).
Pro Tip: apply directives in the highest context available.
30 of 73
nginx.conf stripped-down
    user www-data;
    worker_processes 1;
    pid /run/nginx.pid;

    events {
        worker_connections 128;
    }

    http {
        server {
            location / {
                ...
            }
        }
    }
31 of 73
Every time you do this, a kitten dies
    http {
        server {
            location / {
                root /var/www/html;
            }
            location /another {
                root /var/www/html;
            }
        }
    }
32 of 73
VirtualHosts :P
    http {
        server {
            listen 80;
            server_name example.org www.example.org;
        }
        server {
            listen 80;
            server_name poul.org www.poul.org;
        }
        server {
            listen 80;
            server_name fluffykittens.it www.fluffykittens.it;
        }
    }
33 of 73
location blocks
When we are in a location context we are usually dealing with files and folders.
Location directives allow us to tell NGINX what to do when a specific resource is requested.
Such a resource can be targeted using an exact path: in this case we prefix the URI with "=".
Alternatively we can rely on regex matching: the "~" prefix for case-sensitive matching, the "~*" prefix for case-insensitive matching.
Syntax:
    location [ = | ~ | ~* | ^~ ] uri { ... }
34 of 73
Examples or GTFO
When I visit http://example.org/downloads I want a list of all the files in that folder:
    location ~ /download {
        autoindex on;
    }
We don't want our users to execute scripts from write-accessible folders, RIGHT?
    location ~* /(images|cache|media|logs|tmp)/.*\.(php|pl|py)$ {
        return 403;
        error_page 403 /403_error.html;
    }
35 of 73
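To see which block actually wins for a given URI, here is an added example (not from the slides) that emulates the NGINX location selection order in Python and runs the two blocks above against a few requests. The root, static and PHP-FPM blocks, the socket path and the two orderings are constructed for the demonstration; the point it makes is that regex locations are tried in configuration order, so the deny rule protects the upload folders only when it is written before the generic PHP handler.

```python
"""Emulate the NGINX location selection algorithm to check which block handles a URI."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Location:
    modifier: str   # "" = prefix, "=" = exact, "^~" = prefix that beats regexes, "~"/"~*" = regex
    pattern: str
    action: str     # what the block does, kept as a label for the report


def select_location(locations, uri):
    """Pick the block NGINX would use, following its documented order:
    1. an exact (=) match wins at once;
    2. otherwise remember the longest matching prefix; if it carries ^~ it wins and regexes are skipped;
    3. otherwise the first matching regex in configuration order wins;
    4. otherwise the longest prefix match is used (None if nothing matched at all)."""
    longest = None
    for loc in locations:
        if loc.modifier == "=" and uri == loc.pattern:
            return loc
        if loc.modifier in ("", "^~") and uri.startswith(loc.pattern):
            if longest is None or len(loc.pattern) > len(longest.pattern):
                longest = loc
    if longest is not None and longest.modifier == "^~":
        return longest
    for loc in locations:
        if loc.modifier in ("~", "~*"):
            flags = re.IGNORECASE if loc.modifier == "~*" else 0
            if re.search(loc.pattern, uri, flags):
                return loc
    return longest


# Constructed configuration: the two blocks from the slide plus a root, a PHP-FPM handler
# (socket path from the PHP 7 slide) and a ^~ block for static files.
ROOT = Location("", "/", "root /var/www/html")
STATIC = Location("^~", "/static/", "serve static files, never a script")
DOWNLOADS = Location("~", r"/download", "autoindex on")
DENY_SCRIPTS = Location("~*", r"/(images|cache|media|logs|tmp)/.*\.(php|pl|py)$", "return 403")
PHP_FPM = Location("~", r"\.php$", "fastcgi_pass unix:/run/php/php7.0-fpm.sock")

# Same blocks, two orders. Regex blocks are tried in configuration order, so the deny rule
# only protects the upload folders when it is written BEFORE the generic PHP handler.
SAFE_ORDER = [ROOT, STATIC, DOWNLOADS, DENY_SCRIPTS, PHP_FPM]
UNSAFE_ORDER = [ROOT, STATIC, DOWNLOADS, PHP_FPM, DENY_SCRIPTS]


def handler(locations, uri):
    """Return the action label of the selected block (or 'no match')."""
    loc = select_location(locations, uri)
    return loc.action if loc else "no match"


if __name__ == "__main__":
    for uri in ("/index.html", "/downloads/", "/about.php", "/images/upload.php",
                "/Cache/x.PHP", "/static/app.php"):
        print(f"{uri:20} safe -> {handler(SAFE_ORDER, uri):45} unsafe -> {handler(UNSAFE_ORDER, uri)}")
```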
Make yourself comfortable
36 of 73
Just Kidding
Demo
37 of 73
PHP-FPM Architecture
[Figure: Request -> Nginx -> Socket -> one FastCGI wrapper per application: Wordpress, Drupal, ownCloud, $PHP_WebApp]
39 of 73
php-fpm.conf
    sudo apt-get install php5-fpm
    sudo vim/emacs/atom (flame!) /etc/php5/fpm/pool.d/www.conf
        listen = /var/run/php5-fpm.sock
    sudo service php5-fpm restart
40 of 73
No way, I want PHP 7
    sudo apt-get install php7.0-fpm    (https://packages.sury.org/php/)
    sudo vim (we have a winner) /etc/php/7.0/fpm/pool.d/www.conf
        listen = /run/php/php7.0-fpm.sock
    sudo service php7.0-fpm restart
41 of 73
Demo
Demo
42 of 73
"To infinity and beyond"
- Ruby: Rails, Sinatra, Puma
- Python: Flask, Tornado, Django (the D is silent)
- JavaScript: Node.js, Ghost
- Anything: Transmission, Syncthing, ympd
44 of 73
Always the same pattern
- A service running behind some port (8000, 8080, 8384, 9091, etc.)
- You want to access it without opening all those ports in your firewall
- You want advanced settings: authentication, SSL/TLS, ...
45 of 73
Demo
Demo
46 of 73
It's a conspiracy
48 of 73
HTTPS: Oh yes, the green lock!
SSL/TLS in a nutshell:
- Choose a fast symmetric cipher (like AES). This is called, well, the cipher.
- Choose a random key for that cipher. This is called the session key.
- Encrypt that key using RSA (public key crypto) and send it to the person you're communicating with.
- Then you both have the same AES key and can encrypt all your communications back and forth after that.
- The NSA is sad :(
49 of 73
Alice is suspicious
Everything is encrypted, awesome, but is Bob... well, Bob?
A digital certificate is an electronic document used to prove ownership of a public key.
The certificate includes information about the key, its owner's identity, and the digital signature of a Certification Authority.
A Certification Authority (CA) is an entity that issues digital certificates and verifies that the certificate's content is correct.
50 of 73
Arya
51 of 73
Let's Encrypt will be released any second now
53 of 73
any second now
54 of 73
aaaaany second now
55 of 73
now
56 of 73
57 of 73
58 of 73
Thank you
59 of 73
So, we were saying: Let's Encrypt
60 of 73
Features - sounds good
Free, Automatic, Secure, Transparent, Open, Cooperative
61 of 73
Under the hood
When you run the letsencrypt client a few tasks are performed (https://letsencrypt.org/how-it-works/):
- Domain Validation (DNS or HTTP):
  - Provisioning a DNS record under example.com
  - Provisioning an HTTP resource under a well-known URI on https://example.com
- Certificate Issuance
- Repeat every 2-3 months (yes, a script would be helpful)
62 of 73
Plugins
https://letsencrypt.readthedocs.io/en/latest/using.html
- apache: Automates obtaining and installing a cert with Apache 2.4 on Debian-based distributions
- webroot: Obtains a cert by writing to the webroot directory of an already running webserver
- standalone: Uses a "standalone" webserver to obtain a cert. Requires port 80 or 443 to be available
- manual: Helps you obtain a cert by giving you instructions to perform domain validation yourself
- nginx: Very experimental and not included in letsencrypt-auto :D
63 of 73
Demo
Demo
64 of 73
Meet your new best friend (SSL Test)
https://www.ssllabs.com/ssltest/index.html
66 of 73
HTTP Strict Transport Security (HSTS)
It is an HTTP header sent from the server to the client. Such header informs the client that HTTPS is available for the requested website, so the browser must use HTTPS for all its later requests to that site.
The "max-age" parameter sets the validity of this information (in seconds).
67 of 73
Enable HSTS in NGINX
Enabling HSTS is as simple as adding a common HTTP header:
    server {
        listen 443 ssl;
        # Force HSTS
        add_header Strict-Transport-Security "max-age=15768000";
    }
68 of 73
Perfect Forward Secrecy (PFS)
Let's say someone intercepts and stores all our encrypted communications. I know, who would ever do that? (cough)
If the private key is compromised/deciphered, all the previous communications could be decrypted and read.
Solution: use a new key for each session. Call that key "ephemeral".
69 of 73
PFS: Pretty please, with sugar on top
Just use the right cipher:
    server {
        listen 443 ssl;
        ssl_prefer_server_ciphers on;
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256';
    }
70 of 73
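The HSTS slides (67-68) and the PFS slides (69-70) both come down to a few directives in a server block, so here is one added example, not from the slides, that audits them in Python: it parses the directives of a server block, flags cipher-list entries whose key exchange is static RSA or static ECDH (no forward secrecy), checks ssl_prefer_server_ciphers, and checks that the Strict-Transport-Security header carries a max-age of at least the six months the slides use. The cipher classification is name-based and labels keyword groups it cannot expand; the `always` parameter of add_header (nginx 1.7.5+, needed for the header to be sent on error responses too) and the two sample server blocks are my additions.

```python
"""Audit the TLS directives of an nginx server block: HSTS header and forward-secret ciphers."""
import re
import shlex

# One simple directive: name, arguments, terminating ';'. Block openers ({) are skipped and
# nesting is ignored, which is enough for a flat server block; values containing ';' are not handled.
DIRECTIVE = re.compile(r"(\w+)\s+([^;{}]*?)\s*;")
SIX_MONTHS = 15768000   # seconds: the max-age value used on the HSTS slide


def parse_directives(conf: str):
    """Return (name, [args]) for every simple directive, with # comments stripped first."""
    stripped = re.sub(r"#[^\n]*", "", conf)
    return [(m.group(1), shlex.split(m.group(2))) for m in DIRECTIVE.finditer(stripped)]


def forward_secret(suite: str):
    """Classify one entry of an OpenSSL cipher list by its key exchange.
    True  = ephemeral (EC)DH: the session key is never encrypted with the certificate's RSA key;
    False = static RSA or static ECDH key exchange: no forward secrecy;
    None  = a keyword group (HIGH, !aNULL, ECDHE+AESGCM, ...) that this name-based check
            cannot expand; run `openssl ciphers -v '<spec>'` to see the concrete suites."""
    if suite.startswith(("!", "-", "+", "@")) or "+" in suite:
        return None
    if suite.startswith("TLS_"):                 # TLS 1.3 suites always use ephemeral key exchange
        return True
    if "-" not in suite:                         # bare keyword such as HIGH or kEECDH
        return None
    return suite.startswith(("ECDHE-", "DHE-", "EDH-"))


def audit_server_block(conf: str):
    """Return a list of findings; an empty list means every check passed."""
    directives = parse_directives(conf)

    def args_of(name):
        return [args for n, args in directives if n == name]

    findings = []
    if not any("ssl" in args for args in args_of("listen")):
        findings.append("no `listen ... ssl` directive: this server block does not speak TLS")

    cipher_lists = args_of("ssl_ciphers")
    if not cipher_lists:
        findings.append("no ssl_ciphers directive: the OpenSSL default list will be used")
    for args in cipher_lists:
        for suite in args[0].split(":"):
            fs = forward_secret(suite)
            if fs is False:
                findings.append(f"cipher {suite} uses a static key exchange: no forward secrecy")
            elif fs is None:
                findings.append(f"cipher entry {suite} is a keyword group: expand it before trusting it")
    if not any(args == ["on"] for args in args_of("ssl_prefer_server_ciphers")):
        findings.append("ssl_prefer_server_ciphers is not on: the client's preference order wins")

    hsts = [a for a in args_of("add_header") if a and a[0].lower() == "strict-transport-security"]
    if not hsts:
        findings.append("no Strict-Transport-Security header: HSTS is not enabled")
    for args in hsts:
        m = re.search(r"max-age=(\d+)", args[1] if len(args) > 1 else "")
        if not m:
            findings.append("Strict-Transport-Security without max-age: browsers ignore it")
        elif int(m.group(1)) < SIX_MONTHS:
            findings.append(f"HSTS max-age {m.group(1)} is shorter than the six months used on the slides")
        if "always" not in args[2:]:
            findings.append("add_header without `always`: nginx (1.7.5+) adds the header only to 2xx/3xx responses")
    return findings


# Constructed server blocks. HARDENED is the slides' configuration with the `always`
# parameter added; WEAK keeps a static-RSA suite and a one-hour HSTS lifetime for comparison.
HARDENED = """
server {
    listen 443 ssl;
    # Force HSTS
    add_header Strict-Transport-Security "max-age=15768000" always;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256';
}
"""
WEAK = """
server {
    listen 443 ssl;
    add_header Strict-Transport-Security "max-age=3600";
    ssl_ciphers 'AES128-SHA:ECDHE-RSA-AES128-GCM-SHA256';
}
"""

if __name__ == "__main__":
    for label, conf in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, audit_server_block(conf) or ["OK"])
```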
NGINX Links
Getting Started
- NGINX Pitfalls
- NGINX Admin Guide
- NGINX Primer
- NGINX TIPS
- NGINX Doc and Modules Reference
- Understanding Nginx Server and Location Block Selection Algorithms
- Understanding the Nginx Configuration File Structure and Configuration Contexts
71 of 73
HTTPS Links
HTTPS
- BetterCrypto
- Mozilla Config Generator
- Cipherlist
- Why You Should Always Use HTTPS
- Hardening NGINX SSL/TLS Configuration
- Strong SSL Security on nginx
72 of 73
License
[CC BY-SA icon]
This work is released under the Creative Commons Attribution-Share Alike 4.0 International License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/4.0/ or send a letter to Creative Commons, 444 Castro Street, Suite 900, Mountain View, California, 94041, USA.
https://www.poul.org
73 of 73
- Introduction
-
- HTTP 101
- NGINX Architecture
- Can I try this at home
-
- Installation and Configuration
-
- Installing on Debian
- Configuration
- PHP-FPM
- Reverse Proxy
-
- Security
-
- SSLTLS and HTTPS
- Lets Encrypt
- HTTPS Hardening
-
- Links
-
Thatrsquos better
4 of 73
Even better
5 of 73
Disclaimer
6 of 73
Table of Contents
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links7 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links8 of 73
What is a Web Server
A web server is a software that processes requests via HTTP The primary function of a web server is to store process and deliverweb pages to browsers clients
Many generic web servers also support server-side scripting usingPHP or other scripting languages
9 of 73
First things first HTTP
HTTP is the foundation of data communication for the (guess what)World Wide Web (yay) HTTP functions as a requestndashresponse protocol
The client submits an HTTP request message to the server The server performs some functions and returns a response message
such as HTML files or other content
The response contains completion status information about therequest and may also contain requested content in its messagebody
10 of 73
HTTP Request Message
An HTTP request message is composed of three parts An HTTP Method and a request URI
(GET | POST | PUT | DELETE | PATCH | |) indexhtmlHTTP11
Zero o more Headers Host Connection Cookie Cache-Control User-Agent
X-Forwarded-Host many more
Optionally a message Body Useful if you are uploading something or submitting data to an html
form
11 of 73
HTTP Response Message
Nothing fancy just like a request message but instead of the HTTPmethod you have The Status code (404 not found anyone)
1xx Informational - Request received continuing process (good) 2xx Success - The action was successfully received understood and
accepted (good) 3xx Redirection - Further action must be taken in order to complete
the request (good) 4xx Client Error - The request contains bad syntax or cannot be
fulfilled (bad) 5xx Server Error - The server failed to fulfill an apparently valid
request (badder D)
12 of 73
Enough talk lemme see
telnet wwwpoulorg 80Trying 17631102216Connected to wwwpoulorgEscape character is rsquo^]rsquoGET HTTP 11Host wwwpoulorg
curl -i https wwwpoulorg
http https wwwpoulorg(requires the httpie package)
13 of 73
Enough talk lemme see
HTTP 11 200 OKCache -Control max -age=3 must -revalidateConnection keep -aliveContent -Encoding gzipContent -Length 7421Content -Type texthtml charset=UTF -8Date Sun 08 May 2016 192132 GMTStrict -Transport -Security max -age =15768000WP -Super -Cache Served supercache file from PHPX-Answer 42X-Fact systemd is bloated
lthtml lang=it -ITgtlthead [] gt
lttitle gtPOuL Politecnico Open unix Labs lttitle gt
14 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links15 of 73
What does rsquoHersquo have that I donrsquot
Lightweight Fast A pleasure to configure (shame on you Apache) Versatile (reverse proxy load balancer) (Modular)
16 of 73
NGINX Architecture
There are two different kinds of process Master process Itrsquos the main process it runs as root and fulfillstwo main tasks Read the configuration files Open the socket used to communicate with the worker processes (Slack off for the rest of the time)
Worker processes one or more processes run as unprivileged user(www-data on Debian) They do the real hard work managing all the HTTP requests coming
from thousands of clients (They work out in their free time) They donrsquot have free time
17 of 73
NGINX Architecture
Nginx Master Process
Worker P
rocess 1
Worker P
rocess 2
Worker P
rocess 3
Worker P
rocess n
Request Response 1
Request Response 2
Request Response 3
Request Response n
18 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links19 of 73
Can I try this at home
20 of 73
NAT
NAT21 of 73
DDNS
NATDDNS22 of 73
One image to rule them all
17631102216
19216811
19216812
19216813
9523720550
23 of 73
To sum up
NAT (port forwadingvirtual server) DDNS (Duck DNS Afraid no-ip) Happy Googling D
24 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links25 of 73
apt-get install
Debian Stable (Jessie at the time of writing) provides threedifferent flavours of nginx (itrsquos modular remember) nginx-light just a small subset of core modules nginx (nginx-full) he is your man nginx-extras bloated editionIf you want to see the full comparisonIf you want the (almost) latest version install it from the Backports
26 of 73
Installation Complete
Check the installed version
sudo nginx -v
Get the full list of the enabled modules
sudo nginx -V
Look for a specific module
sudo nginx -V 2gtamp1 | grep --color module_name
27 of 73
Installation Complete
Check the installed version
sudo nginx -v
Get the full list of the enabled modules
sudo nginx -V
Look for a specific module
sudo nginx -V 2gtamp1 | grep --color module_name
27 of 73
Installation Complete
Check the installed version
sudo nginx -v
Get the full list of the enabled modules
sudo nginx -V
Look for a specific module
sudo nginx -V 2gtamp1 | grep --color module_name
27 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links28 of 73
nginxconf
The good olrsquo days of httpdconf and htaccess have ended nginxconf kicks in And your days get even better (Maybe) ^^rsquo
29 of 73
Contexts
nginxconf is divided into five four contexts blocks (main)events(1) http(1) server(n) and location(n)
There is a hierarchy the events block is standalone httpcontains server blocks a server block contains location blocks
Directives defined in an higher block (like http) affect all theunderlying blocks (server and location)
Pro Tip apply directives in the highest context available
30 of 73
nginxconf stripped-down
user www -dataworker_processes 1pid runnginxpid
events worker_connections 128
http
server
location
31 of 73
Every time you do this a kitten dies
http
server
location root varwwwhtml
location another root varwwwhtml
32 of 73
VirtualHosts P
httpserver
listen 80server_name exampleorg wwwexampleorg
server listen 80server_name poulorg wwwpoulorg
server listen 80server_name fluffykittensit wwwfluffykittensit
33 of 73
location blocks
When we are in a location context we are usually dealing with filesand folders
Location diectives allow us to tell NGINX what to do when aspecific resource is requested
Such resource can be targeted using an exact path In this case we will prefix the uri with ldquo=rdquo
Alternatively we can rely on regex matching ~ prefix for case sensitive matching ~ prefix for case insensitive matching
Syntax l o c a t i o n [ = | ~ | ~lowast | ^~ ] u r i
34 of 73
Examples or GTFO
When I visit httpexampleorgdownloads I want a list of all thefiles in that folder
l o c a t i o n ~ download au to i ndex on
We donrsquot want our users to execute scripts from write accessbilefolders RIGHT
l o c a t i o n ~lowast ( images | cache | media | l o g s | tmp ) lowast ( php | p l | py ) $ r e t u r n 403 e r ro r_page 403 403 _er ro r html
35 of 73
Examples or GTFO
When I visit httpexampleorgdownloads I want a list of all thefiles in that folder
l o c a t i o n ~ download au to i ndex on
We donrsquot want our users to execute scripts from write accessbilefolders RIGHT
l o c a t i o n ~lowast ( images | cache | media | l o g s | tmp ) lowast ( php | p l | py ) $ r e t u r n 403 e r ro r_page 403 403 _er ro r html
35 of 73
Make yourself comfortable
36 of 73
Just Kidding
Demo
37 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links38 of 73
PHP-FPM Architecture
Request Nginx Socket
FastCGI Wrapper Wordpress
FastCGI Wrapper Drupal
FastCGI Wrapper ownCloud
FastCGI Wrapper $PHP_WebApp
39 of 73
php-fpmconf
sudo apt-get install php5-fpm sudo vimemacsatom(flame)etcphp5fpmpooldwwwconf
listen = varrunphp5-fpmsock sudo service php5-fpm restart
40 of 73
No way I want PHP 7
sudo apt-get install php70-fpm (httpspackagessuryorgphp) sudo vim (we have a winner)etcphp70fpmpooldwwwconf
listen = runphpphp70-fpmsock sudo service php70-fpm restart
41 of 73
Demo
Demo
42 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links43 of 73
ldquoTo infinity and beyondrdquo
Ruby RailsSinatraPuma Python FlaskTornadoDjango (the D is silent) JavaScript NodejsGhost Anything TransmissionSyncthingympd
44 of 73
Always the same pattern
A service running behind some port (8000 8080 8384 9091 etc) You want to access it without opening all those ports in yourfirewall
You want advanced settings Authentication SSLTLS
45 of 73
Demo
Demo
46 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links47 of 73
Itrsquos a conspiracy
48 of 73
HTTPS Oh yes the green lock |
SSLTLS in a nutshell Choose a fast symmetric cipher (like AES) This is called well thecipher
Choose a random key for that cipher This is called the sessionkey
Encrypt that key using RSA (public key crypto) and send it to theperson yoursquore communicating with
Then you both have the same AES key and can encrypt all yourcommunications back and forth after that
The NSA is sad (
49 of 73
Alice is suspicious
Everything is encrypted awesome but is Bob well Bob A digital certificate is an electronic document used to proveownership of a public key
The certificate includes information about the key its ownerrsquosidentity and the digital signature of a Certification Authority
A Certification Authority(CA) is an entity that issues digitalcertificates and verifies that the certificatersquos content is correct
50 of 73
Arya
51 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links52 of 73
Letrsquos Encrypt will be released any second now
53 of 73
any second now
54 of 73
aaaaany second now
55 of 73
now
56 of 73
57 of 73
58 of 73
Thank you
59 of 73
So we were saying Letrsquos Encrypt
60 of 73
Features - sounds good
Free Automatic Secure Transparent Open Cooperative
61 of 73
Under the hood
When you run the letsencrypt client a few tasks are performedhttpsletsencryptorghow-it-works Domain Validation (DNS or HTTP)
Provisioning a DNS record under examplecom Provisioning an HTTP resource under a well-known URI on
httpsexamplecom
Certificate Issuance Repeat every 23 months (yes a script would be helpful)
62 of 73
Plugins
httpsletsencryptreadthedocsioenlatestusinghtml apache Automates obtaining and installing a cert with Apache 24on Debian-based distributions
webroot Obtains a cert by writing to the webroot directory of analready running webserver
standalone Uses a ldquostandalonerdquo webserver to obtain a certRequires port 80 or 443 to be available
manual Helps you obtain a cert by giving you instructions toperform domain validation yourself
nginx Very experimental and not included in letsencrypt-auto D
63 of 73
Demo
Demo
64 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links65 of 73
Meet your new best friend (SSL Test)
httpswwwssllabscomssltestindexhtml
66 of 73
HTTP Strict Transport Security (HSTS)
It is an HTTP header sent from the server to the client Such header informs the client that HTTPS is availbale for therequested website
The ldquomax-agerdquo parameters sets the validity of this information (inseconds)
67 of 73
Enable HSTS in NGINX
Enabling HSTS is as simple as adding a common HTTP headerserver
listen 443 ssl
Force HSTSadd_header Strict -Transport -Security max -age =15768000
68 of 73
Perfect Forward Secrecy (PFS)
Letrsquos say someone intercepts and stores all our encryptedcommunications I know who would ever do that (cough)
If the private key is compromiseddeciphered all the previouscommunications could be unencrypted and read
Solution Use a new key for each session Call that key ldquoephimeralrdquo
69 of 73
PFS Pretty please with sugar on top
Just use the right cipherserver
listen 443 ssl
ssl_prefer_server_ciphers onssl_ciphers rsquoECDHE -RSA -AES128 -GCM -SHA256 rsquo
70 of 73
NGINX Links
Getting Started
NGINX PitfallsNGINX Admin GuideNGINX PrimerNGINXTIPSNGINX Doc and Modules ReferenceUnderstanding Nginx Server and Location Block Selection AlgorithmsUnderstanding the Nginx Configuration File Structure andConfiguration Contexts
71 of 73
HTTPS Links
HTTPS
BetterCryptoMozilla Config GeneratorCipherlistWhy You Should Always Use HTTPSHardening NGINX SSLTSL ConfigurationStrong SSL Security on nginx
72 of 73
License
mediaDatiSyncthingslide_nginx2015imagescc-by-sa_iconpng
Questrsquoopera egrave rilasciata sotto la licenza Creative Commons Attribution-Share Alike 40International License Per visualizzare una copia di questa licenza visitarehttpcreativecommonsorglicensesby-sa40 o inviare una lettera a CreativeCommons 444 Castro Street Suite 900 Mountain View California 94041 USA
httpswwwpoulorg
73 of 73
- Introduction
-
- HTTP 101
- NGINX Architecture
- Can I try this at home
-
- Installation and Configuration
-
- Installing on Debian
- Configuration
- PHP-FPM
- Reverse Proxy
-
- Security
-
- SSLTLS and HTTPS
- Lets Encrypt
- HTTPS Hardening
-
- Links
-
Even better
5 of 73
Disclaimer
6 of 73
Table of Contents
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links7 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links8 of 73
What is a Web Server
A web server is a software that processes requests via HTTP The primary function of a web server is to store process and deliverweb pages to browsers clients
Many generic web servers also support server-side scripting usingPHP or other scripting languages
9 of 73
First things first HTTP
HTTP is the foundation of data communication for the (guess what)World Wide Web (yay) HTTP functions as a requestndashresponse protocol
The client submits an HTTP request message to the server The server performs some functions and returns a response message
such as HTML files or other content
The response contains completion status information about therequest and may also contain requested content in its messagebody
10 of 73
HTTP Request Message
An HTTP request message is composed of three parts An HTTP Method and a request URI
(GET | POST | PUT | DELETE | PATCH | |) indexhtmlHTTP11
Zero o more Headers Host Connection Cookie Cache-Control User-Agent
X-Forwarded-Host many more
Optionally a message Body Useful if you are uploading something or submitting data to an html
form
11 of 73
HTTP Response Message
Nothing fancy just like a request message but instead of the HTTPmethod you have The Status code (404 not found anyone)
1xx Informational - Request received continuing process (good) 2xx Success - The action was successfully received understood and
accepted (good) 3xx Redirection - Further action must be taken in order to complete
the request (good) 4xx Client Error - The request contains bad syntax or cannot be
fulfilled (bad) 5xx Server Error - The server failed to fulfill an apparently valid
request (badder D)
12 of 73
Enough talk lemme see
telnet wwwpoulorg 80Trying 17631102216Connected to wwwpoulorgEscape character is rsquo^]rsquoGET HTTP 11Host wwwpoulorg
curl -i https wwwpoulorg
http https wwwpoulorg(requires the httpie package)
13 of 73
Enough talk lemme see
HTTP 11 200 OKCache -Control max -age=3 must -revalidateConnection keep -aliveContent -Encoding gzipContent -Length 7421Content -Type texthtml charset=UTF -8Date Sun 08 May 2016 192132 GMTStrict -Transport -Security max -age =15768000WP -Super -Cache Served supercache file from PHPX-Answer 42X-Fact systemd is bloated
lthtml lang=it -ITgtlthead [] gt
lttitle gtPOuL Politecnico Open unix Labs lttitle gt
14 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links15 of 73
What does rsquoHersquo have that I donrsquot
Lightweight Fast A pleasure to configure (shame on you Apache) Versatile (reverse proxy load balancer) (Modular)
16 of 73
NGINX Architecture
There are two different kinds of process Master process Itrsquos the main process it runs as root and fulfillstwo main tasks Read the configuration files Open the socket used to communicate with the worker processes (Slack off for the rest of the time)
Worker processes one or more processes run as unprivileged user(www-data on Debian) They do the real hard work managing all the HTTP requests coming
from thousands of clients (They work out in their free time) They donrsquot have free time
17 of 73
NGINX Architecture
Nginx Master Process
Worker P
rocess 1
Worker P
rocess 2
Worker P
rocess 3
Worker P
rocess n
Request Response 1
Request Response 2
Request Response 3
Request Response n
18 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links19 of 73
Can I try this at home
20 of 73
NAT
NAT21 of 73
DDNS
NATDDNS22 of 73
One image to rule them all
17631102216
19216811
19216812
19216813
9523720550
23 of 73
To sum up
NAT (port forwadingvirtual server) DDNS (Duck DNS Afraid no-ip) Happy Googling D
24 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links25 of 73
apt-get install
Debian Stable (Jessie at the time of writing) provides threedifferent flavours of nginx (itrsquos modular remember) nginx-light just a small subset of core modules nginx (nginx-full) he is your man nginx-extras bloated editionIf you want to see the full comparisonIf you want the (almost) latest version install it from the Backports
26 of 73
Installation Complete
Check the installed version
sudo nginx -v
Get the full list of the enabled modules
sudo nginx -V
Look for a specific module
sudo nginx -V 2gtamp1 | grep --color module_name
27 of 73
Installation Complete
Check the installed version
sudo nginx -v
Get the full list of the enabled modules
sudo nginx -V
Look for a specific module
sudo nginx -V 2gtamp1 | grep --color module_name
27 of 73
Installation Complete
Check the installed version
sudo nginx -v
Get the full list of the enabled modules
sudo nginx -V
Look for a specific module
sudo nginx -V 2gtamp1 | grep --color module_name
27 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links28 of 73
nginxconf
The good olrsquo days of httpdconf and htaccess have ended nginxconf kicks in And your days get even better (Maybe) ^^rsquo
29 of 73
Contexts
nginx.conf is divided into four (five, if you count main) context blocks: (main), events (1), http (1), server (n) and location (n).
There is a hierarchy: the events block is standalone, http contains server blocks, and a server block contains location blocks.
Directives defined in a higher block (like http) affect all the underlying blocks (server and location).
Pro Tip: apply directives in the highest context available.
nginx.conf stripped-down
    user www-data;
    worker_processes 1;
    pid /run/nginx.pid;

    events {
        worker_connections 128;
    }

    http {
        server {
            location / {
            }
        }
    }
Every time you do this a kitten dies
    http {
        server {
            location / {
                root /var/www/html;
            }
            location /another {
                root /var/www/html;
            }
        }
    }
(The same root is repeated in every location; it belongs one level up, in the server block, where both locations inherit it.)
VirtualHosts :P
    http {
        server {
            listen 80;
            server_name example.org www.example.org;
        }
        server {
            listen 80;
            server_name poul.org www.poul.org;
        }
        server {
            listen 80;
            server_name fluffykittens.it www.fluffykittens.it;
        }
    }
location blocks
When we are in a location context we are usually dealing with files and folders.
Location directives allow us to tell NGINX what to do when a specific resource is requested.
Such a resource can be targeted using an exact path; in this case we prefix the URI with "=".
Alternatively we can rely on regex matching: the "~" prefix for case-sensitive matching, the "~*" prefix for case-insensitive matching.
Syntax: location [ = | ~ | ~* | ^~ ] uri { ... }
Examples or GTFO
When I visit http://example.org/downloads I want a list of all the files in that folder:
    location ~ /download {
        autoindex on;
    }
We don't want our users to execute scripts from write-accessible folders, RIGHT?
    location ~* /(images|cache|media|logs|tmp)/.*\.(php|pl|py)$ {
        return 403;
        error_page 403 /403_error.html;
    }
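To see what the two location blocks above really do for a given URI, here is an added example (not from the slides or from NGINX itself) that models NGINX's location selection algorithm in Python; `Location`, `select_location` and `action_for` are this example's own names, and the `^~ /static/` block is a constructed addition. It shows that regex locations are tried in file order, so a request such as `/cache/download/x.php` hits the autoindex regex before the deny regex ever runs.

```python
import re

# Added example (not NGINX code): a small model of how NGINX picks the location
# block for a request URI, used to check what the slide's two locations do.


class Location:
    """One `location [modifier] pattern { ... }` block; `action` stands for its body."""

    def __init__(self, modifier, pattern, action):
        self.modifier = modifier  # "" (prefix), "=", "^~", "~" or "~*"
        self.pattern = pattern
        self.action = action
        self.regex = None
        if modifier in ("~", "~*"):
            flags = re.IGNORECASE if modifier == "~*" else 0
            self.regex = re.compile(pattern, flags)

    def prefix_matches(self, uri):
        return self.modifier in ("", "^~") and uri.startswith(self.pattern)


def select_location(locations, uri):
    """Return the Location NGINX would use for uri, or None.

    Order documented for ngx_http_core_module:
      1. an exact "=" match wins immediately;
      2. the longest matching prefix is remembered; if it is "^~", regexes are skipped;
      3. regex locations are tried in file order and the FIRST match wins;
      4. otherwise the remembered prefix match is used.
    """
    best_prefix = None
    for loc in locations:
        if loc.modifier == "=" and uri == loc.pattern:
            return loc
        if loc.prefix_matches(uri) and (
            best_prefix is None or len(loc.pattern) > len(best_prefix.pattern)
        ):
            best_prefix = loc
    if best_prefix is not None and best_prefix.modifier == "^~":
        return best_prefix
    for loc in locations:
        if loc.regex is not None and loc.regex.search(uri):
            return loc
    return best_prefix


# The two locations from the slide, plus a catch-all prefix location and a
# constructed "^~ /static/" block to show how ^~ interacts with the regexes.
SLIDE_CONFIG = [
    Location("", "/", "serve from root"),
    Location("^~", "/static/", "serve static, regexes skipped"),
    Location("~", "/download", "autoindex on"),
    Location("~*", r"/(images|cache|media|logs|tmp)/.*\.(php|pl|py)$", "return 403"),
]


def action_for(uri, config=SLIDE_CONFIG):
    """Name of the block body that would handle uri under config."""
    loc = select_location(config, uri)
    return loc.action if loc is not None else "no match"


if __name__ == "__main__":
    for uri in ("/index.html", "/download/", "/images/shell.php", "/IMAGES/Shell.PHP",
                "/cache/download/x.php", "/static/images/x.php"):
        print(f"{uri:26} -> {action_for(uri)}")
```

Moving the `return 403` block above the `/download` one in the file (or anchoring that regex as `^/download`) is what turns the `/cache/download/x.php` case into a 403; the `^~ /static/` case shows that a `^~` prefix match bypasses every regex, deny rules included.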
Make yourself comfortable
Just Kidding
Demo
PHP-FPM Architecture
[Diagram: Request -> Nginx -> Socket -> a FastCGI wrapper per PHP web app (Wordpress, Drupal, ownCloud, $PHP_WebApp)]
php-fpm.conf
    sudo apt-get install php5-fpm
    sudo vim/emacs/atom (flame!) /etc/php5/fpm/pool.d/www.conf
        listen = /var/run/php5-fpm.sock
    sudo service php5-fpm restart
No way, I want PHP 7
    sudo apt-get install php7.0-fpm (https://packages.sury.org/php)
    sudo vim (we have a winner) /etc/php/7.0/fpm/pool.d/www.conf
        listen = /run/php/php7.0-fpm.sock
    sudo service php7.0-fpm restart
Demo
"To infinity and beyond"
- Ruby: Rails, Sinatra, Puma
- Python: Flask, Tornado, Django (the D is silent)
- JavaScript: Node.js, Ghost
- Anything: Transmission, Syncthing, ympd
Always the same pattern
- A service running behind some port (8000, 8080, 8384, 9091, etc.)
- You want to access it without opening all those ports in your firewall
- You want advanced settings: authentication, SSL/TLS
Demo
It's a conspiracy
HTTPS: Oh yes, the green lock!
SSL/TLS in a nutshell:
- Choose a fast symmetric cipher (like AES). This is called, well, the cipher.
- Choose a random key for that cipher. This is called the session key.
- Encrypt that key using RSA (public key crypto) and send it to the person you're communicating with.
- Then you both have the same AES key and can encrypt all your communications back and forth after that.
The NSA is sad :(
Alice is suspicious
Everything is encrypted, awesome, but is Bob... well, Bob?
A digital certificate is an electronic document used to prove ownership of a public key.
The certificate includes information about the key, its owner's identity and the digital signature of a Certification Authority.
A Certification Authority (CA) is an entity that issues digital certificates and verifies that the certificate's content is correct.
Arya
Let's Encrypt will be released any second now...
...any second now...
...aaaaany second now...
...now!
Thank you
So, we were saying: Let's Encrypt
Features - sounds good
Free, Automatic, Secure, Transparent, Open, Cooperative
Under the hood
When you run the letsencrypt client a few tasks are performed (https://letsencrypt.org/how-it-works):
- Domain Validation (DNS or HTTP):
    - provisioning a DNS record under example.com, or
    - provisioning an HTTP resource under a well-known URI on https://example.com
- Certificate Issuance
- Repeat every 2-3 months (yes, a script would be helpful)
Plugins
https://letsencrypt.readthedocs.io/en/latest/using.html
- apache: automates obtaining and installing a cert with Apache 2.4 on Debian-based distributions
- webroot: obtains a cert by writing to the webroot directory of an already running webserver
- standalone: uses a "standalone" webserver to obtain a cert; requires port 80 or 443 to be available
- manual: helps you obtain a cert by giving you instructions to perform domain validation yourself
- nginx: very experimental and not included in letsencrypt-auto :D
Demo
Meet your new best friend (SSL Test)
https://www.ssllabs.com/ssltest/index.html
HTTP Strict Transport Security (HSTS)
It is an HTTP header sent from the server to the client. Such a header tells the client that the requested website is to be reached over HTTPS only from now on.
The "max-age" parameter sets the validity of this information (in seconds).
Enable HSTS in NGINX
Enabling HSTS is as simple as adding a common HTTP header:
    server {
        listen 443 ssl;
        # Force HSTS
        add_header Strict-Transport-Security max-age=15768000;
    }
Perfect Forward Secrecy (PFS)
Let's say someone intercepts and stores all our encrypted communications. I know, who would ever do that? (cough)
If the private key is compromised or deciphered, all the previous communications could be decrypted and read.
Solution: use a new key for each session. Call that key "ephemeral".
PFS: Pretty please, with sugar on top
Just use the right cipher:
    server {
        listen 443 ssl;
        ssl_prefer_server_ciphers on;
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256';
    }
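As an added example serving both the HSTS slides and the PFS slides above (not code from the talk or from NGINX), the Python below checks the two things a defender would actually verify on a deployment: that a captured response carries a sane Strict-Transport-Security header, and that every entry of an ssl_ciphers string uses an ephemeral key exchange. `parse_hsts`, `hsts_findings`, `cipher_has_pfs`, `non_pfs_ciphers` and the sample headers are this example's own constructions; the six-month threshold is the slide's max-age of 15768000 seconds.

```python
# Added example (not from the slides). Sample data is constructed inline.

SIX_MONTHS = 15768000  # the max-age used on the slide, in seconds


def parse_hsts(value):
    """Parse the directives of a Strict-Transport-Security value (RFC 6797)."""
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name == "max-age":
            if not val.isdigit():
                raise ValueError("max-age must be a non-negative integer")
            result["max_age"] = int(val)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    if result["max_age"] is None:
        raise ValueError("max-age directive is required")
    return result


def hsts_findings(headers, over_https=True):
    """headers: the 'Name: value' lines of one HTTP response. Returns findings."""
    values = []
    for line in headers:
        name, sep, val = line.partition(":")
        if sep and name.strip().lower() == "strict-transport-security":
            values.append(val.strip())
    if not values:
        return ["no Strict-Transport-Security header"]
    findings = []
    if not over_https:
        # RFC 6797: a client must ignore HSTS received over an insecure transport,
        # so the header only helps when sent from the `listen 443 ssl` server.
        findings.append("HSTS header received over plain HTTP is ignored by browsers")
    try:
        hsts = parse_hsts(values[0])
    except ValueError as exc:
        return findings + [f"malformed HSTS header: {exc}"]
    if hsts["max_age"] == 0:
        findings.append("max-age=0 tells the browser to forget the HSTS policy")
    elif hsts["max_age"] < SIX_MONTHS:
        findings.append(f"max-age={hsts['max_age']} is shorter than six months")
    if not hsts["include_subdomains"]:
        findings.append("includeSubDomains not set")
    return findings


def cipher_has_pfs(name):
    """OpenSSL cipher names put the key exchange first; only (EC)DHE is ephemeral.

    A name that starts with the bulk cipher (e.g. AES128-SHA) means static RSA key
    transport, the "encrypt the session key with RSA" scheme from the TLS-in-a-
    nutshell slide, so a leaked private key decrypts every recorded session.
    TLS 1.3 suites (TLS_...) always use an ephemeral exchange.
    """
    upper = name.upper()
    return upper.startswith(("ECDHE-", "DHE-", "TLS_"))


def non_pfs_ciphers(ssl_ciphers):
    """Entries of a colon-separated ssl_ciphers string that lack forward secrecy.

    Exclusions such as !aNULL are skipped. OpenSSL aliases (HIGH, ...) are not
    expanded here and are reported as-is so they get reviewed by hand.
    """
    return [c for c in ssl_ciphers.split(":")
            if c and not c.startswith(("!", "-", "+", "@")) and not cipher_has_pfs(c)]


# Constructed sample modelled on the slide's add_header directive.
SAMPLE_HEADERS = [
    "HTTP/1.1 200 OK",
    "Content-Type: text/html; charset=UTF-8",
    "Strict-Transport-Security: max-age=15768000",
]

if __name__ == "__main__":
    print(hsts_findings(SAMPLE_HEADERS))
    print(non_pfs_ciphers("ECDHE-RSA-AES128-GCM-SHA256:AES256-SHA:!aNULL"))
```

Checking the real response headers, rather than the config, matters in NGINX because an add_header inside a location replaces the add_header directives inherited from the server block instead of merging with them, so the HSTS header can silently vanish on some paths.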
NGINX Links
Getting Started:
- NGINX Pitfalls
- NGINX Admin Guide
- NGINX Primer
- NGINX TIPS
- NGINX Doc and Modules Reference
- Understanding Nginx Server and Location Block Selection Algorithms
- Understanding the Nginx Configuration File Structure and Configuration Contexts
HTTPS Links
- BetterCrypto
- Mozilla Config Generator
- Cipherlist
- Why You Should Always Use HTTPS
- Hardening NGINX SSL/TLS Configuration
- Strong SSL Security on nginx
License
This work is released under the Creative Commons Attribution-Share Alike 4.0 International License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/4.0 or send a letter to Creative Commons, 444 Castro Street, Suite 900, Mountain View, California, 94041, USA.
https://www.poul.org
- Introduction
-
- HTTP 101
- NGINX Architecture
- Can I try this at home
-
- Installation and Configuration
-
- Installing on Debian
- Configuration
- PHP-FPM
- Reverse Proxy
-
- Security
-
- SSLTLS and HTTPS
- Lets Encrypt
- HTTPS Hardening
-
- Links
-
Disclaimer
6 of 73
Table of Contents
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links7 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links8 of 73
What is a Web Server
A web server is a software that processes requests via HTTP The primary function of a web server is to store process and deliverweb pages to browsers clients
Many generic web servers also support server-side scripting usingPHP or other scripting languages
9 of 73
First things first HTTP
HTTP is the foundation of data communication for the (guess what)World Wide Web (yay) HTTP functions as a requestndashresponse protocol
The client submits an HTTP request message to the server The server performs some functions and returns a response message
such as HTML files or other content
The response contains completion status information about therequest and may also contain requested content in its messagebody
10 of 73
HTTP Request Message
An HTTP request message is composed of three parts An HTTP Method and a request URI
(GET | POST | PUT | DELETE | PATCH | |) indexhtmlHTTP11
Zero o more Headers Host Connection Cookie Cache-Control User-Agent
X-Forwarded-Host many more
Optionally a message Body Useful if you are uploading something or submitting data to an html
form
11 of 73
HTTP Response Message
Nothing fancy just like a request message but instead of the HTTPmethod you have The Status code (404 not found anyone)
1xx Informational - Request received continuing process (good) 2xx Success - The action was successfully received understood and
accepted (good) 3xx Redirection - Further action must be taken in order to complete
the request (good) 4xx Client Error - The request contains bad syntax or cannot be
fulfilled (bad) 5xx Server Error - The server failed to fulfill an apparently valid
request (badder D)
12 of 73
Enough talk lemme see
telnet wwwpoulorg 80Trying 17631102216Connected to wwwpoulorgEscape character is rsquo^]rsquoGET HTTP 11Host wwwpoulorg
curl -i https wwwpoulorg
http https wwwpoulorg(requires the httpie package)
13 of 73
Enough talk lemme see
HTTP 11 200 OKCache -Control max -age=3 must -revalidateConnection keep -aliveContent -Encoding gzipContent -Length 7421Content -Type texthtml charset=UTF -8Date Sun 08 May 2016 192132 GMTStrict -Transport -Security max -age =15768000WP -Super -Cache Served supercache file from PHPX-Answer 42X-Fact systemd is bloated
lthtml lang=it -ITgtlthead [] gt
lttitle gtPOuL Politecnico Open unix Labs lttitle gt
14 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links15 of 73
What does rsquoHersquo have that I donrsquot
Lightweight Fast A pleasure to configure (shame on you Apache) Versatile (reverse proxy load balancer) (Modular)
16 of 73
NGINX Architecture
There are two different kinds of process Master process Itrsquos the main process it runs as root and fulfillstwo main tasks Read the configuration files Open the socket used to communicate with the worker processes (Slack off for the rest of the time)
Worker processes one or more processes run as unprivileged user(www-data on Debian) They do the real hard work managing all the HTTP requests coming
from thousands of clients (They work out in their free time) They donrsquot have free time
17 of 73
NGINX Architecture
Nginx Master Process
Worker P
rocess 1
Worker P
rocess 2
Worker P
rocess 3
Worker P
rocess n
Request Response 1
Request Response 2
Request Response 3
Request Response n
18 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links19 of 73
Can I try this at home
20 of 73
NAT
NAT21 of 73
DDNS
NATDDNS22 of 73
One image to rule them all
17631102216
19216811
19216812
19216813
9523720550
23 of 73
To sum up
NAT (port forwadingvirtual server) DDNS (Duck DNS Afraid no-ip) Happy Googling D
24 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links25 of 73
apt-get install
Debian Stable (Jessie at the time of writing) provides threedifferent flavours of nginx (itrsquos modular remember) nginx-light just a small subset of core modules nginx (nginx-full) he is your man nginx-extras bloated editionIf you want to see the full comparisonIf you want the (almost) latest version install it from the Backports
26 of 73
Installation Complete
Check the installed version
sudo nginx -v
Get the full list of the enabled modules
sudo nginx -V
Look for a specific module
sudo nginx -V 2gtamp1 | grep --color module_name
27 of 73
Installation Complete
Check the installed version
sudo nginx -v
Get the full list of the enabled modules
sudo nginx -V
Look for a specific module
sudo nginx -V 2gtamp1 | grep --color module_name
27 of 73
Installation Complete
Check the installed version
sudo nginx -v
Get the full list of the enabled modules
sudo nginx -V
Look for a specific module
sudo nginx -V 2gtamp1 | grep --color module_name
27 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links28 of 73
nginxconf
The good olrsquo days of httpdconf and htaccess have ended nginxconf kicks in And your days get even better (Maybe) ^^rsquo
29 of 73
Contexts
nginxconf is divided into five four contexts blocks (main)events(1) http(1) server(n) and location(n)
There is a hierarchy the events block is standalone httpcontains server blocks a server block contains location blocks
Directives defined in an higher block (like http) affect all theunderlying blocks (server and location)
Pro Tip apply directives in the highest context available
30 of 73
nginxconf stripped-down
user www -dataworker_processes 1pid runnginxpid
events worker_connections 128
http
server
location
31 of 73
Every time you do this a kitten dies
http
server
location root varwwwhtml
location another root varwwwhtml
32 of 73
VirtualHosts P
httpserver
listen 80server_name exampleorg wwwexampleorg
server listen 80server_name poulorg wwwpoulorg
server listen 80server_name fluffykittensit wwwfluffykittensit
33 of 73
location blocks
When we are in a location context we are usually dealing with filesand folders
Location diectives allow us to tell NGINX what to do when aspecific resource is requested
Such resource can be targeted using an exact path In this case we will prefix the uri with ldquo=rdquo
Alternatively we can rely on regex matching ~ prefix for case sensitive matching ~ prefix for case insensitive matching
Syntax l o c a t i o n [ = | ~ | ~lowast | ^~ ] u r i
34 of 73
Examples or GTFO
When I visit httpexampleorgdownloads I want a list of all thefiles in that folder
l o c a t i o n ~ download au to i ndex on
We donrsquot want our users to execute scripts from write accessbilefolders RIGHT
l o c a t i o n ~lowast ( images | cache | media | l o g s | tmp ) lowast ( php | p l | py ) $ r e t u r n 403 e r ro r_page 403 403 _er ro r html
35 of 73
Examples or GTFO
When I visit httpexampleorgdownloads I want a list of all thefiles in that folder
l o c a t i o n ~ download au to i ndex on
We donrsquot want our users to execute scripts from write accessbilefolders RIGHT
l o c a t i o n ~lowast ( images | cache | media | l o g s | tmp ) lowast ( php | p l | py ) $ r e t u r n 403 e r ro r_page 403 403 _er ro r html
35 of 73
Make yourself comfortable
36 of 73
Just Kidding
Demo
37 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links38 of 73
PHP-FPM Architecture
Request Nginx Socket
FastCGI Wrapper Wordpress
FastCGI Wrapper Drupal
FastCGI Wrapper ownCloud
FastCGI Wrapper $PHP_WebApp
39 of 73
php-fpmconf
sudo apt-get install php5-fpm sudo vimemacsatom(flame)etcphp5fpmpooldwwwconf
listen = varrunphp5-fpmsock sudo service php5-fpm restart
40 of 73
No way I want PHP 7
sudo apt-get install php70-fpm (httpspackagessuryorgphp) sudo vim (we have a winner)etcphp70fpmpooldwwwconf
listen = runphpphp70-fpmsock sudo service php70-fpm restart
41 of 73
Demo
Demo
42 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links43 of 73
ldquoTo infinity and beyondrdquo
Ruby RailsSinatraPuma Python FlaskTornadoDjango (the D is silent) JavaScript NodejsGhost Anything TransmissionSyncthingympd
44 of 73
Always the same pattern
A service running behind some port (8000 8080 8384 9091 etc) You want to access it without opening all those ports in yourfirewall
You want advanced settings Authentication SSLTLS
45 of 73
Demo
Demo
46 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links47 of 73
Itrsquos a conspiracy
48 of 73
HTTPS Oh yes the green lock |
SSLTLS in a nutshell Choose a fast symmetric cipher (like AES) This is called well thecipher
Choose a random key for that cipher This is called the sessionkey
Encrypt that key using RSA (public key crypto) and send it to theperson yoursquore communicating with
Then you both have the same AES key and can encrypt all yourcommunications back and forth after that
The NSA is sad (
49 of 73
Alice is suspicious
Everything is encrypted awesome but is Bob well Bob A digital certificate is an electronic document used to proveownership of a public key
The certificate includes information about the key its ownerrsquosidentity and the digital signature of a Certification Authority
A Certification Authority(CA) is an entity that issues digitalcertificates and verifies that the certificatersquos content is correct
50 of 73
Arya
51 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links52 of 73
Letrsquos Encrypt will be released any second now
53 of 73
any second now
54 of 73
aaaaany second now
55 of 73
now
56 of 73
57 of 73
58 of 73
Thank you
59 of 73
So we were saying Letrsquos Encrypt
60 of 73
Features - sounds good
Free Automatic Secure Transparent Open Cooperative
61 of 73
Under the hood
When you run the letsencrypt client a few tasks are performedhttpsletsencryptorghow-it-works Domain Validation (DNS or HTTP)
Provisioning a DNS record under examplecom Provisioning an HTTP resource under a well-known URI on
httpsexamplecom
Certificate Issuance Repeat every 23 months (yes a script would be helpful)
62 of 73
Plugins
httpsletsencryptreadthedocsioenlatestusinghtml apache Automates obtaining and installing a cert with Apache 24on Debian-based distributions
webroot Obtains a cert by writing to the webroot directory of analready running webserver
standalone Uses a ldquostandalonerdquo webserver to obtain a certRequires port 80 or 443 to be available
manual Helps you obtain a cert by giving you instructions toperform domain validation yourself
nginx Very experimental and not included in letsencrypt-auto D
63 of 73
Demo
Demo
64 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links65 of 73
Meet your new best friend (SSL Test)
httpswwwssllabscomssltestindexhtml
66 of 73
HTTP Strict Transport Security (HSTS)
It is an HTTP header sent from the server to the client Such header informs the client that HTTPS is availbale for therequested website
The ldquomax-agerdquo parameters sets the validity of this information (inseconds)
67 of 73
Enable HSTS in NGINX
Enabling HSTS is as simple as adding a common HTTP headerserver
listen 443 ssl
Force HSTSadd_header Strict -Transport -Security max -age =15768000
68 of 73
Perfect Forward Secrecy (PFS)
Letrsquos say someone intercepts and stores all our encryptedcommunications I know who would ever do that (cough)
If the private key is compromiseddeciphered all the previouscommunications could be unencrypted and read
Solution Use a new key for each session Call that key ldquoephimeralrdquo
69 of 73
PFS Pretty please with sugar on top
Just use the right cipherserver
listen 443 ssl
ssl_prefer_server_ciphers onssl_ciphers rsquoECDHE -RSA -AES128 -GCM -SHA256 rsquo
70 of 73
NGINX Links
Getting Started
NGINX PitfallsNGINX Admin GuideNGINX PrimerNGINXTIPSNGINX Doc and Modules ReferenceUnderstanding Nginx Server and Location Block Selection AlgorithmsUnderstanding the Nginx Configuration File Structure andConfiguration Contexts
71 of 73
HTTPS Links
HTTPS
BetterCryptoMozilla Config GeneratorCipherlistWhy You Should Always Use HTTPSHardening NGINX SSLTSL ConfigurationStrong SSL Security on nginx
72 of 73
License
mediaDatiSyncthingslide_nginx2015imagescc-by-sa_iconpng
Questrsquoopera egrave rilasciata sotto la licenza Creative Commons Attribution-Share Alike 40International License Per visualizzare una copia di questa licenza visitarehttpcreativecommonsorglicensesby-sa40 o inviare una lettera a CreativeCommons 444 Castro Street Suite 900 Mountain View California 94041 USA
httpswwwpoulorg
73 of 73
- Introduction
-
- HTTP 101
- NGINX Architecture
- Can I try this at home
-
- Installation and Configuration
-
- Installing on Debian
- Configuration
- PHP-FPM
- Reverse Proxy
-
- Security
-
- SSLTLS and HTTPS
- Lets Encrypt
- HTTPS Hardening
-
- Links
-
Table of Contents
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links7 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links8 of 73
What is a Web Server
A web server is a software that processes requests via HTTP The primary function of a web server is to store process and deliverweb pages to browsers clients
Many generic web servers also support server-side scripting usingPHP or other scripting languages
9 of 73
First things first HTTP
HTTP is the foundation of data communication for the (guess what)World Wide Web (yay) HTTP functions as a requestndashresponse protocol
The client submits an HTTP request message to the server The server performs some functions and returns a response message
such as HTML files or other content
The response contains completion status information about therequest and may also contain requested content in its messagebody
10 of 73
HTTP Request Message
An HTTP request message is composed of three parts An HTTP Method and a request URI
(GET | POST | PUT | DELETE | PATCH | |) indexhtmlHTTP11
Zero o more Headers Host Connection Cookie Cache-Control User-Agent
X-Forwarded-Host many more
Optionally a message Body Useful if you are uploading something or submitting data to an html
form
11 of 73
HTTP Response Message
Nothing fancy just like a request message but instead of the HTTPmethod you have The Status code (404 not found anyone)
1xx Informational - Request received continuing process (good) 2xx Success - The action was successfully received understood and
accepted (good) 3xx Redirection - Further action must be taken in order to complete
the request (good) 4xx Client Error - The request contains bad syntax or cannot be
fulfilled (bad) 5xx Server Error - The server failed to fulfill an apparently valid
request (badder D)
12 of 73
Enough talk lemme see
telnet wwwpoulorg 80Trying 17631102216Connected to wwwpoulorgEscape character is rsquo^]rsquoGET HTTP 11Host wwwpoulorg
curl -i https wwwpoulorg
http https wwwpoulorg(requires the httpie package)
13 of 73
Enough talk lemme see
HTTP 11 200 OKCache -Control max -age=3 must -revalidateConnection keep -aliveContent -Encoding gzipContent -Length 7421Content -Type texthtml charset=UTF -8Date Sun 08 May 2016 192132 GMTStrict -Transport -Security max -age =15768000WP -Super -Cache Served supercache file from PHPX-Answer 42X-Fact systemd is bloated
lthtml lang=it -ITgtlthead [] gt
lttitle gtPOuL Politecnico Open unix Labs lttitle gt
14 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links15 of 73
What does rsquoHersquo have that I donrsquot
Lightweight Fast A pleasure to configure (shame on you Apache) Versatile (reverse proxy load balancer) (Modular)
16 of 73
NGINX Architecture
There are two different kinds of process Master process Itrsquos the main process it runs as root and fulfillstwo main tasks Read the configuration files Open the socket used to communicate with the worker processes (Slack off for the rest of the time)
Worker processes one or more processes run as unprivileged user(www-data on Debian) They do the real hard work managing all the HTTP requests coming
from thousands of clients (They work out in their free time) They donrsquot have free time
17 of 73
NGINX Architecture
Nginx Master Process
Worker P
rocess 1
Worker P
rocess 2
Worker P
rocess 3
Worker P
rocess n
Request Response 1
Request Response 2
Request Response 3
Request Response n
18 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links19 of 73
Can I try this at home
20 of 73
NAT
NAT21 of 73
DDNS
NATDDNS22 of 73
One image to rule them all
17631102216
19216811
19216812
19216813
9523720550
23 of 73
To sum up
NAT (port forwadingvirtual server) DDNS (Duck DNS Afraid no-ip) Happy Googling D
24 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links25 of 73
apt-get install
Debian Stable (Jessie at the time of writing) provides threedifferent flavours of nginx (itrsquos modular remember) nginx-light just a small subset of core modules nginx (nginx-full) he is your man nginx-extras bloated editionIf you want to see the full comparisonIf you want the (almost) latest version install it from the Backports
26 of 73
Installation Complete
Check the installed version
sudo nginx -v
Get the full list of the enabled modules
sudo nginx -V
Look for a specific module
sudo nginx -V 2gtamp1 | grep --color module_name
27 of 73
Installation Complete
Check the installed version
sudo nginx -v
Get the full list of the enabled modules
sudo nginx -V
Look for a specific module
sudo nginx -V 2gtamp1 | grep --color module_name
27 of 73
Installation Complete
Check the installed version
sudo nginx -v
Get the full list of the enabled modules
sudo nginx -V
Look for a specific module
sudo nginx -V 2gtamp1 | grep --color module_name
27 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links28 of 73
nginxconf
The good olrsquo days of httpdconf and htaccess have ended nginxconf kicks in And your days get even better (Maybe) ^^rsquo
29 of 73
Contexts
nginxconf is divided into five four contexts blocks (main)events(1) http(1) server(n) and location(n)
There is a hierarchy the events block is standalone httpcontains server blocks a server block contains location blocks
Directives defined in an higher block (like http) affect all theunderlying blocks (server and location)
Pro Tip apply directives in the highest context available
30 of 73
nginxconf stripped-down
user www -dataworker_processes 1pid runnginxpid
events worker_connections 128
http
server
location
31 of 73
Every time you do this a kitten dies
http
server
location root varwwwhtml
location another root varwwwhtml
32 of 73
VirtualHosts P
httpserver
listen 80server_name exampleorg wwwexampleorg
server listen 80server_name poulorg wwwpoulorg
server listen 80server_name fluffykittensit wwwfluffykittensit
33 of 73
location blocks
When we are in a location context we are usually dealing with filesand folders
Location diectives allow us to tell NGINX what to do when aspecific resource is requested
Such resource can be targeted using an exact path In this case we will prefix the uri with ldquo=rdquo
Alternatively we can rely on regex matching ~ prefix for case sensitive matching ~ prefix for case insensitive matching
Syntax l o c a t i o n [ = | ~ | ~lowast | ^~ ] u r i
34 of 73
Examples or GTFO
When I visit httpexampleorgdownloads I want a list of all thefiles in that folder
l o c a t i o n ~ download au to i ndex on
We donrsquot want our users to execute scripts from write accessbilefolders RIGHT
l o c a t i o n ~lowast ( images | cache | media | l o g s | tmp ) lowast ( php | p l | py ) $ r e t u r n 403 e r ro r_page 403 403 _er ro r html
35 of 73
Examples or GTFO
When I visit httpexampleorgdownloads I want a list of all thefiles in that folder
l o c a t i o n ~ download au to i ndex on
We donrsquot want our users to execute scripts from write accessbilefolders RIGHT
l o c a t i o n ~lowast ( images | cache | media | l o g s | tmp ) lowast ( php | p l | py ) $ r e t u r n 403 e r ro r_page 403 403 _er ro r html
35 of 73
Make yourself comfortable
36 of 73
Just Kidding
Demo
37 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links38 of 73
PHP-FPM Architecture
Request Nginx Socket
FastCGI Wrapper Wordpress
FastCGI Wrapper Drupal
FastCGI Wrapper ownCloud
FastCGI Wrapper $PHP_WebApp
39 of 73
php-fpmconf
sudo apt-get install php5-fpm sudo vimemacsatom(flame)etcphp5fpmpooldwwwconf
listen = varrunphp5-fpmsock sudo service php5-fpm restart
40 of 73
No way I want PHP 7
sudo apt-get install php70-fpm (httpspackagessuryorgphp) sudo vim (we have a winner)etcphp70fpmpooldwwwconf
listen = runphpphp70-fpmsock sudo service php70-fpm restart
41 of 73
Demo
Demo
42 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links43 of 73
ldquoTo infinity and beyondrdquo
Ruby RailsSinatraPuma Python FlaskTornadoDjango (the D is silent) JavaScript NodejsGhost Anything TransmissionSyncthingympd
44 of 73
Always the same pattern
A service running behind some port (8000 8080 8384 9091 etc) You want to access it without opening all those ports in yourfirewall
You want advanced settings Authentication SSLTLS
45 of 73
Demo
Demo
46 of 73
Outline: Security / SSL/TLS and HTTPS
It's a conspiracy

HTTPS? Oh yes, the green lock!

SSL/TLS in a nutshell:
- Choose a fast symmetric cipher (like AES). This is called, well, the cipher.
- Choose a random key for that cipher. This is called the session key.
- Encrypt that key using RSA (public key crypto) and send it to the person you're communicating with.
- Then you both have the same AES key and can encrypt all your communications back and forth after that.
The NSA is sad :(

This is the RSA key-exchange flavour of TLS: whoever holds the server's RSA private key can unwrap the session key of any recorded session, which is exactly the weakness the forward-secrecy slides fix by agreeing on an ephemeral key instead (TLS 1.3 has dropped RSA key exchange altogether).
Alice is suspicious

Everything is encrypted, awesome, but is Bob... well, Bob?
- A digital certificate is an electronic document used to prove ownership of a public key.
- The certificate includes information about the key, its owner's identity and the digital signature of a Certification Authority.
- A Certification Authority (CA) is an entity that issues digital certificates and verifies that the certificate's content is correct.
The browser trusts Bob only if the certificate's signature chains up to a CA in its trust store and the name in the certificate matches the host it connected to; encryption without that check just gives you a private conversation with whoever answered.

Arya
Outline: Security / Let's Encrypt
Let's Encrypt will be released any second now...

...any second now...

...aaaaany second now...

...now!

Thank you!

So, we were saying: Let's Encrypt
Features - sounds good

Free, Automatic, Secure, Transparent, Open, Cooperative
Under the hood

When you run the letsencrypt client a few tasks are performed (https://letsencrypt.org/how-it-works/):
- Domain Validation (DNS or HTTP): the CA challenges you to prove control of the name by
  - provisioning a DNS record under example.com, or
  - provisioning an HTTP resource under a well-known URI (/.well-known/acme-challenge/) on example.com; the CA fetches it over port 80 and follows redirects to HTTPS
- Certificate Issuance
- Repeat: certificates are valid for 90 days, so renew every 2-3 months (yes, a script would be helpful)
Plugins (https://letsencrypt.readthedocs.io/en/latest/using.html)

- apache: Automates obtaining and installing a cert with Apache 2.4 on Debian-based distributions
- webroot: Obtains a cert by writing to the webroot directory of an already running webserver
- standalone: Uses a "standalone" webserver to obtain a cert. Requires port 80 or 443 to be available, so NGINX has to be stopped meanwhile; use webroot if you can't afford the downtime
- manual: Helps you obtain a cert by giving you instructions to perform domain validation yourself
- nginx: Very experimental and not included in letsencrypt-auto :D
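The HTTP validation step above, combined with the webroot plugin, comes down to one small NGINX block. This is an added example, not from the slides or from the Let's Encrypt documentation; the webroot path /var/www/letsencrypt and the domain names are assumptions.

```nginx
# Added example, not from the original slides. Assumed: challenge files are written by
#   letsencrypt certonly --webroot -w /var/www/letsencrypt -d example.org -d www.example.org
# which places them under /var/www/letsencrypt/.well-known/acme-challenge/.
server {
    listen 80;
    server_name example.org www.example.org;

    # "^~": longest-prefix match that also stops regex locations from being
    # considered, so a "location ~ /\." dotfile block elsewhere in the server
    # cannot swallow /.well-known/... and make validation fail with 403/404.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;      # a directory that holds nothing but challenge files
        default_type text/plain;        # tokens have no extension; serve them as text
    }

    # Everything else goes to HTTPS. The CA follows this redirect on renewal,
    # but the challenge above is served on plain HTTP because on first issuance
    # no certificate exists yet.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

Run the certonly command once, then letsencrypt renew from cron followed by an NGINX reload so the new certificate is picked up; the challenge location stays in place between renewals. Before asking the CA, check that curl -I http://example.org/.well-known/acme-challenge/test returns a 404 from that directory and not a 301 or 403.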
Demo
Outline: Security / HTTPS Hardening
Meet your new best friend (SSL Test)

https://www.ssllabs.com/ssltest/index.html
HTTP Strict Transport Security (HSTS)

- It is an HTTP header sent from the server to the client over HTTPS.
- Such header tells the browser that, from now on, the requested website must only be reached over HTTPS: plain http:// links are rewritten to https:// before any request leaves the browser, and certificate errors can no longer be clicked through.
- The "max-age" parameter sets the validity of this information (in seconds).

Enable HSTS in NGINX

Enabling HSTS is as simple as adding a common HTTP header:

    server {
        listen 443 ssl;
        # Force HSTS (15768000 s = 6 months)
        add_header Strict-Transport-Security "max-age=15768000";
    }

Two things to check: the very first visit still happens over plain HTTP (HSTS protects only after the header has been seen once, unless the domain is on the browsers' preload list), and an add_header inside a location block replaces every add_header inherited from the server level, so the HSTS header silently disappears from that location unless you repeat it there.
Perfect Forward Secrecy (PFS)

Let's say someone intercepts and stores all our encrypted communications. I know, who would ever do that? (cough)
If the private key is compromised/deciphered, all the previous communications could be decrypted and read.
Solution: use a new key for each session, agreed with a Diffie-Hellman exchange and thrown away afterwards. Call that key "ephemeral".

PFS? Pretty please, with sugar on top

Just use the right cipher:

    server {
        listen 443 ssl;
        ssl_prefer_server_ciphers on;
        # ECDHE = ephemeral elliptic-curve Diffie-Hellman key exchange (this is the PFS part)
        # RSA   = the certificate key only signs the handshake, it never encrypts the session key
        # AES128-GCM-SHA256 = record cipher and hash
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256';
    }

What gives forward secrecy is the ECDHE key exchange; suites whose OpenSSL name starts with "AES128-" or "DES-" (no key-exchange prefix) use the RSA key transport described earlier and should stay out of the list. A single suite, as above, also locks out every client that does not support it; the link slides point to generators for a broader, still PFS-only list.
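Putting the HSTS and PFS snippets together, here is a hardened HTTPS server block as a security engineer would write it today; it is an added example, not part of the original slides. Certificate paths, the dhparam file and the resolver address are assumptions, the cipher list goes beyond the single suite on the slide, and the "always" flag needs NGINX 1.7.5 or newer (Debian Jessie ships 1.6.2).

```nginx
# Added example, not from the original slides. Assumed: Let's Encrypt certificate
# paths, a local caching resolver on 127.0.0.1, NGINX >= 1.7.5 for "always".
server {
    listen 443 ssl;
    server_name example.org;

    ssl_certificate     /etc/letsencrypt/live/example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem;

    # No SSLv3 (POODLE), no TLS 1.0/1.1. Add TLSv1.3 on NGINX >= 1.13 with OpenSSL 1.1.1.
    ssl_protocols TLSv1.2;

    # ECDHE-only (forward secrecy) and AEAD-only (no CBC, RC4 or 3DES). Server order
    # wins, so a client cannot steer the handshake to the weakest suite it offers.
    # Unknown names (the CHACHA20 suites on OpenSSL < 1.1.0) are ignored by OpenSSL
    # as long as at least one name in the list is valid.
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305';

    # Only needed if DHE-* suites are ever added to the list: without it NGINX uses
    # 1024-bit parameters (Logjam). Generate with: openssl dhparam -out /etc/nginx/dhparam.pem 2048
    # ssl_dhparam /etc/nginx/dhparam.pem;

    # Session resumption from a shared-memory cache, but no session tickets: the
    # ticket key lives until the next restart, and a stolen key decrypts every
    # resumed session, which silently undoes forward secrecy.
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # OCSP stapling: NGINX fetches the revocation status and attaches it to the
    # handshake, so the browser does not have to contact the CA.
    ssl_stapling        on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/example.org/chain.pem;
    resolver 127.0.0.1 valid=300s;

    # HSTS for one year, subdomains included; "always" also sends it on 4xx/5xx.
    # Start with a small max-age and add includeSubDomains only once every
    # subdomain really works over HTTPS: a wrong header is cached by clients.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location / {
        root /var/www/example.org;
        # No add_header in here: one would discard the HSTS header set above.
    }
}
```

Run the host through the SSL Labs test from the previous slide: the report should list no RSA key-exchange suites, flag every suite as forward-secret and show HSTS as detected. Anything else means a directive was overridden somewhere else in the configuration (nginx -T prints the merged result).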
NGINX Links

Getting Started:
- NGINX Pitfalls
- NGINX Admin Guide
- NGINX Primer
- NGINX TIPS
- NGINX Doc and Modules Reference
- Understanding Nginx Server and Location Block Selection Algorithms
- Understanding the Nginx Configuration File Structure and Configuration Contexts

HTTPS Links

HTTPS:
- BetterCrypto
- Mozilla Config Generator
- Cipherlist
- Why You Should Always Use HTTPS
- Hardening NGINX SSL/TLS Configuration
- Strong SSL Security on nginx
License

This work is released under the Creative Commons Attribution-Share Alike 4.0 International License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/4.0/ or send a letter to Creative Commons, 444 Castro Street, Suite 900, Mountain View, California, 94041, USA.

https://www.poul.org
- Introduction
-
- HTTP 101
- NGINX Architecture
- Can I try this at home
-
- Installation and Configuration
-
- Installing on Debian
- Configuration
- PHP-FPM
- Reverse Proxy
-
- Security
-
- SSLTLS and HTTPS
- Lets Encrypt
- HTTPS Hardening
-
- Links
-
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links8 of 73
What is a Web Server
A web server is a software that processes requests via HTTP The primary function of a web server is to store process and deliverweb pages to browsers clients
Many generic web servers also support server-side scripting usingPHP or other scripting languages
9 of 73
First things first HTTP
HTTP is the foundation of data communication for the (guess what)World Wide Web (yay) HTTP functions as a requestndashresponse protocol
The client submits an HTTP request message to the server The server performs some functions and returns a response message
such as HTML files or other content
The response contains completion status information about therequest and may also contain requested content in its messagebody
10 of 73
HTTP Request Message
An HTTP request message is composed of three parts An HTTP Method and a request URI
(GET | POST | PUT | DELETE | PATCH | |) indexhtmlHTTP11
Zero o more Headers Host Connection Cookie Cache-Control User-Agent
X-Forwarded-Host many more
Optionally a message Body Useful if you are uploading something or submitting data to an html
form
11 of 73
HTTP Response Message
Nothing fancy just like a request message but instead of the HTTPmethod you have The Status code (404 not found anyone)
1xx Informational - Request received continuing process (good) 2xx Success - The action was successfully received understood and
accepted (good) 3xx Redirection - Further action must be taken in order to complete
the request (good) 4xx Client Error - The request contains bad syntax or cannot be
fulfilled (bad) 5xx Server Error - The server failed to fulfill an apparently valid
request (badder D)
12 of 73
Enough talk lemme see
telnet wwwpoulorg 80Trying 17631102216Connected to wwwpoulorgEscape character is rsquo^]rsquoGET HTTP 11Host wwwpoulorg
curl -i https wwwpoulorg
http https wwwpoulorg(requires the httpie package)
13 of 73
Enough talk lemme see
HTTP 11 200 OKCache -Control max -age=3 must -revalidateConnection keep -aliveContent -Encoding gzipContent -Length 7421Content -Type texthtml charset=UTF -8Date Sun 08 May 2016 192132 GMTStrict -Transport -Security max -age =15768000WP -Super -Cache Served supercache file from PHPX-Answer 42X-Fact systemd is bloated
lthtml lang=it -ITgtlthead [] gt
lttitle gtPOuL Politecnico Open unix Labs lttitle gt
14 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links15 of 73
What does rsquoHersquo have that I donrsquot
Lightweight Fast A pleasure to configure (shame on you Apache) Versatile (reverse proxy load balancer) (Modular)
16 of 73
NGINX Architecture
There are two different kinds of process Master process Itrsquos the main process it runs as root and fulfillstwo main tasks Read the configuration files Open the socket used to communicate with the worker processes (Slack off for the rest of the time)
Worker processes one or more processes run as unprivileged user(www-data on Debian) They do the real hard work managing all the HTTP requests coming
from thousands of clients (They work out in their free time) They donrsquot have free time
17 of 73
NGINX Architecture
Nginx Master Process
Worker P
rocess 1
Worker P
rocess 2
Worker P
rocess 3
Worker P
rocess n
Request Response 1
Request Response 2
Request Response 3
Request Response n
18 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links19 of 73
Can I try this at home
20 of 73
NAT
NAT21 of 73
DDNS
NATDDNS22 of 73
One image to rule them all
17631102216
19216811
19216812
19216813
9523720550
23 of 73
To sum up
NAT (port forwadingvirtual server) DDNS (Duck DNS Afraid no-ip) Happy Googling D
24 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links25 of 73
apt-get install
Debian Stable (Jessie at the time of writing) provides threedifferent flavours of nginx (itrsquos modular remember) nginx-light just a small subset of core modules nginx (nginx-full) he is your man nginx-extras bloated editionIf you want to see the full comparisonIf you want the (almost) latest version install it from the Backports
26 of 73
Installation Complete
Check the installed version
sudo nginx -v
Get the full list of the enabled modules
sudo nginx -V
Look for a specific module
sudo nginx -V 2gtamp1 | grep --color module_name
27 of 73
Installation Complete
Check the installed version
sudo nginx -v
Get the full list of the enabled modules
sudo nginx -V
Look for a specific module
sudo nginx -V 2gtamp1 | grep --color module_name
27 of 73
Installation Complete
Check the installed version
sudo nginx -v
Get the full list of the enabled modules
sudo nginx -V
Look for a specific module
sudo nginx -V 2gtamp1 | grep --color module_name
27 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links28 of 73
nginxconf
The good olrsquo days of httpdconf and htaccess have ended nginxconf kicks in And your days get even better (Maybe) ^^rsquo
29 of 73
Contexts
nginxconf is divided into five four contexts blocks (main)events(1) http(1) server(n) and location(n)
There is a hierarchy the events block is standalone httpcontains server blocks a server block contains location blocks
Directives defined in an higher block (like http) affect all theunderlying blocks (server and location)
Pro Tip apply directives in the highest context available
30 of 73
nginxconf stripped-down
user www -dataworker_processes 1pid runnginxpid
events worker_connections 128
http
server
location
31 of 73
Every time you do this a kitten dies
http
server
location root varwwwhtml
location another root varwwwhtml
32 of 73
VirtualHosts P
httpserver
listen 80server_name exampleorg wwwexampleorg
server listen 80server_name poulorg wwwpoulorg
server listen 80server_name fluffykittensit wwwfluffykittensit
33 of 73
location blocks
When we are in a location context we are usually dealing with filesand folders
Location diectives allow us to tell NGINX what to do when aspecific resource is requested
Such resource can be targeted using an exact path In this case we will prefix the uri with ldquo=rdquo
Alternatively we can rely on regex matching ~ prefix for case sensitive matching ~ prefix for case insensitive matching
Syntax l o c a t i o n [ = | ~ | ~lowast | ^~ ] u r i
34 of 73
Examples or GTFO
When I visit httpexampleorgdownloads I want a list of all thefiles in that folder
l o c a t i o n ~ download au to i ndex on
We donrsquot want our users to execute scripts from write accessbilefolders RIGHT
l o c a t i o n ~lowast ( images | cache | media | l o g s | tmp ) lowast ( php | p l | py ) $ r e t u r n 403 e r ro r_page 403 403 _er ro r html
35 of 73
Examples or GTFO
When I visit httpexampleorgdownloads I want a list of all thefiles in that folder
l o c a t i o n ~ download au to i ndex on
We donrsquot want our users to execute scripts from write accessbilefolders RIGHT
l o c a t i o n ~lowast ( images | cache | media | l o g s | tmp ) lowast ( php | p l | py ) $ r e t u r n 403 e r ro r_page 403 403 _er ro r html
35 of 73
Make yourself comfortable
36 of 73
Just Kidding
Demo
37 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links38 of 73
PHP-FPM Architecture
Request Nginx Socket
FastCGI Wrapper Wordpress
FastCGI Wrapper Drupal
FastCGI Wrapper ownCloud
FastCGI Wrapper $PHP_WebApp
39 of 73
php-fpmconf
sudo apt-get install php5-fpm sudo vimemacsatom(flame)etcphp5fpmpooldwwwconf
listen = varrunphp5-fpmsock sudo service php5-fpm restart
40 of 73
No way I want PHP 7
sudo apt-get install php70-fpm (httpspackagessuryorgphp) sudo vim (we have a winner)etcphp70fpmpooldwwwconf
listen = runphpphp70-fpmsock sudo service php70-fpm restart
41 of 73
Demo
Demo
42 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links43 of 73
ldquoTo infinity and beyondrdquo
Ruby RailsSinatraPuma Python FlaskTornadoDjango (the D is silent) JavaScript NodejsGhost Anything TransmissionSyncthingympd
44 of 73
Always the same pattern
A service running behind some port (8000 8080 8384 9091 etc) You want to access it without opening all those ports in yourfirewall
You want advanced settings Authentication SSLTLS
45 of 73
Demo
Demo
46 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links47 of 73
Itrsquos a conspiracy
48 of 73
HTTPS Oh yes the green lock |
SSLTLS in a nutshell Choose a fast symmetric cipher (like AES) This is called well thecipher
Choose a random key for that cipher This is called the sessionkey
Encrypt that key using RSA (public key crypto) and send it to theperson yoursquore communicating with
Then you both have the same AES key and can encrypt all yourcommunications back and forth after that
The NSA is sad (
49 of 73
Alice is suspicious
Everything is encrypted awesome but is Bob well Bob A digital certificate is an electronic document used to proveownership of a public key
The certificate includes information about the key its ownerrsquosidentity and the digital signature of a Certification Authority
A Certification Authority(CA) is an entity that issues digitalcertificates and verifies that the certificatersquos content is correct
50 of 73
Arya
51 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links52 of 73
Letrsquos Encrypt will be released any second now
53 of 73
any second now
54 of 73
aaaaany second now
55 of 73
now
56 of 73
57 of 73
58 of 73
Thank you
59 of 73
So we were saying Letrsquos Encrypt
60 of 73
Features - sounds good
Free Automatic Secure Transparent Open Cooperative
61 of 73
Under the hood
When you run the letsencrypt client a few tasks are performedhttpsletsencryptorghow-it-works Domain Validation (DNS or HTTP)
Provisioning a DNS record under examplecom Provisioning an HTTP resource under a well-known URI on
httpsexamplecom
Certificate Issuance Repeat every 23 months (yes a script would be helpful)
62 of 73
Plugins
httpsletsencryptreadthedocsioenlatestusinghtml apache Automates obtaining and installing a cert with Apache 24on Debian-based distributions
webroot Obtains a cert by writing to the webroot directory of analready running webserver
standalone Uses a ldquostandalonerdquo webserver to obtain a certRequires port 80 or 443 to be available
manual Helps you obtain a cert by giving you instructions toperform domain validation yourself
nginx Very experimental and not included in letsencrypt-auto D
63 of 73
Demo
Demo
64 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links65 of 73
Meet your new best friend (SSL Test)
httpswwwssllabscomssltestindexhtml
66 of 73
HTTP Strict Transport Security (HSTS)
It is an HTTP header sent from the server to the client Such header informs the client that HTTPS is availbale for therequested website
The ldquomax-agerdquo parameters sets the validity of this information (inseconds)
67 of 73
Enable HSTS in NGINX
Enabling HSTS is as simple as adding a common HTTP headerserver
listen 443 ssl
Force HSTSadd_header Strict -Transport -Security max -age =15768000
68 of 73
Perfect Forward Secrecy (PFS)
Letrsquos say someone intercepts and stores all our encryptedcommunications I know who would ever do that (cough)
If the private key is compromiseddeciphered all the previouscommunications could be unencrypted and read
Solution Use a new key for each session Call that key ldquoephimeralrdquo
69 of 73
PFS Pretty please with sugar on top
Just use the right cipherserver
listen 443 ssl
ssl_prefer_server_ciphers onssl_ciphers rsquoECDHE -RSA -AES128 -GCM -SHA256 rsquo
70 of 73
NGINX Links
Getting Started
NGINX PitfallsNGINX Admin GuideNGINX PrimerNGINXTIPSNGINX Doc and Modules ReferenceUnderstanding Nginx Server and Location Block Selection AlgorithmsUnderstanding the Nginx Configuration File Structure andConfiguration Contexts
71 of 73
HTTPS Links
HTTPS
BetterCryptoMozilla Config GeneratorCipherlistWhy You Should Always Use HTTPSHardening NGINX SSLTSL ConfigurationStrong SSL Security on nginx
72 of 73
License
mediaDatiSyncthingslide_nginx2015imagescc-by-sa_iconpng
Questrsquoopera egrave rilasciata sotto la licenza Creative Commons Attribution-Share Alike 40International License Per visualizzare una copia di questa licenza visitarehttpcreativecommonsorglicensesby-sa40 o inviare una lettera a CreativeCommons 444 Castro Street Suite 900 Mountain View California 94041 USA
httpswwwpoulorg
73 of 73
- Introduction
-
- HTTP 101
- NGINX Architecture
- Can I try this at home
-
- Installation and Configuration
-
- Installing on Debian
- Configuration
- PHP-FPM
- Reverse Proxy
-
- Security
-
- SSLTLS and HTTPS
- Lets Encrypt
- HTTPS Hardening
-
- Links
-
What is a Web Server
A web server is a software that processes requests via HTTP The primary function of a web server is to store process and deliverweb pages to browsers clients
Many generic web servers also support server-side scripting usingPHP or other scripting languages
9 of 73
First things first HTTP
HTTP is the foundation of data communication for the (guess what)World Wide Web (yay) HTTP functions as a requestndashresponse protocol
The client submits an HTTP request message to the server The server performs some functions and returns a response message
such as HTML files or other content
The response contains completion status information about therequest and may also contain requested content in its messagebody
10 of 73
HTTP Request Message
An HTTP request message is composed of three parts An HTTP Method and a request URI
(GET | POST | PUT | DELETE | PATCH | |) indexhtmlHTTP11
Zero o more Headers Host Connection Cookie Cache-Control User-Agent
X-Forwarded-Host many more
Optionally a message Body Useful if you are uploading something or submitting data to an html
form
11 of 73
HTTP Response Message
Nothing fancy just like a request message but instead of the HTTPmethod you have The Status code (404 not found anyone)
1xx Informational - Request received continuing process (good) 2xx Success - The action was successfully received understood and
accepted (good) 3xx Redirection - Further action must be taken in order to complete
the request (good) 4xx Client Error - The request contains bad syntax or cannot be
fulfilled (bad) 5xx Server Error - The server failed to fulfill an apparently valid
request (badder D)
12 of 73
Enough talk lemme see
telnet wwwpoulorg 80Trying 17631102216Connected to wwwpoulorgEscape character is rsquo^]rsquoGET HTTP 11Host wwwpoulorg
curl -i https wwwpoulorg
http https wwwpoulorg(requires the httpie package)
13 of 73
Enough talk lemme see
HTTP 11 200 OKCache -Control max -age=3 must -revalidateConnection keep -aliveContent -Encoding gzipContent -Length 7421Content -Type texthtml charset=UTF -8Date Sun 08 May 2016 192132 GMTStrict -Transport -Security max -age =15768000WP -Super -Cache Served supercache file from PHPX-Answer 42X-Fact systemd is bloated
lthtml lang=it -ITgtlthead [] gt
lttitle gtPOuL Politecnico Open unix Labs lttitle gt
14 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links15 of 73
What does rsquoHersquo have that I donrsquot
Lightweight Fast A pleasure to configure (shame on you Apache) Versatile (reverse proxy load balancer) (Modular)
16 of 73
NGINX Architecture
There are two different kinds of process Master process Itrsquos the main process it runs as root and fulfillstwo main tasks Read the configuration files Open the socket used to communicate with the worker processes (Slack off for the rest of the time)
Worker processes one or more processes run as unprivileged user(www-data on Debian) They do the real hard work managing all the HTTP requests coming
from thousands of clients (They work out in their free time) They donrsquot have free time
17 of 73
NGINX Architecture
Nginx Master Process
Worker P
rocess 1
Worker P
rocess 2
Worker P
rocess 3
Worker P
rocess n
Request Response 1
Request Response 2
Request Response 3
Request Response n
18 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links19 of 73
Can I try this at home
20 of 73
NAT
NAT21 of 73
DDNS
NATDDNS22 of 73
One image to rule them all
17631102216
19216811
19216812
19216813
9523720550
23 of 73
To sum up
NAT (port forwadingvirtual server) DDNS (Duck DNS Afraid no-ip) Happy Googling D
24 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links25 of 73
apt-get install
Debian Stable (Jessie at the time of writing) provides threedifferent flavours of nginx (itrsquos modular remember) nginx-light just a small subset of core modules nginx (nginx-full) he is your man nginx-extras bloated editionIf you want to see the full comparisonIf you want the (almost) latest version install it from the Backports
26 of 73
Installation Complete
Check the installed version
sudo nginx -v
Get the full list of the enabled modules
sudo nginx -V
Look for a specific module
sudo nginx -V 2gtamp1 | grep --color module_name
27 of 73
Installation Complete
Check the installed version
sudo nginx -v
Get the full list of the enabled modules
sudo nginx -V
Look for a specific module
sudo nginx -V 2gtamp1 | grep --color module_name
27 of 73
Installation Complete
Check the installed version
sudo nginx -v
Get the full list of the enabled modules
sudo nginx -V
Look for a specific module
sudo nginx -V 2gtamp1 | grep --color module_name
27 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links28 of 73
nginxconf
The good olrsquo days of httpdconf and htaccess have ended nginxconf kicks in And your days get even better (Maybe) ^^rsquo
29 of 73
Contexts
nginxconf is divided into five four contexts blocks (main)events(1) http(1) server(n) and location(n)
There is a hierarchy the events block is standalone httpcontains server blocks a server block contains location blocks
Directives defined in an higher block (like http) affect all theunderlying blocks (server and location)
Pro Tip apply directives in the highest context available
30 of 73
nginxconf stripped-down
user www -dataworker_processes 1pid runnginxpid
events worker_connections 128
http
server
location
31 of 73
Every time you do this a kitten dies
http
server
location root varwwwhtml
location another root varwwwhtml
32 of 73
VirtualHosts P
httpserver
listen 80server_name exampleorg wwwexampleorg
server listen 80server_name poulorg wwwpoulorg
server listen 80server_name fluffykittensit wwwfluffykittensit
33 of 73
location blocks
When we are in a location context we are usually dealing with filesand folders
Location diectives allow us to tell NGINX what to do when aspecific resource is requested
Such resource can be targeted using an exact path In this case we will prefix the uri with ldquo=rdquo
Alternatively we can rely on regex matching ~ prefix for case sensitive matching ~ prefix for case insensitive matching
Syntax l o c a t i o n [ = | ~ | ~lowast | ^~ ] u r i
34 of 73
Examples or GTFO
When I visit httpexampleorgdownloads I want a list of all thefiles in that folder
l o c a t i o n ~ download au to i ndex on
We donrsquot want our users to execute scripts from write accessbilefolders RIGHT
l o c a t i o n ~lowast ( images | cache | media | l o g s | tmp ) lowast ( php | p l | py ) $ r e t u r n 403 e r ro r_page 403 403 _er ro r html
35 of 73
Examples or GTFO
When I visit httpexampleorgdownloads I want a list of all thefiles in that folder
l o c a t i o n ~ download au to i ndex on
We donrsquot want our users to execute scripts from write accessbilefolders RIGHT
l o c a t i o n ~lowast ( images | cache | media | l o g s | tmp ) lowast ( php | p l | py ) $ r e t u r n 403 e r ro r_page 403 403 _er ro r html
35 of 73
Make yourself comfortable
36 of 73
Just Kidding
Demo
37 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links38 of 73
PHP-FPM Architecture
Request Nginx Socket
FastCGI Wrapper Wordpress
FastCGI Wrapper Drupal
FastCGI Wrapper ownCloud
FastCGI Wrapper $PHP_WebApp
39 of 73
php-fpmconf
sudo apt-get install php5-fpm sudo vimemacsatom(flame)etcphp5fpmpooldwwwconf
listen = varrunphp5-fpmsock sudo service php5-fpm restart
40 of 73
No way I want PHP 7
sudo apt-get install php70-fpm (httpspackagessuryorgphp) sudo vim (we have a winner)etcphp70fpmpooldwwwconf
listen = runphpphp70-fpmsock sudo service php70-fpm restart
41 of 73
Demo
Demo
42 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links43 of 73
ldquoTo infinity and beyondrdquo
Ruby RailsSinatraPuma Python FlaskTornadoDjango (the D is silent) JavaScript NodejsGhost Anything TransmissionSyncthingympd
44 of 73
Always the same pattern
A service running behind some port (8000 8080 8384 9091 etc) You want to access it without opening all those ports in yourfirewall
You want advanced settings Authentication SSLTLS
45 of 73
Demo
Demo
46 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links47 of 73
Itrsquos a conspiracy
48 of 73
HTTPS Oh yes the green lock |
SSLTLS in a nutshell Choose a fast symmetric cipher (like AES) This is called well thecipher
Choose a random key for that cipher This is called the sessionkey
Encrypt that key using RSA (public key crypto) and send it to theperson yoursquore communicating with
Then you both have the same AES key and can encrypt all yourcommunications back and forth after that
The NSA is sad (
49 of 73
Alice is suspicious
Everything is encrypted awesome but is Bob well Bob A digital certificate is an electronic document used to proveownership of a public key
The certificate includes information about the key its ownerrsquosidentity and the digital signature of a Certification Authority
A Certification Authority(CA) is an entity that issues digitalcertificates and verifies that the certificatersquos content is correct
50 of 73
Arya
51 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links52 of 73
Letrsquos Encrypt will be released any second now
53 of 73
any second now
54 of 73
aaaaany second now
55 of 73
now
56 of 73
57 of 73
58 of 73
Thank you
59 of 73
So we were saying Letrsquos Encrypt
60 of 73
Features - sounds good
Free Automatic Secure Transparent Open Cooperative
61 of 73
Under the hood
When you run the letsencrypt client a few tasks are performedhttpsletsencryptorghow-it-works Domain Validation (DNS or HTTP)
Provisioning a DNS record under examplecom Provisioning an HTTP resource under a well-known URI on
httpsexamplecom
Certificate Issuance Repeat every 23 months (yes a script would be helpful)
62 of 73
Plugins
httpsletsencryptreadthedocsioenlatestusinghtml apache Automates obtaining and installing a cert with Apache 24on Debian-based distributions
webroot Obtains a cert by writing to the webroot directory of analready running webserver
standalone Uses a ldquostandalonerdquo webserver to obtain a certRequires port 80 or 443 to be available
manual Helps you obtain a cert by giving you instructions toperform domain validation yourself
nginx Very experimental and not included in letsencrypt-auto D
63 of 73
Demo
Demo
64 of 73
Outline
HTTP Response Message
Nothing fancy, just like a request message, but instead of the HTTP method you have the status code (404 Not Found, anyone?):
- 1xx Informational: request received, continuing process (good)
- 2xx Success: the action was successfully received, understood and accepted (good)
- 3xx Redirection: further action must be taken in order to complete the request (good)
- 4xx Client Error: the request contains bad syntax or cannot be fulfilled (bad)
- 5xx Server Error: the server failed to fulfill an apparently valid request (badder :D)
12 of 73
Enough talk, lemme see!
    telnet www.poul.org 80
    Trying 176.31.102.216...
    Connected to www.poul.org.
    Escape character is '^]'.
    GET / HTTP/1.1
    Host: www.poul.org

    curl -i https://www.poul.org

    http https://www.poul.org    (requires the httpie package)
13 of 73
Enough talk, lemme see!
    HTTP/1.1 200 OK
    Cache-Control: max-age=3, must-revalidate
    Connection: keep-alive
    Content-Encoding: gzip
    Content-Length: 7421
    Content-Type: text/html; charset=UTF-8
    Date: Sun, 08 May 2016 19:21:32 GMT
    Strict-Transport-Security: max-age=15768000
    WP-Super-Cache: Served supercache file from PHP
    X-Answer: 42
    X-Fact: systemd is bloated

    <html lang="it-IT">
    <head> [...]
    <title>POuL - Politecnico Open unix Labs</title>
14 of 73
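The three parts of a response message, as an added example in Python (not code from the slides): a parser that splits a raw response into status line, headers and body, the way a client does, and maps the status code to the classes listed on the previous slide. The sample response is constructed from the headers shown above; its body is a stand-in, since the real one is gzip-compressed HTML.

```python
"""Parse a raw HTTP/1.1 response into its three parts: status line, headers, body.

Added example (not from the slides). The sample is constructed from the response
headers shown on the slide; the body is made up.
"""

# Constructed sample response.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Cache-Control: max-age=3, must-revalidate\r\n"
    "Connection: keep-alive\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Date: Sun, 08 May 2016 19:21:32 GMT\r\n"
    "Strict-Transport-Security: max-age=15768000\r\n"
    "X-Answer: 42\r\n"
    "\r\n"
    '<html lang="it-IT"><head><title>POuL</title></head></html>'
)

# The five status classes from the slide, keyed by the first digit of the code.
STATUS_CLASSES = {
    1: "Informational",
    2: "Success",
    3: "Redirection",
    4: "Client Error",
    5: "Server Error",
}


def parse_response(raw):
    """Return a dict with version, status (int), reason, headers (dict) and body.

    The head ends at the first blank line (CRLF CRLF); everything after it is the
    body. Header names are lower-cased because they are case-insensitive, and a
    repeated header is joined with ", " as RFC 7230 permits for list-valued fields.
    """
    head, separator, body = raw.partition("\r\n\r\n")
    if not separator:
        raise ValueError("incomplete response: no blank line ending the headers")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("malformed status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError("malformed header line: %r" % line)
        name = name.strip().lower()
        value = value.strip()
        headers[name] = value if name not in headers else headers[name] + ", " + value
    return {
        "version": parts[0],
        "status": int(parts[1]),
        "reason": parts[2] if len(parts) == 3 else "",
        "headers": headers,
        "body": body,
    }


def status_class(status):
    """Map a status code to the 1xx..5xx class name from the slide."""
    return STATUS_CLASSES.get(status // 100, "Unknown")


if __name__ == "__main__":
    response = parse_response(SAMPLE_RESPONSE)
    print(response["status"], status_class(response["status"]))
    for name, value in response["headers"].items():
        print("%s: %s" % (name, value))
```

The blank line is the only thing separating headers from body, which is why a response cut off before it is rejected rather than parsed as "headers only".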
What does 'He' have that I don't?
- Lightweight
- Fast
- A pleasure to configure (shame on you, Apache)
- Versatile (reverse proxy, load balancer)
- (Modular)
16 of 73
NGINX Architecture
There are two different kinds of process:
- Master process: it's the main process; it runs as root and fulfills two main tasks:
  - Read the configuration files
  - Open the socket used to communicate with the worker processes
  - (Slack off for the rest of the time)
- Worker processes: one or more processes running as an unprivileged user (www-data on Debian). They do the real hard work, managing all the HTTP requests coming from thousands of clients. (They work out in their free time.) They don't have free time.
17 of 73
NGINX Architecture
[Diagram: the Nginx Master Process spawns Worker Process 1, 2, 3 ... n; each worker serves its own Request/Response 1, 2, 3 ... n]
18 of 73
Can I try this at home?
20 of 73
NAT
[image: NAT]
21 of 73
DDNS
[image: NAT + DDNS]
22 of 73
One image to rule them all
[Diagram (NAT + DDNS setup); addresses shown: 192.168.1.1, 192.168.1.2, 192.168.1.3 (private, RFC 1918), 95.237.205.50 and 176.31.102.216 (public)]
23 of 73
To sum up
- NAT (port forwarding / virtual server)
- DDNS (Duck DNS, Afraid, no-ip)
- Happy Googling :D
24 of 73
apt-get install
Debian Stable (Jessie at the time of writing) provides three different flavours of nginx (it's modular, remember?):
- nginx-light: just a small subset of core modules
- nginx (nginx-full): he is your man
- nginx-extras: bloated edition
If you want to see the full comparison: (link on the original slide). If you want the (almost) latest version, install it from the Backports.
26 of 73
Installation Complete!
Check the installed version:
    sudo nginx -v
Get the full list of the enabled modules:
    sudo nginx -V
Look for a specific module:
    sudo nginx -V 2>&1 | grep --color module_name
27 of 73
nginx.conf
The good ol' days of httpd.conf and .htaccess have ended: nginx.conf kicks in. And your days get even better. (Maybe) ^^'
29 of 73
Contexts
nginx.conf is divided into five, er, four contexts (blocks): (main), events (1), http (1), server (n) and location (n).
There is a hierarchy: the events block is standalone; http contains server blocks; a server block contains location blocks.
Directives defined in a higher block (like http) affect all the underlying blocks (server and location).
Pro Tip: apply directives in the highest context available.
30 of 73
nginx.conf stripped-down
    user www-data;
    worker_processes 1;
    pid /run/nginx.pid;

    events {
        worker_connections 128;
    }

    http {
        server {
            location / {
                # ...
            }
        }
    }
31 of 73
Every time you do this a kitten dies
    http {
        server {
            location / {
                root /var/www/html;
            }
            location /another {
                root /var/www/html;
            }
        }
    }
(The same root is repeated in every location instead of being set once in the enclosing server block, as the Pro Tip above says.)
32 of 73
VirtualHosts :P
    http {
        server {
            listen 80;
            server_name example.org www.example.org;
        }
        server {
            listen 80;
            server_name poul.org www.poul.org;
        }
        server {
            listen 80;
            server_name fluffykittens.it www.fluffykittens.it;
        }
    }
33 of 73
location blocks
When we are in a location context we are usually dealing with files and folders.
Location directives allow us to tell NGINX what to do when a specific resource is requested.
Such a resource can be targeted using an exact path: in this case we prefix the URI with "=".
Alternatively we can rely on regex matching: the "~" prefix for case-sensitive matching, the "~*" prefix for case-insensitive matching.
Syntax:
    location [ = | ~ | ~* | ^~ ] uri { ... }
34 of 73
Examples or GTFO
When I visit http://example.org/downloads I want a list of all the files in that folder:
    location ~ /download {
        autoindex on;
    }
We don't want our users to execute scripts from write-accessible folders, RIGHT?
    location ~* /(images|cache|media|logs|tmp)/.*\.(php|pl|py)$ {
        return 403;
        error_page 403 /403_error.html;
    }
35 of 73
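How NGINX chooses between blocks like these, as an added example in Python (not code from the slides): a simulation of the documented selection order (exact "=" match, longest prefix, "^~", then regexes in configuration order) run over a constructed config that combines the two rules above with a catch-all "/" and a PHP handler. The actions are labels only; the socket path in the PHP handler label is the one from the PHP 7 slide, everything else is constructed for the example.

```python
"""Simulate nginx's location selection for a request URI.

Added example (not the slides' code). The order implemented is the one nginx
documents: an exact "=" match wins immediately; otherwise the longest matching
prefix is remembered, and if it carries "^~" the regexes are skipped; otherwise
regex locations ("~" case-sensitive, "~*" case-insensitive) are tried in
configuration order and the first match wins; if none matches, the longest
prefix is used. URIs are assumed to be already normalized (decoded, no ".."
segments), as nginx normalizes them before matching.
"""
import re


class Location:
    """One location block: a modifier, its pattern and a label for what it does."""

    def __init__(self, modifier, pattern, action):
        if modifier not in ("", "=", "^~", "~", "~*"):
            raise ValueError("unknown location modifier: %r" % modifier)
        self.modifier = modifier
        self.pattern = pattern
        self.action = action
        flags = re.IGNORECASE if modifier == "~*" else 0
        self.regex = re.compile(pattern, flags) if modifier in ("~", "~*") else None


def select_location(locations, uri):
    """Return the Location nginx would use for `uri`, or None if nothing matches."""
    best_prefix = None
    for loc in locations:
        if loc.modifier == "=":
            if uri == loc.pattern:
                return loc
        elif loc.regex is None and uri.startswith(loc.pattern):
            if best_prefix is None or len(loc.pattern) > len(best_prefix.pattern):
                best_prefix = loc
    if best_prefix is not None and best_prefix.modifier == "^~":
        return best_prefix  # "^~" stops the regex search
    for loc in locations:
        if loc.regex is not None and loc.regex.search(uri):
            return loc
    return best_prefix


# Constructed config: the slide's two rules plus a catch-all "/" and a PHP handler.
# Actions are labels, not real directive sets.
SLIDE_CONFIG = [
    Location("", "/", "root /var/www/html"),
    Location("~", "/download", "autoindex on"),
    Location("~*", r"/(images|cache|media|logs|tmp)/.*\.(php|pl|py)$", "return 403"),
    Location("~", r"\.php$", "fastcgi_pass unix:/run/php/php7.0-fpm.sock"),
]

# The same blocks with the PHP handler listed before the deny rule.
REORDERED_CONFIG = [SLIDE_CONFIG[0], SLIDE_CONFIG[1], SLIDE_CONFIG[3], SLIDE_CONFIG[2]]


def action_for(uri, locations=SLIDE_CONFIG):
    """Convenience wrapper returning the chosen block's action label."""
    chosen = select_location(locations, uri)
    return chosen.action if chosen is not None else None


if __name__ == "__main__":
    for uri in ("/about.html", "/downloads/", "/index.php", "/images/upload.php"):
        print("%-22s -> %s" % (uri, action_for(uri)))
    print("reordered: /images/upload.php ->", action_for("/images/upload.php", REORDERED_CONFIG))
```

Regex locations are tried in configuration order, so the deny rule has to come before the generic `\.php$` handler: with REORDERED_CONFIG the same request for a script in an upload folder is handed to PHP-FPM instead of getting the 403, and nothing in the config syntax warns about it.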
Make yourself comfortable
36 of 73
Just Kidding
Demo
37 of 73
PHP-FPM Architecture
[Diagram: Request -> Nginx -> Socket -> one FastCGI wrapper per application (WordPress, Drupal, ownCloud, $PHP_WebApp)]
39 of 73
php-fpm.conf
    sudo apt-get install php5-fpm
    sudo vim/emacs/atom (flame!) /etc/php5/fpm/pool.d/www.conf
        listen = /var/run/php5-fpm.sock
    sudo service php5-fpm restart
40 of 73
No way, I want PHP 7!
    sudo apt-get install php7.0-fpm    (https://packages.sury.org/php/)
    sudo vim (we have a winner) /etc/php/7.0/fpm/pool.d/www.conf
        listen = /run/php/php7.0-fpm.sock
    sudo service php7.0-fpm restart
41 of 73
Demo
42 of 73
"To infinity and beyond"
- Ruby: Rails, Sinatra, Puma
- Python: Flask, Tornado, Django (the D is silent)
- JavaScript: Node.js, Ghost
- Anything: Transmission, Syncthing, ympd
44 of 73
Always the same pattern
- A service running behind some port (8000, 8080, 8384, 9091, etc.)
- You want to access it without opening all those ports in your firewall
- You want advanced settings: authentication, SSL/TLS
45 of 73
Demo
46 of 73
It's a conspiracy!
48 of 73
HTTPS: Oh yes, the green lock! :|
SSL/TLS in a nutshell:
- Choose a fast symmetric cipher (like AES). This is called, well, the cipher.
- Choose a random key for that cipher. This is called the session key.
- Encrypt that key using RSA (public key crypto) and send it to the person you're communicating with.
- Then you both have the same AES key and can encrypt all your communications back and forth after that.
- The NSA is sad :(
49 of 73
Alice is suspicious
Everything is encrypted, awesome, but is Bob, well, Bob?
- A digital certificate is an electronic document used to prove ownership of a public key.
- The certificate includes information about the key, its owner's identity, and the digital signature of a Certification Authority.
- A Certification Authority (CA) is an entity that issues digital certificates and verifies that the certificate's content is correct.
50 of 73
Arya
51 of 73
Let's Encrypt will be released any second now...
53 of 73
any second now
54 of 73
aaaaany second now
55 of 73
now
56 of 73
57 of 73
58 of 73
Thank you
59 of 73
So, we were saying... Let's Encrypt
60 of 73
Features - sounds good!
- Free
- Automatic
- Secure
- Transparent
- Open
- Cooperative
61 of 73
Under the hood
When you run the letsencrypt client a few tasks are performed (https://letsencrypt.org/how-it-works/):
- Domain Validation (DNS or HTTP):
  - provisioning a DNS record under example.com, or
  - provisioning an HTTP resource under a well-known URI on https://example.com
- Certificate Issuance
- Repeat every 2-3 months (yes, a script would be helpful)
62 of 73
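The part of that script that decides when to repeat, as an added example in Python (not code from the Let's Encrypt client or the slides). It reads the "notAfter" field in the dict shape that ssl.SSLSocket.getpeercert() returns and parses it with the standard library's ssl.cert_time_to_seconds(); the certificate dict is constructed, and the 30-day renewal threshold is an assumption made for the example.

```python
"""Decide whether a certificate is due for renewal.

Added example, not part of the Let's Encrypt client. It works on the dict shape
that ssl.SSLSocket.getpeercert() returns, whose "notAfter" field looks like
'Aug  6 00:00:00 2016 GMT' and is parsed by ssl.cert_time_to_seconds(). The
30-day threshold is an assumption made here, not a value from the slides.
"""
import ssl
from datetime import datetime, timedelta, timezone

RENEW_WITHIN_DAYS = 30  # assumed policy: renew once less than a month of validity is left

# Constructed sample in getpeercert() shape; the dates are made up and span the
# 90-day lifetime of a Let's Encrypt certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.org"),),),
    "notBefore": "May  8 00:00:00 2016 GMT",
    "notAfter": "Aug  6 00:00:00 2016 GMT",
}


def expiry(cert):
    """The certificate's notAfter as an aware UTC datetime."""
    seconds = ssl.cert_time_to_seconds(cert["notAfter"])
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def days_remaining(cert, now):
    """Fractional days of validity left at `now` (aware datetime); negative once expired."""
    return (expiry(cert) - now) / timedelta(days=1)


def renewal_decision(cert, now, threshold_days=RENEW_WITHIN_DAYS):
    """Return 'expired', 'renew' or 'ok' for the certificate at time `now`."""
    left = days_remaining(cert, now)
    if left <= 0:
        return "expired"
    if left <= threshold_days:
        return "renew"
    return "ok"


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    print("%.1f days left -> %s" % (days_remaining(SAMPLE_CERT, now),
                                    renewal_decision(SAMPLE_CERT, now)))
```

Passing `now` in explicitly is what makes the decision testable against fixed dates instead of the wall clock; a cron job would call it with the current UTC time.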
Plugins
https://letsencrypt.readthedocs.io/en/latest/using.html
- apache: automates obtaining and installing a cert with Apache 2.4 on Debian-based distributions
- webroot: obtains a cert by writing to the webroot directory of an already running webserver
- standalone: uses a "standalone" webserver to obtain a cert. Requires port 80 or 443 to be available
- manual: helps you obtain a cert by giving you instructions to perform domain validation yourself
- nginx: very experimental and not included in letsencrypt-auto :D
63 of 73
Demo
64 of 73
Meet your new best friend (SSL Test)
https://www.ssllabs.com/ssltest/index.html
66 of 73
HTTP Strict Transport Security (HSTS)
It is an HTTP header sent from the server to the client. Such a header informs the client that HTTPS is available for the requested website (and that, from then on, the client should only reach it over HTTPS).
The "max-age" parameter sets the validity of this information (in seconds).
67 of 73
Enable HSTS in NGINX
Enabling HSTS is as simple as adding a common HTTP header:
    server {
        listen 443 ssl;
        # Force HSTS
        add_header Strict-Transport-Security "max-age=15768000";
    }
68 of 73
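What the client does with that header, as an added example in Python (not code from the slides): a model of the browser's HSTS cache following RFC 6797, which stores the policy for max-age seconds, rewrites http:// URLs for the host to https:// while it is valid, and drops it afterwards. The includeSubDomains directive and the max-age=0 "forget me" case are taken from RFC 6797 and are not discussed on the slide; the hosts and times used are constructed.

```python
"""Model what a browser does with a Strict-Transport-Security header.

Added example, not from the slides. It follows RFC 6797: on receiving the
header over HTTPS the client stores the policy for max-age seconds and, while
it is valid, rewrites http:// URLs for that host to https://. The optional
includeSubDomains directive (also from RFC 6797, not discussed on the slide)
extends the policy to subdomains; max-age=0 tells the client to forget the host.
Time is passed in explicitly as seconds so the expiry logic can be exercised.
"""
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(header_value):
    """Parse 'max-age=15768000; includeSubDomains' into a dict, or None if invalid."""
    policy = {"max_age": None, "include_subdomains": False}
    for directive in header_value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                policy["max_age"] = int(arg.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
    if policy["max_age"] is None or policy["max_age"] < 0:
        return None  # max-age is mandatory; without it the header must be ignored
    return policy


class HstsStore:
    """The client's per-host HSTS cache: host -> (expires_at, include_subdomains)."""

    def __init__(self):
        self._hosts = {}

    def observe(self, host, header_value, now):
        """Record a policy received over HTTPS from `host` at time `now` (seconds)."""
        policy = parse_hsts(header_value)
        if policy is None:
            return False
        host = host.lower()
        if policy["max_age"] == 0:
            self._hosts.pop(host, None)
        else:
            self._hosts[host] = (now + policy["max_age"], policy["include_subdomains"])
        return True

    def is_known(self, host, now):
        """True if `host`, or a parent domain with includeSubDomains, has a live policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry is None:
                continue
            expires_at, include_subdomains = entry
            if now < expires_at and (i == 0 or include_subdomains):
                return True
        return False

    def rewrite(self, url, now):
        """Upgrade an http:// URL to https:// when the host is known; otherwise return it as is."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname or "", now):
            return url
        netloc = parts.netloc
        if netloc.endswith(":80"):
            netloc = netloc[:-3]  # an explicit default port would be wrong after the upgrade
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    store = HstsStore()
    store.observe("www.poul.org", "max-age=15768000", now=0)  # the header from the slide
    print(store.rewrite("http://www.poul.org/", now=1000))
    print(store.rewrite("http://www.poul.org/", now=15768000))  # policy has expired by now
```

The upgrade happens before any request leaves the client, which is the point of HSTS: a plain http:// link or a typed hostname never produces a cleartext request while the policy is cached, so the max-age on the slide (about six months) is also how long a single HTTPS visit keeps protecting later visits.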
Perfect Forward Secrecy (PFS)
Let's say someone intercepts and stores all our encrypted communications. I know, who would ever do that? (cough)
If the private key is compromised/deciphered, all the previous communications could be decrypted and read.
Solution: use a new key for each session. Call that key "ephemeral".
69 of 73
PFS: Pretty please, with sugar on top
Just use the right cipher:
    server {
        listen 443 ssl;
        ssl_prefer_server_ciphers on;
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256';
    }
70 of 73
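A check that a cipher list really delivers what the slide asks for, as an added example in Python (not code from the slides): a small linter for an ssl_ciphers value that uses OpenSSL's suite-naming convention, where the key exchange is encoded in the prefix, to flag suites with static RSA key exchange. The cipher lists it is run on are constructed, apart from the one from the slide.

```python
"""Lint an nginx ssl_ciphers value for suites that lack forward secrecy.

Added example, not from the slides. It relies on OpenSSL's naming convention
for cipher suites: the key exchange is encoded in the prefix, so ECDHE-/DHE-
(ephemeral Diffie-Hellman) give PFS, ECDH-/DH- are static Diffie-Hellman, and a
name with no key-exchange prefix at all (AES128-SHA, CAMELLIA256-SHA, ...)
means RSA key transport, which is exactly the case the slide warns about.
Keywords such as HIGH or kEECDH expand to many suites and are only reported.
"""

EPHEMERAL_PREFIXES = ("ECDHE-", "DHE-", "EDH-")  # EDH- is OpenSSL's older spelling of DHE-


def classify_suite(element):
    """Classify one cipher-list element as 'pfs', 'no-pfs' or 'alias'."""
    name = element.upper()
    if "-" not in name or "+" in name:
        return "alias"  # keyword (HIGH, kRSA, ...) or combination (ECDH+AESGCM)
    if name.startswith(EPHEMERAL_PREFIXES):
        return "pfs"
    # ECDH-/DH- (static DH), ADH-/AECDH- (anonymous DH) and bare names such as
    # AES128-SHA (RSA key transport) all lack forward secrecy.
    return "no-pfs"


def audit_cipher_list(cipher_list):
    """Return {'pfs': [...], 'no-pfs': [...], 'alias': [...]} for an ssl_ciphers value.

    Elements starting with '!' or '-' remove suites and are skipped, a leading '+'
    only reorders, and '@' entries (such as @STRENGTH) are sort directives.
    Surrounding quotes, as written in nginx.conf, are tolerated.
    """
    result = {"pfs": [], "no-pfs": [], "alias": []}
    for element in cipher_list.strip("'\"").split(":"):
        element = element.strip()
        if not element or element[0] in "!-@":
            continue
        element = element.lstrip("+")
        result[classify_suite(element)].append(element)
    return result


def has_forward_secrecy(cipher_list):
    """True only if every explicitly listed suite uses ephemeral key exchange.

    Unresolved keywords count against the list, since they may expand to
    RSA-key-transport suites; expand them with `openssl ciphers -v` first.
    """
    audit = audit_cipher_list(cipher_list)
    return bool(audit["pfs"]) and not audit["no-pfs"] and not audit["alias"]


if __name__ == "__main__":
    for value in ("ECDHE-RSA-AES128-GCM-SHA256",  # the slide's list
                  "ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:!MD5"):
        print(value, "->", audit_cipher_list(value), has_forward_secrecy(value))
```

The second list in the usage lines shows the typical mistake: one PFS suite at the front and a static-RSA fallback after it. With ssl_prefer_server_ciphers on, a client that offers both still gets PFS, but any client that only offers AES128-SHA silently negotiates a session that the server's private key can decrypt afterwards.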
NGINX Links
Getting Started
- NGINX Pitfalls
- NGINX Admin Guide
- NGINX Primer
- NGINX TIPS
- NGINX Doc and Modules Reference
- Understanding Nginx Server and Location Block Selection Algorithms
- Understanding the Nginx Configuration File Structure and Configuration Contexts
71 of 73
HTTPS Links
HTTPS
- BetterCrypto
- Mozilla Config Generator
- Cipherlist
- Why You Should Always Use HTTPS
- Hardening NGINX SSL/TLS Configuration
- Strong SSL Security on nginx
72 of 73
License
This work is released under the Creative Commons Attribution-Share Alike 4.0 International License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/4.0/ or send a letter to Creative Commons, 444 Castro Street, Suite 900, Mountain View, California, 94041, USA.
https://www.poul.org
73 of 73
- Introduction
  - HTTP 101
  - NGINX Architecture
  - Can I try this at home?
- Installation and Configuration
  - Installing on Debian
  - Configuration
  - PHP-FPM
  - Reverse Proxy
- Security
  - SSL/TLS and HTTPS
  - Let's Encrypt
  - HTTPS Hardening
- Links
HTTP Request Message
An HTTP request message is composed of three parts An HTTP Method and a request URI
(GET | POST | PUT | DELETE | PATCH | |) indexhtmlHTTP11
Zero o more Headers Host Connection Cookie Cache-Control User-Agent
X-Forwarded-Host many more
Optionally a message Body Useful if you are uploading something or submitting data to an html
form
11 of 73
HTTP Response Message
Nothing fancy just like a request message but instead of the HTTPmethod you have The Status code (404 not found anyone)
1xx Informational - Request received continuing process (good) 2xx Success - The action was successfully received understood and
accepted (good) 3xx Redirection - Further action must be taken in order to complete
the request (good) 4xx Client Error - The request contains bad syntax or cannot be
fulfilled (bad) 5xx Server Error - The server failed to fulfill an apparently valid
request (badder D)
12 of 73
Enough talk lemme see
telnet wwwpoulorg 80Trying 17631102216Connected to wwwpoulorgEscape character is rsquo^]rsquoGET HTTP 11Host wwwpoulorg
curl -i https wwwpoulorg
http https wwwpoulorg(requires the httpie package)
13 of 73
Enough talk lemme see
HTTP 11 200 OKCache -Control max -age=3 must -revalidateConnection keep -aliveContent -Encoding gzipContent -Length 7421Content -Type texthtml charset=UTF -8Date Sun 08 May 2016 192132 GMTStrict -Transport -Security max -age =15768000WP -Super -Cache Served supercache file from PHPX-Answer 42X-Fact systemd is bloated
lthtml lang=it -ITgtlthead [] gt
lttitle gtPOuL Politecnico Open unix Labs lttitle gt
14 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links15 of 73
What does rsquoHersquo have that I donrsquot
Lightweight Fast A pleasure to configure (shame on you Apache) Versatile (reverse proxy load balancer) (Modular)
16 of 73
NGINX Architecture
There are two different kinds of process Master process Itrsquos the main process it runs as root and fulfillstwo main tasks Read the configuration files Open the socket used to communicate with the worker processes (Slack off for the rest of the time)
Worker processes one or more processes run as unprivileged user(www-data on Debian) They do the real hard work managing all the HTTP requests coming
from thousands of clients (They work out in their free time) They donrsquot have free time
17 of 73
NGINX Architecture
Nginx Master Process
Worker P
rocess 1
Worker P
rocess 2
Worker P
rocess 3
Worker P
rocess n
Request Response 1
Request Response 2
Request Response 3
Request Response n
18 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links19 of 73
Can I try this at home
20 of 73
NAT
NAT21 of 73
DDNS
NATDDNS22 of 73
One image to rule them all
17631102216
19216811
19216812
19216813
9523720550
23 of 73
To sum up
NAT (port forwadingvirtual server) DDNS (Duck DNS Afraid no-ip) Happy Googling D
24 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links25 of 73
apt-get install
Debian Stable (Jessie at the time of writing) provides threedifferent flavours of nginx (itrsquos modular remember) nginx-light just a small subset of core modules nginx (nginx-full) he is your man nginx-extras bloated editionIf you want to see the full comparisonIf you want the (almost) latest version install it from the Backports
26 of 73
Installation Complete
Check the installed version
sudo nginx -v
Get the full list of the enabled modules
sudo nginx -V
Look for a specific module
sudo nginx -V 2gtamp1 | grep --color module_name
27 of 73
Installation Complete
Check the installed version
sudo nginx -v
Get the full list of the enabled modules
sudo nginx -V
Look for a specific module
sudo nginx -V 2gtamp1 | grep --color module_name
27 of 73
Installation Complete
Check the installed version
sudo nginx -v
Get the full list of the enabled modules
sudo nginx -V
Look for a specific module
sudo nginx -V 2gtamp1 | grep --color module_name
27 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links28 of 73
nginxconf
The good olrsquo days of httpdconf and htaccess have ended nginxconf kicks in And your days get even better (Maybe) ^^rsquo
29 of 73
Contexts
nginxconf is divided into five four contexts blocks (main)events(1) http(1) server(n) and location(n)
There is a hierarchy the events block is standalone httpcontains server blocks a server block contains location blocks
Directives defined in an higher block (like http) affect all theunderlying blocks (server and location)
Pro Tip apply directives in the highest context available
30 of 73
nginxconf stripped-down
user www -dataworker_processes 1pid runnginxpid
events worker_connections 128
http
server
location
31 of 73
Every time you do this a kitten dies
http
server
location root varwwwhtml
location another root varwwwhtml
32 of 73
VirtualHosts P
httpserver
listen 80server_name exampleorg wwwexampleorg
server listen 80server_name poulorg wwwpoulorg
server listen 80server_name fluffykittensit wwwfluffykittensit
33 of 73
location blocks
When we are in a location context we are usually dealing with filesand folders
Location diectives allow us to tell NGINX what to do when aspecific resource is requested
Such resource can be targeted using an exact path In this case we will prefix the uri with ldquo=rdquo
Alternatively we can rely on regex matching ~ prefix for case sensitive matching ~ prefix for case insensitive matching
Syntax l o c a t i o n [ = | ~ | ~lowast | ^~ ] u r i
34 of 73
Examples or GTFO
When I visit httpexampleorgdownloads I want a list of all thefiles in that folder
l o c a t i o n ~ download au to i ndex on
We donrsquot want our users to execute scripts from write accessbilefolders RIGHT
l o c a t i o n ~lowast ( images | cache | media | l o g s | tmp ) lowast ( php | p l | py ) $ r e t u r n 403 e r ro r_page 403 403 _er ro r html
35 of 73
Examples or GTFO
When I visit httpexampleorgdownloads I want a list of all thefiles in that folder
l o c a t i o n ~ download au to i ndex on
We donrsquot want our users to execute scripts from write accessbilefolders RIGHT
l o c a t i o n ~lowast ( images | cache | media | l o g s | tmp ) lowast ( php | p l | py ) $ r e t u r n 403 e r ro r_page 403 403 _er ro r html
35 of 73
Make yourself comfortable
36 of 73
Just Kidding
Demo
37 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links38 of 73
PHP-FPM Architecture
Request Nginx Socket
FastCGI Wrapper Wordpress
FastCGI Wrapper Drupal
FastCGI Wrapper ownCloud
FastCGI Wrapper $PHP_WebApp
39 of 73
php-fpmconf
sudo apt-get install php5-fpm sudo vimemacsatom(flame)etcphp5fpmpooldwwwconf
listen = varrunphp5-fpmsock sudo service php5-fpm restart
40 of 73
No way I want PHP 7
sudo apt-get install php70-fpm (httpspackagessuryorgphp) sudo vim (we have a winner)etcphp70fpmpooldwwwconf
listen = runphpphp70-fpmsock sudo service php70-fpm restart
41 of 73
Demo
Demo
42 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links43 of 73
ldquoTo infinity and beyondrdquo
Ruby RailsSinatraPuma Python FlaskTornadoDjango (the D is silent) JavaScript NodejsGhost Anything TransmissionSyncthingympd
44 of 73
Always the same pattern
A service running behind some port (8000 8080 8384 9091 etc) You want to access it without opening all those ports in yourfirewall
You want advanced settings Authentication SSLTLS
45 of 73
Demo
Demo
46 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links47 of 73
Itrsquos a conspiracy
48 of 73
HTTPS Oh yes the green lock |
SSLTLS in a nutshell Choose a fast symmetric cipher (like AES) This is called well thecipher
Choose a random key for that cipher This is called the sessionkey
Encrypt that key using RSA (public key crypto) and send it to theperson yoursquore communicating with
Then you both have the same AES key and can encrypt all yourcommunications back and forth after that
The NSA is sad (
49 of 73
Alice is suspicious
Everything is encrypted awesome but is Bob well Bob A digital certificate is an electronic document used to proveownership of a public key
The certificate includes information about the key its ownerrsquosidentity and the digital signature of a Certification Authority
A Certification Authority(CA) is an entity that issues digitalcertificates and verifies that the certificatersquos content is correct
50 of 73
Arya
51 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links52 of 73
Letrsquos Encrypt will be released any second now
53 of 73
any second now
54 of 73
aaaaany second now
55 of 73
now
56 of 73
57 of 73
58 of 73
Thank you
59 of 73
So we were saying Letrsquos Encrypt
60 of 73
Features - sounds good
Free Automatic Secure Transparent Open Cooperative
61 of 73
Under the hood
When you run the letsencrypt client a few tasks are performedhttpsletsencryptorghow-it-works Domain Validation (DNS or HTTP)
Provisioning a DNS record under examplecom Provisioning an HTTP resource under a well-known URI on
httpsexamplecom
Certificate Issuance Repeat every 23 months (yes a script would be helpful)
62 of 73
Plugins
httpsletsencryptreadthedocsioenlatestusinghtml apache Automates obtaining and installing a cert with Apache 24on Debian-based distributions
webroot Obtains a cert by writing to the webroot directory of analready running webserver
standalone Uses a ldquostandalonerdquo webserver to obtain a certRequires port 80 or 443 to be available
manual Helps you obtain a cert by giving you instructions toperform domain validation yourself
nginx Very experimental and not included in letsencrypt-auto D
63 of 73
Demo
Demo
64 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links65 of 73
Meet your new best friend (SSL Test)
httpswwwssllabscomssltestindexhtml
66 of 73
HTTP Strict Transport Security (HSTS)
It is an HTTP header sent from the server to the client Such header informs the client that HTTPS is availbale for therequested website
The ldquomax-agerdquo parameters sets the validity of this information (inseconds)
67 of 73
Enable HSTS in NGINX
Enabling HSTS is as simple as adding a common HTTP headerserver
listen 443 ssl
Force HSTSadd_header Strict -Transport -Security max -age =15768000
68 of 73
Perfect Forward Secrecy (PFS)
Letrsquos say someone intercepts and stores all our encryptedcommunications I know who would ever do that (cough)
If the private key is compromiseddeciphered all the previouscommunications could be unencrypted and read
Solution Use a new key for each session Call that key ldquoephimeralrdquo
69 of 73
PFS Pretty please with sugar on top
Just use the right cipherserver
listen 443 ssl
ssl_prefer_server_ciphers onssl_ciphers rsquoECDHE -RSA -AES128 -GCM -SHA256 rsquo
70 of 73
NGINX Links
Getting Started
NGINX PitfallsNGINX Admin GuideNGINX PrimerNGINXTIPSNGINX Doc and Modules ReferenceUnderstanding Nginx Server and Location Block Selection AlgorithmsUnderstanding the Nginx Configuration File Structure andConfiguration Contexts
71 of 73
HTTPS Links
HTTPS
BetterCryptoMozilla Config GeneratorCipherlistWhy You Should Always Use HTTPSHardening NGINX SSLTSL ConfigurationStrong SSL Security on nginx
72 of 73
License
mediaDatiSyncthingslide_nginx2015imagescc-by-sa_iconpng
Questrsquoopera egrave rilasciata sotto la licenza Creative Commons Attribution-Share Alike 40International License Per visualizzare una copia di questa licenza visitarehttpcreativecommonsorglicensesby-sa40 o inviare una lettera a CreativeCommons 444 Castro Street Suite 900 Mountain View California 94041 USA
httpswwwpoulorg
73 of 73
- Introduction
-
- HTTP 101
- NGINX Architecture
- Can I try this at home
-
- Installation and Configuration
-
- Installing on Debian
- Configuration
- PHP-FPM
- Reverse Proxy
-
- Security
-
- SSLTLS and HTTPS
- Lets Encrypt
- HTTPS Hardening
-
- Links
-
HTTP Response Message
Nothing fancy just like a request message but instead of the HTTPmethod you have The Status code (404 not found anyone)
1xx Informational - Request received continuing process (good) 2xx Success - The action was successfully received understood and
accepted (good) 3xx Redirection - Further action must be taken in order to complete
the request (good) 4xx Client Error - The request contains bad syntax or cannot be
fulfilled (bad) 5xx Server Error - The server failed to fulfill an apparently valid
request (badder D)
12 of 73
Enough talk lemme see
telnet wwwpoulorg 80Trying 17631102216Connected to wwwpoulorgEscape character is rsquo^]rsquoGET HTTP 11Host wwwpoulorg
curl -i https wwwpoulorg
http https wwwpoulorg(requires the httpie package)
13 of 73
Enough talk lemme see
HTTP 11 200 OKCache -Control max -age=3 must -revalidateConnection keep -aliveContent -Encoding gzipContent -Length 7421Content -Type texthtml charset=UTF -8Date Sun 08 May 2016 192132 GMTStrict -Transport -Security max -age =15768000WP -Super -Cache Served supercache file from PHPX-Answer 42X-Fact systemd is bloated
lthtml lang=it -ITgtlthead [] gt
lttitle gtPOuL Politecnico Open unix Labs lttitle gt
14 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links15 of 73
What does rsquoHersquo have that I donrsquot
Lightweight Fast A pleasure to configure (shame on you Apache) Versatile (reverse proxy load balancer) (Modular)
16 of 73
NGINX Architecture
There are two different kinds of process Master process Itrsquos the main process it runs as root and fulfillstwo main tasks Read the configuration files Open the socket used to communicate with the worker processes (Slack off for the rest of the time)
Worker processes one or more processes run as unprivileged user(www-data on Debian) They do the real hard work managing all the HTTP requests coming
from thousands of clients (They work out in their free time) They donrsquot have free time
17 of 73
NGINX Architecture
Nginx Master Process
Worker P
rocess 1
Worker P
rocess 2
Worker P
rocess 3
Worker P
rocess n
Request Response 1
Request Response 2
Request Response 3
Request Response n
18 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links19 of 73
Can I try this at home
20 of 73
NAT
NAT21 of 73
DDNS
NATDDNS22 of 73
One image to rule them all
17631102216
19216811
19216812
19216813
9523720550
23 of 73
To sum up
NAT (port forwadingvirtual server) DDNS (Duck DNS Afraid no-ip) Happy Googling D
24 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links25 of 73
apt-get install
Debian Stable (Jessie at the time of writing) provides threedifferent flavours of nginx (itrsquos modular remember) nginx-light just a small subset of core modules nginx (nginx-full) he is your man nginx-extras bloated editionIf you want to see the full comparisonIf you want the (almost) latest version install it from the Backports
26 of 73
Installation Complete
Check the installed version
sudo nginx -v
Get the full list of the enabled modules
sudo nginx -V
Look for a specific module
sudo nginx -V 2gtamp1 | grep --color module_name
27 of 73
Installation Complete
Check the installed version
sudo nginx -v
Get the full list of the enabled modules
sudo nginx -V
Look for a specific module
sudo nginx -V 2gtamp1 | grep --color module_name
27 of 73
Installation Complete
Check the installed version
sudo nginx -v
Get the full list of the enabled modules
sudo nginx -V
Look for a specific module
sudo nginx -V 2gtamp1 | grep --color module_name
27 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links28 of 73
nginxconf
The good olrsquo days of httpdconf and htaccess have ended nginxconf kicks in And your days get even better (Maybe) ^^rsquo
29 of 73
Contexts
nginxconf is divided into five four contexts blocks (main)events(1) http(1) server(n) and location(n)
There is a hierarchy the events block is standalone httpcontains server blocks a server block contains location blocks
Directives defined in an higher block (like http) affect all theunderlying blocks (server and location)
Pro Tip apply directives in the highest context available
30 of 73
nginxconf stripped-down
user www -dataworker_processes 1pid runnginxpid
events worker_connections 128
http
server
location
31 of 73
Every time you do this a kitten dies
http
server
location root varwwwhtml
location another root varwwwhtml
32 of 73
VirtualHosts :P
    http {
        server {
            listen 80;
            server_name example.org www.example.org;
        }
        server {
            listen 80;
            server_name poul.org www.poul.org;
        }
        server {
            listen 80;
            server_name fluffykittens.it www.fluffykittens.it;
        }
    }
33 of 73
location blocks
When we are in a location context we are usually dealing with files and folders.
Location directives allow us to tell NGINX what to do when a specific resource is requested.
Such a resource can be targeted using an exact path; in this case we prefix the URI with "=".
Alternatively we can rely on regex matching: the "~" prefix for case-sensitive matching, the "~*" prefix for case-insensitive matching.
Syntax: location [ = | ~ | ~* | ^~ ] uri { ... }
34 of 73
Examples or GTFO
When I visit http://example.org/downloads I want a list of all the files in that folder:
    location ~ /downloads {
        autoindex on;
    }
We don't want our users to execute scripts from write-accessible folders, RIGHT?
    location ~* /(images|cache|media|logs|tmp)/.*\.(php|pl|py)$ {
        return 403;
        error_page 403 /403_error.html;
    }
35 of 73
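A complete nginx.conf that puts the previous slides together (contexts, root set once in the highest context, virtual hosts, the four location prefixes and the two examples above). This is an added example, not configuration from the slides; the host names, document roots, the /robots.txt and /static/ locations and the catch-all server are assumptions.

```nginx
# Added example, not from the slides. Hosts and paths are constructed.
user www-data;
worker_processes 1;
pid /run/nginx.pid;

events {
    worker_connections 128;
}

http {
    include /etc/nginx/mime.types;   # Debian default location, assumed present
    sendfile on;

    # Catch-all: a request whose Host header matches no server_name below
    # would otherwise be served by the first vhost. 444 makes nginx close
    # the connection without answering.
    server {
        listen 80 default_server;
        server_name _;
        return 444;
    }

    server {
        listen 80;
        server_name example.org www.example.org;

        # set once here, inherited by every location below ("Pro Tip" slide)
        root  /var/www/example.org;
        index index.html;

        # "=" exact match: only /robots.txt itself, nothing else
        location = /robots.txt {
            log_not_found off;
            access_log off;
        }

        # plain prefix match: the default handler for everything else
        location / {
            try_files $uri $uri/ =404;
        }

        # "^~" prefix match that also stops nginx from trying the regex locations
        location ^~ /static/ {
            expires 1d;
        }

        # Regex locations are tried in file order and the first match wins:
        # keep deny rules like this one ABOVE any regex handler (e.g. a \.php$
        # block) that they are meant to override.
        location ~* /(images|cache|media|logs|tmp)/.*\.(php|pl|py)$ {
            return 403;
        }
        # server-level error_page applies to the 403 returned above as well
        error_page 403 /403_error.html;

        # "~" case-sensitive regex: directory listing for /downloads only
        location ~ ^/downloads/ {
            autoindex on;
        }
    }

    server {
        listen 80;
        server_name poul.org www.poul.org;
        root /var/www/poul.org;
    }
}
```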
Make yourself comfortable
36 of 73
Just Kidding
Demo
37 of 73
PHP-FPM Architecture
[Diagram: Request -> Nginx -> Socket -> FastCGI wrapper -> WordPress / Drupal / ownCloud / $PHP_WebApp]
39 of 73
php-fpm.conf
    sudo apt-get install php5-fpm
    sudo vim/emacs/atom (flame!) /etc/php5/fpm/pool.d/www.conf
        listen = /var/run/php5-fpm.sock
    sudo service php5-fpm restart
40 of 73
No way, I want PHP 7
    sudo apt-get install php7.0-fpm (https://packages.sury.org/php/)
    sudo vim (we have a winner) /etc/php/7.0/fpm/pool.d/www.conf
        listen = /run/php/php7.0-fpm.sock
    sudo service php7.0-fpm restart
41 of 73
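The nginx side of the PHP-FPM setup just described, as an added example that is not from the slides: a server block that hands .php requests to the PHP 7.0 socket configured in www.conf above. The host name and document root are assumptions.

```nginx
# Added example, not from the slides. Host name and root are constructed.
server {
    listen 80;
    server_name example.org;
    root  /var/www/example.org;
    index index.php index.html;

    location / {
        try_files $uri $uri/ =404;
    }

    # Regex deny rules (like the "writable folders" one on the Examples slide)
    # must be placed ABOVE this block: nginx uses the first matching regex
    # location in file order.
    location ~ \.php$ {
        # Only hand over scripts that really exist on disk. A request for a
        # non-existent .php path is answered with 404 by nginx instead of being
        # passed to PHP, which with cgi.fix_pathinfo could otherwise run an
        # unrelated file as a script.
        try_files $uri =404;

        include fastcgi_params;   # Debian's fastcgi_params has no SCRIPT_FILENAME
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        # the "listen" value from /etc/php/7.0/fpm/pool.d/www.conf
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
    }

    # Hidden files (.htaccess, .git, ...) under the root are never served
    location ~ /\. {
        deny all;
    }
}
```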
Demo
42 of 73
"To infinity and beyond"
- Ruby: Rails / Sinatra / Puma
- Python: Flask / Tornado / Django (the D is silent)
- JavaScript: Node.js / Ghost
- Anything: Transmission / Syncthing / ympd
44 of 73
Always the same pattern
- A service running behind some port (8000, 8080, 8384, 9091, etc.)
- You want to access it without opening all those ports in your firewall
- You want advanced settings: authentication, SSL/TLS
45 of 73
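The pattern above applied to one of the services listed on the previous slide: Syncthing's web UI, which listens on 127.0.0.1:8384 by default, published through nginx with HTTP basic authentication and TLS. This is an added example, not from the slides; the host name, certificate paths and htpasswd file are assumptions.

```nginx
# Added example, not from the slides. Host name and file paths are constructed.
server {
    listen 443 ssl;
    server_name sync.example.org;

    ssl_certificate     /etc/ssl/certs/sync.example.org.crt;     # assumed paths
    ssl_certificate_key /etc/ssl/private/sync.example.org.key;

    # Authentication is enforced here, in front of the service; the backend
    # port stays bound to localhost (and firewalled), so the only way in is
    # through this server block.
    auth_basic           "Syncthing";
    auth_basic_user_file /etc/nginx/htpasswd;   # created with htpasswd (apache2-utils)

    location / {
        proxy_pass http://127.0.0.1:8384;

        # Let the backend know the real client address and that the original
        # request came in over HTTPS (it only ever sees plain HTTP from nginx).
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # the UI keeps long-polling connections open
        proxy_read_timeout 600s;
    }
}
```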
Demo
46 of 73
It's a conspiracy
48 of 73
HTTPS? Oh yes, the green lock!
SSL/TLS in a nutshell:
- Choose a fast symmetric cipher (like AES). This is called, well, the cipher.
- Choose a random key for that cipher. This is called the session key.
- Encrypt that key using RSA (public key crypto) and send it to the person you're communicating with.
- Then you both have the same AES key and can encrypt all your communications back and forth after that.
- The NSA is sad :(
49 of 73
Alice is suspicious
Everything is encrypted, awesome, but is Bob, well, Bob?
A digital certificate is an electronic document used to prove ownership of a public key.
The certificate includes information about the key, its owner's identity, and the digital signature of a Certification Authority.
A Certification Authority (CA) is an entity that issues digital certificates and verifies that the certificate's content is correct.
50 of 73
Arya
51 of 73
Let's Encrypt will be released any second now
53 of 73
any second now
54 of 73
aaaaany second now
55 of 73
now
56 of 73
57 of 73
58 of 73
Thank you
59 of 73
So, we were saying: Let's Encrypt
60 of 73
Features - sounds good
Free, Automatic, Secure, Transparent, Open, Cooperative
61 of 73
Under the hood
When you run the letsencrypt client a few tasks are performed (https://letsencrypt.org/how-it-works/):
- Domain Validation (DNS or HTTP):
  - provisioning a DNS record under example.com, or
  - provisioning an HTTP resource under a well-known URI on https://example.com
- Certificate Issuance
- Repeat every 2 to 3 months (yes, a script would be helpful)
62 of 73
Plugins
https://letsencrypt.readthedocs.io/en/latest/using.html
- apache: automates obtaining and installing a cert with Apache 2.4 on Debian-based distributions
- webroot: obtains a cert by writing to the webroot directory of an already running webserver
- standalone: uses a "standalone" webserver to obtain a cert. Requires port 80 or 443 to be available
- manual: helps you obtain a cert by giving you instructions to perform domain validation yourself
- nginx: very experimental and not included in letsencrypt-auto :D
63 of 73
Demo
64 of 73
Meet your new best friend (SSL Test)
https://www.ssllabs.com/ssltest/index.html
66 of 73
HTTP Strict Transport Security (HSTS)
It is an HTTP header sent from the server to the client. Such a header informs the client that HTTPS is available for the requested website.
The "max-age" parameter sets the validity of this information (in seconds).
67 of 73
Enable HSTS in NGINX
Enabling HSTS is as simple as adding a common HTTP header:
    server {
        listen 443 ssl;
        ...
        # Force HSTS
        add_header Strict-Transport-Security "max-age=15768000";
    }
68 of 73
Perfect Forward Secrecy (PFS)
Let's say someone intercepts and stores all our encrypted communications. I know, who would ever do that? (cough)
If the private key is compromised/deciphered, all the previous communications could be decrypted and read.
Solution: use a new key for each session. Call that key "ephemeral".
69 of 73
PFS? Pretty please, with sugar on top
Just use the right cipher:
    server {
        listen 443 ssl;
        ...
        ssl_prefer_server_ciphers on;
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256';
    }
70 of 73
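An added example, not from the slides, that combines the Let's Encrypt webroot validation described under "Under the hood" with the HSTS and PFS settings of the last two slides into one deployment. example.org, the /var/www paths and the cipher list (the slide's suite plus three more ECDHE-only suites) are assumptions; the certificate paths follow the letsencrypt client's default layout.

```nginx
# Added example, not from the slides. Host name and /var/www paths are constructed.
#
# Obtain the certificate with the webroot plugin while nginx is running, e.g.:
#   letsencrypt certonly --webroot -w /var/www/letsencrypt -d example.org -d www.example.org
# and renew it from cron every couple of months with:
#   letsencrypt renew

server {
    listen 80;
    server_name example.org www.example.org;

    # The only thing served in clear text: the HTTP-01 challenge files the
    # client writes under <webroot>/.well-known/acme-challenge/
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
        default_type text/plain;
    }

    # Everything else is sent to HTTPS
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name example.org www.example.org;
    root /var/www/example.org;

    # default output paths of the letsencrypt client
    ssl_certificate     /etc/letsencrypt/live/example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem;

    # PFS: ECDHE key exchange only, so a leaked private key does not unlock
    # recorded sessions. The server, not the client, picks the suite.
    # TLS 1.0/1.1 are left out; widen ssl_protocols if old clients must connect.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';

    # Resumption via the server-side cache rather than session tickets: a
    # ticket key lives as long as the nginx process and would let anyone who
    # obtains it decrypt every session resumed with it, weakening PFS.
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # HSTS: browsers refuse plain HTTP for this host for the next 6 months.
    # Pitfall: a location with its own add_header does NOT inherit this one;
    # repeat the directive there if needed.
    add_header Strict-Transport-Security "max-age=15768000";

    location / {
        try_files $uri $uri/ =404;
    }
}
```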
NGINX Links
Getting Started
- NGINX Pitfalls
- NGINX Admin Guide
- NGINX Primer
- NGINX TIPS
- NGINX Doc and Modules Reference
- Understanding Nginx Server and Location Block Selection Algorithms
- Understanding the Nginx Configuration File Structure and Configuration Contexts
71 of 73
HTTPS Links
HTTPS
- BetterCrypto
- Mozilla Config Generator
- Cipherlist
- Why You Should Always Use HTTPS
- Hardening NGINX SSL/TLS Configuration
- Strong SSL Security on nginx
72 of 73
License
This work is released under the Creative Commons Attribution-Share Alike 4.0 International License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/4.0/ or send a letter to Creative Commons, 444 Castro Street, Suite 900, Mountain View, California, 94041, USA.
https://www.poul.org
73 of 73
- Introduction
  - HTTP 101
  - NGINX Architecture
  - Can I try this at home?
- Installation and Configuration
  - Installing on Debian
  - Configuration
  - PHP-FPM
  - Reverse Proxy
- Security
  - SSL/TLS and HTTPS
  - Let's Encrypt
  - HTTPS Hardening
- Links
Enough talk, lemme see
    telnet www.poul.org 80
    Trying 176.31.102.216...
    Connected to www.poul.org.
    Escape character is '^]'.
    GET / HTTP/1.1
    Host: www.poul.org

    curl -i https://www.poul.org

    http https://www.poul.org (requires the httpie package)
13 of 73
Enough talk, lemme see
    HTTP/1.1 200 OK
    Cache-Control: max-age=3, must-revalidate
    Connection: keep-alive
    Content-Encoding: gzip
    Content-Length: 7421
    Content-Type: text/html; charset=UTF-8
    Date: Sun, 08 May 2016 19:21:32 GMT
    Strict-Transport-Security: max-age=15768000
    WP-Super-Cache: Served supercache file from PHP
    X-Answer: 42
    X-Fact: systemd is bloated

    <html lang="it-IT"><head [...]>
    <title>POuL Politecnico Open unix Labs</title>
14 of 73
What does 'He' have that I don't?
- Lightweight
- Fast
- A pleasure to configure (shame on you, Apache)
- Versatile (reverse proxy, load balancer)
- (Modular)
16 of 73
NGINX Architecture
There are two different kinds of process:
- Master process: it's the main process, it runs as root and fulfills two main tasks:
  - read the configuration files
  - open the socket used to communicate with the worker processes
  - (slack off for the rest of the time)
- Worker processes: one or more processes, run as an unprivileged user (www-data on Debian). They do the real hard work, managing all the HTTP requests coming from thousands of clients. (They work out in their free time.) They don't have free time.
17 of 73
NGINX Architecture
[Diagram: Nginx Master Process above Worker Process 1, 2, 3 ... n, each worker handling its own Request/Response 1, 2, 3 ... n]
18 of 73
Can I try this at home?
20 of 73
NAT
21 of 73
DDNS
22 of 73
One image to rule them all
[Diagram: NAT and DDNS; addresses shown: 176.31.102.216, 192.168.1.1, 192.168.1.2, 192.168.1.3, 95.237.205.50]
23 of 73
To sum up
- NAT (port forwarding / virtual server)
- DDNS (Duck DNS, Afraid, no-ip)
- Happy Googling :D
24 of 73
Check the installed version
sudo nginx -v
Get the full list of the enabled modules
sudo nginx -V
Look for a specific module
sudo nginx -V 2gtamp1 | grep --color module_name
27 of 73
Installation Complete
Check the installed version
sudo nginx -v
Get the full list of the enabled modules
sudo nginx -V
Look for a specific module
sudo nginx -V 2gtamp1 | grep --color module_name
27 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links28 of 73
nginxconf
The good olrsquo days of httpdconf and htaccess have ended nginxconf kicks in And your days get even better (Maybe) ^^rsquo
29 of 73
Contexts
nginxconf is divided into five four contexts blocks (main)events(1) http(1) server(n) and location(n)
There is a hierarchy the events block is standalone httpcontains server blocks a server block contains location blocks
Directives defined in an higher block (like http) affect all theunderlying blocks (server and location)
Pro Tip apply directives in the highest context available
30 of 73
nginxconf stripped-down
user www -dataworker_processes 1pid runnginxpid
events worker_connections 128
http
server
location
31 of 73
Every time you do this a kitten dies
http
server
location root varwwwhtml
location another root varwwwhtml
32 of 73
VirtualHosts P
httpserver
listen 80server_name exampleorg wwwexampleorg
server listen 80server_name poulorg wwwpoulorg
server listen 80server_name fluffykittensit wwwfluffykittensit
33 of 73
location blocks
When we are in a location context we are usually dealing with filesand folders
Location diectives allow us to tell NGINX what to do when aspecific resource is requested
Such resource can be targeted using an exact path In this case we will prefix the uri with ldquo=rdquo
Alternatively we can rely on regex matching ~ prefix for case sensitive matching ~ prefix for case insensitive matching
Syntax l o c a t i o n [ = | ~ | ~lowast | ^~ ] u r i
34 of 73
Examples or GTFO
When I visit httpexampleorgdownloads I want a list of all thefiles in that folder
l o c a t i o n ~ download au to i ndex on
We donrsquot want our users to execute scripts from write accessbilefolders RIGHT
l o c a t i o n ~lowast ( images | cache | media | l o g s | tmp ) lowast ( php | p l | py ) $ r e t u r n 403 e r ro r_page 403 403 _er ro r html
35 of 73
Examples or GTFO
When I visit httpexampleorgdownloads I want a list of all thefiles in that folder
l o c a t i o n ~ download au to i ndex on
We donrsquot want our users to execute scripts from write accessbilefolders RIGHT
l o c a t i o n ~lowast ( images | cache | media | l o g s | tmp ) lowast ( php | p l | py ) $ r e t u r n 403 e r ro r_page 403 403 _er ro r html
35 of 73
Make yourself comfortable
36 of 73
Just Kidding
Demo
37 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links38 of 73
PHP-FPM Architecture
Request Nginx Socket
FastCGI Wrapper Wordpress
FastCGI Wrapper Drupal
FastCGI Wrapper ownCloud
FastCGI Wrapper $PHP_WebApp
39 of 73
php-fpmconf
sudo apt-get install php5-fpm sudo vimemacsatom(flame)etcphp5fpmpooldwwwconf
listen = varrunphp5-fpmsock sudo service php5-fpm restart
40 of 73
No way I want PHP 7
sudo apt-get install php70-fpm (httpspackagessuryorgphp) sudo vim (we have a winner)etcphp70fpmpooldwwwconf
listen = runphpphp70-fpmsock sudo service php70-fpm restart
41 of 73
Demo
Demo
42 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links43 of 73
ldquoTo infinity and beyondrdquo
Ruby RailsSinatraPuma Python FlaskTornadoDjango (the D is silent) JavaScript NodejsGhost Anything TransmissionSyncthingympd
44 of 73
Always the same pattern
A service running behind some port (8000 8080 8384 9091 etc) You want to access it without opening all those ports in yourfirewall
You want advanced settings Authentication SSLTLS
45 of 73
Demo
Demo
46 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links47 of 73
Itrsquos a conspiracy
48 of 73
HTTPS Oh yes the green lock |
SSLTLS in a nutshell Choose a fast symmetric cipher (like AES) This is called well thecipher
Choose a random key for that cipher This is called the sessionkey
Encrypt that key using RSA (public key crypto) and send it to theperson yoursquore communicating with
Then you both have the same AES key and can encrypt all yourcommunications back and forth after that
The NSA is sad (
49 of 73
Alice is suspicious
Everything is encrypted awesome but is Bob well Bob A digital certificate is an electronic document used to proveownership of a public key
The certificate includes information about the key its ownerrsquosidentity and the digital signature of a Certification Authority
A Certification Authority(CA) is an entity that issues digitalcertificates and verifies that the certificatersquos content is correct
50 of 73
Arya
51 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links52 of 73
Letrsquos Encrypt will be released any second now
53 of 73
any second now
54 of 73
aaaaany second now
55 of 73
now
56 of 73
57 of 73
58 of 73
Thank you
59 of 73
So we were saying Letrsquos Encrypt
60 of 73
Features - sounds good
Free Automatic Secure Transparent Open Cooperative
61 of 73
Under the hood
When you run the letsencrypt client a few tasks are performedhttpsletsencryptorghow-it-works Domain Validation (DNS or HTTP)
Provisioning a DNS record under examplecom Provisioning an HTTP resource under a well-known URI on
httpsexamplecom
Certificate Issuance Repeat every 23 months (yes a script would be helpful)
62 of 73
Plugins
httpsletsencryptreadthedocsioenlatestusinghtml apache Automates obtaining and installing a cert with Apache 24on Debian-based distributions
webroot Obtains a cert by writing to the webroot directory of analready running webserver
standalone Uses a ldquostandalonerdquo webserver to obtain a certRequires port 80 or 443 to be available
manual Helps you obtain a cert by giving you instructions toperform domain validation yourself
nginx Very experimental and not included in letsencrypt-auto D
63 of 73
Demo
Demo
64 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links65 of 73
Meet your new best friend (SSL Test)
httpswwwssllabscomssltestindexhtml
66 of 73
HTTP Strict Transport Security (HSTS)
It is an HTTP header sent from the server to the client Such header informs the client that HTTPS is availbale for therequested website
The ldquomax-agerdquo parameters sets the validity of this information (inseconds)
67 of 73
Enable HSTS in NGINX
Enabling HSTS is as simple as adding a common HTTP headerserver
listen 443 ssl
Force HSTSadd_header Strict -Transport -Security max -age =15768000
68 of 73
Perfect Forward Secrecy (PFS)
Letrsquos say someone intercepts and stores all our encryptedcommunications I know who would ever do that (cough)
If the private key is compromiseddeciphered all the previouscommunications could be unencrypted and read
Solution Use a new key for each session Call that key ldquoephimeralrdquo
69 of 73
PFS Pretty please with sugar on top
Just use the right cipherserver
listen 443 ssl
ssl_prefer_server_ciphers onssl_ciphers rsquoECDHE -RSA -AES128 -GCM -SHA256 rsquo
70 of 73
NGINX Links
Getting Started
NGINX PitfallsNGINX Admin GuideNGINX PrimerNGINXTIPSNGINX Doc and Modules ReferenceUnderstanding Nginx Server and Location Block Selection AlgorithmsUnderstanding the Nginx Configuration File Structure andConfiguration Contexts
71 of 73
HTTPS Links
HTTPS
BetterCryptoMozilla Config GeneratorCipherlistWhy You Should Always Use HTTPSHardening NGINX SSLTSL ConfigurationStrong SSL Security on nginx
72 of 73
License
mediaDatiSyncthingslide_nginx2015imagescc-by-sa_iconpng
Questrsquoopera egrave rilasciata sotto la licenza Creative Commons Attribution-Share Alike 40International License Per visualizzare una copia di questa licenza visitarehttpcreativecommonsorglicensesby-sa40 o inviare una lettera a CreativeCommons 444 Castro Street Suite 900 Mountain View California 94041 USA
httpswwwpoulorg
73 of 73
- Introduction
-
- HTTP 101
- NGINX Architecture
- Can I try this at home
-
- Installation and Configuration
-
- Installing on Debian
- Configuration
- PHP-FPM
- Reverse Proxy
-
- Security
-
- SSLTLS and HTTPS
- Lets Encrypt
- HTTPS Hardening
-
- Links
-
What does rsquoHersquo have that I donrsquot
Lightweight Fast A pleasure to configure (shame on you Apache) Versatile (reverse proxy load balancer) (Modular)
16 of 73
NGINX Architecture
There are two different kinds of process Master process Itrsquos the main process it runs as root and fulfillstwo main tasks Read the configuration files Open the socket used to communicate with the worker processes (Slack off for the rest of the time)
Worker processes one or more processes run as unprivileged user(www-data on Debian) They do the real hard work managing all the HTTP requests coming
from thousands of clients (They work out in their free time) They donrsquot have free time
17 of 73
NGINX Architecture
Nginx Master Process
Worker P
rocess 1
Worker P
rocess 2
Worker P
rocess 3
Worker P
rocess n
Request Response 1
Request Response 2
Request Response 3
Request Response n
18 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links19 of 73
Can I try this at home
20 of 73
NAT
NAT21 of 73
DDNS
NATDDNS22 of 73
One image to rule them all
17631102216
19216811
19216812
19216813
9523720550
23 of 73
To sum up
NAT (port forwadingvirtual server) DDNS (Duck DNS Afraid no-ip) Happy Googling D
24 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links25 of 73
apt-get install
Debian Stable (Jessie at the time of writing) provides threedifferent flavours of nginx (itrsquos modular remember) nginx-light just a small subset of core modules nginx (nginx-full) he is your man nginx-extras bloated editionIf you want to see the full comparisonIf you want the (almost) latest version install it from the Backports
26 of 73
Installation Complete
Check the installed version
sudo nginx -v
Get the full list of the enabled modules
sudo nginx -V
Look for a specific module
sudo nginx -V 2gtamp1 | grep --color module_name
27 of 73
Installation Complete
Check the installed version
sudo nginx -v
Get the full list of the enabled modules
sudo nginx -V
Look for a specific module
sudo nginx -V 2gtamp1 | grep --color module_name
27 of 73
Installation Complete
Check the installed version
sudo nginx -v
Get the full list of the enabled modules
sudo nginx -V
Look for a specific module
sudo nginx -V 2gtamp1 | grep --color module_name
27 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links28 of 73
nginxconf
The good olrsquo days of httpdconf and htaccess have ended nginxconf kicks in And your days get even better (Maybe) ^^rsquo
29 of 73
Contexts
nginxconf is divided into five four contexts blocks (main)events(1) http(1) server(n) and location(n)
There is a hierarchy the events block is standalone httpcontains server blocks a server block contains location blocks
Directives defined in an higher block (like http) affect all theunderlying blocks (server and location)
Pro Tip apply directives in the highest context available
30 of 73
nginxconf stripped-down
user www -dataworker_processes 1pid runnginxpid
events worker_connections 128
http
server
location
31 of 73
Every time you do this a kitten dies
http
server
location root varwwwhtml
location another root varwwwhtml
32 of 73
VirtualHosts P
httpserver
listen 80server_name exampleorg wwwexampleorg
server listen 80server_name poulorg wwwpoulorg
server listen 80server_name fluffykittensit wwwfluffykittensit
33 of 73
location blocks
When we are in a location context we are usually dealing with filesand folders
Location diectives allow us to tell NGINX what to do when aspecific resource is requested
Such resource can be targeted using an exact path In this case we will prefix the uri with ldquo=rdquo
Alternatively we can rely on regex matching ~ prefix for case sensitive matching ~ prefix for case insensitive matching
Syntax l o c a t i o n [ = | ~ | ~lowast | ^~ ] u r i
34 of 73
Examples or GTFO
When I visit httpexampleorgdownloads I want a list of all thefiles in that folder
l o c a t i o n ~ download au to i ndex on
We donrsquot want our users to execute scripts from write accessbilefolders RIGHT
l o c a t i o n ~lowast ( images | cache | media | l o g s | tmp ) lowast ( php | p l | py ) $ r e t u r n 403 e r ro r_page 403 403 _er ro r html
35 of 73
Examples or GTFO
When I visit httpexampleorgdownloads I want a list of all thefiles in that folder
l o c a t i o n ~ download au to i ndex on
We donrsquot want our users to execute scripts from write accessbilefolders RIGHT
l o c a t i o n ~lowast ( images | cache | media | l o g s | tmp ) lowast ( php | p l | py ) $ r e t u r n 403 e r ro r_page 403 403 _er ro r html
35 of 73
Make yourself comfortable
36 of 73
Just Kidding
Demo
37 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links38 of 73
PHP-FPM Architecture
Request Nginx Socket
FastCGI Wrapper Wordpress
FastCGI Wrapper Drupal
FastCGI Wrapper ownCloud
FastCGI Wrapper $PHP_WebApp
39 of 73
php-fpmconf
sudo apt-get install php5-fpm sudo vimemacsatom(flame)etcphp5fpmpooldwwwconf
listen = varrunphp5-fpmsock sudo service php5-fpm restart
40 of 73
No way I want PHP 7
sudo apt-get install php70-fpm (httpspackagessuryorgphp) sudo vim (we have a winner)etcphp70fpmpooldwwwconf
listen = runphpphp70-fpmsock sudo service php70-fpm restart
41 of 73
Demo
Demo
42 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links43 of 73
ldquoTo infinity and beyondrdquo
Ruby RailsSinatraPuma Python FlaskTornadoDjango (the D is silent) JavaScript NodejsGhost Anything TransmissionSyncthingympd
44 of 73
Always the same pattern
A service running behind some port (8000 8080 8384 9091 etc) You want to access it without opening all those ports in yourfirewall
You want advanced settings Authentication SSLTLS
45 of 73
Demo
Demo
46 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links47 of 73
Itrsquos a conspiracy
48 of 73
HTTPS Oh yes the green lock |
SSLTLS in a nutshell Choose a fast symmetric cipher (like AES) This is called well thecipher
Choose a random key for that cipher This is called the sessionkey
Encrypt that key using RSA (public key crypto) and send it to theperson yoursquore communicating with
Then you both have the same AES key and can encrypt all yourcommunications back and forth after that
The NSA is sad (
49 of 73
Alice is suspicious
Everything is encrypted awesome but is Bob well Bob A digital certificate is an electronic document used to proveownership of a public key
The certificate includes information about the key its ownerrsquosidentity and the digital signature of a Certification Authority
A Certification Authority(CA) is an entity that issues digitalcertificates and verifies that the certificatersquos content is correct
50 of 73
Arya
51 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links52 of 73
Letrsquos Encrypt will be released any second now
53 of 73
any second now
54 of 73
aaaaany second now
55 of 73
now
56 of 73
57 of 73
58 of 73
Thank you
59 of 73
So we were saying Letrsquos Encrypt
60 of 73
Features - sounds good
Free Automatic Secure Transparent Open Cooperative
61 of 73
Under the hood
When you run the letsencrypt client a few tasks are performedhttpsletsencryptorghow-it-works Domain Validation (DNS or HTTP)
Provisioning a DNS record under examplecom Provisioning an HTTP resource under a well-known URI on
httpsexamplecom
Certificate Issuance Repeat every 23 months (yes a script would be helpful)
62 of 73
Plugins
httpsletsencryptreadthedocsioenlatestusinghtml apache Automates obtaining and installing a cert with Apache 24on Debian-based distributions
webroot Obtains a cert by writing to the webroot directory of analready running webserver
standalone Uses a ldquostandalonerdquo webserver to obtain a certRequires port 80 or 443 to be available
manual Helps you obtain a cert by giving you instructions toperform domain validation yourself
nginx Very experimental and not included in letsencrypt-auto D
63 of 73
Demo
Demo
64 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links65 of 73
Meet your new best friend (SSL Test)
httpswwwssllabscomssltestindexhtml
66 of 73
HTTP Strict Transport Security (HSTS)
It is an HTTP header sent from the server to the client Such header informs the client that HTTPS is availbale for therequested website
The ldquomax-agerdquo parameters sets the validity of this information (inseconds)
67 of 73
Enable HSTS in NGINX
Enabling HSTS is as simple as adding a common HTTP headerserver
listen 443 ssl
Force HSTSadd_header Strict -Transport -Security max -age =15768000
68 of 73
Perfect Forward Secrecy (PFS)
Letrsquos say someone intercepts and stores all our encryptedcommunications I know who would ever do that (cough)
If the private key is compromiseddeciphered all the previouscommunications could be unencrypted and read
Solution Use a new key for each session Call that key ldquoephimeralrdquo
69 of 73
PFS Pretty please with sugar on top
Just use the right cipherserver
listen 443 ssl
ssl_prefer_server_ciphers onssl_ciphers rsquoECDHE -RSA -AES128 -GCM -SHA256 rsquo
70 of 73
NGINX Links
Getting Started
NGINX PitfallsNGINX Admin GuideNGINX PrimerNGINXTIPSNGINX Doc and Modules ReferenceUnderstanding Nginx Server and Location Block Selection AlgorithmsUnderstanding the Nginx Configuration File Structure andConfiguration Contexts
71 of 73
HTTPS Links
HTTPS
BetterCryptoMozilla Config GeneratorCipherlistWhy You Should Always Use HTTPSHardening NGINX SSLTSL ConfigurationStrong SSL Security on nginx
72 of 73
License
mediaDatiSyncthingslide_nginx2015imagescc-by-sa_iconpng
Questrsquoopera egrave rilasciata sotto la licenza Creative Commons Attribution-Share Alike 40International License Per visualizzare una copia di questa licenza visitarehttpcreativecommonsorglicensesby-sa40 o inviare una lettera a CreativeCommons 444 Castro Street Suite 900 Mountain View California 94041 USA
httpswwwpoulorg
73 of 73
- Introduction
-
- HTTP 101
- NGINX Architecture
- Can I try this at home
-
- Installation and Configuration
-
- Installing on Debian
- Configuration
- PHP-FPM
- Reverse Proxy
-
- Security
-
- SSLTLS and HTTPS
- Lets Encrypt
- HTTPS Hardening
-
- Links
-
NGINX Architecture
There are two different kinds of process Master process Itrsquos the main process it runs as root and fulfillstwo main tasks Read the configuration files Open the socket used to communicate with the worker processes (Slack off for the rest of the time)
Worker processes one or more processes run as unprivileged user(www-data on Debian) They do the real hard work managing all the HTTP requests coming
from thousands of clients (They work out in their free time) They donrsquot have free time
17 of 73
NGINX Architecture
Nginx Master Process
Worker P
rocess 1
Worker P
rocess 2
Worker P
rocess 3
Worker P
rocess n
Request Response 1
Request Response 2
Request Response 3
Request Response n
18 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links19 of 73
Can I try this at home
20 of 73
NAT
NAT21 of 73
DDNS
NATDDNS22 of 73
One image to rule them all
17631102216
19216811
19216812
19216813
9523720550
23 of 73
To sum up
NAT (port forwadingvirtual server) DDNS (Duck DNS Afraid no-ip) Happy Googling D
24 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links25 of 73
apt-get install
Debian Stable (Jessie at the time of writing) provides threedifferent flavours of nginx (itrsquos modular remember) nginx-light just a small subset of core modules nginx (nginx-full) he is your man nginx-extras bloated editionIf you want to see the full comparisonIf you want the (almost) latest version install it from the Backports
26 of 73
Installation Complete
Check the installed version
sudo nginx -v
Get the full list of the enabled modules
sudo nginx -V
Look for a specific module
sudo nginx -V 2gtamp1 | grep --color module_name
27 of 73
Installation Complete
Check the installed version
sudo nginx -v
Get the full list of the enabled modules
sudo nginx -V
Look for a specific module
sudo nginx -V 2gtamp1 | grep --color module_name
27 of 73
Installation Complete
Check the installed version
sudo nginx -v
Get the full list of the enabled modules
sudo nginx -V
Look for a specific module
sudo nginx -V 2gtamp1 | grep --color module_name
27 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links28 of 73
nginxconf
The good olrsquo days of httpdconf and htaccess have ended nginxconf kicks in And your days get even better (Maybe) ^^rsquo
29 of 73
Contexts
nginxconf is divided into five four contexts blocks (main)events(1) http(1) server(n) and location(n)
There is a hierarchy the events block is standalone httpcontains server blocks a server block contains location blocks
Directives defined in an higher block (like http) affect all theunderlying blocks (server and location)
Pro Tip apply directives in the highest context available
30 of 73
nginxconf stripped-down
user www -dataworker_processes 1pid runnginxpid
events worker_connections 128
http
server
location
31 of 73
Every time you do this a kitten dies
http
server
location root varwwwhtml
location another root varwwwhtml
32 of 73
VirtualHosts P
httpserver
listen 80server_name exampleorg wwwexampleorg
server listen 80server_name poulorg wwwpoulorg
server listen 80server_name fluffykittensit wwwfluffykittensit
33 of 73
location blocks
When we are in a location context we are usually dealing with filesand folders
Location diectives allow us to tell NGINX what to do when aspecific resource is requested
Such resource can be targeted using an exact path In this case we will prefix the uri with ldquo=rdquo
Alternatively we can rely on regex matching ~ prefix for case sensitive matching ~ prefix for case insensitive matching
Syntax l o c a t i o n [ = | ~ | ~lowast | ^~ ] u r i
34 of 73
Examples or GTFO
When I visit httpexampleorgdownloads I want a list of all thefiles in that folder
l o c a t i o n ~ download au to i ndex on
We donrsquot want our users to execute scripts from write accessbilefolders RIGHT
l o c a t i o n ~lowast ( images | cache | media | l o g s | tmp ) lowast ( php | p l | py ) $ r e t u r n 403 e r ro r_page 403 403 _er ro r html
35 of 73
Examples or GTFO
When I visit httpexampleorgdownloads I want a list of all thefiles in that folder
l o c a t i o n ~ download au to i ndex on
We donrsquot want our users to execute scripts from write accessbilefolders RIGHT
l o c a t i o n ~lowast ( images | cache | media | l o g s | tmp ) lowast ( php | p l | py ) $ r e t u r n 403 e r ro r_page 403 403 _er ro r html
35 of 73
Make yourself comfortable
36 of 73
Just Kidding
Demo
37 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links38 of 73
PHP-FPM Architecture
Request Nginx Socket
FastCGI Wrapper Wordpress
FastCGI Wrapper Drupal
FastCGI Wrapper ownCloud
FastCGI Wrapper $PHP_WebApp
39 of 73
php-fpmconf
sudo apt-get install php5-fpm sudo vimemacsatom(flame)etcphp5fpmpooldwwwconf
listen = varrunphp5-fpmsock sudo service php5-fpm restart
40 of 73
No way I want PHP 7
sudo apt-get install php70-fpm (httpspackagessuryorgphp) sudo vim (we have a winner)etcphp70fpmpooldwwwconf
listen = runphpphp70-fpmsock sudo service php70-fpm restart
41 of 73
Demo
Demo
42 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links43 of 73
ldquoTo infinity and beyondrdquo
Ruby RailsSinatraPuma Python FlaskTornadoDjango (the D is silent) JavaScript NodejsGhost Anything TransmissionSyncthingympd
44 of 73
Always the same pattern
A service running behind some port (8000 8080 8384 9091 etc) You want to access it without opening all those ports in yourfirewall
You want advanced settings Authentication SSLTLS
45 of 73
Demo
Demo
46 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links47 of 73
Itrsquos a conspiracy
48 of 73
HTTPS Oh yes the green lock |
SSLTLS in a nutshell Choose a fast symmetric cipher (like AES) This is called well thecipher
Choose a random key for that cipher This is called the sessionkey
Encrypt that key using RSA (public key crypto) and send it to theperson yoursquore communicating with
Then you both have the same AES key and can encrypt all yourcommunications back and forth after that
The NSA is sad (
49 of 73
Alice is suspicious
Everything is encrypted awesome but is Bob well Bob A digital certificate is an electronic document used to proveownership of a public key
The certificate includes information about the key its ownerrsquosidentity and the digital signature of a Certification Authority
A Certification Authority(CA) is an entity that issues digitalcertificates and verifies that the certificatersquos content is correct
50 of 73
Arya
51 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links52 of 73
Letrsquos Encrypt will be released any second now
53 of 73
any second now
54 of 73
aaaaany second now
55 of 73
now
56 of 73
57 of 73
58 of 73
Thank you
59 of 73
So we were saying Letrsquos Encrypt
60 of 73
Features - sounds good
Free Automatic Secure Transparent Open Cooperative
61 of 73
Under the hood
When you run the letsencrypt client a few tasks are performedhttpsletsencryptorghow-it-works Domain Validation (DNS or HTTP)
Provisioning a DNS record under examplecom Provisioning an HTTP resource under a well-known URI on
httpsexamplecom
Certificate Issuance Repeat every 23 months (yes a script would be helpful)
62 of 73
Plugins
httpsletsencryptreadthedocsioenlatestusinghtml apache Automates obtaining and installing a cert with Apache 24on Debian-based distributions
webroot Obtains a cert by writing to the webroot directory of analready running webserver
standalone Uses a ldquostandalonerdquo webserver to obtain a certRequires port 80 or 443 to be available
manual Helps you obtain a cert by giving you instructions toperform domain validation yourself
nginx Very experimental and not included in letsencrypt-auto D
63 of 73
Demo
Demo
64 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links65 of 73
Meet your new best friend (SSL Test)
httpswwwssllabscomssltestindexhtml
66 of 73
HTTP Strict Transport Security (HSTS)
It is an HTTP header sent from the server to the client Such header informs the client that HTTPS is availbale for therequested website
The ldquomax-agerdquo parameters sets the validity of this information (inseconds)
67 of 73
Enable HSTS in NGINX
Enabling HSTS is as simple as adding a common HTTP headerserver
listen 443 ssl
Force HSTSadd_header Strict -Transport -Security max -age =15768000
68 of 73
Perfect Forward Secrecy (PFS)
Let's say someone intercepts and stores all our encrypted communications. I know, who would ever do that? (cough)
If the private key is compromised/deciphered, all the previous communications could be decrypted and read.
Solution: Use a new key for each session. Call that key "ephemeral".
69 of 73
PFS: Pretty please, with sugar on top
Just use the right cipher:
    server {
        listen 443 ssl;
        ssl_prefer_server_ciphers on;
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256';
    }
70 of 73
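To check that a server block actually carries the HSTS header and the forward-secret cipher from the last two slides, here is an added Python audit (example code, not part of the original slides or of nginx). The two server blocks it inspects are constructed, and its tokenizer only handles the subset of nginx syntax they use.

```python
import re
from typing import Dict, List, Tuple

# Added example, not nginx's or the author's code: audits a server block for
# the two hardening settings on the slides (HSTS with a long max-age, and
# forward-secret cipher suites). The tokenizer only covers the subset of
# nginx syntax the constructed blocks below use: directives ending in ';',
# '{' '}' blocks, single- or double-quoted values and '#' comments.

SIX_MONTHS = 15768000   # the max-age value used on the HSTS slide, in seconds

TOKEN_RE = re.compile(r"""#[^\n]*|'[^']*'|"[^"]*"|[{};]|[^\s{};]+""")


def tokenize(config: str) -> List[str]:
    """Split config text into words, unquoted string values and { } ; tokens."""
    tokens = []
    for m in TOKEN_RE.finditer(config):
        tok = m.group(0)
        if tok.startswith("#"):
            continue                      # comment
        if tok[0] in "'\"":
            tok = tok[1:-1]               # strip the quotes, keep the value
        tokens.append(tok)
    return tokens


def parse_directives(tokens: List[str]) -> List[Tuple[str, List[str]]]:
    """Flatten every 'name arg...;' directive, ignoring block nesting."""
    directives, current = [], []
    for tok in tokens:
        if tok == ";":
            if current:
                directives.append((current[0], current[1:]))
            current = []
        elif tok in ("{", "}"):
            current = []                  # block headers carry nothing we audit
        else:
            current.append(tok)
    return directives


def audit_server(config: str) -> Dict[str, bool]:
    findings = {"listens_on_443_ssl": False, "hsts_present": False,
                "hsts_max_age_ok": False, "prefers_server_ciphers": False,
                "all_ciphers_forward_secret": False}
    for name, args in parse_directives(tokenize(config)):
        if name == "listen" and args and "443" in args[0] and "ssl" in args:
            findings["listens_on_443_ssl"] = True
        elif name == "add_header" and args and args[0].lower() == "strict-transport-security":
            findings["hsts_present"] = True
            m = re.search(r"max-age=(\d+)", " ".join(args[1:]))
            findings["hsts_max_age_ok"] = bool(m) and int(m.group(1)) >= SIX_MONTHS
        elif name == "ssl_prefer_server_ciphers":
            findings["prefers_server_ciphers"] = args == ["on"]
        elif name == "ssl_ciphers":
            # Only explicit suite names are judged; OpenSSL keywords such as
            # HIGH cannot be classified here and therefore fail the check.
            suites = [s for s in ":".join(args).split(":") if s and not s.startswith("!")]
            findings["all_ciphers_forward_secret"] = bool(suites) and all(
                s.startswith(("ECDHE-", "DHE-")) for s in suites)
    return findings


# Constructed server blocks: the two slides merged, and a weak counterpart.
HARDENED = """
server {
    listen 443 ssl;
    # Force HSTS
    add_header Strict-Transport-Security max-age=15768000;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256';
}
"""

WEAK = """
server {
    listen 443 ssl;
    add_header Strict-Transport-Security "max-age=300";
    ssl_ciphers 'AES128-SHA:ECDHE-RSA-AES128-GCM-SHA256';
}
"""

if __name__ == "__main__":
    for label, cfg in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, audit_server(cfg))
```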
NGINX Links
Getting Started
- NGINX Pitfalls
- NGINX Admin Guide
- NGINX Primer
- NGINX TIPS
- NGINX Doc and Modules Reference
- Understanding Nginx Server and Location Block Selection Algorithms
- Understanding the Nginx Configuration File Structure and Configuration Contexts
71 of 73
HTTPS Links
HTTPS
- BetterCrypto
- Mozilla Config Generator
- Cipherlist
- Why You Should Always Use HTTPS
- Hardening NGINX SSL/TLS Configuration
- Strong SSL Security on nginx
72 of 73
License
This work is licensed under the Creative Commons Attribution-Share Alike 4.0 International License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/4.0/ or send a letter to Creative Commons, 444 Castro Street, Suite 900, Mountain View, California, 94041, USA.
https://www.poul.org
73 of 73
- Introduction
  - HTTP 101
  - NGINX Architecture
  - Can I try this at home?
- Installation and Configuration
  - Installing on Debian
  - Configuration
  - PHP-FPM
  - Reverse Proxy
- Security
  - SSL/TLS and HTTPS
  - Let's Encrypt
  - HTTPS Hardening
- Links
NGINX Architecture
(figure: the Nginx master process spawns Worker Process 1, 2, 3 ... n; each worker handles its own Request/Response 1, 2, 3 ... n)
18 of 73
Can I try this at home?
20 of 73
NAT
(figure: NAT)
21 of 73
DDNS
(figure: NAT + DDNS)
22 of 73
One image to rule them all
(figure: home network diagram with the LAN hosts 192.168.1.1, 192.168.1.2 and 192.168.1.3 behind NAT and two public IP addresses)
23 of 73
To sum up
NAT (port forwarding/virtual server), DDNS (Duck DNS, Afraid, no-ip). Happy Googling :D
24 of 73
apt-get install
Debian Stable (Jessie at the time of writing) provides three different flavours of nginx (it's modular, remember?):
- nginx-light: just a small subset of core modules
- nginx (nginx-full): he is your man
- nginx-extras: bloated edition
If you want to see the full comparison
If you want the (almost) latest version, install it from the Backports.
26 of 73
Installation Complete
Check the installed version:
    sudo nginx -v
Get the full list of the enabled modules:
    sudo nginx -V
Look for a specific module:
    sudo nginx -V 2>&1 | grep --color module_name
27 of 73
nginx.conf
The good ol' days of httpd.conf and .htaccess have ended: nginx.conf kicks in. And your days get even better. (Maybe) ^^'
29 of 73
Contexts
nginx.conf is divided into five (well, four) context blocks: (main), events (1), http (1), server (n) and location (n).
There is a hierarchy: the events block is standalone, http contains server blocks, a server block contains location blocks.
Directives defined in a higher block (like http) affect all the underlying blocks (server and location).
Pro Tip: apply directives in the highest context available.
30 of 73
nginx.conf stripped-down
    user www-data;
    worker_processes 1;
    pid /run/nginx.pid;

    events {
        worker_connections 128;
    }

    http {
        server {
            location / {
            }
        }
    }
31 of 73
Every time you do this a kitten dies
    http {
        server {
            location / {
                root /var/www/html;
            }
            location /another {
                root /var/www/html;
            }
        }
    }
(the same root repeated in every location; per the Pro Tip, it belongs once in the server block)
32 of 73
VirtualHosts :P
    http {
        server {
            listen 80;
            server_name example.org www.example.org;
        }
        server {
            listen 80;
            server_name poul.org www.poul.org;
        }
        server {
            listen 80;
            server_name fluffykittens.it www.fluffykittens.it;
        }
    }
33 of 73
location blocks
When we are in a location context we are usually dealing with files and folders.
Location directives allow us to tell NGINX what to do when a specific resource is requested.
Such resource can be targeted using an exact path. In this case we will prefix the uri with "=".
Alternatively we can rely on regex matching: the ~ prefix for case sensitive matching, the ~* prefix for case insensitive matching.
Syntax: location [ = | ~ | ~* | ^~ ] uri { ... }
34 of 73
Examples or GTFO
When I visit http://example.org/downloads I want a list of all the files in that folder:
    location ~ /download {
        autoindex on;
    }
We don't want our users to execute scripts from write-accessible folders, RIGHT?
    location ~* /(images|cache|media|logs|tmp)/.*\.(php|pl|py)$ {
        return 403;
        error_page 403 /403_error.html;
    }
35 of 73
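How nginx picks a location for a request, as an added Python simulation (example code, not nginx's own): it applies the documented order, exact match, longest prefix (with ^~ stopping the search), then regexes in configuration order, to the two blocks above plus a constructed catch-all "/" block and a constructed "^~ /static/" block.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Added example, not nginx's own code: a simulation of how nginx selects the
# location block for a request URI. Order implemented: exact "=" matches win;
# otherwise the longest matching prefix is remembered and, if it carries "^~",
# wins without any regex test; otherwise "~" (case-sensitive) and "~*"
# (case-insensitive) regexes are tried in configuration order and the first
# match wins; otherwise the longest prefix is used.


@dataclass
class Location:
    modifier: str   # "", "=", "^~", "~" or "~*"
    uri: str        # prefix, exact path, or regex
    action: str     # label standing in for the block's directives

    def pattern(self) -> Optional[re.Pattern]:
        if self.modifier == "~":
            return re.compile(self.uri)
        if self.modifier == "~*":
            return re.compile(self.uri, re.IGNORECASE)
        return None


def select_location(locations: List[Location], path: str) -> Optional[Location]:
    for loc in locations:                                   # 1. exact match
        if loc.modifier == "=" and loc.uri == path:
            return loc
    best: Optional[Location] = None                         # 2. longest prefix
    for loc in locations:
        if loc.modifier in ("", "^~") and path.startswith(loc.uri):
            if best is None or len(loc.uri) > len(best.uri):
                best = loc
    if best is not None and best.modifier == "^~":          # ^~ stops here
        return best
    for loc in locations:                                   # 3. regexes in order
        pat = loc.pattern()
        if pat is not None and pat.search(path):
            return loc
    return best                                             # 4. prefix fallback


# The two blocks from the slide plus a constructed catch-all "/" and a
# constructed "^~ /static/" block to show the precedence rule.
SLIDE_CONFIG = [
    Location("", "/", "serve static files from root"),
    Location("^~", "/static/", "serve /static/ directly, regexes skipped"),
    Location("~", "/download", "autoindex on"),
    Location("~*", r"/(images|cache|media|logs|tmp)/.*\.(php|pl|py)$", "return 403"),
]


def decide(path: str, locations: List[Location] = SLIDE_CONFIG) -> str:
    """Name the action nginx would take for a request path."""
    loc = select_location(locations, path)
    return loc.action if loc else "no matching location"


if __name__ == "__main__":
    for p in ("/downloads/", "/images/shell.PHP", "/tmp/x.py", "/index.php",
              "/Downloads/", "/static/images/a.php"):
        print(f"{p:24} -> {decide(p)}")
```

Note that /static/images/a.php is served, not refused: the ^~ prefix wins before the 403 regex is ever tested, which is worth remembering whenever a deny rule is written as a regex location.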
Make yourself comfortable
36 of 73
Just Kidding
Demo
37 of 73
PHP-FPM Architecture
(figure: Request -> Nginx -> Socket -> one FastCGI wrapper per PHP application: Wordpress, Drupal, ownCloud, $PHP_WebApp)
39 of 73
php-fpm.conf
    sudo apt-get install php5-fpm
    sudo vim/emacs/atom (flame) /etc/php5/fpm/pool.d/www.conf
        listen = /var/run/php5-fpm.sock
    sudo service php5-fpm restart
40 of 73
No way, I want PHP 7
    sudo apt-get install php7.0-fpm (https://packages.sury.org/php)
    sudo vim (we have a winner) /etc/php/7.0/fpm/pool.d/www.conf
        listen = /run/php/php7.0-fpm.sock
    sudo service php7.0-fpm restart
41 of 73
Demo
Demo
42 of 73
"To infinity and beyond"
Ruby: Rails/Sinatra/Puma. Python: Flask/Tornado/Django (the D is silent). JavaScript: Node.js/Ghost. Anything: Transmission/Syncthing/ympd.
44 of 73
Always the same pattern
A service running behind some port (8000, 8080, 8384, 9091, etc.). You want to access it without opening all those ports in your firewall.
You want advanced settings: authentication, SSL/TLS.
45 of 73
Demo
Demo
46 of 73
It's a conspiracy
48 of 73
HTTPS: Oh yes, the green lock!
SSL/TLS in a nutshell: Choose a fast symmetric cipher (like AES). This is called, well, the cipher.
Choose a random key for that cipher. This is called the session key.
Encrypt that key using RSA (public key crypto) and send it to the person you're communicating with.
Then you both have the same AES key and can encrypt all your communications back and forth after that.
The NSA is sad :(
49 of 73
Alice is suspicious
Everything is encrypted, awesome, but is Bob, well, Bob? A digital certificate is an electronic document used to prove ownership of a public key.
The certificate includes information about the key, its owner's identity, and the digital signature of a Certification Authority.
A Certification Authority (CA) is an entity that issues digital certificates and verifies that the certificate's content is correct.
50 of 73
Arya
51 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links52 of 73
Letrsquos Encrypt will be released any second now
53 of 73
any second now
54 of 73
aaaaany second now
55 of 73
now
56 of 73
57 of 73
58 of 73
Thank you
59 of 73
So we were saying Letrsquos Encrypt
60 of 73
Features - sounds good
Free Automatic Secure Transparent Open Cooperative
61 of 73
Under the hood
When you run the letsencrypt client a few tasks are performedhttpsletsencryptorghow-it-works Domain Validation (DNS or HTTP)
Provisioning a DNS record under examplecom Provisioning an HTTP resource under a well-known URI on
httpsexamplecom
Certificate Issuance Repeat every 23 months (yes a script would be helpful)
62 of 73
Plugins
httpsletsencryptreadthedocsioenlatestusinghtml apache Automates obtaining and installing a cert with Apache 24on Debian-based distributions
webroot Obtains a cert by writing to the webroot directory of analready running webserver
standalone Uses a ldquostandalonerdquo webserver to obtain a certRequires port 80 or 443 to be available
manual Helps you obtain a cert by giving you instructions toperform domain validation yourself
nginx Very experimental and not included in letsencrypt-auto D
63 of 73
Demo
Demo
64 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links65 of 73
Meet your new best friend (SSL Test)
httpswwwssllabscomssltestindexhtml
66 of 73
HTTP Strict Transport Security (HSTS)
It is an HTTP header sent from the server to the client Such header informs the client that HTTPS is availbale for therequested website
The ldquomax-agerdquo parameters sets the validity of this information (inseconds)
67 of 73
Enable HSTS in NGINX
Enabling HSTS is as simple as adding a common HTTP headerserver
listen 443 ssl
Force HSTSadd_header Strict -Transport -Security max -age =15768000
68 of 73
Perfect Forward Secrecy (PFS)
Letrsquos say someone intercepts and stores all our encryptedcommunications I know who would ever do that (cough)
If the private key is compromiseddeciphered all the previouscommunications could be unencrypted and read
Solution Use a new key for each session Call that key ldquoephimeralrdquo
69 of 73
PFS Pretty please with sugar on top
Just use the right cipherserver
listen 443 ssl
ssl_prefer_server_ciphers onssl_ciphers rsquoECDHE -RSA -AES128 -GCM -SHA256 rsquo
70 of 73
NGINX Links
Getting Started
NGINX PitfallsNGINX Admin GuideNGINX PrimerNGINXTIPSNGINX Doc and Modules ReferenceUnderstanding Nginx Server and Location Block Selection AlgorithmsUnderstanding the Nginx Configuration File Structure andConfiguration Contexts
71 of 73
HTTPS Links
HTTPS
BetterCryptoMozilla Config GeneratorCipherlistWhy You Should Always Use HTTPSHardening NGINX SSLTSL ConfigurationStrong SSL Security on nginx
72 of 73
License
mediaDatiSyncthingslide_nginx2015imagescc-by-sa_iconpng
Questrsquoopera egrave rilasciata sotto la licenza Creative Commons Attribution-Share Alike 40International License Per visualizzare una copia di questa licenza visitarehttpcreativecommonsorglicensesby-sa40 o inviare una lettera a CreativeCommons 444 Castro Street Suite 900 Mountain View California 94041 USA
httpswwwpoulorg
73 of 73
- Introduction
-
- HTTP 101
- NGINX Architecture
- Can I try this at home
-
- Installation and Configuration
-
- Installing on Debian
- Configuration
- PHP-FPM
- Reverse Proxy
-
- Security
-
- SSLTLS and HTTPS
- Lets Encrypt
- HTTPS Hardening
-
- Links
-
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links19 of 73
Can I try this at home
20 of 73
NAT
NAT21 of 73
DDNS
NATDDNS22 of 73
One image to rule them all
17631102216
19216811
19216812
19216813
9523720550
23 of 73
To sum up
NAT (port forwadingvirtual server) DDNS (Duck DNS Afraid no-ip) Happy Googling D
24 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links25 of 73
apt-get install
Debian Stable (Jessie at the time of writing) provides threedifferent flavours of nginx (itrsquos modular remember) nginx-light just a small subset of core modules nginx (nginx-full) he is your man nginx-extras bloated editionIf you want to see the full comparisonIf you want the (almost) latest version install it from the Backports
26 of 73
Installation Complete
Check the installed version
sudo nginx -v
Get the full list of the enabled modules
sudo nginx -V
Look for a specific module
sudo nginx -V 2gtamp1 | grep --color module_name
27 of 73
Installation Complete
Check the installed version
sudo nginx -v
Get the full list of the enabled modules
sudo nginx -V
Look for a specific module
sudo nginx -V 2gtamp1 | grep --color module_name
27 of 73
Installation Complete
Check the installed version
sudo nginx -v
Get the full list of the enabled modules
sudo nginx -V
Look for a specific module
sudo nginx -V 2gtamp1 | grep --color module_name
27 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links28 of 73
nginxconf
The good olrsquo days of httpdconf and htaccess have ended nginxconf kicks in And your days get even better (Maybe) ^^rsquo
29 of 73
Contexts
nginxconf is divided into five four contexts blocks (main)events(1) http(1) server(n) and location(n)
There is a hierarchy the events block is standalone httpcontains server blocks a server block contains location blocks
Directives defined in an higher block (like http) affect all theunderlying blocks (server and location)
Pro Tip apply directives in the highest context available
30 of 73
nginxconf stripped-down
user www -dataworker_processes 1pid runnginxpid
events worker_connections 128
http
server
location
31 of 73
Every time you do this a kitten dies
http
server
location root varwwwhtml
location another root varwwwhtml
32 of 73
VirtualHosts P
httpserver
listen 80server_name exampleorg wwwexampleorg
server listen 80server_name poulorg wwwpoulorg
server listen 80server_name fluffykittensit wwwfluffykittensit
33 of 73
location blocks
When we are in a location context we are usually dealing with filesand folders
Location diectives allow us to tell NGINX what to do when aspecific resource is requested
Such resource can be targeted using an exact path In this case we will prefix the uri with ldquo=rdquo
Alternatively we can rely on regex matching ~ prefix for case sensitive matching ~ prefix for case insensitive matching
Syntax l o c a t i o n [ = | ~ | ~lowast | ^~ ] u r i
34 of 73
Examples or GTFO
When I visit httpexampleorgdownloads I want a list of all thefiles in that folder
l o c a t i o n ~ download au to i ndex on
We donrsquot want our users to execute scripts from write accessbilefolders RIGHT
l o c a t i o n ~lowast ( images | cache | media | l o g s | tmp ) lowast ( php | p l | py ) $ r e t u r n 403 e r ro r_page 403 403 _er ro r html
35 of 73
Examples or GTFO
When I visit httpexampleorgdownloads I want a list of all thefiles in that folder
l o c a t i o n ~ download au to i ndex on
We donrsquot want our users to execute scripts from write accessbilefolders RIGHT
l o c a t i o n ~lowast ( images | cache | media | l o g s | tmp ) lowast ( php | p l | py ) $ r e t u r n 403 e r ro r_page 403 403 _er ro r html
35 of 73
Make yourself comfortable
36 of 73
Just Kidding
Demo
37 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links38 of 73
PHP-FPM Architecture
Request Nginx Socket
FastCGI Wrapper Wordpress
FastCGI Wrapper Drupal
FastCGI Wrapper ownCloud
FastCGI Wrapper $PHP_WebApp
39 of 73
php-fpmconf
sudo apt-get install php5-fpm sudo vimemacsatom(flame)etcphp5fpmpooldwwwconf
listen = varrunphp5-fpmsock sudo service php5-fpm restart
40 of 73
No way I want PHP 7
sudo apt-get install php70-fpm (httpspackagessuryorgphp) sudo vim (we have a winner)etcphp70fpmpooldwwwconf
listen = runphpphp70-fpmsock sudo service php70-fpm restart
41 of 73
Demo
Demo
42 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links43 of 73
ldquoTo infinity and beyondrdquo
Ruby RailsSinatraPuma Python FlaskTornadoDjango (the D is silent) JavaScript NodejsGhost Anything TransmissionSyncthingympd
44 of 73
Always the same pattern
A service running behind some port (8000 8080 8384 9091 etc) You want to access it without opening all those ports in yourfirewall
You want advanced settings Authentication SSLTLS
45 of 73
Demo
Demo
46 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links47 of 73
Itrsquos a conspiracy
48 of 73
HTTPS Oh yes the green lock |
SSLTLS in a nutshell Choose a fast symmetric cipher (like AES) This is called well thecipher
Choose a random key for that cipher This is called the sessionkey
Encrypt that key using RSA (public key crypto) and send it to theperson yoursquore communicating with
Then you both have the same AES key and can encrypt all yourcommunications back and forth after that
The NSA is sad (
49 of 73
Alice is suspicious
Everything is encrypted awesome but is Bob well Bob A digital certificate is an electronic document used to proveownership of a public key
The certificate includes information about the key its ownerrsquosidentity and the digital signature of a Certification Authority
A Certification Authority(CA) is an entity that issues digitalcertificates and verifies that the certificatersquos content is correct
50 of 73
Arya
51 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links52 of 73
Letrsquos Encrypt will be released any second now
53 of 73
any second now
54 of 73
aaaaany second now
55 of 73
now
56 of 73
57 of 73
58 of 73
Thank you
59 of 73
So we were saying Letrsquos Encrypt
60 of 73
Features - sounds good
Free Automatic Secure Transparent Open Cooperative
61 of 73
Under the hood
When you run the letsencrypt client a few tasks are performedhttpsletsencryptorghow-it-works Domain Validation (DNS or HTTP)
Provisioning a DNS record under examplecom Provisioning an HTTP resource under a well-known URI on
httpsexamplecom
Certificate Issuance Repeat every 23 months (yes a script would be helpful)
62 of 73
Plugins
httpsletsencryptreadthedocsioenlatestusinghtml apache Automates obtaining and installing a cert with Apache 24on Debian-based distributions
webroot Obtains a cert by writing to the webroot directory of analready running webserver
standalone Uses a ldquostandalonerdquo webserver to obtain a certRequires port 80 or 443 to be available
manual Helps you obtain a cert by giving you instructions toperform domain validation yourself
nginx Very experimental and not included in letsencrypt-auto D
63 of 73
Demo
Demo
64 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links65 of 73
Meet your new best friend (SSL Test)
httpswwwssllabscomssltestindexhtml
66 of 73
HTTP Strict Transport Security (HSTS)
It is an HTTP header sent from the server to the client Such header informs the client that HTTPS is availbale for therequested website
The ldquomax-agerdquo parameters sets the validity of this information (inseconds)
67 of 73
Enable HSTS in NGINX
Enabling HSTS is as simple as adding a common HTTP headerserver
listen 443 ssl
Force HSTSadd_header Strict -Transport -Security max -age =15768000
68 of 73
Perfect Forward Secrecy (PFS)
Letrsquos say someone intercepts and stores all our encryptedcommunications I know who would ever do that (cough)
If the private key is compromiseddeciphered all the previouscommunications could be unencrypted and read
Solution Use a new key for each session Call that key ldquoephimeralrdquo
69 of 73
PFS Pretty please with sugar on top
Just use the right cipherserver
listen 443 ssl
ssl_prefer_server_ciphers onssl_ciphers rsquoECDHE -RSA -AES128 -GCM -SHA256 rsquo
70 of 73
NGINX Links
Getting Started
NGINX PitfallsNGINX Admin GuideNGINX PrimerNGINXTIPSNGINX Doc and Modules ReferenceUnderstanding Nginx Server and Location Block Selection AlgorithmsUnderstanding the Nginx Configuration File Structure andConfiguration Contexts
71 of 73
HTTPS Links
HTTPS
BetterCryptoMozilla Config GeneratorCipherlistWhy You Should Always Use HTTPSHardening NGINX SSLTSL ConfigurationStrong SSL Security on nginx
72 of 73
License
mediaDatiSyncthingslide_nginx2015imagescc-by-sa_iconpng
Questrsquoopera egrave rilasciata sotto la licenza Creative Commons Attribution-Share Alike 40International License Per visualizzare una copia di questa licenza visitarehttpcreativecommonsorglicensesby-sa40 o inviare una lettera a CreativeCommons 444 Castro Street Suite 900 Mountain View California 94041 USA
httpswwwpoulorg
73 of 73
- Introduction
-
- HTTP 101
- NGINX Architecture
- Can I try this at home
-
- Installation and Configuration
-
- Installing on Debian
- Configuration
- PHP-FPM
- Reverse Proxy
-
- Security
-
- SSLTLS and HTTPS
- Lets Encrypt
- HTTPS Hardening
-
- Links
-
Can I try this at home
20 of 73
NAT
NAT21 of 73
DDNS
NATDDNS22 of 73
One image to rule them all
17631102216
19216811
19216812
19216813
9523720550
23 of 73
To sum up
NAT (port forwadingvirtual server) DDNS (Duck DNS Afraid no-ip) Happy Googling D
24 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links25 of 73
apt-get install
Debian Stable (Jessie at the time of writing) provides threedifferent flavours of nginx (itrsquos modular remember) nginx-light just a small subset of core modules nginx (nginx-full) he is your man nginx-extras bloated editionIf you want to see the full comparisonIf you want the (almost) latest version install it from the Backports
26 of 73
Installation Complete
Check the installed version
sudo nginx -v
Get the full list of the enabled modules
sudo nginx -V
Look for a specific module
sudo nginx -V 2gtamp1 | grep --color module_name
27 of 73
Installation Complete
Check the installed version
sudo nginx -v
Get the full list of the enabled modules
sudo nginx -V
Look for a specific module
sudo nginx -V 2gtamp1 | grep --color module_name
27 of 73
Installation Complete
Check the installed version
sudo nginx -v
Get the full list of the enabled modules
sudo nginx -V
Look for a specific module
sudo nginx -V 2gtamp1 | grep --color module_name
27 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links28 of 73
nginxconf
The good olrsquo days of httpdconf and htaccess have ended nginxconf kicks in And your days get even better (Maybe) ^^rsquo
29 of 73
Contexts
nginxconf is divided into five four contexts blocks (main)events(1) http(1) server(n) and location(n)
There is a hierarchy the events block is standalone httpcontains server blocks a server block contains location blocks
Directives defined in an higher block (like http) affect all theunderlying blocks (server and location)
Pro Tip apply directives in the highest context available
30 of 73
nginxconf stripped-down
user www -dataworker_processes 1pid runnginxpid
events worker_connections 128
http
server
location
31 of 73
Every time you do this a kitten dies
http
server
location root varwwwhtml
location another root varwwwhtml
32 of 73
VirtualHosts P
httpserver
listen 80server_name exampleorg wwwexampleorg
server listen 80server_name poulorg wwwpoulorg
server listen 80server_name fluffykittensit wwwfluffykittensit
33 of 73
location blocks
When we are in a location context we are usually dealing with filesand folders
Location diectives allow us to tell NGINX what to do when aspecific resource is requested
Such resource can be targeted using an exact path In this case we will prefix the uri with ldquo=rdquo
Alternatively we can rely on regex matching ~ prefix for case sensitive matching ~ prefix for case insensitive matching
Syntax l o c a t i o n [ = | ~ | ~lowast | ^~ ] u r i
34 of 73
Examples or GTFO
When I visit httpexampleorgdownloads I want a list of all thefiles in that folder
l o c a t i o n ~ download au to i ndex on
We donrsquot want our users to execute scripts from write accessbilefolders RIGHT
l o c a t i o n ~lowast ( images | cache | media | l o g s | tmp ) lowast ( php | p l | py ) $ r e t u r n 403 e r ro r_page 403 403 _er ro r html
35 of 73
Examples or GTFO
When I visit httpexampleorgdownloads I want a list of all thefiles in that folder
l o c a t i o n ~ download au to i ndex on
We donrsquot want our users to execute scripts from write accessbilefolders RIGHT
l o c a t i o n ~lowast ( images | cache | media | l o g s | tmp ) lowast ( php | p l | py ) $ r e t u r n 403 e r ro r_page 403 403 _er ro r html
35 of 73
Make yourself comfortable
36 of 73
Just Kidding
Demo
37 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links38 of 73
PHP-FPM Architecture
Request Nginx Socket
FastCGI Wrapper Wordpress
FastCGI Wrapper Drupal
FastCGI Wrapper ownCloud
FastCGI Wrapper $PHP_WebApp
39 of 73
php-fpmconf
sudo apt-get install php5-fpm sudo vimemacsatom(flame)etcphp5fpmpooldwwwconf
listen = varrunphp5-fpmsock sudo service php5-fpm restart
40 of 73
No way I want PHP 7
sudo apt-get install php70-fpm (httpspackagessuryorgphp) sudo vim (we have a winner)etcphp70fpmpooldwwwconf
listen = runphpphp70-fpmsock sudo service php70-fpm restart
41 of 73
Demo
Demo
42 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links43 of 73
ldquoTo infinity and beyondrdquo
Ruby RailsSinatraPuma Python FlaskTornadoDjango (the D is silent) JavaScript NodejsGhost Anything TransmissionSyncthingympd
44 of 73
Always the same pattern
A service running behind some port (8000 8080 8384 9091 etc) You want to access it without opening all those ports in yourfirewall
You want advanced settings Authentication SSLTLS
45 of 73
Demo
Demo
46 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links47 of 73
Itrsquos a conspiracy
48 of 73
HTTPS Oh yes the green lock |
SSLTLS in a nutshell Choose a fast symmetric cipher (like AES) This is called well thecipher
Choose a random key for that cipher This is called the sessionkey
Encrypt that key using RSA (public key crypto) and send it to theperson yoursquore communicating with
Then you both have the same AES key and can encrypt all yourcommunications back and forth after that
The NSA is sad (
49 of 73
Alice is suspicious
Everything is encrypted awesome but is Bob well Bob A digital certificate is an electronic document used to proveownership of a public key
The certificate includes information about the key its ownerrsquosidentity and the digital signature of a Certification Authority
A Certification Authority(CA) is an entity that issues digitalcertificates and verifies that the certificatersquos content is correct
50 of 73
Arya
51 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links52 of 73
Letrsquos Encrypt will be released any second now
53 of 73
any second now
54 of 73
aaaaany second now
55 of 73
now
56 of 73
57 of 73
58 of 73
Thank you
59 of 73
So we were saying Letrsquos Encrypt
60 of 73
Features - sounds good
Free Automatic Secure Transparent Open Cooperative
61 of 73
Under the hood
When you run the letsencrypt client a few tasks are performedhttpsletsencryptorghow-it-works Domain Validation (DNS or HTTP)
Provisioning a DNS record under examplecom Provisioning an HTTP resource under a well-known URI on
httpsexamplecom
Certificate Issuance Repeat every 23 months (yes a script would be helpful)
62 of 73
Plugins
httpsletsencryptreadthedocsioenlatestusinghtml apache Automates obtaining and installing a cert with Apache 24on Debian-based distributions
webroot Obtains a cert by writing to the webroot directory of analready running webserver
standalone Uses a ldquostandalonerdquo webserver to obtain a certRequires port 80 or 443 to be available
manual Helps you obtain a cert by giving you instructions toperform domain validation yourself
nginx Very experimental and not included in letsencrypt-auto D
63 of 73
Demo
Demo
64 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links65 of 73
Meet your new best friend (SSL Test)
httpswwwssllabscomssltestindexhtml
66 of 73
HTTP Strict Transport Security (HSTS)
It is an HTTP header sent from the server to the client Such header informs the client that HTTPS is availbale for therequested website
The ldquomax-agerdquo parameters sets the validity of this information (inseconds)
67 of 73
Enable HSTS in NGINX
Enabling HSTS is as simple as adding a common HTTP headerserver
listen 443 ssl
Force HSTSadd_header Strict -Transport -Security max -age =15768000
68 of 73
Perfect Forward Secrecy (PFS)
Letrsquos say someone intercepts and stores all our encryptedcommunications I know who would ever do that (cough)
If the private key is compromiseddeciphered all the previouscommunications could be unencrypted and read
Solution Use a new key for each session Call that key ldquoephimeralrdquo
69 of 73
PFS Pretty please with sugar on top
Just use the right cipherserver
listen 443 ssl
ssl_prefer_server_ciphers onssl_ciphers rsquoECDHE -RSA -AES128 -GCM -SHA256 rsquo
70 of 73
NGINX Links
Getting Started
NGINX PitfallsNGINX Admin GuideNGINX PrimerNGINXTIPSNGINX Doc and Modules ReferenceUnderstanding Nginx Server and Location Block Selection AlgorithmsUnderstanding the Nginx Configuration File Structure andConfiguration Contexts
71 of 73
HTTPS Links
HTTPS
BetterCryptoMozilla Config GeneratorCipherlistWhy You Should Always Use HTTPSHardening NGINX SSLTSL ConfigurationStrong SSL Security on nginx
72 of 73
License
This work is released under the Creative Commons Attribution-Share Alike 4.0 International License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/4.0/ or send a letter to Creative Commons, 444 Castro Street, Suite 900, Mountain View, California 94041, USA.
https://www.poul.org
73 of 73
- Introduction
  - HTTP 101
  - NGINX Architecture
  - Can I try this at home
- Installation and Configuration
  - Installing on Debian
  - Configuration
  - PHP-FPM
  - Reverse Proxy
- Security
  - SSL/TLS and HTTPS
  - Let's Encrypt
  - HTTPS Hardening
- Links
NAT
21 of 73
DDNS
22 of 73
One image to rule them all
[Diagram, image not extracted. Addresses shown on it: 176.31.102.216, 192.168.1.1, 192.168.1.2, 192.168.1.3, 95.237.205.50.]
23 of 73
To sum up
NAT (port forwarding / virtual server), DDNS (Duck DNS, Afraid, no-ip). Happy Googling :D
24 of 73
apt-get install
Debian Stable (Jessie at the time of writing) provides three different flavours of nginx (it's modular, remember?):
- nginx-light: just a small subset of core modules
- nginx (nginx-full): he is your man
- nginx-extras: bloated edition
If you want to see the full comparison
If you want the (almost) latest version, install it from the Backports.
26 of 73
Installation Complete
Check the installed version:
    sudo nginx -v
Get the full list of the enabled modules:
    sudo nginx -V
Look for a specific module:
    sudo nginx -V 2>&1 | grep --color module_name
27 of 73
nginx.conf
The good ol' days of httpd.conf and .htaccess have ended; nginx.conf kicks in. And your days get even better (Maybe) ^^'
29 of 73
Contexts
nginx.conf is divided into four context blocks, five if you count the implicit main context: events (1), http (1), server (n) and location (n).
There is a hierarchy: the events block is standalone; http contains server blocks; a server block contains location blocks.
Directives defined in a higher block (like http) affect all the underlying blocks (server and location).
Pro Tip: apply directives in the highest context available.
30 of 73
nginx.conf stripped-down
user www-data;
worker_processes 1;
pid /run/nginx.pid;

events {
    worker_connections 128;
}

http {
    server {
        location / {
        }
    }
}
31 of 73
Every time you do this a kitten dies
http {
    server {
        location / {
            root /var/www/html;
        }
        location /another {
            root /var/www/html;
        }
    }
}
Repeating root inside every location is the classic pitfall: set it once in the server block and let every location inherit it (the Pro Tip from the Contexts slide).
32 of 73
VirtualHosts :P
http {
    server {
        listen 80;
        server_name example.org www.example.org;
    }
    server {
        listen 80;
        server_name poul.org www.poul.org;
    }
    server {
        listen 80;
        server_name fluffykittens.it www.fluffykittens.it;
    }
}
33 of 73
location blocks
When we are in a location context we are usually dealing with filesand folders
Location diectives allow us to tell NGINX what to do when aspecific resource is requested
Such resource can be targeted using an exact path In this case we will prefix the uri with ldquo=rdquo
Alternatively we can rely on regex matching ~ prefix for case sensitive matching ~ prefix for case insensitive matching
Syntax l o c a t i o n [ = | ~ | ~lowast | ^~ ] u r i
34 of 73
Examples or GTFO
When I visit http://example.org/downloads I want a list of all the files in that folder:
    location ~ /download {
        autoindex on;
    }
We don't want our users to execute scripts from write-accessible folders, RIGHT?
    location ~* /(images|cache|media|logs|tmp)/.*\.(php|pl|py)$ {
        return 403;
        error_page 403 /403_error.html;
    }
35 of 73
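nginx picks one location per request following a fixed order (exact match, then longest prefix, then regexes in file order, then the remembered prefix), so the order in which regex locations appear decides which rule fires. The following added example (not nginx code, not from the slides) models that selection in Python with the two location blocks from this slide plus two constructed ones ("^~ /static/" and "= /healthz"), and shows one consequence of listing the autoindex rule before the deny rule as the slide does: a request for /images/download.php is caught by "~ /download" first and never reaches the 403 rule, so the deny rule belongs first. The model percent-decodes the URI before matching, as nginx does; nginx additionally resolves "." and ".." segments and merges adjacent slashes, which is left out here. The labels and the names select_location, SLIDE_ORDER and HARDENED_ORDER are the example's own.

```python
"""A runnable model of nginx location selection (added example, not code from nginx or the slides)."""
import re
from urllib.parse import unquote

class Location:
    """One location block: modifier is '', '=', '^~', '~' or '~*'; label names it in results."""
    def __init__(self, modifier, pattern, label):
        self.modifier, self.pattern, self.label = modifier, pattern, label

def parse_location_line(text, label):
    """Build a Location from the text after the word 'location', e.g. '~* /(images|tmp)/.*\\.php$'."""
    parts = text.split(None, 1)
    if len(parts) == 2 and parts[0] in ('=', '^~', '~', '~*'):
        return Location(parts[0], parts[1], label)
    return Location('', parts[0], label)

def select_location(locations, request_uri):
    """The block nginx would use, in its documented order:
    1. an exact '=' match wins outright;
    2. the longest matching prefix is remembered and wins outright if it carries '^~';
    3. regex locations are tried in file order, first match wins;
    4. otherwise the remembered prefix match is used."""
    uri = unquote(request_uri)            # nginx matches the decoded, normalized URI, not the raw bytes
    for loc in locations:
        if loc.modifier == '=' and loc.pattern == uri:
            return loc
    prefixes = [l for l in locations if l.modifier in ('', '^~') and uri.startswith(l.pattern)]
    best = max(prefixes, key=lambda l: len(l.pattern), default=None)
    if best is not None and best.modifier == '^~':
        return best
    for loc in locations:
        if loc.modifier == '~' and re.search(loc.pattern, uri):
            return loc
        if loc.modifier == '~*' and re.search(loc.pattern, uri, re.IGNORECASE):
            return loc
    return best

DENY_SCRIPTS = r'/(images|cache|media|logs|tmp)/.*\.(php|pl|py)$'     # the slide's regex

# The blocks in the order the slide presents them: autoindex rule before deny rule.
SLIDE_ORDER = [
    parse_location_line('/', 'root'),
    parse_location_line('^~ /static/', 'static'),                  # constructed: '^~' beats every regex
    parse_location_line('= /healthz', 'healthz'),                  # constructed: exact match
    parse_location_line('~ /download', 'downloads'),               # autoindex on
    parse_location_line('~* ' + DENY_SCRIPTS, 'deny-scripts'),     # return 403
]
# Same blocks with the deny rule ahead of the autoindex rule.
HARDENED_ORDER = [SLIDE_ORDER[i] for i in (0, 1, 2, 4, 3)]

def which(locations, uri):
    """Label of the selected block, or None when nothing matches."""
    loc = select_location(locations, uri)
    return loc.label if loc else None

if __name__ == '__main__':
    for uri in ('/downloads/', '/images/avatar.php', '/IMAGES/x.PHP', '/images/x.%70hp',
                '/images/download.php', '/static/download/x', '/healthz', '/about'):
        print('%-24s slide order: %-12s hardened: %s' % (uri, which(SLIDE_ORDER, uri), which(HARDENED_ORDER, uri)))
```

Two lines of the output are the ones to remember: /images/x.%70hp is still denied, because the decoding happens before matching, and /images/download.php is served with autoindex in the slide's order but denied in the hardened order.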
Make yourself comfortable
36 of 73
Just Kidding
Demo
37 of 73
PHP-FPM Architecture
[Diagram] Request -> Nginx -> Socket -> FastCGI Wrapper -> Wordpress
                                        FastCGI Wrapper -> Drupal
                                        FastCGI Wrapper -> ownCloud
                                        FastCGI Wrapper -> $PHP_WebApp
39 of 73
php-fpm.conf
    sudo apt-get install php5-fpm
    sudo vim/emacs/atom (flame) /etc/php5/fpm/pool.d/www.conf
        listen = /var/run/php5-fpm.sock
    sudo service php5-fpm restart
40 of 73
No way, I want PHP 7
    sudo apt-get install php7.0-fpm (https://packages.sury.org/php)
    sudo vim (we have a winner) /etc/php/7.0/fpm/pool.d/www.conf
        listen = /run/php/php7.0-fpm.sock
    sudo service php7.0-fpm restart
41 of 73
Demo
42 of 73
"To infinity and beyond"
- Ruby: Rails, Sinatra, Puma
- Python: Flask, Tornado, Django (the D is silent)
- JavaScript: Node.js, Ghost
- Anything: Transmission, Syncthing, ympd
44 of 73
Always the same pattern
- A service running behind some port (8000, 8080, 8384, 9091, etc.)
- You want to access it without opening all those ports in your firewall
- You want advanced settings: authentication, SSL/TLS
45 of 73
Demo
46 of 73
It's a conspiracy
48 of 73
HTTPS: Oh yes, the green lock
SSL/TLS in a nutshell:
1. Choose a fast symmetric cipher (like AES). This is called, well, the cipher.
2. Choose a random key for that cipher. This is called the session key.
3. Encrypt that key using RSA (public key crypto) and send it to the person you're communicating with.
4. Then you both have the same AES key and can encrypt all your communications back and forth after that.
The NSA is sad :(
49 of 73
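The recipe above is RSA key transport, and it is exactly the situation the Perfect Forward Secrecy slide (69) warns about: whoever records the traffic and later obtains the server's private key can decrypt every stored session. The following added example (not from the slides; every parameter is constructed and toy-sized, textbook RSA without padding, a random prime with generator 2 as the DH group) plays both exchanges in Python and shows what a recorded transcript yields once the long-term key leaks. With key transport the eavesdropper runs the server's own decryption and gets the session key; with ephemeral Diffie-Hellman the leaked key only verifies or forges the signature, and the transcript holds nothing that yields the session key without one of the discarded exponents. The names client_rsa_transport, dhe_session and eavesdropper_dhe are the example's own.

```python
"""Why a leaked long-term key decrypts recorded RSA key-transport sessions but not ephemeral DH ones
(added example, not from the slides: toy sizes, textbook RSA without padding, toy DH group)."""
import hashlib
import math
import secrets

def is_probable_prime(n, rounds=24):
    """Miller-Rabin, enough for a demo and not a substitute for a vetted library."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate

def rsa_keygen(bits=512):
    """Toy RSA key pair (n, e), (n, d); real keys are 2048+ bits and come from a library."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))

def session_key_from(secret):
    """KDF stand-in: both sides turn the agreed secret into the symmetric (AES) session key."""
    return hashlib.sha256(str(secret).encode()).digest()

# --- The slide's recipe: RSA key transport (the RSA key exchange of TLS up to 1.2).
def client_rsa_transport(server_pub):
    n, e = server_pub
    premaster = secrets.randbelow(n - 2) + 2                       # the random session secret
    transcript = {'encrypted_premaster': pow(premaster, e, n)}     # what an eavesdropper records
    return session_key_from(premaster), transcript

def server_rsa_transport(transcript, server_priv):
    n, d = server_priv
    return session_key_from(pow(transcript['encrypted_premaster'], d, n))

def eavesdropper_rsa_transport(transcript, leaked_priv):
    """Years later, with the leaked key, the recorded session decrypts exactly as it did for the server."""
    return server_rsa_transport(transcript, leaked_priv)

# --- Ephemeral Diffie-Hellman: a fresh secret per session, the long-term key only signs.
def dh_params(bits=512):
    """Toy group: a random prime with generator 2. Real deployments use vetted groups or ECDHE curves."""
    return random_prime(bits), 2

def _sign_digest(A, B):
    return int.from_bytes(hashlib.sha256(b'%d|%d' % (A, B)).digest(), 'big')

def dhe_session(params, server_priv):
    p, g = params
    a, b = secrets.randbelow(p - 2) + 1, secrets.randbelow(p - 2) + 1   # fresh for this session only
    A, B = pow(g, a, p), pow(g, b, p)
    n, d = server_priv
    transcript = {'A': A, 'B': B, 'signature': pow(_sign_digest(A, B), d, n)}
    client_key, server_key = session_key_from(pow(B, a, p)), session_key_from(pow(A, b, p))
    del a, b                                  # the exponents never leave the session; nothing stores them
    return client_key, server_key, transcript

def eavesdropper_dhe(transcript, leaked_priv, server_pub):
    """The leaked key re-creates the signature (so it could impersonate the server in future sessions),
    but the recorded transcript holds only g^a and g^b: the session key needs a or b (a discrete log)."""
    n, d = leaked_priv
    digest = _sign_digest(transcript['A'], transcript['B'])
    return {'signature_valid': pow(transcript['signature'], server_pub[1], n) == digest,
            'can_forge_signature': pow(digest, d, n) == transcript['signature'],
            'session_key': None}
```

The contrast is the whole point of the PFS slide: the RSA transcript contains the session secret encrypted under a key that may leak years later, while the DH transcript contains only public values, so "ephemeral" buys protection for the recordings an attacker already has.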
Alice is suspicious
Everything is encrypted, awesome, but is Bob... well, Bob? A digital certificate is an electronic document used to prove ownership of a public key.
The certificate includes information about the key, its owner's identity, and the digital signature of a Certification Authority.
A Certification Authority (CA) is an entity that issues digital certificates and verifies that the certificate's content is correct.
50 of 73
Arya
51 of 73
Let's Encrypt will be released any second now
53 of 73
any second now
54 of 73
aaaaany second now
55 of 73
now
56 of 73
57 of 73
58 of 73
Thank you
59 of 73
So, we were saying... Let's Encrypt
60 of 73
Features - sounds good
Free, Automatic, Secure, Transparent, Open, Cooperative
61 of 73
Under the hood
When you run the letsencrypt client a few tasks are performed (https://letsencrypt.org/how-it-works):
- Domain Validation (DNS or HTTP)
  - Provisioning a DNS record under example.com
  - Provisioning an HTTP resource under a well-known URI on https://example.com
- Certificate Issuance
- Repeat every 2 or 3 months (yes, a script would be helpful)
62 of 73
Plugins
https://letsencrypt.readthedocs.io/en/latest/using.html
- apache: automates obtaining and installing a cert with Apache 2.4 on Debian-based distributions
- webroot: obtains a cert by writing to the webroot directory of an already running webserver
- standalone: uses a "standalone" web server to obtain a cert; requires port 80 or 443 to be available
- manual: helps you obtain a cert by giving you instructions to perform domain validation yourself
- nginx: very experimental and not included in letsencrypt-auto :D
63 of 73
Demo
Demo
64 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links65 of 73
Meet your new best friend (SSL Test)
httpswwwssllabscomssltestindexhtml
66 of 73
HTTP Strict Transport Security (HSTS)
It is an HTTP header sent from the server to the client Such header informs the client that HTTPS is availbale for therequested website
The ldquomax-agerdquo parameters sets the validity of this information (inseconds)
67 of 73
Enable HSTS in NGINX
Enabling HSTS is as simple as adding a common HTTP headerserver
listen 443 ssl
Force HSTSadd_header Strict -Transport -Security max -age =15768000
68 of 73
Perfect Forward Secrecy (PFS)
Letrsquos say someone intercepts and stores all our encryptedcommunications I know who would ever do that (cough)
If the private key is compromiseddeciphered all the previouscommunications could be unencrypted and read
Solution Use a new key for each session Call that key ldquoephimeralrdquo
69 of 73
PFS Pretty please with sugar on top
Just use the right cipherserver
listen 443 ssl
ssl_prefer_server_ciphers onssl_ciphers rsquoECDHE -RSA -AES128 -GCM -SHA256 rsquo
70 of 73
NGINX Links
Getting Started
NGINX PitfallsNGINX Admin GuideNGINX PrimerNGINXTIPSNGINX Doc and Modules ReferenceUnderstanding Nginx Server and Location Block Selection AlgorithmsUnderstanding the Nginx Configuration File Structure andConfiguration Contexts
71 of 73
HTTPS Links
HTTPS
BetterCryptoMozilla Config GeneratorCipherlistWhy You Should Always Use HTTPSHardening NGINX SSLTSL ConfigurationStrong SSL Security on nginx
72 of 73
License
mediaDatiSyncthingslide_nginx2015imagescc-by-sa_iconpng
Questrsquoopera egrave rilasciata sotto la licenza Creative Commons Attribution-Share Alike 40International License Per visualizzare una copia di questa licenza visitarehttpcreativecommonsorglicensesby-sa40 o inviare una lettera a CreativeCommons 444 Castro Street Suite 900 Mountain View California 94041 USA
httpswwwpoulorg
73 of 73
- Introduction
-
- HTTP 101
- NGINX Architecture
- Can I try this at home
-
- Installation and Configuration
-
- Installing on Debian
- Configuration
- PHP-FPM
- Reverse Proxy
-
- Security
-
- SSLTLS and HTTPS
- Lets Encrypt
- HTTPS Hardening
-
- Links
-
DDNS
NATDDNS22 of 73
One image to rule them all
17631102216
19216811
19216812
19216813
9523720550
23 of 73
To sum up
NAT (port forwadingvirtual server) DDNS (Duck DNS Afraid no-ip) Happy Googling D
24 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links25 of 73
apt-get install
Debian Stable (Jessie at the time of writing) provides threedifferent flavours of nginx (itrsquos modular remember) nginx-light just a small subset of core modules nginx (nginx-full) he is your man nginx-extras bloated editionIf you want to see the full comparisonIf you want the (almost) latest version install it from the Backports
26 of 73
Installation Complete
Check the installed version
sudo nginx -v
Get the full list of the enabled modules
sudo nginx -V
Look for a specific module
sudo nginx -V 2gtamp1 | grep --color module_name
27 of 73
Installation Complete
Check the installed version
sudo nginx -v
Get the full list of the enabled modules
sudo nginx -V
Look for a specific module
sudo nginx -V 2gtamp1 | grep --color module_name
27 of 73
Installation Complete
Check the installed version
sudo nginx -v
Get the full list of the enabled modules
sudo nginx -V
Look for a specific module
sudo nginx -V 2gtamp1 | grep --color module_name
27 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links28 of 73
nginxconf
The good olrsquo days of httpdconf and htaccess have ended nginxconf kicks in And your days get even better (Maybe) ^^rsquo
29 of 73
Contexts
nginxconf is divided into five four contexts blocks (main)events(1) http(1) server(n) and location(n)
There is a hierarchy the events block is standalone httpcontains server blocks a server block contains location blocks
Directives defined in an higher block (like http) affect all theunderlying blocks (server and location)
Pro Tip apply directives in the highest context available
30 of 73
nginxconf stripped-down
user www -dataworker_processes 1pid runnginxpid
events worker_connections 128
http
server
location
31 of 73
Every time you do this a kitten dies
http
server
location root varwwwhtml
location another root varwwwhtml
32 of 73
VirtualHosts P
httpserver
listen 80server_name exampleorg wwwexampleorg
server listen 80server_name poulorg wwwpoulorg
server listen 80server_name fluffykittensit wwwfluffykittensit
33 of 73
location blocks
When we are in a location context we are usually dealing with filesand folders
Location diectives allow us to tell NGINX what to do when aspecific resource is requested
Such resource can be targeted using an exact path In this case we will prefix the uri with ldquo=rdquo
Alternatively we can rely on regex matching ~ prefix for case sensitive matching ~ prefix for case insensitive matching
Syntax l o c a t i o n [ = | ~ | ~lowast | ^~ ] u r i
34 of 73
Examples or GTFO
When I visit httpexampleorgdownloads I want a list of all thefiles in that folder
l o c a t i o n ~ download au to i ndex on
We donrsquot want our users to execute scripts from write accessbilefolders RIGHT
l o c a t i o n ~lowast ( images | cache | media | l o g s | tmp ) lowast ( php | p l | py ) $ r e t u r n 403 e r ro r_page 403 403 _er ro r html
35 of 73
Examples or GTFO
When I visit httpexampleorgdownloads I want a list of all thefiles in that folder
l o c a t i o n ~ download au to i ndex on
We donrsquot want our users to execute scripts from write accessbilefolders RIGHT
l o c a t i o n ~lowast ( images | cache | media | l o g s | tmp ) lowast ( php | p l | py ) $ r e t u r n 403 e r ro r_page 403 403 _er ro r html
35 of 73
Make yourself comfortable
36 of 73
Just Kidding
Demo
37 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links38 of 73
PHP-FPM Architecture
Request Nginx Socket
FastCGI Wrapper Wordpress
FastCGI Wrapper Drupal
FastCGI Wrapper ownCloud
FastCGI Wrapper $PHP_WebApp
39 of 73
php-fpmconf
sudo apt-get install php5-fpm sudo vimemacsatom(flame)etcphp5fpmpooldwwwconf
listen = varrunphp5-fpmsock sudo service php5-fpm restart
40 of 73
No way I want PHP 7
sudo apt-get install php70-fpm (httpspackagessuryorgphp) sudo vim (we have a winner)etcphp70fpmpooldwwwconf
listen = runphpphp70-fpmsock sudo service php70-fpm restart
41 of 73
Demo
Demo
42 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links43 of 73
ldquoTo infinity and beyondrdquo
Ruby RailsSinatraPuma Python FlaskTornadoDjango (the D is silent) JavaScript NodejsGhost Anything TransmissionSyncthingympd
44 of 73
Always the same pattern
A service running behind some port (8000 8080 8384 9091 etc) You want to access it without opening all those ports in yourfirewall
You want advanced settings Authentication SSLTLS
45 of 73
Demo
Demo
46 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links47 of 73
Itrsquos a conspiracy
48 of 73
HTTPS Oh yes the green lock |
SSLTLS in a nutshell Choose a fast symmetric cipher (like AES) This is called well thecipher
Choose a random key for that cipher This is called the sessionkey
Encrypt that key using RSA (public key crypto) and send it to theperson yoursquore communicating with
Then you both have the same AES key and can encrypt all yourcommunications back and forth after that
The NSA is sad (
49 of 73
Alice is suspicious
Everything is encrypted awesome but is Bob well Bob A digital certificate is an electronic document used to proveownership of a public key
The certificate includes information about the key its ownerrsquosidentity and the digital signature of a Certification Authority
A Certification Authority(CA) is an entity that issues digitalcertificates and verifies that the certificatersquos content is correct
50 of 73
Arya
51 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links52 of 73
Letrsquos Encrypt will be released any second now
53 of 73
any second now
54 of 73
aaaaany second now
55 of 73
now
56 of 73
57 of 73
58 of 73
Thank you
59 of 73
So we were saying Letrsquos Encrypt
60 of 73
Features - sounds good
Free Automatic Secure Transparent Open Cooperative
61 of 73
Under the hood
When you run the letsencrypt client a few tasks are performedhttpsletsencryptorghow-it-works Domain Validation (DNS or HTTP)
Provisioning a DNS record under examplecom Provisioning an HTTP resource under a well-known URI on
httpsexamplecom
Certificate Issuance Repeat every 23 months (yes a script would be helpful)
62 of 73
Plugins
httpsletsencryptreadthedocsioenlatestusinghtml apache Automates obtaining and installing a cert with Apache 24on Debian-based distributions
webroot Obtains a cert by writing to the webroot directory of analready running webserver
standalone Uses a ldquostandalonerdquo webserver to obtain a certRequires port 80 or 443 to be available
manual Helps you obtain a cert by giving you instructions toperform domain validation yourself
nginx Very experimental and not included in letsencrypt-auto D
63 of 73
Demo
Demo
64 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links65 of 73
Meet your new best friend (SSL Test)
httpswwwssllabscomssltestindexhtml
66 of 73
HTTP Strict Transport Security (HSTS)
It is an HTTP header sent from the server to the client Such header informs the client that HTTPS is availbale for therequested website
The ldquomax-agerdquo parameters sets the validity of this information (inseconds)
67 of 73
Enable HSTS in NGINX
Enabling HSTS is as simple as adding a common HTTP headerserver
listen 443 ssl
Force HSTSadd_header Strict -Transport -Security max -age =15768000
68 of 73
Perfect Forward Secrecy (PFS)
Letrsquos say someone intercepts and stores all our encryptedcommunications I know who would ever do that (cough)
If the private key is compromiseddeciphered all the previouscommunications could be unencrypted and read
Solution Use a new key for each session Call that key ldquoephimeralrdquo
69 of 73
PFS Pretty please with sugar on top
Just use the right cipherserver
listen 443 ssl
ssl_prefer_server_ciphers onssl_ciphers rsquoECDHE -RSA -AES128 -GCM -SHA256 rsquo
70 of 73
NGINX Links
Getting Started
NGINX PitfallsNGINX Admin GuideNGINX PrimerNGINXTIPSNGINX Doc and Modules ReferenceUnderstanding Nginx Server and Location Block Selection AlgorithmsUnderstanding the Nginx Configuration File Structure andConfiguration Contexts
71 of 73
HTTPS Links
HTTPS
BetterCryptoMozilla Config GeneratorCipherlistWhy You Should Always Use HTTPSHardening NGINX SSLTSL ConfigurationStrong SSL Security on nginx
72 of 73
License
mediaDatiSyncthingslide_nginx2015imagescc-by-sa_iconpng
Questrsquoopera egrave rilasciata sotto la licenza Creative Commons Attribution-Share Alike 40International License Per visualizzare una copia di questa licenza visitarehttpcreativecommonsorglicensesby-sa40 o inviare una lettera a CreativeCommons 444 Castro Street Suite 900 Mountain View California 94041 USA
httpswwwpoulorg
73 of 73
- Introduction
-
- HTTP 101
- NGINX Architecture
- Can I try this at home
-
- Installation and Configuration
-
- Installing on Debian
- Configuration
- PHP-FPM
- Reverse Proxy
-
- Security
-
- SSLTLS and HTTPS
- Lets Encrypt
- HTTPS Hardening
-
- Links
-
One image to rule them all
17631102216
19216811
19216812
19216813
9523720550
23 of 73
To sum up
NAT (port forwadingvirtual server) DDNS (Duck DNS Afraid no-ip) Happy Googling D
24 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links25 of 73
apt-get install
Debian Stable (Jessie at the time of writing) provides threedifferent flavours of nginx (itrsquos modular remember) nginx-light just a small subset of core modules nginx (nginx-full) he is your man nginx-extras bloated editionIf you want to see the full comparisonIf you want the (almost) latest version install it from the Backports
26 of 73
Installation Complete
Check the installed version
sudo nginx -v
Get the full list of the enabled modules
sudo nginx -V
Look for a specific module
sudo nginx -V 2gtamp1 | grep --color module_name
27 of 73
Installation Complete
Check the installed version
sudo nginx -v
Get the full list of the enabled modules
sudo nginx -V
Look for a specific module
sudo nginx -V 2gtamp1 | grep --color module_name
27 of 73
Installation Complete
Check the installed version
sudo nginx -v
Get the full list of the enabled modules
sudo nginx -V
Look for a specific module
sudo nginx -V 2gtamp1 | grep --color module_name
27 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links28 of 73
nginxconf
The good olrsquo days of httpdconf and htaccess have ended nginxconf kicks in And your days get even better (Maybe) ^^rsquo
29 of 73
Contexts
nginxconf is divided into five four contexts blocks (main)events(1) http(1) server(n) and location(n)
There is a hierarchy the events block is standalone httpcontains server blocks a server block contains location blocks
Directives defined in an higher block (like http) affect all theunderlying blocks (server and location)
Pro Tip apply directives in the highest context available
30 of 73
nginxconf stripped-down
user www -dataworker_processes 1pid runnginxpid
events worker_connections 128
http
server
location
31 of 73
Every time you do this a kitten dies
http
server
location root varwwwhtml
location another root varwwwhtml
32 of 73
VirtualHosts P
httpserver
listen 80server_name exampleorg wwwexampleorg
server listen 80server_name poulorg wwwpoulorg
server listen 80server_name fluffykittensit wwwfluffykittensit
33 of 73
location blocks
When we are in a location context we are usually dealing with filesand folders
Location diectives allow us to tell NGINX what to do when aspecific resource is requested
Such resource can be targeted using an exact path In this case we will prefix the uri with ldquo=rdquo
Alternatively we can rely on regex matching ~ prefix for case sensitive matching ~ prefix for case insensitive matching
Syntax l o c a t i o n [ = | ~ | ~lowast | ^~ ] u r i
34 of 73
Examples or GTFO
When I visit httpexampleorgdownloads I want a list of all thefiles in that folder
l o c a t i o n ~ download au to i ndex on
We donrsquot want our users to execute scripts from write accessbilefolders RIGHT
l o c a t i o n ~lowast ( images | cache | media | l o g s | tmp ) lowast ( php | p l | py ) $ r e t u r n 403 e r ro r_page 403 403 _er ro r html
35 of 73
Examples or GTFO
When I visit httpexampleorgdownloads I want a list of all thefiles in that folder
l o c a t i o n ~ download au to i ndex on
We donrsquot want our users to execute scripts from write accessbilefolders RIGHT
l o c a t i o n ~lowast ( images | cache | media | l o g s | tmp ) lowast ( php | p l | py ) $ r e t u r n 403 e r ro r_page 403 403 _er ro r html
35 of 73
Make yourself comfortable
36 of 73
Just Kidding
Demo
37 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links38 of 73
PHP-FPM Architecture
Request Nginx Socket
FastCGI Wrapper Wordpress
FastCGI Wrapper Drupal
FastCGI Wrapper ownCloud
FastCGI Wrapper $PHP_WebApp
39 of 73
php-fpmconf
sudo apt-get install php5-fpm sudo vimemacsatom(flame)etcphp5fpmpooldwwwconf
listen = varrunphp5-fpmsock sudo service php5-fpm restart
40 of 73
No way I want PHP 7
sudo apt-get install php70-fpm (httpspackagessuryorgphp) sudo vim (we have a winner)etcphp70fpmpooldwwwconf
listen = runphpphp70-fpmsock sudo service php70-fpm restart
41 of 73
Demo
Demo
42 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links43 of 73
ldquoTo infinity and beyondrdquo
Ruby RailsSinatraPuma Python FlaskTornadoDjango (the D is silent) JavaScript NodejsGhost Anything TransmissionSyncthingympd
44 of 73
Always the same pattern
A service running behind some port (8000 8080 8384 9091 etc) You want to access it without opening all those ports in yourfirewall
You want advanced settings Authentication SSLTLS
45 of 73
Demo
Demo
46 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links47 of 73
Itrsquos a conspiracy
48 of 73
HTTPS Oh yes the green lock |
SSLTLS in a nutshell Choose a fast symmetric cipher (like AES) This is called well thecipher
Choose a random key for that cipher This is called the sessionkey
Encrypt that key using RSA (public key crypto) and send it to theperson yoursquore communicating with
Then you both have the same AES key and can encrypt all yourcommunications back and forth after that
The NSA is sad (
49 of 73
Alice is suspicious
Everything is encrypted awesome but is Bob well Bob A digital certificate is an electronic document used to proveownership of a public key
The certificate includes information about the key its ownerrsquosidentity and the digital signature of a Certification Authority
A Certification Authority(CA) is an entity that issues digitalcertificates and verifies that the certificatersquos content is correct
50 of 73
Arya
51 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links52 of 73
Letrsquos Encrypt will be released any second now
53 of 73
any second now
54 of 73
aaaaany second now
55 of 73
now
56 of 73
57 of 73
58 of 73
Thank you
59 of 73
So we were saying Letrsquos Encrypt
60 of 73
Features - sounds good
Free Automatic Secure Transparent Open Cooperative
61 of 73
Under the hood
When you run the letsencrypt client a few tasks are performedhttpsletsencryptorghow-it-works Domain Validation (DNS or HTTP)
Provisioning a DNS record under examplecom Provisioning an HTTP resource under a well-known URI on
httpsexamplecom
Certificate Issuance Repeat every 23 months (yes a script would be helpful)
62 of 73
Plugins
httpsletsencryptreadthedocsioenlatestusinghtml apache Automates obtaining and installing a cert with Apache 24on Debian-based distributions
webroot Obtains a cert by writing to the webroot directory of analready running webserver
standalone Uses a ldquostandalonerdquo webserver to obtain a certRequires port 80 or 443 to be available
manual Helps you obtain a cert by giving you instructions toperform domain validation yourself
nginx Very experimental and not included in letsencrypt-auto D
63 of 73
Demo
Demo
64 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links65 of 73
Meet your new best friend (SSL Test)
httpswwwssllabscomssltestindexhtml
66 of 73
HTTP Strict Transport Security (HSTS)
It is an HTTP header sent from the server to the client Such header informs the client that HTTPS is availbale for therequested website
The ldquomax-agerdquo parameters sets the validity of this information (inseconds)
67 of 73
Enable HSTS in NGINX
Enabling HSTS is as simple as adding a common HTTP headerserver
listen 443 ssl
Force HSTSadd_header Strict -Transport -Security max -age =15768000
68 of 73
Perfect Forward Secrecy (PFS)
Letrsquos say someone intercepts and stores all our encryptedcommunications I know who would ever do that (cough)
If the private key is compromiseddeciphered all the previouscommunications could be unencrypted and read
Solution Use a new key for each session Call that key ldquoephimeralrdquo
69 of 73
PFS Pretty please with sugar on top
Just use the right cipherserver
listen 443 ssl
ssl_prefer_server_ciphers onssl_ciphers rsquoECDHE -RSA -AES128 -GCM -SHA256 rsquo
70 of 73
NGINX Links
Getting Started
NGINX PitfallsNGINX Admin GuideNGINX PrimerNGINXTIPSNGINX Doc and Modules ReferenceUnderstanding Nginx Server and Location Block Selection AlgorithmsUnderstanding the Nginx Configuration File Structure andConfiguration Contexts
71 of 73
HTTPS Links
HTTPS
BetterCryptoMozilla Config GeneratorCipherlistWhy You Should Always Use HTTPSHardening NGINX SSLTSL ConfigurationStrong SSL Security on nginx
72 of 73
License
mediaDatiSyncthingslide_nginx2015imagescc-by-sa_iconpng
Questrsquoopera egrave rilasciata sotto la licenza Creative Commons Attribution-Share Alike 40International License Per visualizzare una copia di questa licenza visitarehttpcreativecommonsorglicensesby-sa40 o inviare una lettera a CreativeCommons 444 Castro Street Suite 900 Mountain View California 94041 USA
httpswwwpoulorg
73 of 73
- Introduction
-
- HTTP 101
- NGINX Architecture
- Can I try this at home
-
- Installation and Configuration
-
- Installing on Debian
- Configuration
- PHP-FPM
- Reverse Proxy
-
- Security
-
- SSLTLS and HTTPS
- Lets Encrypt
- HTTPS Hardening
-
- Links
-
To sum up
NAT (port forwadingvirtual server) DDNS (Duck DNS Afraid no-ip) Happy Googling D
24 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links25 of 73
apt-get install
Debian Stable (Jessie at the time of writing) provides threedifferent flavours of nginx (itrsquos modular remember) nginx-light just a small subset of core modules nginx (nginx-full) he is your man nginx-extras bloated editionIf you want to see the full comparisonIf you want the (almost) latest version install it from the Backports
26 of 73
Installation Complete
Check the installed version
sudo nginx -v
Get the full list of the enabled modules
sudo nginx -V
Look for a specific module
sudo nginx -V 2gtamp1 | grep --color module_name
27 of 73
nginx.conf
The good ol' days of httpd.conf and .htaccess have ended: nginx.conf kicks in. And your days get even better (maybe) ^^'
29 of 73
Contexts
nginx.conf is divided into four context blocks (five, if you count the implicit main context): events (1), http (1), server (n) and location (n).
There is a hierarchy: the events block is standalone, http contains server blocks, a server block contains location blocks.
Directives defined in a higher block (like http) affect all the underlying blocks (server and location).
Pro Tip: apply directives in the highest context available (but check the module docs: a few directives, add_header among them, are inherited only if the lower block defines none of its own).
30 of 73
nginx.conf stripped-down
user www-data;
worker_processes 1;
pid /run/nginx.pid;
events { worker_connections 128; }
http {
    server {
        location / { }
    }
}
31 of 73
Every time you do this a kitten dies
http {
    server {
        location / { root /var/www/html; }
        location /another { root /var/www/html; }
    }
}
(The same root repeated in every location: set it once in the server block and let the locations inherit it.)
32 of 73
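Here is the kitten-safe version of the block above, together with the one inheritance caveat that the "highest context" rule hides and that usually bites security headers. This is an added example, not from the original slides; hostname and paths are placeholders.

```nginx
# Added example (not from the slides): the kitten-safe version of the block above.
http {
    # Inherited by every server and location below unless they override it.
    server_tokens off;            # don't announce the nginx version in headers and error pages

    server {
        listen 80;
        server_name example.org;
        root /var/www/html;       # one root for the whole vhost: the locations inherit it

        # Security headers set once here are inherited by the locations below...
        add_header X-Frame-Options SAMEORIGIN;
        add_header X-Content-Type-Options nosniff;

        location / {
            # ...this one has no add_header of its own, so both headers above are sent.
        }

        location /another/ {
            # CAVEAT: add_header is inherited only if the current level defines NONE.
            # This single line replaces the inherited set: X-Frame-Options and
            # X-Content-Type-Options are silently dropped for /another/.
            add_header Cache-Control "no-store";
        }

        location /fixed/ {
            # If a location needs a header of its own, repeat the inherited ones too,
            # and run "nginx -t" before reloading to catch mistakes in the result.
            add_header Cache-Control "no-store";
            add_header X-Frame-Options SAMEORIGIN;
            add_header X-Content-Type-Options nosniff;
        }
    }
}
```

The same rule applies to Strict-Transport-Security later on: a single location that adds its own header loses HSTS unless the line is repeated there. curl -I against each path is the quickest way to confirm which headers actually leave the server.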
VirtualHosts :P
http {
    server { listen 80; server_name example.org www.example.org; }
    server { listen 80; server_name poul.org www.poul.org; }
    server { listen 80; server_name fluffykittens.it www.fluffykittens.it; }
}
33 of 73
location blocks
When we are in a location context we are usually dealing with files and folders.
Location directives allow us to tell NGINX what to do when a specific resource is requested.
Such a resource can be targeted using an exact path: in this case we will prefix the URI with "=".
Alternatively we can rely on regex matching: "~" prefix for case-sensitive matching, "~*" prefix for case-insensitive matching. "^~" marks a plain prefix that, when it is the longest matching prefix, stops NGINX from trying the regex locations at all.
Selection order: an exact "=" match wins outright; otherwise the longest plain prefix is remembered and, unless it is a "^~" one, the regex locations are tried in the order they appear in the file, the first match winning; if no regex matches, the longest plain prefix is used.
Syntax: location [ = | ~ | ~* | ^~ ] uri { ... }
34 of 73
Examples or GTFO
When I visit http://example.org/downloads I want a list of all the files in that folder:
location ~ /download { autoindex on; }
We don't want our users to execute scripts from write-accessible folders, RIGHT?
location ~* /(images|cache|media|logs|tmp)/.*\.(php|pl|py)$ { return 403; error_page 403 /403_error.html; }
(Regex locations are matched in file order, so this block must appear before the location that hands .php files to the interpreter.)
35 of 73
Make yourself comfortable
36 of 73
Just Kidding
Demo
37 of 73
PHP-FPM Architecture
Request → Nginx → Socket → FastCGI Wrapper → Wordpress
                           FastCGI Wrapper → Drupal
                           FastCGI Wrapper → ownCloud
                           FastCGI Wrapper → $PHP_WebApp
39 of 73
php-fpm.conf
sudo apt-get install php5-fpm
sudo vim/emacs/atom/(flame) /etc/php5/fpm/pool.d/www.conf
listen = /var/run/php5-fpm.sock
sudo service php5-fpm restart
40 of 73
No way, I want PHP 7
sudo apt-get install php7.0-fpm (https://packages.sury.org/php/)
sudo vim (we have a winner) /etc/php/7.0/fpm/pool.d/www.conf
listen = /run/php/php7.0-fpm.sock
sudo service php7.0-fpm restart
41 of 73
41 of 73
Demo
Demo
42 of 73
"To infinity and beyond"
Ruby: Rails / Sinatra / Puma. Python: Flask / Tornado / Django (the D is silent). JavaScript: Node.js / Ghost. Anything: Transmission / Syncthing / ympd.
44 of 73
Always the same pattern
A service running behind some port (8000, 8080, 8384, 9091, etc.). You want to access it without opening all those ports in your firewall.
You want advanced settings: authentication, SSL/TLS.
45 of 73
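The pattern above as a concrete configuration, as an added example that is not from the original slides: a backend bound to localhost is published through NGINX behind HTTP basic auth and TLS, using Syncthing's default GUI port 8384 from the previous slide. The hostname, the certificate paths and the htpasswd file are placeholders.

```nginx
# Added example (not from the slides): reverse-proxy a localhost-only backend.
# The map lives in the http context and is the pattern from the nginx docs:
# pass "Connection: upgrade" only when the client actually asked for an upgrade.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 443 ssl;
    server_name sync.example.org;
    ssl_certificate     /etc/letsencrypt/live/sync.example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/sync.example.org/privkey.pem;

    location / {
        # The app itself binds 127.0.0.1:8384, so the only way in from outside is
        # through this block: no extra port in the firewall, and every request has
        # to pass basic auth before it reaches the app at all.
        auth_basic           "Restricted";
        auth_basic_user_file /etc/nginx/htpasswd;   # e.g. htpasswd -c /etc/nginx/htpasswd alice (apache2-utils)

        proxy_pass http://127.0.0.1:8384;

        # Tell the app who the client really is; without these it sees 127.0.0.1 and
        # "http", which breaks its logs, rate limits and absolute redirects. The app
        # must trust these headers only because they come from this proxy.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # WebSocket support: needed by apps that use it (many Node.js apps), harmless otherwise.
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}
```

The one thing to verify after deploying this is that the backend really is unreachable on its own port from outside (ss -ltn on the host should show 127.0.0.1:8384, not 0.0.0.0:8384); otherwise the auth_basic in front of it is decoration.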
Demo
Demo
46 of 73
It's a conspiracy
48 of 73
HTTPS? Oh yes, the green lock!
SSL/TLS in a nutshell:
Choose a fast symmetric cipher (like AES). This is called, well, the cipher.
Choose a random key for that cipher. This is called the session key.
Encrypt that key using RSA (public key crypto) and send it to the person you're communicating with.
Then you both have the same AES key and can encrypt all your communications back and forth after that.
(That is RSA key transport, the simplest key exchange. With the ephemeral Diffie-Hellman suites recommended in the hardening slides the session key is agreed rather than sent, and the RSA key only signs the handshake.)
The NSA is sad :(
49 of 73
Alice is suspicious
Everything is encrypted, awesome, but is Bob... well, Bob? A digital certificate is an electronic document used to prove ownership of a public key.
The certificate includes information about the key, its owner's identity and the digital signature of a Certification Authority.
A Certification Authority (CA) is an entity that issues digital certificates and verifies that the certificate's content is correct.
50 of 73
Arya
51 of 73
Let's Encrypt will be released any second now
53 of 73
any second now
54 of 73
aaaaany second now
55 of 73
now
56 of 73
57 of 73
58 of 73
Thank you
59 of 73
So, we were saying: Let's Encrypt
60 of 73
Features - sounds good
Free, Automatic, Secure, Transparent, Open, Cooperative
61 of 73
Under the hood
When you run the letsencrypt client a few tasks are performed (https://letsencrypt.org/how-it-works/):
Domain Validation (DNS or HTTP): provisioning a DNS record under example.com, or provisioning an HTTP resource under a well-known URI (/.well-known/acme-challenge/...) on example.com, which the CA fetches over plain HTTP on port 80
Certificate Issuance
Repeat every 2-3 months: the certificates are valid for 90 days (yes, a script would be helpful)
62 of 73
Plugins
https://letsencrypt.readthedocs.io/en/latest/using.html
apache: automates obtaining and installing a cert with Apache 2.4 on Debian-based distributions
webroot: obtains a cert by writing to the webroot directory of an already running webserver
standalone: uses a "standalone" webserver to obtain a cert; requires port 80 or 443 to be available
manual: helps you obtain a cert by giving you instructions to perform domain validation yourself
nginx: very experimental and not included in letsencrypt-auto :D
63 of 73
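What the webroot plugin needs from NGINX, as an added example that is not from the original slides: the CA fetches the challenge over plain HTTP on port 80, so that one path must stay reachable there while everything else is sent to HTTPS. The hostname and the challenge directory (/var/www/letsencrypt) are assumptions; the command lines in the comments use the client's documented certonly/renew options.

```nginx
# Added example (not from the slides): plain-HTTP server that only serves ACME challenges.
server {
    listen 80;
    server_name example.org www.example.org;

    # The client writes the challenge file here when run as
    #   letsencrypt certonly --webroot -w /var/www/letsencrypt -d example.org -d www.example.org
    # and the CA then fetches http://example.org/.well-known/acme-challenge/<token>.
    # "^~" keeps any regex location (e.g. a PHP handler) from hijacking the path.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;     # token file: /var/www/letsencrypt/.well-known/acme-challenge/<token>
        default_type text/plain;
        try_files $uri =404;           # nothing else is served from here: no autoindex, no scripts
    }

    # Everything else goes to HTTPS. Once a browser has seen the HSTS header it will
    # not even send this request, but first-time visitors need the redirect.
    location / {
        return 301 https://$host$request_uri;
    }
}

# Renewal is the same client with "renew" (the certificates last 90 days), followed by a
# reload so the workers pick up the new files, e.g. from a daily cron job:
#   letsencrypt renew --quiet && nginx -s reload
```

The issued files land under /etc/letsencrypt/live/example.org/ (fullchain.pem and privkey.pem), which is what the ssl_certificate and ssl_certificate_key directives of the HTTPS server point at. Keep privkey.pem readable by root only; nginx reads it as root before dropping to www-data.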
Demo
Demo
64 of 73
Meet your new best friend (SSL Test)
https://www.ssllabs.com/ssltest/index.html
66 of 73
HTTP Strict Transport Security (HSTS)
It is an HTTP header sent from the server to the client. It tells the browser to talk to this host only over HTTPS: plain http:// links are upgraded before any request leaves the browser, and certificate errors can no longer be clicked through. The browser honours it only when it arrives over a valid HTTPS connection.
The "max-age" parameter sets the validity of this information (in seconds).
67 of 73
Enable HSTS in NGINX
Enabling HSTS is as simple as adding a common HTTP header:
server {
    listen 443 ssl;
    # Force HSTS
    add_header Strict-Transport-Security max-age=15768000;
}
68 of 73
Perfect Forward Secrecy (PFS)
Let's say someone intercepts and stores all our encrypted communications. I know, who would ever do that (cough).
With RSA key transport every session key is encrypted under the server's long-term key: if that private key is ever compromised or deciphered, all the previously recorded communications can be decrypted and read.
Solution: use a new key for each session, agreed with a Diffie-Hellman exchange and thrown away afterwards. Call that key "ephemeral".
69 of 73
PFS? Pretty please, with sugar on top
Just use the right cipher:
server {
    listen 443 ssl;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256';
}
70 of 73
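The HSTS and PFS snippets combined into one hardened HTTPS server block, as an added example that is not from the original slides, with the version and inheritance caveats that usually bite. The hostname and certificate paths are placeholders (the Let's Encrypt client's default live/ layout is assumed).

```nginx
# Added example (not from the slides): one hardened HTTPS server.
server {
    listen 443 ssl;
    server_name example.org www.example.org;

    # Paths as laid out by the Let's Encrypt client (assumption).
    ssl_certificate     /etc/letsencrypt/live/example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem;

    # No SSLv3 (POODLE) and no TLS 1.0/1.1. The nginx default still allows TLSv1,
    # and builds as old as Jessie's 1.6.2 even default to SSLv3.
    ssl_protocols TLSv1.2;

    # Only ECDHE suites: every session gets a fresh ephemeral key, so a private key
    # stolen next year cannot decrypt traffic recorded today. A plain-RSA suite such
    # as AES128-SHA must not appear here; it would silently break forward secrecy for
    # any client that picks it. The ECDSA entries are harmless with an RSA
    # certificate: they are simply never negotiated.
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
    ssl_prefer_server_ciphers on;

    # Resumption: a shared cache is fine; session tickets are not, because nginx
    # encrypts them with a key it only regenerates on restart or reload, which is
    # exactly the kind of long-lived secret forward secrecy is meant to avoid.
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_session_tickets off;

    # HSTS: six months, subdomains included (only do that once EVERY subdomain serves
    # HTTPS; browsers will refuse plain HTTP to all of them for the whole max-age).
    # "always" (nginx >= 1.7.5, i.e. the Jessie backport, not the 1.6.2 in stable)
    # sends the header on 4xx/5xx responses too; drop the word on older builds.
    # Any location in this server that defines an add_header of its own must repeat
    # this line, or it loses the inherited HSTS header.
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always;

    root /var/www/html;
}
```

Check the result from outside with the SSL Labs test from the previous slide: it reports whether every negotiated suite offers forward secrecy, whether SSLv3/TLS 1.0 are really off, and whether the HSTS header is seen with the expected max-age.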
NGINX Links
Getting Started
NGINX Pitfalls
NGINX Admin Guide
NGINX Primer
NGINX TIPS
NGINX Doc and Modules Reference
Understanding Nginx Server and Location Block Selection Algorithms
Understanding the Nginx Configuration File Structure and Configuration Contexts
71 of 73
HTTPS Links
HTTPS
BetterCrypto
Mozilla Config Generator
Cipherlist
Why You Should Always Use HTTPS
Hardening NGINX SSL/TLS Configuration
Strong SSL Security on nginx
72 of 73
License
[CC BY-SA icon]
This work is released under the Creative Commons Attribution-Share Alike 4.0 International License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/4.0/ or send a letter to Creative Commons, 444 Castro Street, Suite 900, Mountain View, California, 94041, USA.
https://www.poul.org
73 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links25 of 73
apt-get install
Debian Stable (Jessie at the time of writing) provides threedifferent flavours of nginx (itrsquos modular remember) nginx-light just a small subset of core modules nginx (nginx-full) he is your man nginx-extras bloated editionIf you want to see the full comparisonIf you want the (almost) latest version install it from the Backports
26 of 73
Installation Complete
Check the installed version
sudo nginx -v
Get the full list of the enabled modules
sudo nginx -V
Look for a specific module
sudo nginx -V 2gtamp1 | grep --color module_name
27 of 73
Installation Complete
Check the installed version
sudo nginx -v
Get the full list of the enabled modules
sudo nginx -V
Look for a specific module
sudo nginx -V 2gtamp1 | grep --color module_name
27 of 73
Installation Complete
Check the installed version
sudo nginx -v
Get the full list of the enabled modules
sudo nginx -V
Look for a specific module
sudo nginx -V 2gtamp1 | grep --color module_name
27 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links28 of 73
nginxconf
The good olrsquo days of httpdconf and htaccess have ended nginxconf kicks in And your days get even better (Maybe) ^^rsquo
29 of 73
Contexts
nginxconf is divided into five four contexts blocks (main)events(1) http(1) server(n) and location(n)
There is a hierarchy the events block is standalone httpcontains server blocks a server block contains location blocks
Directives defined in an higher block (like http) affect all theunderlying blocks (server and location)
Pro Tip apply directives in the highest context available
30 of 73
nginxconf stripped-down
user www -dataworker_processes 1pid runnginxpid
events worker_connections 128
http
server
location
31 of 73
Every time you do this a kitten dies
http
server
location root varwwwhtml
location another root varwwwhtml
32 of 73
VirtualHosts P
httpserver
listen 80server_name exampleorg wwwexampleorg
server listen 80server_name poulorg wwwpoulorg
server listen 80server_name fluffykittensit wwwfluffykittensit
33 of 73
location blocks
When we are in a location context we are usually dealing with filesand folders
Location diectives allow us to tell NGINX what to do when aspecific resource is requested
Such resource can be targeted using an exact path In this case we will prefix the uri with ldquo=rdquo
Alternatively we can rely on regex matching ~ prefix for case sensitive matching ~ prefix for case insensitive matching
Syntax l o c a t i o n [ = | ~ | ~lowast | ^~ ] u r i
34 of 73
Examples or GTFO
When I visit httpexampleorgdownloads I want a list of all thefiles in that folder
l o c a t i o n ~ download au to i ndex on
We donrsquot want our users to execute scripts from write accessbilefolders RIGHT
l o c a t i o n ~lowast ( images | cache | media | l o g s | tmp ) lowast ( php | p l | py ) $ r e t u r n 403 e r ro r_page 403 403 _er ro r html
35 of 73
Examples or GTFO
When I visit httpexampleorgdownloads I want a list of all thefiles in that folder
l o c a t i o n ~ download au to i ndex on
We donrsquot want our users to execute scripts from write accessbilefolders RIGHT
l o c a t i o n ~lowast ( images | cache | media | l o g s | tmp ) lowast ( php | p l | py ) $ r e t u r n 403 e r ro r_page 403 403 _er ro r html
35 of 73
Make yourself comfortable
36 of 73
Just Kidding
Demo
37 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links38 of 73
PHP-FPM Architecture
Request Nginx Socket
FastCGI Wrapper Wordpress
FastCGI Wrapper Drupal
FastCGI Wrapper ownCloud
FastCGI Wrapper $PHP_WebApp
39 of 73
php-fpmconf
sudo apt-get install php5-fpm sudo vimemacsatom(flame)etcphp5fpmpooldwwwconf
listen = varrunphp5-fpmsock sudo service php5-fpm restart
40 of 73
No way I want PHP 7
sudo apt-get install php70-fpm (httpspackagessuryorgphp) sudo vim (we have a winner)etcphp70fpmpooldwwwconf
listen = runphpphp70-fpmsock sudo service php70-fpm restart
41 of 73
Demo
Demo
42 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links43 of 73
ldquoTo infinity and beyondrdquo
Ruby RailsSinatraPuma Python FlaskTornadoDjango (the D is silent) JavaScript NodejsGhost Anything TransmissionSyncthingympd
44 of 73
Always the same pattern
A service running behind some port (8000 8080 8384 9091 etc) You want to access it without opening all those ports in yourfirewall
You want advanced settings Authentication SSLTLS
45 of 73
Demo
Demo
46 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links47 of 73
Itrsquos a conspiracy
48 of 73
HTTPS Oh yes the green lock |
SSLTLS in a nutshell Choose a fast symmetric cipher (like AES) This is called well thecipher
Choose a random key for that cipher This is called the sessionkey
Encrypt that key using RSA (public key crypto) and send it to theperson yoursquore communicating with
Then you both have the same AES key and can encrypt all yourcommunications back and forth after that
The NSA is sad (
49 of 73
Alice is suspicious
Everything is encrypted awesome but is Bob well Bob A digital certificate is an electronic document used to proveownership of a public key
The certificate includes information about the key its ownerrsquosidentity and the digital signature of a Certification Authority
A Certification Authority(CA) is an entity that issues digitalcertificates and verifies that the certificatersquos content is correct
50 of 73
Arya
51 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links52 of 73
Letrsquos Encrypt will be released any second now
53 of 73
any second now
54 of 73
aaaaany second now
55 of 73
now
56 of 73
57 of 73
58 of 73
Thank you
59 of 73
So we were saying Letrsquos Encrypt
60 of 73
Features - sounds good
Free Automatic Secure Transparent Open Cooperative
61 of 73
Under the hood
When you run the letsencrypt client a few tasks are performedhttpsletsencryptorghow-it-works Domain Validation (DNS or HTTP)
Provisioning a DNS record under examplecom Provisioning an HTTP resource under a well-known URI on
httpsexamplecom
Certificate Issuance Repeat every 23 months (yes a script would be helpful)
62 of 73
Plugins
httpsletsencryptreadthedocsioenlatestusinghtml apache Automates obtaining and installing a cert with Apache 24on Debian-based distributions
webroot Obtains a cert by writing to the webroot directory of analready running webserver
standalone Uses a ldquostandalonerdquo webserver to obtain a certRequires port 80 or 443 to be available
manual Helps you obtain a cert by giving you instructions toperform domain validation yourself
nginx Very experimental and not included in letsencrypt-auto D
63 of 73
Demo
Demo
64 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links65 of 73
Meet your new best friend (SSL Test)
httpswwwssllabscomssltestindexhtml
66 of 73
HTTP Strict Transport Security (HSTS)
It is an HTTP header sent from the server to the client Such header informs the client that HTTPS is availbale for therequested website
The ldquomax-agerdquo parameters sets the validity of this information (inseconds)
67 of 73
Enable HSTS in NGINX
Enabling HSTS is as simple as adding a common HTTP headerserver
listen 443 ssl
Force HSTSadd_header Strict -Transport -Security max -age =15768000
68 of 73
Perfect Forward Secrecy (PFS)
Letrsquos say someone intercepts and stores all our encryptedcommunications I know who would ever do that (cough)
If the private key is compromiseddeciphered all the previouscommunications could be unencrypted and read
Solution Use a new key for each session Call that key ldquoephimeralrdquo
69 of 73
PFS Pretty please with sugar on top
Just use the right cipherserver
listen 443 ssl
ssl_prefer_server_ciphers onssl_ciphers rsquoECDHE -RSA -AES128 -GCM -SHA256 rsquo
70 of 73
NGINX Links
Getting Started
NGINX PitfallsNGINX Admin GuideNGINX PrimerNGINXTIPSNGINX Doc and Modules ReferenceUnderstanding Nginx Server and Location Block Selection AlgorithmsUnderstanding the Nginx Configuration File Structure andConfiguration Contexts
71 of 73
HTTPS Links
HTTPS
BetterCryptoMozilla Config GeneratorCipherlistWhy You Should Always Use HTTPSHardening NGINX SSLTSL ConfigurationStrong SSL Security on nginx
72 of 73
License
mediaDatiSyncthingslide_nginx2015imagescc-by-sa_iconpng
Questrsquoopera egrave rilasciata sotto la licenza Creative Commons Attribution-Share Alike 40International License Per visualizzare una copia di questa licenza visitarehttpcreativecommonsorglicensesby-sa40 o inviare una lettera a CreativeCommons 444 Castro Street Suite 900 Mountain View California 94041 USA
httpswwwpoulorg
73 of 73
- Introduction
-
- HTTP 101
- NGINX Architecture
- Can I try this at home
-
- Installation and Configuration
-
- Installing on Debian
- Configuration
- PHP-FPM
- Reverse Proxy
-
- Security
-
- SSLTLS and HTTPS
- Lets Encrypt
- HTTPS Hardening
-
- Links
-
apt-get install
Debian Stable (Jessie at the time of writing) provides threedifferent flavours of nginx (itrsquos modular remember) nginx-light just a small subset of core modules nginx (nginx-full) he is your man nginx-extras bloated editionIf you want to see the full comparisonIf you want the (almost) latest version install it from the Backports
26 of 73
Installation Complete
Check the installed version
sudo nginx -v
Get the full list of the enabled modules
sudo nginx -V
Look for a specific module
sudo nginx -V 2gtamp1 | grep --color module_name
27 of 73
Installation Complete
Check the installed version
sudo nginx -v
Get the full list of the enabled modules
sudo nginx -V
Look for a specific module
sudo nginx -V 2gtamp1 | grep --color module_name
27 of 73
Installation Complete
Check the installed version
sudo nginx -v
Get the full list of the enabled modules
sudo nginx -V
Look for a specific module
sudo nginx -V 2gtamp1 | grep --color module_name
27 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links28 of 73
nginxconf
The good olrsquo days of httpdconf and htaccess have ended nginxconf kicks in And your days get even better (Maybe) ^^rsquo
29 of 73
Contexts
nginxconf is divided into five four contexts blocks (main)events(1) http(1) server(n) and location(n)
There is a hierarchy the events block is standalone httpcontains server blocks a server block contains location blocks
Directives defined in an higher block (like http) affect all theunderlying blocks (server and location)
Pro Tip apply directives in the highest context available
30 of 73
nginxconf stripped-down
user www -dataworker_processes 1pid runnginxpid
events worker_connections 128
http
server
location
31 of 73
Every time you do this a kitten dies
http
server
location root varwwwhtml
location another root varwwwhtml
32 of 73
VirtualHosts P
httpserver
listen 80server_name exampleorg wwwexampleorg
server listen 80server_name poulorg wwwpoulorg
server listen 80server_name fluffykittensit wwwfluffykittensit
33 of 73
location blocks
When we are in a location context we are usually dealing with filesand folders
Location diectives allow us to tell NGINX what to do when aspecific resource is requested
Such resource can be targeted using an exact path In this case we will prefix the uri with ldquo=rdquo
Alternatively we can rely on regex matching ~ prefix for case sensitive matching ~ prefix for case insensitive matching
Syntax l o c a t i o n [ = | ~ | ~lowast | ^~ ] u r i
34 of 73
Examples or GTFO
When I visit httpexampleorgdownloads I want a list of all thefiles in that folder
l o c a t i o n ~ download au to i ndex on
We donrsquot want our users to execute scripts from write accessbilefolders RIGHT
l o c a t i o n ~lowast ( images | cache | media | l o g s | tmp ) lowast ( php | p l | py ) $ r e t u r n 403 e r ro r_page 403 403 _er ro r html
35 of 73
Examples or GTFO
When I visit httpexampleorgdownloads I want a list of all thefiles in that folder
l o c a t i o n ~ download au to i ndex on
We donrsquot want our users to execute scripts from write accessbilefolders RIGHT
l o c a t i o n ~lowast ( images | cache | media | l o g s | tmp ) lowast ( php | p l | py ) $ r e t u r n 403 e r ro r_page 403 403 _er ro r html
35 of 73
Make yourself comfortable
36 of 73
Just Kidding
Demo
37 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links38 of 73
PHP-FPM Architecture
Request Nginx Socket
FastCGI Wrapper Wordpress
FastCGI Wrapper Drupal
FastCGI Wrapper ownCloud
FastCGI Wrapper $PHP_WebApp
39 of 73
php-fpmconf
sudo apt-get install php5-fpm sudo vimemacsatom(flame)etcphp5fpmpooldwwwconf
listen = varrunphp5-fpmsock sudo service php5-fpm restart
40 of 73
No way I want PHP 7
sudo apt-get install php70-fpm (httpspackagessuryorgphp) sudo vim (we have a winner)etcphp70fpmpooldwwwconf
listen = runphpphp70-fpmsock sudo service php70-fpm restart
41 of 73
Demo
Demo
42 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links43 of 73
ldquoTo infinity and beyondrdquo
Ruby RailsSinatraPuma Python FlaskTornadoDjango (the D is silent) JavaScript NodejsGhost Anything TransmissionSyncthingympd
44 of 73
Always the same pattern
A service running behind some port (8000 8080 8384 9091 etc) You want to access it without opening all those ports in yourfirewall
You want advanced settings Authentication SSLTLS
45 of 73
Demo
Demo
46 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links47 of 73
Itrsquos a conspiracy
48 of 73
HTTPS Oh yes the green lock |
SSLTLS in a nutshell Choose a fast symmetric cipher (like AES) This is called well thecipher
Choose a random key for that cipher This is called the sessionkey
Encrypt that key using RSA (public key crypto) and send it to theperson yoursquore communicating with
Then you both have the same AES key and can encrypt all yourcommunications back and forth after that
The NSA is sad (
49 of 73
Alice is suspicious
Everything is encrypted awesome but is Bob well Bob A digital certificate is an electronic document used to proveownership of a public key
The certificate includes information about the key its ownerrsquosidentity and the digital signature of a Certification Authority
A Certification Authority(CA) is an entity that issues digitalcertificates and verifies that the certificatersquos content is correct
50 of 73
Arya
51 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links52 of 73
Letrsquos Encrypt will be released any second now
53 of 73
any second now
54 of 73
aaaaany second now
55 of 73
now
56 of 73
57 of 73
58 of 73
Thank you
59 of 73
So we were saying Letrsquos Encrypt
60 of 73
Features - sounds good
Free Automatic Secure Transparent Open Cooperative
61 of 73
Under the hood
When you run the letsencrypt client a few tasks are performedhttpsletsencryptorghow-it-works Domain Validation (DNS or HTTP)
Provisioning a DNS record under examplecom Provisioning an HTTP resource under a well-known URI on
httpsexamplecom
Certificate Issuance Repeat every 23 months (yes a script would be helpful)
62 of 73
Plugins
httpsletsencryptreadthedocsioenlatestusinghtml apache Automates obtaining and installing a cert with Apache 24on Debian-based distributions
webroot Obtains a cert by writing to the webroot directory of analready running webserver
standalone Uses a ldquostandalonerdquo webserver to obtain a certRequires port 80 or 443 to be available
manual Helps you obtain a cert by giving you instructions toperform domain validation yourself
nginx Very experimental and not included in letsencrypt-auto D
63 of 73
Demo
Demo
64 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links65 of 73
Meet your new best friend (SSL Test)
httpswwwssllabscomssltestindexhtml
66 of 73
HTTP Strict Transport Security (HSTS)
It is an HTTP header sent from the server to the client Such header informs the client that HTTPS is availbale for therequested website
The ldquomax-agerdquo parameters sets the validity of this information (inseconds)
67 of 73
Enable HSTS in NGINX
Enabling HSTS is as simple as adding a common HTTP headerserver
listen 443 ssl
Force HSTSadd_header Strict -Transport -Security max -age =15768000
68 of 73
Perfect Forward Secrecy (PFS)
Letrsquos say someone intercepts and stores all our encryptedcommunications I know who would ever do that (cough)
If the private key is compromiseddeciphered all the previouscommunications could be unencrypted and read
Solution Use a new key for each session Call that key ldquoephimeralrdquo
69 of 73
PFS Pretty please with sugar on top
Just use the right cipherserver
listen 443 ssl
ssl_prefer_server_ciphers onssl_ciphers rsquoECDHE -RSA -AES128 -GCM -SHA256 rsquo
70 of 73
NGINX Links
Getting Started
NGINX PitfallsNGINX Admin GuideNGINX PrimerNGINXTIPSNGINX Doc and Modules ReferenceUnderstanding Nginx Server and Location Block Selection AlgorithmsUnderstanding the Nginx Configuration File Structure andConfiguration Contexts
71 of 73
HTTPS Links
HTTPS
BetterCryptoMozilla Config GeneratorCipherlistWhy You Should Always Use HTTPSHardening NGINX SSLTSL ConfigurationStrong SSL Security on nginx
72 of 73
License
mediaDatiSyncthingslide_nginx2015imagescc-by-sa_iconpng
Questrsquoopera egrave rilasciata sotto la licenza Creative Commons Attribution-Share Alike 40International License Per visualizzare una copia di questa licenza visitarehttpcreativecommonsorglicensesby-sa40 o inviare una lettera a CreativeCommons 444 Castro Street Suite 900 Mountain View California 94041 USA
httpswwwpoulorg
73 of 73
- Introduction
-
- HTTP 101
- NGINX Architecture
- Can I try this at home
-
- Installation and Configuration
-
- Installing on Debian
- Configuration
- PHP-FPM
- Reverse Proxy
-
- Security
-
- SSLTLS and HTTPS
- Lets Encrypt
- HTTPS Hardening
-
- Links
-
Installation Complete
Check the installed version
sudo nginx -v
Get the full list of the enabled modules
sudo nginx -V
Look for a specific module
sudo nginx -V 2gtamp1 | grep --color module_name
27 of 73
Installation Complete
Check the installed version
sudo nginx -v
Get the full list of the enabled modules
sudo nginx -V
Look for a specific module
sudo nginx -V 2gtamp1 | grep --color module_name
27 of 73
Installation Complete
Check the installed version
sudo nginx -v
Get the full list of the enabled modules
sudo nginx -V
Look for a specific module
sudo nginx -V 2gtamp1 | grep --color module_name
27 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links28 of 73
nginxconf
The good olrsquo days of httpdconf and htaccess have ended nginxconf kicks in And your days get even better (Maybe) ^^rsquo
29 of 73
Contexts
nginxconf is divided into five four contexts blocks (main)events(1) http(1) server(n) and location(n)
There is a hierarchy the events block is standalone httpcontains server blocks a server block contains location blocks
Directives defined in an higher block (like http) affect all theunderlying blocks (server and location)
Pro Tip apply directives in the highest context available
30 of 73
nginxconf stripped-down
user www -dataworker_processes 1pid runnginxpid
events worker_connections 128
http
server
location
31 of 73
Every time you do this a kitten dies
http
server
location root varwwwhtml
location another root varwwwhtml
32 of 73
VirtualHosts P
httpserver
listen 80server_name exampleorg wwwexampleorg
server listen 80server_name poulorg wwwpoulorg
server listen 80server_name fluffykittensit wwwfluffykittensit
33 of 73
location blocks
When we are in a location context we are usually dealing with filesand folders
Location diectives allow us to tell NGINX what to do when aspecific resource is requested
Such resource can be targeted using an exact path In this case we will prefix the uri with ldquo=rdquo
Alternatively we can rely on regex matching ~ prefix for case sensitive matching ~ prefix for case insensitive matching
Syntax l o c a t i o n [ = | ~ | ~lowast | ^~ ] u r i
34 of 73
Examples or GTFO
When I visit httpexampleorgdownloads I want a list of all thefiles in that folder
l o c a t i o n ~ download au to i ndex on
We donrsquot want our users to execute scripts from write accessbilefolders RIGHT
l o c a t i o n ~lowast ( images | cache | media | l o g s | tmp ) lowast ( php | p l | py ) $ r e t u r n 403 e r ro r_page 403 403 _er ro r html
35 of 73
Examples or GTFO
When I visit httpexampleorgdownloads I want a list of all thefiles in that folder
l o c a t i o n ~ download au to i ndex on
We donrsquot want our users to execute scripts from write accessbilefolders RIGHT
l o c a t i o n ~lowast ( images | cache | media | l o g s | tmp ) lowast ( php | p l | py ) $ r e t u r n 403 e r ro r_page 403 403 _er ro r html
35 of 73
Make yourself comfortable
36 of 73
Just Kidding
Demo
37 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links38 of 73
PHP-FPM Architecture
Request Nginx Socket
FastCGI Wrapper Wordpress
FastCGI Wrapper Drupal
FastCGI Wrapper ownCloud
FastCGI Wrapper $PHP_WebApp
39 of 73
php-fpm.conf
    sudo apt-get install php5-fpm
    sudo vim/emacs/atom (flame) /etc/php5/fpm/pool.d/www.conf
        listen = /var/run/php5-fpm.sock
    sudo service php5-fpm restart
40 of 73
No way, I want PHP 7
    sudo apt-get install php7.0-fpm    (https://packages.sury.org/php/)
    sudo vim (we have a winner) /etc/php/7.0/fpm/pool.d/www.conf
        listen = /run/php/php7.0-fpm.sock
    sudo service php7.0-fpm restart
41 of 73
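The NGINX side of this setup, which the slides leave to the demo, as an added example that is not the deck's own config: a server block handing *.php requests to the php7.0-fpm pool over the Unix socket configured above, with the checks that keep php-fpm from executing things it should not. The hostname, the document root and the index.php entry point are assumptions.

```nginx
# Added example: NGINX server block talking to the PHP-FPM pool over the Unix
# socket set in /etc/php/7.0/fpm/pool.d/www.conf (listen = /run/php/php7.0-fpm.sock).
# example.org, /var/www/html and index.php are assumptions made for this example.
server {
    listen 80;
    server_name example.org www.example.org;
    root /var/www/html;             # set once here, not in every location (slide 32)
    index index.php index.html;

    location / {
        # Serve the file if it exists, otherwise hand the URI to the PHP front controller.
        try_files $uri $uri/ /index.php$is_args$args;
    }

    # Refuse to run scripts that live in writable folders. Regex locations are tried
    # in order of appearance, so this must come before the \.php$ block below.
    location ~* /(images|cache|media|logs|tmp)/.*\.(php|pl|py)$ {
        return 403;
    }

    location ~ \.php$ {
        # Answer 404 here if the script does not exist, instead of asking php-fpm.
        # With cgi.fix_pathinfo=1 in php.ini a URI like /uploads/pic.jpg/x.php could
        # otherwise make PHP run pic.jpg as a script; this check closes that door.
        try_files $uri =404;

        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;     # Debian ships /etc/nginx/fastcgi_params
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }

    # Dotfiles (.htaccess, .git, .env) are never served or passed to php-fpm.
    location ~ /\. {
        deny all;
    }
}
```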
Demo
42 of 73
"To infinity and beyond"
- Ruby: Rails / Sinatra / Puma
- Python: Flask / Tornado / Django (the D is silent)
- JavaScript: Node.js / Ghost
- Anything: Transmission / Syncthing / ympd
44 of 73
Always the same pattern
- A service running behind some port (8000, 8080, 8384, 9091, etc.)
- You want to access it without opening all those ports in your firewall
- You want advanced settings: authentication, SSL/TLS
45 of 73
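The reverse-proxy pattern from this slide as an added NGINX example (not the deck's own config): the service keeps listening on localhost only, NGINX terminates TLS on 443, asks for HTTP basic authentication and forwards the request. A service on 127.0.0.1:8384 (one of the ports listed above), the hostname and the certificate paths are assumptions.

```nginx
# Added example: publish a localhost-only service (assumed to listen on 127.0.0.1:8384)
# through NGINX with TLS and basic auth in front of it. Hostname and cert paths are assumptions.
server {
    listen 443 ssl;
    server_name sync.example.org;

    ssl_certificate     /etc/letsencrypt/live/sync.example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/sync.example.org/privkey.pem;
    # cipher and HSTS settings: see the HTTPS Hardening slides

    location / {
        # Credentials file created e.g. with htpasswd (Debian package apache2-utils):
        #   htpasswd -c /etc/nginx/htpasswd.sync alice
        auth_basic           "Restricted";
        auth_basic_user_file /etc/nginx/htpasswd.sync;

        # Only NGINX can reach the backend: it binds to 127.0.0.1, so port 8384
        # never has to be opened in the firewall.
        proxy_pass http://127.0.0.1:8384;

        # Let the application see the original host, client address and scheme.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Some web GUIs hold long-polling requests open; the default 60s would cut them.
        proxy_read_timeout 600s;
    }
}

# Plain HTTP only redirects, so the basic-auth password is never sent in the clear.
server {
    listen 80;
    server_name sync.example.org;
    return 301 https://$host$request_uri;
}
```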
Demo
46 of 73
It's a conspiracy
48 of 73
HTTPS: Oh yes, the green lock :|
SSL/TLS in a nutshell:
- Choose a fast symmetric cipher (like AES). This is called, well, the cipher.
- Choose a random key for that cipher. This is called the session key.
- Encrypt that key using RSA (public key crypto) and send it to the person you're communicating with.
- Then you both have the same AES key and can encrypt all your communications back and forth after that.
- The NSA is sad :(
49 of 73
Alice is suspicious
Everything is encrypted, awesome, but is Bob, well, Bob?
- A digital certificate is an electronic document used to prove ownership of a public key.
- The certificate includes information about the key, its owner's identity, and the digital signature of a Certification Authority.
- A Certification Authority (CA) is an entity that issues digital certificates and verifies that the certificate's content is correct.
50 of 73
Arya
51 of 73
Let's Encrypt will be released any second now
53 of 73
any second now
54 of 73
aaaaany second now
55 of 73
now
56 of 73
57 of 73
58 of 73
Thank you
59 of 73
So, we were saying: Let's Encrypt
60 of 73
Features - sounds good
Free, Automatic, Secure, Transparent, Open, Cooperative
61 of 73
Under the hood
When you run the letsencrypt client a few tasks are performed (https://letsencrypt.org/how-it-works/):
- Domain Validation (DNS or HTTP):
  - Provisioning a DNS record under example.com
  - Provisioning an HTTP resource under a well-known URI on https://example.com
- Certificate Issuance
- Repeat every 2-3 months (yes, a script would be helpful)
62 of 73
Plugins
https://letsencrypt.readthedocs.io/en/latest/using.html
- apache: Automates obtaining and installing a cert with Apache 2.4 on Debian-based distributions
- webroot: Obtains a cert by writing to the webroot directory of an already running webserver
- standalone: Uses a "standalone" webserver to obtain a cert. Requires port 80 or 443 to be available
- manual: Helps you obtain a cert by giving you instructions to perform domain validation yourself
- nginx: Very experimental and not included in letsencrypt-auto :D
63 of 73
Demo
Demo
64 of 73
Meet your new best friend (SSL Test)
https://www.ssllabs.com/ssltest/index.html
66 of 73
HTTP Strict Transport Security (HSTS)
- It is an HTTP header sent from the server to the client.
- The header informs the client that the requested website supports HTTPS and must from now on be accessed only over HTTPS.
- The "max-age" parameter sets the validity of this information (in seconds).
67 of 73
Enable HSTS in NGINX
Enabling HSTS is as simple as adding a common HTTP header:
    server {
        listen 443 ssl;
        # Force HSTS
        add_header Strict-Transport-Security "max-age=15768000";
    }
68 of 73
Perfect Forward Secrecy (PFS)
- Let's say someone intercepts and stores all our encrypted communications. I know, who would ever do that? (cough)
- If the private key is compromised or deciphered, all the previous communications could be decrypted and read.
- Solution: use a new key for each session. Call that key "ephemeral".
69 of 73
PFS: Pretty please with sugar on top
Just use the right cipher:
    server {
        listen 443 ssl;
        ssl_prefer_server_ciphers on;
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256';
    }
70 of 73
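The HTTPS slides (Let's Encrypt webroot validation, HSTS and PFS) put together as one added NGINX example, not the deck's own config: a port-80 server that answers only the Let's Encrypt HTTP validation and redirects everything else, and a port-443 server with the Let's Encrypt certificate, an ECDHE-only cipher list and HSTS. example.org, the webroot path, the certificate paths and the client invocation in the comment are assumptions; the cipher list widens the slide's ECDHE-RSA suite to its ECDSA and AES-256 variants.

```nginx
# Added example combining the Let's Encrypt, HSTS and PFS slides; not the deck's own config.
# example.org, /var/www/letsencrypt and the certificate paths are assumptions.

# 1) HTTP: serve only the ACME challenge (webroot plugin), redirect everything else.
#    The ^~ prefix (slide 34) makes this location win over any regex location,
#    for instance a "deny dotfiles" rule that would otherwise swallow /.well-known/.
server {
    listen 80;
    server_name example.org www.example.org;

    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
        # Certificate obtained with (assumed invocation of the client linked on slide 63):
        #   letsencrypt certonly --webroot -w /var/www/letsencrypt -d example.org -d www.example.org
        # and re-run from a cron job, because the certificate expires after 90 days.
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# 2) HTTPS
server {
    listen 443 ssl;
    server_name example.org www.example.org;

    ssl_certificate     /etc/letsencrypt/live/example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem;

    # No SSLv3 / TLS 1.0; add TLSv1.1 only if old clients really need it.
    ssl_protocols TLSv1.2;

    # PFS: every suite uses an ephemeral ECDHE key, so a leaked RSA key does not
    # decrypt recorded traffic. The server's order wins over the client's preference.
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';

    # Session resumption: a server-side cache is fine, but session tickets encrypted
    # with a long-lived key would undo forward secrecy, so keep them off.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # HSTS for 6 months, as on slide 68. add_header is not inherited into a location
    # that sets its own add_header, so repeat it there when needed.
    add_header Strict-Transport-Security "max-age=15768000";

    root /var/www/html;
    index index.html;
}
```

After reloading, the SSL Labs test from slide 66 is the quickest way to confirm that only forward-secret suites are offered and that the HSTS header is seen.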
NGINX Links
Getting Started
- NGINX Pitfalls
- NGINX Admin Guide
- NGINX Primer
- NGINX TIPS
- NGINX Doc and Modules Reference
- Understanding Nginx Server and Location Block Selection Algorithms
- Understanding the Nginx Configuration File Structure and Configuration Contexts
71 of 73
HTTPS Links
HTTPS
- BetterCrypto
- Mozilla Config Generator
- Cipherlist
- Why You Should Always Use HTTPS
- Hardening NGINX SSL/TLS Configuration
- Strong SSL Security on nginx
72 of 73
License
(CC BY-SA icon)
This work is released under the Creative Commons Attribution-Share Alike 4.0 International License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/4.0/ or send a letter to Creative Commons, 444 Castro Street, Suite 900, Mountain View, California, 94041, USA.
https://www.poul.org
73 of 73
- Introduction
  - HTTP 101
  - NGINX Architecture
  - Can I try this at home?
- Installation and Configuration
  - Installing on Debian
  - Configuration
  - PHP-FPM
  - Reverse Proxy
- Security
  - SSL/TLS and HTTPS
  - Let's Encrypt
  - HTTPS Hardening
- Links
Installation Complete
Check the installed version
sudo nginx -v
Get the full list of the enabled modules
sudo nginx -V
Look for a specific module
sudo nginx -V 2gtamp1 | grep --color module_name
27 of 73
Installation Complete
Check the installed version
sudo nginx -v
Get the full list of the enabled modules
sudo nginx -V
Look for a specific module
sudo nginx -V 2gtamp1 | grep --color module_name
27 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links28 of 73
nginxconf
The good olrsquo days of httpdconf and htaccess have ended nginxconf kicks in And your days get even better (Maybe) ^^rsquo
29 of 73
Contexts
nginxconf is divided into five four contexts blocks (main)events(1) http(1) server(n) and location(n)
There is a hierarchy the events block is standalone httpcontains server blocks a server block contains location blocks
Directives defined in an higher block (like http) affect all theunderlying blocks (server and location)
Pro Tip apply directives in the highest context available
30 of 73
nginxconf stripped-down
user www -dataworker_processes 1pid runnginxpid
events worker_connections 128
http
server
location
31 of 73
Every time you do this a kitten dies
http
server
location root varwwwhtml
location another root varwwwhtml
32 of 73
VirtualHosts P
httpserver
listen 80server_name exampleorg wwwexampleorg
server listen 80server_name poulorg wwwpoulorg
server listen 80server_name fluffykittensit wwwfluffykittensit
33 of 73
location blocks
When we are in a location context we are usually dealing with filesand folders
Location diectives allow us to tell NGINX what to do when aspecific resource is requested
Such resource can be targeted using an exact path In this case we will prefix the uri with ldquo=rdquo
Alternatively we can rely on regex matching ~ prefix for case sensitive matching ~ prefix for case insensitive matching
Syntax l o c a t i o n [ = | ~ | ~lowast | ^~ ] u r i
34 of 73
Examples or GTFO
When I visit httpexampleorgdownloads I want a list of all thefiles in that folder
l o c a t i o n ~ download au to i ndex on
We donrsquot want our users to execute scripts from write accessbilefolders RIGHT
l o c a t i o n ~lowast ( images | cache | media | l o g s | tmp ) lowast ( php | p l | py ) $ r e t u r n 403 e r ro r_page 403 403 _er ro r html
35 of 73
Examples or GTFO
When I visit httpexampleorgdownloads I want a list of all thefiles in that folder
l o c a t i o n ~ download au to i ndex on
We donrsquot want our users to execute scripts from write accessbilefolders RIGHT
l o c a t i o n ~lowast ( images | cache | media | l o g s | tmp ) lowast ( php | p l | py ) $ r e t u r n 403 e r ro r_page 403 403 _er ro r html
35 of 73
Make yourself comfortable
36 of 73
Just Kidding
Demo
37 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links38 of 73
PHP-FPM Architecture
Request Nginx Socket
FastCGI Wrapper Wordpress
FastCGI Wrapper Drupal
FastCGI Wrapper ownCloud
FastCGI Wrapper $PHP_WebApp
39 of 73
php-fpmconf
sudo apt-get install php5-fpm sudo vimemacsatom(flame)etcphp5fpmpooldwwwconf
listen = varrunphp5-fpmsock sudo service php5-fpm restart
40 of 73
No way I want PHP 7
sudo apt-get install php70-fpm (httpspackagessuryorgphp) sudo vim (we have a winner)etcphp70fpmpooldwwwconf
listen = runphpphp70-fpmsock sudo service php70-fpm restart
41 of 73
Demo
Demo
42 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links43 of 73
ldquoTo infinity and beyondrdquo
Ruby RailsSinatraPuma Python FlaskTornadoDjango (the D is silent) JavaScript NodejsGhost Anything TransmissionSyncthingympd
44 of 73
Always the same pattern
A service running behind some port (8000 8080 8384 9091 etc) You want to access it without opening all those ports in yourfirewall
You want advanced settings Authentication SSLTLS
45 of 73
Demo
Demo
46 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links47 of 73
Itrsquos a conspiracy
48 of 73
HTTPS Oh yes the green lock |
SSLTLS in a nutshell Choose a fast symmetric cipher (like AES) This is called well thecipher
Choose a random key for that cipher This is called the sessionkey
Encrypt that key using RSA (public key crypto) and send it to theperson yoursquore communicating with
Then you both have the same AES key and can encrypt all yourcommunications back and forth after that
The NSA is sad (
49 of 73
Alice is suspicious
Everything is encrypted awesome but is Bob well Bob A digital certificate is an electronic document used to proveownership of a public key
The certificate includes information about the key its ownerrsquosidentity and the digital signature of a Certification Authority
A Certification Authority(CA) is an entity that issues digitalcertificates and verifies that the certificatersquos content is correct
50 of 73
Arya
51 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links52 of 73
Letrsquos Encrypt will be released any second now
53 of 73
any second now
54 of 73
aaaaany second now
55 of 73
now
56 of 73
57 of 73
58 of 73
Thank you
59 of 73
So we were saying Letrsquos Encrypt
60 of 73
Features - sounds good
Free Automatic Secure Transparent Open Cooperative
61 of 73
Under the hood
When you run the letsencrypt client a few tasks are performedhttpsletsencryptorghow-it-works Domain Validation (DNS or HTTP)
Provisioning a DNS record under examplecom Provisioning an HTTP resource under a well-known URI on
httpsexamplecom
Certificate Issuance Repeat every 23 months (yes a script would be helpful)
62 of 73
Plugins
httpsletsencryptreadthedocsioenlatestusinghtml apache Automates obtaining and installing a cert with Apache 24on Debian-based distributions
webroot Obtains a cert by writing to the webroot directory of analready running webserver
standalone Uses a ldquostandalonerdquo webserver to obtain a certRequires port 80 or 443 to be available
manual Helps you obtain a cert by giving you instructions toperform domain validation yourself
nginx Very experimental and not included in letsencrypt-auto D
63 of 73
Demo
Demo
64 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links65 of 73
Meet your new best friend (SSL Test)
httpswwwssllabscomssltestindexhtml
66 of 73
HTTP Strict Transport Security (HSTS)
It is an HTTP header sent from the server to the client Such header informs the client that HTTPS is availbale for therequested website
The ldquomax-agerdquo parameters sets the validity of this information (inseconds)
67 of 73
Enable HSTS in NGINX
Enabling HSTS is as simple as adding a common HTTP headerserver
listen 443 ssl
Force HSTSadd_header Strict -Transport -Security max -age =15768000
68 of 73
Perfect Forward Secrecy (PFS)
Letrsquos say someone intercepts and stores all our encryptedcommunications I know who would ever do that (cough)
If the private key is compromiseddeciphered all the previouscommunications could be unencrypted and read
Solution Use a new key for each session Call that key ldquoephimeralrdquo
69 of 73
PFS Pretty please with sugar on top
Just use the right cipherserver
listen 443 ssl
ssl_prefer_server_ciphers onssl_ciphers rsquoECDHE -RSA -AES128 -GCM -SHA256 rsquo
70 of 73
NGINX Links
Getting Started
NGINX PitfallsNGINX Admin GuideNGINX PrimerNGINXTIPSNGINX Doc and Modules ReferenceUnderstanding Nginx Server and Location Block Selection AlgorithmsUnderstanding the Nginx Configuration File Structure andConfiguration Contexts
71 of 73
HTTPS Links
HTTPS
BetterCryptoMozilla Config GeneratorCipherlistWhy You Should Always Use HTTPSHardening NGINX SSLTSL ConfigurationStrong SSL Security on nginx
72 of 73
License
mediaDatiSyncthingslide_nginx2015imagescc-by-sa_iconpng
Questrsquoopera egrave rilasciata sotto la licenza Creative Commons Attribution-Share Alike 40International License Per visualizzare una copia di questa licenza visitarehttpcreativecommonsorglicensesby-sa40 o inviare una lettera a CreativeCommons 444 Castro Street Suite 900 Mountain View California 94041 USA
httpswwwpoulorg
73 of 73
- Introduction
-
- HTTP 101
- NGINX Architecture
- Can I try this at home
-
- Installation and Configuration
-
- Installing on Debian
- Configuration
- PHP-FPM
- Reverse Proxy
-
- Security
-
- SSLTLS and HTTPS
- Lets Encrypt
- HTTPS Hardening
-
- Links
-
Installation Complete
Check the installed version
sudo nginx -v
Get the full list of the enabled modules
sudo nginx -V
Look for a specific module
sudo nginx -V 2gtamp1 | grep --color module_name
27 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links28 of 73
nginxconf
The good olrsquo days of httpdconf and htaccess have ended nginxconf kicks in And your days get even better (Maybe) ^^rsquo
29 of 73
Contexts
nginxconf is divided into five four contexts blocks (main)events(1) http(1) server(n) and location(n)
There is a hierarchy the events block is standalone httpcontains server blocks a server block contains location blocks
Directives defined in an higher block (like http) affect all theunderlying blocks (server and location)
Pro Tip apply directives in the highest context available
30 of 73
nginxconf stripped-down
user www -dataworker_processes 1pid runnginxpid
events worker_connections 128
http
server
location
31 of 73
Every time you do this a kitten dies
http
server
location root varwwwhtml
location another root varwwwhtml
32 of 73
VirtualHosts P
httpserver
listen 80server_name exampleorg wwwexampleorg
server listen 80server_name poulorg wwwpoulorg
server listen 80server_name fluffykittensit wwwfluffykittensit
33 of 73
location blocks
When we are in a location context we are usually dealing with filesand folders
Location diectives allow us to tell NGINX what to do when aspecific resource is requested
Such resource can be targeted using an exact path In this case we will prefix the uri with ldquo=rdquo
Alternatively we can rely on regex matching ~ prefix for case sensitive matching ~ prefix for case insensitive matching
Syntax l o c a t i o n [ = | ~ | ~lowast | ^~ ] u r i
34 of 73
Examples or GTFO
When I visit httpexampleorgdownloads I want a list of all thefiles in that folder
l o c a t i o n ~ download au to i ndex on
We donrsquot want our users to execute scripts from write accessbilefolders RIGHT
l o c a t i o n ~lowast ( images | cache | media | l o g s | tmp ) lowast ( php | p l | py ) $ r e t u r n 403 e r ro r_page 403 403 _er ro r html
35 of 73
Examples or GTFO
When I visit httpexampleorgdownloads I want a list of all thefiles in that folder
l o c a t i o n ~ download au to i ndex on
We donrsquot want our users to execute scripts from write accessbilefolders RIGHT
l o c a t i o n ~lowast ( images | cache | media | l o g s | tmp ) lowast ( php | p l | py ) $ r e t u r n 403 e r ro r_page 403 403 _er ro r html
35 of 73
Make yourself comfortable
36 of 73
Just Kidding
Demo
37 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links38 of 73
PHP-FPM Architecture
Request Nginx Socket
FastCGI Wrapper Wordpress
FastCGI Wrapper Drupal
FastCGI Wrapper ownCloud
FastCGI Wrapper $PHP_WebApp
39 of 73
php-fpmconf
sudo apt-get install php5-fpm sudo vimemacsatom(flame)etcphp5fpmpooldwwwconf
listen = varrunphp5-fpmsock sudo service php5-fpm restart
40 of 73
No way I want PHP 7
sudo apt-get install php70-fpm (httpspackagessuryorgphp) sudo vim (we have a winner)etcphp70fpmpooldwwwconf
listen = runphpphp70-fpmsock sudo service php70-fpm restart
41 of 73
Demo
Demo
42 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links43 of 73
ldquoTo infinity and beyondrdquo
Ruby RailsSinatraPuma Python FlaskTornadoDjango (the D is silent) JavaScript NodejsGhost Anything TransmissionSyncthingympd
44 of 73
Always the same pattern
A service running behind some port (8000 8080 8384 9091 etc) You want to access it without opening all those ports in yourfirewall
You want advanced settings Authentication SSLTLS
45 of 73
Demo
Demo
46 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links47 of 73
Itrsquos a conspiracy
48 of 73
HTTPS Oh yes the green lock |
SSLTLS in a nutshell Choose a fast symmetric cipher (like AES) This is called well thecipher
Choose a random key for that cipher This is called the sessionkey
Encrypt that key using RSA (public key crypto) and send it to theperson yoursquore communicating with
Then you both have the same AES key and can encrypt all yourcommunications back and forth after that
The NSA is sad (
49 of 73
Alice is suspicious
Everything is encrypted awesome but is Bob well Bob A digital certificate is an electronic document used to proveownership of a public key
The certificate includes information about the key its ownerrsquosidentity and the digital signature of a Certification Authority
A Certification Authority(CA) is an entity that issues digitalcertificates and verifies that the certificatersquos content is correct
50 of 73
Arya
51 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links52 of 73
Letrsquos Encrypt will be released any second now
53 of 73
any second now
54 of 73
aaaaany second now
55 of 73
now
56 of 73
57 of 73
58 of 73
Thank you
59 of 73
So we were saying Letrsquos Encrypt
60 of 73
Features - sounds good
Free Automatic Secure Transparent Open Cooperative
61 of 73
Under the hood
When you run the letsencrypt client a few tasks are performedhttpsletsencryptorghow-it-works Domain Validation (DNS or HTTP)
Provisioning a DNS record under examplecom Provisioning an HTTP resource under a well-known URI on
httpsexamplecom
Certificate Issuance Repeat every 23 months (yes a script would be helpful)
62 of 73
Plugins
httpsletsencryptreadthedocsioenlatestusinghtml apache Automates obtaining and installing a cert with Apache 24on Debian-based distributions
webroot Obtains a cert by writing to the webroot directory of analready running webserver
standalone Uses a ldquostandalonerdquo webserver to obtain a certRequires port 80 or 443 to be available
manual Helps you obtain a cert by giving you instructions toperform domain validation yourself
nginx Very experimental and not included in letsencrypt-auto D
63 of 73
Demo
Demo
64 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links65 of 73
Meet your new best friend (SSL Test)
httpswwwssllabscomssltestindexhtml
66 of 73
HTTP Strict Transport Security (HSTS)
It is an HTTP header sent from the server to the client Such header informs the client that HTTPS is availbale for therequested website
The ldquomax-agerdquo parameters sets the validity of this information (inseconds)
67 of 73
Enable HSTS in NGINX
Enabling HSTS is as simple as adding a common HTTP headerserver
listen 443 ssl
Force HSTSadd_header Strict -Transport -Security max -age =15768000
68 of 73
Perfect Forward Secrecy (PFS)
Letrsquos say someone intercepts and stores all our encryptedcommunications I know who would ever do that (cough)
If the private key is compromiseddeciphered all the previouscommunications could be unencrypted and read
Solution Use a new key for each session Call that key ldquoephimeralrdquo
69 of 73
PFS Pretty please with sugar on top
Just use the right cipherserver
listen 443 ssl
ssl_prefer_server_ciphers onssl_ciphers rsquoECDHE -RSA -AES128 -GCM -SHA256 rsquo
70 of 73
NGINX Links
Getting Started
NGINX PitfallsNGINX Admin GuideNGINX PrimerNGINXTIPSNGINX Doc and Modules ReferenceUnderstanding Nginx Server and Location Block Selection AlgorithmsUnderstanding the Nginx Configuration File Structure andConfiguration Contexts
71 of 73
HTTPS Links
HTTPS
BetterCryptoMozilla Config GeneratorCipherlistWhy You Should Always Use HTTPSHardening NGINX SSLTSL ConfigurationStrong SSL Security on nginx
72 of 73
License
mediaDatiSyncthingslide_nginx2015imagescc-by-sa_iconpng
Questrsquoopera egrave rilasciata sotto la licenza Creative Commons Attribution-Share Alike 40International License Per visualizzare una copia di questa licenza visitarehttpcreativecommonsorglicensesby-sa40 o inviare una lettera a CreativeCommons 444 Castro Street Suite 900 Mountain View California 94041 USA
httpswwwpoulorg
73 of 73
- Introduction
-
- HTTP 101
- NGINX Architecture
- Can I try this at home
-
- Installation and Configuration
-
- Installing on Debian
- Configuration
- PHP-FPM
- Reverse Proxy
-
- Security
-
- SSLTLS and HTTPS
- Lets Encrypt
- HTTPS Hardening
-
- Links
-
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links28 of 73
nginxconf
The good olrsquo days of httpdconf and htaccess have ended nginxconf kicks in And your days get even better (Maybe) ^^rsquo
29 of 73
Contexts
nginxconf is divided into five four contexts blocks (main)events(1) http(1) server(n) and location(n)
There is a hierarchy the events block is standalone httpcontains server blocks a server block contains location blocks
Directives defined in an higher block (like http) affect all theunderlying blocks (server and location)
Pro Tip apply directives in the highest context available
30 of 73
nginxconf stripped-down
user www -dataworker_processes 1pid runnginxpid
events worker_connections 128
http
server
location
31 of 73
Every time you do this a kitten dies
http
server
location root varwwwhtml
location another root varwwwhtml
32 of 73
VirtualHosts P
httpserver
listen 80server_name exampleorg wwwexampleorg
server listen 80server_name poulorg wwwpoulorg
server listen 80server_name fluffykittensit wwwfluffykittensit
33 of 73
location blocks
When we are in a location context we are usually dealing with filesand folders
Location diectives allow us to tell NGINX what to do when aspecific resource is requested
Such resource can be targeted using an exact path In this case we will prefix the uri with ldquo=rdquo
Alternatively we can rely on regex matching ~ prefix for case sensitive matching ~ prefix for case insensitive matching
Syntax l o c a t i o n [ = | ~ | ~lowast | ^~ ] u r i
34 of 73
Examples or GTFO
When I visit httpexampleorgdownloads I want a list of all thefiles in that folder
l o c a t i o n ~ download au to i ndex on
We donrsquot want our users to execute scripts from write accessbilefolders RIGHT
l o c a t i o n ~lowast ( images | cache | media | l o g s | tmp ) lowast ( php | p l | py ) $ r e t u r n 403 e r ro r_page 403 403 _er ro r html
35 of 73
Examples or GTFO
When I visit httpexampleorgdownloads I want a list of all thefiles in that folder
l o c a t i o n ~ download au to i ndex on
We donrsquot want our users to execute scripts from write accessbilefolders RIGHT
l o c a t i o n ~lowast ( images | cache | media | l o g s | tmp ) lowast ( php | p l | py ) $ r e t u r n 403 e r ro r_page 403 403 _er ro r html
35 of 73
Make yourself comfortable
36 of 73
Just Kidding
Demo
37 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links38 of 73
PHP-FPM Architecture
Request Nginx Socket
FastCGI Wrapper Wordpress
FastCGI Wrapper Drupal
FastCGI Wrapper ownCloud
FastCGI Wrapper $PHP_WebApp
39 of 73
php-fpmconf
sudo apt-get install php5-fpm sudo vimemacsatom(flame)etcphp5fpmpooldwwwconf
listen = varrunphp5-fpmsock sudo service php5-fpm restart
40 of 73
No way I want PHP 7
sudo apt-get install php70-fpm (httpspackagessuryorgphp) sudo vim (we have a winner)etcphp70fpmpooldwwwconf
listen = runphpphp70-fpmsock sudo service php70-fpm restart
41 of 73
Demo
Demo
42 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links43 of 73
ldquoTo infinity and beyondrdquo
Ruby RailsSinatraPuma Python FlaskTornadoDjango (the D is silent) JavaScript NodejsGhost Anything TransmissionSyncthingympd
44 of 73
Always the same pattern
A service running behind some port (8000 8080 8384 9091 etc) You want to access it without opening all those ports in yourfirewall
You want advanced settings Authentication SSLTLS
45 of 73
Demo
Demo
46 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links47 of 73
Itrsquos a conspiracy
48 of 73
HTTPS Oh yes the green lock |
SSLTLS in a nutshell Choose a fast symmetric cipher (like AES) This is called well thecipher
Choose a random key for that cipher This is called the sessionkey
Encrypt that key using RSA (public key crypto) and send it to theperson yoursquore communicating with
Then you both have the same AES key and can encrypt all yourcommunications back and forth after that
The NSA is sad (
49 of 73
Alice is suspicious
Everything is encrypted awesome but is Bob well Bob A digital certificate is an electronic document used to proveownership of a public key
The certificate includes information about the key its ownerrsquosidentity and the digital signature of a Certification Authority
A Certification Authority(CA) is an entity that issues digitalcertificates and verifies that the certificatersquos content is correct
50 of 73
Arya
51 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links52 of 73
Letrsquos Encrypt will be released any second now
53 of 73
any second now
54 of 73
aaaaany second now
55 of 73
now
56 of 73
57 of 73
58 of 73
Thank you
59 of 73
So we were saying Letrsquos Encrypt
60 of 73
Features - sounds good
Free Automatic Secure Transparent Open Cooperative
61 of 73
Under the hood
When you run the letsencrypt client a few tasks are performedhttpsletsencryptorghow-it-works Domain Validation (DNS or HTTP)
Provisioning a DNS record under examplecom Provisioning an HTTP resource under a well-known URI on
httpsexamplecom
Certificate Issuance Repeat every 23 months (yes a script would be helpful)
62 of 73
Plugins
httpsletsencryptreadthedocsioenlatestusinghtml apache Automates obtaining and installing a cert with Apache 24on Debian-based distributions
webroot Obtains a cert by writing to the webroot directory of analready running webserver
standalone Uses a ldquostandalonerdquo webserver to obtain a certRequires port 80 or 443 to be available
manual Helps you obtain a cert by giving you instructions toperform domain validation yourself
nginx Very experimental and not included in letsencrypt-auto D
63 of 73
Demo
Demo
64 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links65 of 73
Meet your new best friend (SSL Test)
httpswwwssllabscomssltestindexhtml
66 of 73
HTTP Strict Transport Security (HSTS)
It is an HTTP header sent from the server to the client Such header informs the client that HTTPS is availbale for therequested website
The ldquomax-agerdquo parameters sets the validity of this information (inseconds)
67 of 73
Enable HSTS in NGINX
Enabling HSTS is as simple as adding a common HTTP headerserver
listen 443 ssl
Force HSTSadd_header Strict -Transport -Security max -age =15768000
68 of 73
Perfect Forward Secrecy (PFS)
Letrsquos say someone intercepts and stores all our encryptedcommunications I know who would ever do that (cough)
If the private key is compromiseddeciphered all the previouscommunications could be unencrypted and read
Solution Use a new key for each session Call that key ldquoephimeralrdquo
69 of 73
PFS Pretty please with sugar on top
Just use the right cipherserver
listen 443 ssl
ssl_prefer_server_ciphers onssl_ciphers rsquoECDHE -RSA -AES128 -GCM -SHA256 rsquo
70 of 73
NGINX Links
Getting Started
NGINX PitfallsNGINX Admin GuideNGINX PrimerNGINXTIPSNGINX Doc and Modules ReferenceUnderstanding Nginx Server and Location Block Selection AlgorithmsUnderstanding the Nginx Configuration File Structure andConfiguration Contexts
71 of 73
HTTPS Links
HTTPS
BetterCryptoMozilla Config GeneratorCipherlistWhy You Should Always Use HTTPSHardening NGINX SSLTSL ConfigurationStrong SSL Security on nginx
72 of 73
License
This work is released under the Creative Commons Attribution-Share Alike 4.0 International License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/4.0/ or send a letter to Creative Commons, 444 Castro Street, Suite 900, Mountain View, California, 94041, USA.
https://www.poul.org
73 of 73
nginx.conf
The good ol' days of httpd.conf and .htaccess have ended: nginx.conf kicks in. And your days get even better (maybe) ^^'
There is no per-directory .htaccess equivalent: everything lives in the main configuration, so a stray directive cannot be dropped into the web root by an uploaded file.
29 of 73
Contexts
nginx.conf is organised into nested context blocks: the top-level (main) context, then events (one), http (one), server (many) and location (many).
There is a hierarchy: the events block stands alone; http contains server blocks; a server block contains location blocks.
Directives defined in a higher block (like http) affect all the blocks beneath it (server and location) unless a lower block overrides them.
Pro tip: apply directives in the highest context available, so that each setting is written once and inherited.
30 of 73
nginx.conf stripped-down
    user www-data;
    worker_processes 1;
    pid /run/nginx.pid;

    events {
        worker_connections 128;
    }

    http {
        server {
            location / {
            }
        }
    }
31 of 73
Every time you do this a kitten dies
    http {
        server {
            location / {
                root /var/www/html;
            }
            location /another {
                root /var/www/html;
            }
        }
    }
Repeating root in every location is the classic way to end up with locations that silently point at different directories. Declare root once in the server block and let the locations inherit it.
32 of 73
VirtualHosts :P
    http {
        server {
            listen 80;
            server_name example.org www.example.org;
        }
        server {
            listen 80;
            server_name poul.org www.poul.org;
        }
        server {
            listen 80;
            server_name fluffykittens.it www.fluffykittens.it;
        }
    }
33 of 73
location blocks
When we are in a location context we are usually dealing with files and folders.
Location directives let us tell NGINX what to do when a specific resource is requested.
Such a resource can be targeted with an exact path; in this case we prefix the URI with "=".
Alternatively we can rely on prefix matching (no modifier), or on regex matching: the "~" prefix for case-sensitive matching, "~*" for case-insensitive matching. The "^~" modifier is a prefix match that, when it is the longest prefix matched, stops NGINX from evaluating any regex location at all.
NGINX picks exactly one block per request: an exact "=" match wins; otherwise the longest matching prefix is remembered (and used straight away if it is "^~"); otherwise the first matching regex location in file order wins; otherwise the longest prefix. The order of regex locations in the file therefore matters.
Syntax: location [ = | ~ | ~* | ^~ ] uri { ... }
34 of 73
Examples or GTFO
When I visit http://example.org/downloads I want a list of all the files in that folder:
    location ~ /download {
        autoindex on;
    }
(autoindex shows the directory listing to anyone who asks; keep it scoped to that location.)
We don't want our users to execute scripts from writable folders, RIGHT?
    location ~* /(images|cache|media|logs|tmp)/.*\.(php|pl|py)$ {
        return 403;
        error_page 403 /403_error.html;
    }
Keep this block above the location that hands .php files to PHP-FPM: regex locations are tried in file order and the first match wins.
35 of 73
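The selection rules from the previous slides, re-implemented in a few lines of Python and run over sample URIs. This is an added example for this transcript, not nginx's code nor the slides' configuration: it models the documented algorithm (exact match, longest prefix, ^~, then regexes in file order) so that the effect of placing the "no scripts from writable folders" rule before or after the PHP handler can be seen without a server. The Location/outcome names, the action labels, the extra /static/ location and the URIs are constructed for the demo.

```python
"""Model of nginx's location selection, run over a few constructed URIs."""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Location:
    modifier: str    # '' (prefix), '=', '^~', '~' (regex), '~*' (regex, case-insensitive)
    pattern: str
    action: str      # label for what the block would do; illustrative only


def select_location(locations: List[Location], uri: str) -> Optional[Location]:
    """Return the single location nginx would use for `uri`.

    1. A location with '=' whose string equals the URI wins immediately.
    2. Otherwise remember the longest matching prefix location ('' or '^~').
       If that one is '^~', use it and skip the regexes.
    3. Otherwise the first matching regex location, in configuration order.
    4. Otherwise the longest prefix from step 2 (None if nothing matched).
    """
    longest: Optional[Location] = None
    for loc in locations:
        if loc.modifier == '=' and uri == loc.pattern:
            return loc
        if loc.modifier in ('', '^~') and uri.startswith(loc.pattern):
            if longest is None or len(loc.pattern) > len(longest.pattern):
                longest = loc
    if longest is not None and longest.modifier == '^~':
        return longest
    for loc in locations:
        if loc.modifier in ('~', '~*'):
            flags = re.IGNORECASE if loc.modifier == '~*' else 0
            if re.search(loc.pattern, uri, flags):
                return loc
    return longest


def outcome(locations: List[Location], uri: str) -> Optional[str]:
    """Action label of the selected location, or None when nothing matches."""
    chosen = select_location(locations, uri)
    return chosen.action if chosen else None


# Constructed locations mirroring the slide: a catch-all, a PHP handler and
# the deny rule for script files under directories the web app can write to.
ROOT = Location('', '/', 'serve static file')
PHP_HANDLER = Location('~', r'\.php$', 'fastcgi_pass php-fpm')
DENY_SCRIPTS = Location('~*', r'/(images|cache|media|logs|tmp)/.*\.(php|pl|py)$', 'return 403')
# '^~': when this is the longest prefix match, no regex is consulted at all
STATIC = Location('^~', '/static/', 'serve static file, regexes skipped')

# Regex locations are tried in file order, so the relative order of the
# PHP handler and the deny rule decides what happens to /images/shell.php.
BAD_ORDER = [ROOT, PHP_HANDLER, DENY_SCRIPTS]
GOOD_ORDER = [ROOT, DENY_SCRIPTS, PHP_HANDLER, STATIC]

if __name__ == '__main__':
    for uri in ('/index.php', '/images/logo.png', '/images/shell.php',
                '/IMAGES/Shell.PHP', '/cache/pic.jpg/x.php', '/static/app.php'):
        print(f'{uri:24} bad order: {outcome(BAD_ORDER, uri)!s:24} '
              f'good order: {outcome(GOOD_ORDER, uri)}')
```

With the deny rule listed after the PHP handler, /images/shell.php reaches php-fpm; listed before it, the request gets a 403. The /cache/pic.jpg/x.php case is the one the nginx "Pitfalls" page (in the links) warns about: with PHP's cgi.fix_pathinfo enabled, a request like that can make the interpreter execute pic.jpg. The deny rule only covers the listed directories, so the PHP location should also contain try_files $uri =404; so that only scripts that really exist on disk are passed on.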
Make yourself comfortable
36 of 73
Just Kidding
Demo
37 of 73
PHP-FPM Architecture
Diagram: Request -> nginx -> socket -> FastCGI wrapper (php-fpm pool) -> WordPress / Drupal / ownCloud / $PHP_WebApp
nginx never runs PHP itself: it forwards the request over the FastCGI socket to a php-fpm worker pool, one pool per application (each pool can run under its own Unix user).
39 of 73
php-fpm.conf
    sudo apt-get install php5-fpm
    sudo vim /etc/php5/fpm/pool.d/www.conf      (or emacs, or atom: flame away)
        listen = /var/run/php5-fpm.sock
    sudo service php5-fpm restart
A Unix socket keeps the FastCGI channel off the network. nginx's fastcgi_pass must point at the same path (fastcgi_pass unix:/var/run/php5-fpm.sock;), and the pool's listen.owner / listen.group / listen.mode settings must let the nginx user (www-data) connect.
40 of 73
No way, I want PHP 7
    sudo apt-get install php7.0-fpm      (from https://packages.sury.org/php)
    sudo vim /etc/php/7.0/fpm/pool.d/www.conf      (vim: we have a winner)
        listen = /run/php/php7.0-fpm.sock
    sudo service php7.0-fpm restart
Note that the socket path changes with the version; update fastcgi_pass accordingly. packages.sury.org is a third-party repository: once its signing key is added, its packages are trusted like Debian's own, so pin it to the PHP packages you actually need.
41 of 73
Demo
Demo
42 of 73
"To infinity and beyond"
Ruby: Rails, Sinatra, Puma
Python: Flask, Tornado, Django (the D is silent)
JavaScript: Node.js, Ghost
Anything: Transmission, Syncthing, ympd
44 of 73
Always the same pattern
A service running behind some port (8000, 8080, 8384, 9091, etc.). You want to access it without opening all those ports in your firewall.
You want the features the service lacks: authentication, SSL/TLS.
Put nginx in front as a reverse proxy: it terminates TLS and enforces authentication, then proxies the request to the backend listening on localhost, which never needs to be reachable from outside.
45 of 73
Demo
Demo
46 of 73
Itrsquos a conspiracy
48 of 73
HTTPS: oh yes, the green lock!
SSL/TLS in a nutshell:
Choose a fast symmetric cipher (like AES). This is called, well, the cipher.
Choose a random key for that cipher. This is called the session key.
Agree on that key with the other party using public-key cryptography. The classic way is to encrypt it with the server's RSA public key and send it over; modern TLS instead runs an ephemeral Diffie-Hellman exchange authenticated by the server's key, which is what gives forward secrecy (see the PFS slides).
Then you both have the same AES key and can encrypt all your communications back and forth after that.
The NSA is sad :(
49 of 73
Alice is suspicious
Everything is encrypted, awesome, but is Bob, well, Bob? A digital certificate is an electronic document used to prove ownership of a public key.
The certificate includes information about the key, its owner's identity, and the digital signature of a Certification Authority that vouches for the binding between the two.
A Certification Authority (CA) is an entity that issues digital certificates after verifying that the certificate's content is correct; the client trusts the CA's root certificate and therefore the chain that leads to Bob's.
50 of 73
Arya
51 of 73
Let's Encrypt will be released any second now
53 of 73
any second now
54 of 73
aaaaany second now
55 of 73
now
56 of 73
Thank you
59 of 73
So, we were saying: Let's Encrypt
60 of 73
Features (sounds good)
Free, Automatic, Secure, Transparent, Open, Cooperative
61 of 73
Under the hood
When you run the letsencrypt client, a few tasks are performed (https://letsencrypt.org/how-it-works):
Domain validation (DNS or HTTP): the client proves control of example.com either by provisioning a DNS TXT record under example.com, or by provisioning an HTTP resource under a well-known URI (/.well-known/acme-challenge/) on example.com, which the CA fetches over plain HTTP on port 80.
Certificate issuance: the CA signs a certificate for the validated names.
Certificates are valid for 90 days, so repeat every 2-3 months (yes, a script or a cron job is helpful).
62 of 73
Plugins
https://letsencrypt.readthedocs.io/en/latest/using.html
apache: automates obtaining and installing a cert with Apache 2.4 on Debian-based distributions.
webroot: obtains a cert by writing the challenge file into the web root directory of an already running web server.
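What the domain validation described on the "Under the hood" slide actually checks, and what the webroot plugin therefore has to place in the web root, as an added example for this transcript (it is not code from the letsencrypt or certbot clients, nor from the slides). From an ACME account key and a challenge token it derives the exact values a CA looks for during HTTP-01 and DNS-01 validation, following RFC 8555 (sections 8.1, 8.3 and 8.4) and the JWK thumbprint of RFC 7638. ACCOUNT_JWK and TOKEN are constructed stand-ins with toy values so the script runs offline; neither is a real key or a real challenge.

```python
"""Derive the HTTP-01 and DNS-01 challenge responses an ACME CA expects."""
import base64
import hashlib
import json
from typing import Dict


def b64url(data: bytes) -> str:
    """base64url without '=' padding, the encoding JOSE and ACME use."""
    return base64.urlsafe_b64encode(data).rstrip(b'=').decode('ascii')


# RFC 7638: only the required public members, lexicographically ordered and
# serialised without whitespace, go into the SHA-256 thumbprint.
THUMBPRINT_MEMBERS = {'RSA': ('e', 'kty', 'n'), 'EC': ('crv', 'kty', 'x', 'y')}


def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    members = {name: jwk[name] for name in THUMBPRINT_MEMBERS[jwk['kty']]}
    canonical = json.dumps(members, separators=(',', ':'), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode('utf-8')).digest())


def key_authorization(token: str, account_jwk: Dict[str, str]) -> str:
    """token '.' thumbprint: ties the challenge to this ACME account."""
    return f'{token}.{jwk_thumbprint(account_jwk)}'


def http01_response(token: str, account_jwk: Dict[str, str]) -> Dict[str, str]:
    """Path the CA fetches over plain HTTP (port 80) and the body it expects.

    The webroot plugin writes exactly this file under the web root; the
    server block for port 80 has to serve it, un-redirected and without
    authentication.
    """
    return {'path': f'/.well-known/acme-challenge/{token}',
            'body': key_authorization(token, account_jwk)}


def dns01_record(domain: str, token: str, account_jwk: Dict[str, str]) -> Dict[str, str]:
    """TXT record the CA resolves; the value is the hashed key authorization."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode('ascii')).digest()
    return {'name': f'_acme-challenge.{domain}', 'type': 'TXT', 'value': b64url(digest)}


def ca_accepts_http01(served_body: str, token: str, account_jwk: Dict[str, str]) -> bool:
    """The CA-side comparison; whitespace after the body is ignored (RFC 8555 8.3)."""
    return served_body.rstrip() == key_authorization(token, account_jwk)


# Constructed stand-in for an ACME account public key. Real moduli are
# 2048+ bits; these short values only exercise the encoding. The extra
# members (alg, kid) are deliberately present: thumbprints must ignore them.
ACCOUNT_JWK = {'kty': 'RSA', 'n': b64url(b'constructed-modulus'), 'e': 'AQAB',
               'alg': 'RS256', 'kid': 'https://acme.example/acct/1'}
# A constructed token, standing in for the one the CA sends in the challenge.
TOKEN = 'constructed-token-0123456789'

if __name__ == '__main__':
    print(http01_response(TOKEN, ACCOUNT_JWK))
    print(dns01_record('example.com', TOKEN, ACCOUNT_JWK))
```

The practical consequence for nginx: a port-80 server block that redirects everything to HTTPS, or that sits behind HTTP basic auth, must still serve /.well-known/acme-challenge/ from the directory the webroot plugin writes to, otherwise the CA never sees the key authorization and validation fails.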
standalone Uses a ldquostandalonerdquo webserver to obtain a certRequires port 80 or 443 to be available
manual Helps you obtain a cert by giving you instructions toperform domain validation yourself
nginx Very experimental and not included in letsencrypt-auto D
63 of 73
Demo
Demo
64 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links65 of 73
Meet your new best friend (SSL Test)
httpswwwssllabscomssltestindexhtml
66 of 73
HTTP Strict Transport Security (HSTS)
It is an HTTP header sent from the server to the client Such header informs the client that HTTPS is availbale for therequested website
The ldquomax-agerdquo parameters sets the validity of this information (inseconds)
67 of 73
Enable HSTS in NGINX
Enabling HSTS is as simple as adding a common HTTP headerserver
listen 443 ssl
Force HSTSadd_header Strict -Transport -Security max -age =15768000
68 of 73
Perfect Forward Secrecy (PFS)
Letrsquos say someone intercepts and stores all our encryptedcommunications I know who would ever do that (cough)
If the private key is compromiseddeciphered all the previouscommunications could be unencrypted and read
Solution Use a new key for each session Call that key ldquoephimeralrdquo
69 of 73
PFS Pretty please with sugar on top
Just use the right cipherserver
listen 443 ssl
ssl_prefer_server_ciphers onssl_ciphers rsquoECDHE -RSA -AES128 -GCM -SHA256 rsquo
70 of 73
NGINX Links
Getting Started
NGINX PitfallsNGINX Admin GuideNGINX PrimerNGINXTIPSNGINX Doc and Modules ReferenceUnderstanding Nginx Server and Location Block Selection AlgorithmsUnderstanding the Nginx Configuration File Structure andConfiguration Contexts
71 of 73
HTTPS Links
HTTPS
BetterCryptoMozilla Config GeneratorCipherlistWhy You Should Always Use HTTPSHardening NGINX SSLTSL ConfigurationStrong SSL Security on nginx
72 of 73
License
mediaDatiSyncthingslide_nginx2015imagescc-by-sa_iconpng
Questrsquoopera egrave rilasciata sotto la licenza Creative Commons Attribution-Share Alike 40International License Per visualizzare una copia di questa licenza visitarehttpcreativecommonsorglicensesby-sa40 o inviare una lettera a CreativeCommons 444 Castro Street Suite 900 Mountain View California 94041 USA
httpswwwpoulorg
73 of 73
- Introduction
-
- HTTP 101
- NGINX Architecture
- Can I try this at home
-
- Installation and Configuration
-
- Installing on Debian
- Configuration
- PHP-FPM
- Reverse Proxy
-
- Security
-
- SSLTLS and HTTPS
- Lets Encrypt
- HTTPS Hardening
-
- Links
-
Contexts
nginxconf is divided into five four contexts blocks (main)events(1) http(1) server(n) and location(n)
There is a hierarchy the events block is standalone httpcontains server blocks a server block contains location blocks
Directives defined in an higher block (like http) affect all theunderlying blocks (server and location)
Pro Tip apply directives in the highest context available
30 of 73
nginxconf stripped-down
user www -dataworker_processes 1pid runnginxpid
events worker_connections 128
http
server
location
31 of 73
Every time you do this a kitten dies
http
server
location root varwwwhtml
location another root varwwwhtml
32 of 73
VirtualHosts P
httpserver
listen 80server_name exampleorg wwwexampleorg
server listen 80server_name poulorg wwwpoulorg
server listen 80server_name fluffykittensit wwwfluffykittensit
33 of 73
location blocks
When we are in a location context we are usually dealing with filesand folders
Location diectives allow us to tell NGINX what to do when aspecific resource is requested
Such resource can be targeted using an exact path In this case we will prefix the uri with ldquo=rdquo
Alternatively we can rely on regex matching ~ prefix for case sensitive matching ~ prefix for case insensitive matching
Syntax l o c a t i o n [ = | ~ | ~lowast | ^~ ] u r i
34 of 73
Examples or GTFO
When I visit httpexampleorgdownloads I want a list of all thefiles in that folder
l o c a t i o n ~ download au to i ndex on
We donrsquot want our users to execute scripts from write accessbilefolders RIGHT
l o c a t i o n ~lowast ( images | cache | media | l o g s | tmp ) lowast ( php | p l | py ) $ r e t u r n 403 e r ro r_page 403 403 _er ro r html
35 of 73
Examples or GTFO
When I visit httpexampleorgdownloads I want a list of all thefiles in that folder
l o c a t i o n ~ download au to i ndex on
We donrsquot want our users to execute scripts from write accessbilefolders RIGHT
l o c a t i o n ~lowast ( images | cache | media | l o g s | tmp ) lowast ( php | p l | py ) $ r e t u r n 403 e r ro r_page 403 403 _er ro r html
35 of 73
Make yourself comfortable
36 of 73
Just Kidding
Demo
37 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links38 of 73
PHP-FPM Architecture
Request Nginx Socket
FastCGI Wrapper Wordpress
FastCGI Wrapper Drupal
FastCGI Wrapper ownCloud
FastCGI Wrapper $PHP_WebApp
39 of 73
php-fpmconf
sudo apt-get install php5-fpm sudo vimemacsatom(flame)etcphp5fpmpooldwwwconf
listen = varrunphp5-fpmsock sudo service php5-fpm restart
40 of 73
No way I want PHP 7
sudo apt-get install php70-fpm (httpspackagessuryorgphp) sudo vim (we have a winner)etcphp70fpmpooldwwwconf
listen = runphpphp70-fpmsock sudo service php70-fpm restart
41 of 73
Demo
Demo
42 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links43 of 73
ldquoTo infinity and beyondrdquo
Ruby RailsSinatraPuma Python FlaskTornadoDjango (the D is silent) JavaScript NodejsGhost Anything TransmissionSyncthingympd
44 of 73
Always the same pattern
A service running behind some port (8000 8080 8384 9091 etc) You want to access it without opening all those ports in yourfirewall
You want advanced settings Authentication SSLTLS
45 of 73
Demo
Demo
46 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links47 of 73
Itrsquos a conspiracy
48 of 73
HTTPS Oh yes the green lock |
SSLTLS in a nutshell Choose a fast symmetric cipher (like AES) This is called well thecipher
Choose a random key for that cipher This is called the sessionkey
Encrypt that key using RSA (public key crypto) and send it to theperson yoursquore communicating with
Then you both have the same AES key and can encrypt all yourcommunications back and forth after that
The NSA is sad (
49 of 73
Alice is suspicious
Everything is encrypted awesome but is Bob well Bob A digital certificate is an electronic document used to proveownership of a public key
The certificate includes information about the key its ownerrsquosidentity and the digital signature of a Certification Authority
A Certification Authority(CA) is an entity that issues digitalcertificates and verifies that the certificatersquos content is correct
50 of 73
Arya
51 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links52 of 73
Letrsquos Encrypt will be released any second now
53 of 73
any second now
54 of 73
aaaaany second now
55 of 73
now
56 of 73
57 of 73
58 of 73
Thank you
59 of 73
So we were saying Letrsquos Encrypt
60 of 73
Features - sounds good
Free Automatic Secure Transparent Open Cooperative
61 of 73
Under the hood
When you run the letsencrypt client a few tasks are performedhttpsletsencryptorghow-it-works Domain Validation (DNS or HTTP)
Provisioning a DNS record under examplecom Provisioning an HTTP resource under a well-known URI on
httpsexamplecom
Certificate Issuance Repeat every 23 months (yes a script would be helpful)
62 of 73
Plugins
httpsletsencryptreadthedocsioenlatestusinghtml apache Automates obtaining and installing a cert with Apache 24on Debian-based distributions
webroot Obtains a cert by writing to the webroot directory of analready running webserver
standalone Uses a ldquostandalonerdquo webserver to obtain a certRequires port 80 or 443 to be available
manual Helps you obtain a cert by giving you instructions toperform domain validation yourself
nginx Very experimental and not included in letsencrypt-auto D
63 of 73
Demo
Demo
64 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links65 of 73
Meet your new best friend (SSL Test)
httpswwwssllabscomssltestindexhtml
66 of 73
HTTP Strict Transport Security (HSTS)
It is an HTTP header sent from the server to the client Such header informs the client that HTTPS is availbale for therequested website
The ldquomax-agerdquo parameters sets the validity of this information (inseconds)
67 of 73
Enable HSTS in NGINX
Enabling HSTS is as simple as adding a common HTTP headerserver
listen 443 ssl
Force HSTSadd_header Strict -Transport -Security max -age =15768000
68 of 73
Perfect Forward Secrecy (PFS)
Letrsquos say someone intercepts and stores all our encryptedcommunications I know who would ever do that (cough)
If the private key is compromiseddeciphered all the previouscommunications could be unencrypted and read
Solution Use a new key for each session Call that key ldquoephimeralrdquo
69 of 73
PFS Pretty please with sugar on top
Just use the right cipherserver
listen 443 ssl
ssl_prefer_server_ciphers onssl_ciphers rsquoECDHE -RSA -AES128 -GCM -SHA256 rsquo
70 of 73
NGINX Links
Getting Started
NGINX PitfallsNGINX Admin GuideNGINX PrimerNGINXTIPSNGINX Doc and Modules ReferenceUnderstanding Nginx Server and Location Block Selection AlgorithmsUnderstanding the Nginx Configuration File Structure andConfiguration Contexts
71 of 73
HTTPS Links
HTTPS
BetterCryptoMozilla Config GeneratorCipherlistWhy You Should Always Use HTTPSHardening NGINX SSLTSL ConfigurationStrong SSL Security on nginx
72 of 73
License
mediaDatiSyncthingslide_nginx2015imagescc-by-sa_iconpng
Questrsquoopera egrave rilasciata sotto la licenza Creative Commons Attribution-Share Alike 40International License Per visualizzare una copia di questa licenza visitarehttpcreativecommonsorglicensesby-sa40 o inviare una lettera a CreativeCommons 444 Castro Street Suite 900 Mountain View California 94041 USA
httpswwwpoulorg
73 of 73
- Introduction
-
- HTTP 101
- NGINX Architecture
- Can I try this at home
-
- Installation and Configuration
-
- Installing on Debian
- Configuration
- PHP-FPM
- Reverse Proxy
-
- Security
-
- SSLTLS and HTTPS
- Lets Encrypt
- HTTPS Hardening
-
- Links
-
nginxconf stripped-down
user www -dataworker_processes 1pid runnginxpid
events worker_connections 128
http
server
location
31 of 73
Every time you do this a kitten dies
http
server
location root varwwwhtml
location another root varwwwhtml
32 of 73
VirtualHosts P
httpserver
listen 80server_name exampleorg wwwexampleorg
server listen 80server_name poulorg wwwpoulorg
server listen 80server_name fluffykittensit wwwfluffykittensit
33 of 73
location blocks
When we are in a location context we are usually dealing with filesand folders
Location diectives allow us to tell NGINX what to do when aspecific resource is requested
Such resource can be targeted using an exact path In this case we will prefix the uri with ldquo=rdquo
Alternatively we can rely on regex matching ~ prefix for case sensitive matching ~ prefix for case insensitive matching
Syntax l o c a t i o n [ = | ~ | ~lowast | ^~ ] u r i
34 of 73
Examples or GTFO
When I visit httpexampleorgdownloads I want a list of all thefiles in that folder
l o c a t i o n ~ download au to i ndex on
We donrsquot want our users to execute scripts from write accessbilefolders RIGHT
l o c a t i o n ~lowast ( images | cache | media | l o g s | tmp ) lowast ( php | p l | py ) $ r e t u r n 403 e r ro r_page 403 403 _er ro r html
35 of 73
Examples or GTFO
When I visit httpexampleorgdownloads I want a list of all thefiles in that folder
l o c a t i o n ~ download au to i ndex on
We donrsquot want our users to execute scripts from write accessbilefolders RIGHT
l o c a t i o n ~lowast ( images | cache | media | l o g s | tmp ) lowast ( php | p l | py ) $ r e t u r n 403 e r ro r_page 403 403 _er ro r html
35 of 73
Make yourself comfortable
36 of 73
Just Kidding
Demo
37 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links38 of 73
PHP-FPM Architecture
Request Nginx Socket
FastCGI Wrapper Wordpress
FastCGI Wrapper Drupal
FastCGI Wrapper ownCloud
FastCGI Wrapper $PHP_WebApp
39 of 73
php-fpmconf
sudo apt-get install php5-fpm sudo vimemacsatom(flame)etcphp5fpmpooldwwwconf
listen = varrunphp5-fpmsock sudo service php5-fpm restart
40 of 73
No way I want PHP 7
sudo apt-get install php70-fpm (httpspackagessuryorgphp) sudo vim (we have a winner)etcphp70fpmpooldwwwconf
listen = runphpphp70-fpmsock sudo service php70-fpm restart
41 of 73
Demo
Demo
42 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links43 of 73
ldquoTo infinity and beyondrdquo
Ruby RailsSinatraPuma Python FlaskTornadoDjango (the D is silent) JavaScript NodejsGhost Anything TransmissionSyncthingympd
44 of 73
Always the same pattern
A service running behind some port (8000 8080 8384 9091 etc) You want to access it without opening all those ports in yourfirewall
You want advanced settings Authentication SSLTLS
45 of 73
Demo
Demo
46 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links47 of 73
Itrsquos a conspiracy
48 of 73
HTTPS Oh yes the green lock |
SSLTLS in a nutshell Choose a fast symmetric cipher (like AES) This is called well thecipher
Choose a random key for that cipher This is called the sessionkey
Encrypt that key using RSA (public key crypto) and send it to theperson yoursquore communicating with
Then you both have the same AES key and can encrypt all yourcommunications back and forth after that
The NSA is sad (
49 of 73
Alice is suspicious
Everything is encrypted awesome but is Bob well Bob A digital certificate is an electronic document used to proveownership of a public key
The certificate includes information about the key its ownerrsquosidentity and the digital signature of a Certification Authority
A Certification Authority(CA) is an entity that issues digitalcertificates and verifies that the certificatersquos content is correct
50 of 73
Arya
51 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links52 of 73
Letrsquos Encrypt will be released any second now
53 of 73
any second now
54 of 73
aaaaany second now
55 of 73
now
56 of 73
57 of 73
58 of 73
Thank you
59 of 73
So we were saying Letrsquos Encrypt
60 of 73
Features - sounds good
Free Automatic Secure Transparent Open Cooperative
61 of 73
Under the hood
When you run the letsencrypt client a few tasks are performedhttpsletsencryptorghow-it-works Domain Validation (DNS or HTTP)
Provisioning a DNS record under examplecom Provisioning an HTTP resource under a well-known URI on
httpsexamplecom
Certificate Issuance Repeat every 23 months (yes a script would be helpful)
62 of 73
Plugins
httpsletsencryptreadthedocsioenlatestusinghtml apache Automates obtaining and installing a cert with Apache 24on Debian-based distributions
webroot Obtains a cert by writing to the webroot directory of analready running webserver
standalone Uses a ldquostandalonerdquo webserver to obtain a certRequires port 80 or 443 to be available
manual Helps you obtain a cert by giving you instructions toperform domain validation yourself
nginx Very experimental and not included in letsencrypt-auto D
63 of 73
Demo
Demo
64 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links65 of 73
Meet your new best friend (SSL Test)
httpswwwssllabscomssltestindexhtml
66 of 73
HTTP Strict Transport Security (HSTS)
It is an HTTP header sent from the server to the client Such header informs the client that HTTPS is availbale for therequested website
The ldquomax-agerdquo parameters sets the validity of this information (inseconds)
67 of 73
Enable HSTS in NGINX
Enabling HSTS is as simple as adding a common HTTP headerserver
listen 443 ssl
Force HSTSadd_header Strict -Transport -Security max -age =15768000
68 of 73
Perfect Forward Secrecy (PFS)
Letrsquos say someone intercepts and stores all our encryptedcommunications I know who would ever do that (cough)
If the private key is compromiseddeciphered all the previouscommunications could be unencrypted and read
Solution Use a new key for each session Call that key ldquoephimeralrdquo
69 of 73
PFS Pretty please with sugar on top
Just use the right cipherserver
listen 443 ssl
ssl_prefer_server_ciphers onssl_ciphers rsquoECDHE -RSA -AES128 -GCM -SHA256 rsquo
70 of 73
NGINX Links
Getting Started
NGINX PitfallsNGINX Admin GuideNGINX PrimerNGINXTIPSNGINX Doc and Modules ReferenceUnderstanding Nginx Server and Location Block Selection AlgorithmsUnderstanding the Nginx Configuration File Structure andConfiguration Contexts
71 of 73
HTTPS Links
HTTPS
BetterCryptoMozilla Config GeneratorCipherlistWhy You Should Always Use HTTPSHardening NGINX SSLTSL ConfigurationStrong SSL Security on nginx
72 of 73
License
mediaDatiSyncthingslide_nginx2015imagescc-by-sa_iconpng
Questrsquoopera egrave rilasciata sotto la licenza Creative Commons Attribution-Share Alike 40International License Per visualizzare una copia di questa licenza visitarehttpcreativecommonsorglicensesby-sa40 o inviare una lettera a CreativeCommons 444 Castro Street Suite 900 Mountain View California 94041 USA
httpswwwpoulorg
73 of 73
- Introduction
-
- HTTP 101
- NGINX Architecture
- Can I try this at home
-
- Installation and Configuration
-
- Installing on Debian
- Configuration
- PHP-FPM
- Reverse Proxy
-
- Security
-
- SSLTLS and HTTPS
- Lets Encrypt
- HTTPS Hardening
-
- Links
-
Every time you do this a kitten dies
http
server
location root varwwwhtml
location another root varwwwhtml
32 of 73
VirtualHosts P
httpserver
listen 80server_name exampleorg wwwexampleorg
server listen 80server_name poulorg wwwpoulorg
server listen 80server_name fluffykittensit wwwfluffykittensit
33 of 73
location blocks
When we are in a location context we are usually dealing with filesand folders
Location diectives allow us to tell NGINX what to do when aspecific resource is requested
Such resource can be targeted using an exact path In this case we will prefix the uri with ldquo=rdquo
Alternatively we can rely on regex matching ~ prefix for case sensitive matching ~ prefix for case insensitive matching
Syntax l o c a t i o n [ = | ~ | ~lowast | ^~ ] u r i
34 of 73
Examples or GTFO
When I visit httpexampleorgdownloads I want a list of all thefiles in that folder
l o c a t i o n ~ download au to i ndex on
We donrsquot want our users to execute scripts from write accessbilefolders RIGHT
l o c a t i o n ~lowast ( images | cache | media | l o g s | tmp ) lowast ( php | p l | py ) $ r e t u r n 403 e r ro r_page 403 403 _er ro r html
35 of 73
Examples or GTFO
When I visit httpexampleorgdownloads I want a list of all thefiles in that folder
l o c a t i o n ~ download au to i ndex on
We donrsquot want our users to execute scripts from write accessbilefolders RIGHT
l o c a t i o n ~lowast ( images | cache | media | l o g s | tmp ) lowast ( php | p l | py ) $ r e t u r n 403 e r ro r_page 403 403 _er ro r html
35 of 73
Make yourself comfortable
36 of 73
Just Kidding
Demo
37 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links38 of 73
PHP-FPM Architecture
Request Nginx Socket
FastCGI Wrapper Wordpress
FastCGI Wrapper Drupal
FastCGI Wrapper ownCloud
FastCGI Wrapper $PHP_WebApp
39 of 73
php-fpmconf
sudo apt-get install php5-fpm sudo vimemacsatom(flame)etcphp5fpmpooldwwwconf
listen = varrunphp5-fpmsock sudo service php5-fpm restart
40 of 73
No way I want PHP 7
sudo apt-get install php70-fpm (httpspackagessuryorgphp) sudo vim (we have a winner)etcphp70fpmpooldwwwconf
listen = runphpphp70-fpmsock sudo service php70-fpm restart
41 of 73
Demo
Demo
42 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links43 of 73
ldquoTo infinity and beyondrdquo
Ruby RailsSinatraPuma Python FlaskTornadoDjango (the D is silent) JavaScript NodejsGhost Anything TransmissionSyncthingympd
44 of 73
Always the same pattern
A service running behind some port (8000 8080 8384 9091 etc) You want to access it without opening all those ports in yourfirewall
You want advanced settings Authentication SSLTLS
45 of 73
Demo
Demo
46 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links47 of 73
Itrsquos a conspiracy
48 of 73
HTTPS Oh yes the green lock |
SSLTLS in a nutshell Choose a fast symmetric cipher (like AES) This is called well thecipher
Choose a random key for that cipher This is called the sessionkey
Encrypt that key using RSA (public key crypto) and send it to theperson yoursquore communicating with
Then you both have the same AES key and can encrypt all yourcommunications back and forth after that
The NSA is sad (
49 of 73
Alice is suspicious
Everything is encrypted awesome but is Bob well Bob A digital certificate is an electronic document used to proveownership of a public key
The certificate includes information about the key its ownerrsquosidentity and the digital signature of a Certification Authority
A Certification Authority(CA) is an entity that issues digitalcertificates and verifies that the certificatersquos content is correct
50 of 73
Arya
51 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links52 of 73
Letrsquos Encrypt will be released any second now
53 of 73
any second now
54 of 73
aaaaany second now
55 of 73
now
56 of 73
57 of 73
58 of 73
Thank you
59 of 73
So we were saying Letrsquos Encrypt
60 of 73
Features - sounds good
Free Automatic Secure Transparent Open Cooperative
61 of 73
Under the hood
When you run the letsencrypt client a few tasks are performedhttpsletsencryptorghow-it-works Domain Validation (DNS or HTTP)
Provisioning a DNS record under examplecom Provisioning an HTTP resource under a well-known URI on
httpsexamplecom
Certificate Issuance Repeat every 23 months (yes a script would be helpful)
62 of 73
Plugins
httpsletsencryptreadthedocsioenlatestusinghtml apache Automates obtaining and installing a cert with Apache 24on Debian-based distributions
webroot Obtains a cert by writing to the webroot directory of analready running webserver
standalone Uses a ldquostandalonerdquo webserver to obtain a certRequires port 80 or 443 to be available
manual Helps you obtain a cert by giving you instructions toperform domain validation yourself
nginx Very experimental and not included in letsencrypt-auto D
63 of 73
Demo
Demo
64 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links65 of 73
Meet your new best friend (SSL Test)
httpswwwssllabscomssltestindexhtml
66 of 73
HTTP Strict Transport Security (HSTS)
It is an HTTP header sent from the server to the client Such header informs the client that HTTPS is availbale for therequested website
The ldquomax-agerdquo parameters sets the validity of this information (inseconds)
67 of 73
Enable HSTS in NGINX
Enabling HSTS is as simple as adding a common HTTP headerserver
listen 443 ssl
Force HSTSadd_header Strict -Transport -Security max -age =15768000
68 of 73
Perfect Forward Secrecy (PFS)
Letrsquos say someone intercepts and stores all our encryptedcommunications I know who would ever do that (cough)
If the private key is compromiseddeciphered all the previouscommunications could be unencrypted and read
Solution Use a new key for each session Call that key ldquoephimeralrdquo
69 of 73
PFS: Pretty please, with sugar on top
Just use the right cipher:

    server {
        listen 443 ssl;
        ssl_prefer_server_ciphers on;
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256';
    }
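As an added example (not code from the slides), the following POSIX shell script audits an nginx server block for the two hardening points above: an HSTS header with a max-age of at least the slide's 15768000 seconds, and a cipher list made only of ECDHE/DHE suites. Both server blocks inside it are constructed fragments; the weak one exists only for contrast, and the max-age threshold is simply the slide's own value.

```shell
#!/bin/sh
# Added example: audit an nginx server block for the HSTS and PFS settings
# shown on the slides. Both configs below are constructed fragments (no
# ssl_certificate lines) and only exercise the directives being checked.

# Minimum HSTS max-age we accept: the slide's own value (half a year).
MIN_HSTS_AGE=15768000

HARDENED='server {
    listen 443 ssl;
    # Force HSTS
    add_header Strict-Transport-Security max-age=15768000;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256";
}'

# Constructed weak counterpart: short HSTS, client-chosen ciphers, and a
# plain RSA key exchange suite that gives no forward secrecy.
WEAK='server {
    listen 443 ssl;
    add_header Strict-Transport-Security max-age=300;
    ssl_prefer_server_ciphers off;
    ssl_ciphers "AES128-SHA:ECDHE-RSA-AES128-GCM-SHA256";
}'

# Print the max-age of the Strict-Transport-Security header, or nothing.
hsts_max_age() {
    printf '%s\n' "$1" |
        sed -n 's/.*Strict-Transport-Security[^;]*max-age=\([0-9]*\).*/\1/p' | head -n 1
}

# Print the ssl_ciphers value with quotes and the trailing ';' stripped.
ssl_ciphers_value() {
    printf '%s\n' "$1" | awk -v q="'" '
        $1 == "ssl_ciphers" {
            sub(/;.*$/, "")          # drop the terminating semicolon
            $1 = ""                  # drop the directive name
            gsub("[ \"]", ""); gsub(q, "")
            print; exit
        }'
}

# Print every entry of a colon-separated cipher list that is not an explicit
# ECDHE-/DHE- suite. Exclusions (!aNULL) are skipped; OpenSSL group keywords
# such as HIGH are reported because they expand to RSA key exchange suites too.
non_pfs_suites() {
    printf '%s\n' "$1" | tr ':' '\n' | grep -Ev '^(ECDHE-|DHE-|!)' || true
}

# Audit a server block; prints one FAIL line per finding and returns their count.
audit_conf() {
    conf=$1
    problems=0
    if ! printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*listen[[:space:]]+443[[:space:]]+ssl'; then
        echo "FAIL: no 'listen 443 ssl' (HSTS belongs on the HTTPS server block)"
        problems=$((problems + 1))
    fi
    age=$(hsts_max_age "$conf")
    if [ -z "$age" ]; then
        echo "FAIL: Strict-Transport-Security header missing"
        problems=$((problems + 1))
    elif [ "$age" -lt "$MIN_HSTS_AGE" ]; then
        echo "FAIL: HSTS max-age=$age is below $MIN_HSTS_AGE seconds"
        problems=$((problems + 1))
    fi
    if ! printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*ssl_prefer_server_ciphers[[:space:]]+on'; then
        echo "FAIL: ssl_prefer_server_ciphers is not on (the client picks the suite)"
        problems=$((problems + 1))
    fi
    ciphers=$(ssl_ciphers_value "$conf")
    if [ -z "$ciphers" ]; then
        echo "FAIL: ssl_ciphers not set, nginx's default list is not limited to PFS suites"
        problems=$((problems + 1))
    else
        weak=$(non_pfs_suites "$ciphers")
        if [ -n "$weak" ]; then
            echo "FAIL: suites without forward secrecy: $(printf '%s' "$weak" | tr '\n' ' ')"
            problems=$((problems + 1))
        fi
    fi
    return "$problems"
}

echo "== hardened =="; audit_conf "$HARDENED" && echo "OK"
echo "== weak =="; audit_conf "$WEAK" || echo "$? problem(s)"
```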
NGINX Links
Getting Started
- NGINX Pitfalls
- NGINX Admin Guide
- NGINX Primer
- NGINX TIPS
- NGINX Doc and Modules Reference
- Understanding Nginx Server and Location Block Selection Algorithms
- Understanding the Nginx Configuration File Structure and Configuration Contexts
HTTPS Links
HTTPS
- BetterCrypto
- Mozilla Config Generator
- Cipherlist
- Why You Should Always Use HTTPS
- Hardening NGINX SSL/TLS Configuration
- Strong SSL Security on nginx
License
This work is licensed under the Creative Commons Attribution-Share Alike 4.0 International License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/4.0/ or send a letter to Creative Commons, 444 Castro Street, Suite 900, Mountain View, California, 94041, USA.
https://www.poul.org
- Introduction
  - HTTP 101
  - NGINX Architecture
  - Can I try this at home
- Installation and Configuration
  - Installing on Debian
  - Configuration
  - PHP-FPM
  - Reverse Proxy
- Security
  - SSL/TLS and HTTPS
  - Let's Encrypt
  - HTTPS Hardening
- Links
VirtualHosts :P

    http {
        server {
            listen 80;
            server_name example.org www.example.org;
        }
        server {
            listen 80;
            server_name poul.org www.poul.org;
        }
        server {
            listen 80;
            server_name fluffykittens.it www.fluffykittens.it;
        }
    }
location blocks
When we are in a location context we are usually dealing with files and folders.
Location directives allow us to tell NGINX what to do when a specific resource is requested.
Such a resource can be targeted using an exact path. In this case we will prefix the URI with "=".
Alternatively we can rely on regex matching: the ~ prefix for case sensitive matching, the ~* prefix for case insensitive matching.
Syntax: location [ = | ~ | ~* | ^~ ] uri { ... }
Examples or GTFO
When I visit http://example.org/downloads I want a list of all the files in that folder:

    location ~ /download {
        autoindex on;
    }

We don't want our users to execute scripts from write-accessible folders, RIGHT?

    location ~* /(images|cache|media|logs|tmp)/.*\.(php|pl|py)$ {
        return 403;
        error_page 403 /403_error.html;
    }
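As an added example (not code from the slides), this POSIX shell script replays the two location regexes above against constructed request URIs with grep -E, so you can see what the 403 rule really covers before relying on it. The "uploads" directory in the writable-folder list is an assumption added here to show a gap the slide's pattern leaves open.

```shell
#!/bin/sh
# Added example: replay the slide's two regex locations against sample URIs.
# nginx evaluates regex locations in the order they appear in the config and
# the first match wins, so the order below mirrors the slide.

# `location ~ /download` : case sensitive
DOWNLOAD_RE='/download'
# `location ~* /(images|cache|media|logs|tmp)/.*\.(php|pl|py)$` : case insensitive
NOEXEC_RE='/(images|cache|media|logs|tmp)/.*\.(php|pl|py)$'

# Print which location would handle the URI: "autoindex", "403" or "default".
# grep -E is close enough to nginx's PCRE for these two patterns.
classify() {
    uri=$1
    if printf '%s\n' "$uri" | grep -Eq "$DOWNLOAD_RE"; then
        echo autoindex
    elif printf '%s\n' "$uri" | grep -Eiq "$NOEXEC_RE"; then
        echo 403
    else
        echo default
    fi
}

# Constructed list of directories the web app can write to. "uploads" is an
# assumption added here to show that the slide's rule does not cover it.
WRITABLE_DIRS="images cache media logs tmp uploads"

# Print each writable directory from which a .php file would NOT get a 403.
uncovered_dirs() {
    for d in $WRITABLE_DIRS; do
        [ "$(classify "/$d/probe.php")" = 403 ] || printf '%s\n' "$d"
    done
}

# Read URIs from stdin (one per line) and count how many would be blocked.
count_blocked() {
    n=0
    while IFS= read -r uri; do
        if [ "$(classify "$uri")" = 403 ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Constructed sample request URIs
SAMPLE_URIS='/images/cat.jpg
/images/shell.php
/IMAGES/Shell.PHP
/media/2016/05/report.pdf
/tmp/a/b/c.py
/uploads/shell.php
/download/
/Download/'

printf '%s\n' "$SAMPLE_URIS" | while IFS= read -r uri; do
    printf '%-28s %s\n' "$uri" "$(classify "$uri")"
done
echo "blocked: $(printf '%s\n' "$SAMPLE_URIS" | count_blocked)"
echo "writable dirs not covered by the 403 rule: $(uncovered_dirs | tr '\n' ' ')"
```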
Make yourself comfortable
Just Kidding
Demo
PHP-FPM Architecture
Request -> Nginx -> Socket -> FastCGI Wrapper -> WordPress / Drupal / ownCloud / $PHP_WebApp (one FastCGI wrapper per application)
php-fpm.conf

    sudo apt-get install php5-fpm
    sudo vim/emacs/atom (flame) /etc/php5/fpm/pool.d/www.conf
    listen = /var/run/php5-fpm.sock
    sudo service php5-fpm restart
No way, I want PHP 7

    sudo apt-get install php7.0-fpm    (https://packages.sury.org/php/)
    sudo vim (we have a winner) /etc/php/7.0/fpm/pool.d/www.conf
    listen = /run/php/php7.0-fpm.sock
    sudo service php7.0-fpm restart
Demo
"To infinity and beyond"
- Ruby: Rails, Sinatra, Puma
- Python: Flask, Tornado, Django (the D is silent)
- JavaScript: Node.js, Ghost
- Anything: Transmission, Syncthing, ympd
Always the same pattern
- A service running behind some port (8000, 8080, 8384, 9091, etc.)
- You want to access it without opening all those ports in your firewall
- You want advanced settings: Authentication, SSL/TLS
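As an added example (not code from the slides), this POSIX shell function writes the nginx server blocks for the pattern above: TLS, basic auth, and proxying to a service bound to a loopback port, refusing any upstream that is not on localhost, since the point is that the service's own port never needs opening in the firewall. The port-80 block also serves the ACME well-known path the Let's Encrypt webroot plugin from the "Under the hood" slide uses; the hostname, the 8384 port (taken from the slide's list), the htpasswd path and the certificate paths are placeholders.

```shell
#!/bin/sh
# Added example: generate a reverse-proxy server block for the pattern on the
# slide. Hostnames, ports and file paths below are placeholders.

# Print the nginx config for SITE proxying to UPSTREAM (host:port).
# Returns 1 and prints nothing if the upstream is not on loopback, because
# the whole point is that the backend port stays closed to the outside.
gen_proxy_vhost() {
    site=$1
    upstream=$2
    case $upstream in
        127.0.0.1:*|localhost:*|\[::1\]:*) ;;
        *) echo "refusing non-loopback upstream: $upstream" >&2; return 1 ;;
    esac
    port=${upstream##*:}
    case $port in
        ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
    esac
    # Inside the heredoc, \$name is an nginx variable, $name a shell one.
    cat <<EOF
server {
    listen 80;
    server_name $site;
    # Let's Encrypt webroot plugin: HTTP-01 challenge files are served from here
    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
    }
    # everything else goes to HTTPS
    location / {
        return 301 https://\$host\$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name $site;
    ssl_certificate     /etc/letsencrypt/live/$site/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$site/privkey.pem;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256';
    add_header Strict-Transport-Security max-age=15768000;

    location / {
        auth_basic           "Restricted";
        auth_basic_user_file /etc/nginx/htpasswd;
        proxy_pass       http://$upstream;
        proxy_set_header Host              \$host;
        proxy_set_header X-Real-IP         \$remote_addr;
        proxy_set_header X-Forwarded-For   \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
    }
}
EOF
}

# Constructed: a web UI listening on port 8384 on this host only.
gen_proxy_vhost sync.example.org 127.0.0.1:8384
```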
Demo
It's a conspiracy
HTTPS: Oh yes, the green lock
SSL/TLS in a nutshell:
- Choose a fast symmetric cipher (like AES). This is called, well, the cipher.
- Choose a random key for that cipher. This is called the session key.
- Encrypt that key using RSA (public key crypto) and send it to the person you're communicating with.
- Then you both have the same AES key and can encrypt all your communications back and forth after that.
The NSA is sad :(
Alice is suspicious
Everything is encrypted, awesome, but is Bob, well, Bob?
A digital certificate is an electronic document used to prove ownership of a public key.
The certificate includes information about the key, its owner's identity, and the digital signature of a Certification Authority.
A Certification Authority (CA) is an entity that issues digital certificates and verifies that the certificate's content is correct.
Arya
Let's Encrypt will be released any second now
any second now
aaaaany second now
now
Thank you
So, we were saying, Let's Encrypt
Features - sounds good
Free, Automatic, Secure, Transparent, Open, Cooperative
Make yourself comfortable
36 of 73
Just Kidding
Demo
37 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links38 of 73
PHP-FPM Architecture
Request Nginx Socket
FastCGI Wrapper Wordpress
FastCGI Wrapper Drupal
FastCGI Wrapper ownCloud
FastCGI Wrapper $PHP_WebApp
39 of 73
php-fpmconf
sudo apt-get install php5-fpm sudo vimemacsatom(flame)etcphp5fpmpooldwwwconf
listen = varrunphp5-fpmsock sudo service php5-fpm restart
40 of 73
No way I want PHP 7
sudo apt-get install php70-fpm (httpspackagessuryorgphp) sudo vim (we have a winner)etcphp70fpmpooldwwwconf
listen = runphpphp70-fpmsock sudo service php70-fpm restart
41 of 73
Demo
Demo
42 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links43 of 73
ldquoTo infinity and beyondrdquo
Ruby RailsSinatraPuma Python FlaskTornadoDjango (the D is silent) JavaScript NodejsGhost Anything TransmissionSyncthingympd
44 of 73
Always the same pattern
A service running behind some port (8000 8080 8384 9091 etc) You want to access it without opening all those ports in yourfirewall
You want advanced settings Authentication SSLTLS
45 of 73
Demo
Demo
46 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links47 of 73
Itrsquos a conspiracy
48 of 73
HTTPS: Oh yes, the green lock
SSL/TLS in a nutshell:
Choose a fast symmetric cipher (like AES). This is called, well, the cipher.
Choose a random key for that cipher. This is called the session key.
Encrypt that key with the server's RSA public key and send it to the person you're communicating with. (This is the classic RSA key exchange; a modern TLS setup instead agrees on the session key with an ephemeral Diffie-Hellman exchange, which is what gives forward secrecy, see the hardening section.)
Then you both have the same AES key and can encrypt all your communications back and forth after that.
The NSA is sad :(
Alice is suspicious
Everything is encrypted, awesome, but is Bob, well, Bob?
A digital certificate is an electronic document used to prove ownership of a public key.
The certificate includes information about the key, its owner's identity (the host names it is valid for), and the digital signature of a Certification Authority.
A Certification Authority (CA) is an entity that issues digital certificates and vouches that the certificate's content is correct. The client trusts the CA's signature because the CA's root certificate is in its trust store, and it checks that the name in the certificate matches the host it meant to talk to; without that last check, encryption alone only guarantees a private conversation with whoever is on the other end.
Arya
Let's Encrypt will be released any second now
... any second now
... aaaaany second now
... now!
Thank you
So, we were saying: Let's Encrypt
Features (sounds good)
Free, Automatic, Secure, Transparent, Open, Cooperative

Under the hood
When you run the letsencrypt client a few tasks are performed (https://letsencrypt.org/how-it-works/):
Domain validation (DNS or HTTP): either provisioning a DNS TXT record under example.com (at _acme-challenge.example.com), or provisioning an HTTP resource under the well-known URI /.well-known/acme-challenge/ on example.com, which the CA fetches over plain HTTP on port 80.
Certificate issuance.
Repeat every 2-3 months: certificates are valid for 90 days, so renewal has to be automated (yes, a script would be helpful).
Plugins
https://letsencrypt.readthedocs.io/en/latest/using.html
apache: automates obtaining and installing a cert with Apache 2.4 on Debian-based distributions.
webroot: obtains a cert by writing to the webroot directory of an already running webserver.
standalone: uses a "standalone" webserver to obtain a cert. Requires port 80 or 443 to be available, so nginx has to be stopped for the duration; with nginx already running, webroot is the plugin you want.
manual: helps you obtain a cert by giving you instructions to perform domain validation yourself.
nginx: very experimental and not included in letsencrypt-auto :D
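The webroot plugin needs nginx to serve the challenge files over plain HTTP while everything else is pushed to HTTPS. The server block below is an added example, not from the slides; example.com and /var/www/letsencrypt are placeholders, and the command in the comment assumes the letsencrypt client with the webroot flags documented at the URL above.

```nginx
# Added example (not from the slides): port-80 server block that answers
# HTTP-01 challenges for the webroot plugin and redirects everything else.
# Issue or renew with, for example:
#   letsencrypt certonly --webroot -w /var/www/letsencrypt -d example.com -d www.example.com
# example.com and /var/www/letsencrypt are placeholders.
server {
    listen 80;
    server_name example.com www.example.com;

    # The CA fetches http://example.com/.well-known/acme-challenge/<token>
    # over plain HTTP, so this location must stay reachable without TLS and
    # without authentication. "^~" makes the prefix match final, so a regex
    # location such as "location ~ /\." (deny dotfiles) cannot swallow it.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
        default_type "text/plain";
    }

    # Everything else goes to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

After the first issuance the certificate and key are in /etc/letsencrypt/live/example.com/fullchain.pem and privkey.pem; a cron job running the same command (or the client's renew subcommand) followed by a reload of nginx takes care of the 90-day cycle.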
Demo
Meet your new best friend (SSL Test)
https://www.ssllabs.com/ssltest/index.html
HTTP Strict Transport Security (HSTS)
It is an HTTP response header sent from the server to the client. It tells the browser that the requested host must only be reached over HTTPS: from then on the browser rewrites every http:// URL for that host to https:// before sending the request, and certificate errors can no longer be clicked through.
The "max-age" parameter sets how long (in seconds) the browser remembers this.
Browsers only honour the header when it arrives over a valid HTTPS connection, so it belongs in the TLS server block; and since the policy sticks for max-age seconds, start with a short value and make sure every host it covers (all subdomains, if you add includeSubDomains) really works over HTTPS.

Enable HSTS in NGINX
Enabling HSTS is as simple as adding a common HTTP header:
server {
    listen 443 ssl;
    # Force HSTS
    add_header Strict-Transport-Security "max-age=15768000";
}
Caveat: add_header directives are inherited from the server block only if the location block has none of its own; a location that sets any add_header must repeat the HSTS line.
Perfect Forward Secrecy (PFS)
Let's say someone intercepts and stores all our encrypted communications. I know, who would ever do that? (cough)
With RSA key exchange the session key travels encrypted under the server's long-term key: if that private key is later compromised or deciphered, all the recorded communications can be decrypted and read.
Solution: agree on a fresh key for each session with an ephemeral Diffie-Hellman exchange (DHE or ECDHE) and throw it away afterwards. Call that key "ephemeral". The long-term key is then only used to sign the exchange, and stealing it tomorrow reveals nothing about today's traffic.

PFS: pretty please with sugar on top
Just use the right cipher (the ECDHE suites; TLS 1.3 goes further and offers no non-forward-secret key exchange at all):
server {
    listen 443 ssl;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256';
}
A single RSA-only suite, as here, is fine for a demo; in production you list a handful of ECDHE suites (the Mozilla generator in the links does this for you) so that clients with ECDSA certificates or without AES hardware are not locked out.
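Putting the HSTS slide and the forward-secrecy slide together: the server block below is an added example, not from the slides, and assumes example.com, the Let's Encrypt certificate paths from the previous section, and a reasonably recent nginx/OpenSSL (the version requirements are noted in the comments; drop the lines your build rejects, nginx -t will tell you).

```nginx
# Added example (not from the slides): one hardened TLS server block with
# HSTS and forward-secret ciphers, plus the settings that usually get
# forgotten. example.com and the certificate paths are placeholders.
server {
    listen 80;
    server_name example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # SSLv3 and TLS 1.0/1.1 are out. TLSv1.3 needs nginx >= 1.13.0 built
    # against OpenSSL >= 1.1.1; it only offers (EC)DHE key exchange.
    ssl_protocols TLSv1.2 TLSv1.3;

    # ECDHE only: the RSA/ECDSA key signs the exchange and never transports
    # the session key, so a stolen key does not decrypt recorded traffic.
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305';
    # Curve list needs nginx >= 1.11.0; X25519 needs OpenSSL >= 1.1.0.
    ssl_ecdh_curve X25519:prime256v1;

    # Resumption via the server-side cache. Session tickets are encrypted
    # with a key nginx generates at startup and never rotates unless you
    # configure ssl_session_ticket_key, which quietly undoes forward secrecy
    # for the lifetime of that key; off is the safe default.
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # HSTS. The value is quoted because of the ";", and "always" (nginx >=
    # 1.7.5) sends the header on error responses too. Add includeSubDomains
    # only once every subdomain is served over HTTPS.
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always;

    location / {
        root /var/www/example.com;
        # Any add_header placed here replaces the inherited ones: repeat the
        # HSTS line in this block if you add other headers to it.
    }
}
```

Run the result through the SSL Labs test from two slides back: it reports the negotiated protocols, flags any suite without forward secrecy, and shows whether the HSTS header was seen with a long enough max-age.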
NGINX Links
Getting Started: NGINX Pitfalls, NGINX Admin Guide, NGINX Primer, NGINX TIPS, NGINX Doc and Modules Reference, Understanding Nginx Server and Location Block Selection Algorithms, Understanding the Nginx Configuration File Structure and Configuration Contexts

HTTPS Links
HTTPS: BetterCrypto, Mozilla Config Generator, Cipherlist, Why You Should Always Use HTTPS, Hardening NGINX SSL/TLS Configuration, Strong SSL Security on nginx
License
This work is released under the Creative Commons Attribution-ShareAlike 4.0 International License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/4.0/ or send a letter to Creative Commons, 444 Castro Street, Suite 900, Mountain View, California, 94041, USA.
https://www.poul.org
- Introduction
-
- HTTP 101
- NGINX Architecture
- Can I try this at home
-
- Installation and Configuration
-
- Installing on Debian
- Configuration
- PHP-FPM
- Reverse Proxy
-
- Security
-
- SSLTLS and HTTPS
- Lets Encrypt
- HTTPS Hardening
-
- Links
-
Just Kidding
Demo
37 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links38 of 73
PHP-FPM Architecture
Request Nginx Socket
FastCGI Wrapper Wordpress
FastCGI Wrapper Drupal
FastCGI Wrapper ownCloud
FastCGI Wrapper $PHP_WebApp
39 of 73
php-fpmconf
sudo apt-get install php5-fpm sudo vimemacsatom(flame)etcphp5fpmpooldwwwconf
listen = varrunphp5-fpmsock sudo service php5-fpm restart
40 of 73
No way I want PHP 7
sudo apt-get install php70-fpm (httpspackagessuryorgphp) sudo vim (we have a winner)etcphp70fpmpooldwwwconf
listen = runphpphp70-fpmsock sudo service php70-fpm restart
41 of 73
Demo
Demo
42 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links43 of 73
ldquoTo infinity and beyondrdquo
Ruby RailsSinatraPuma Python FlaskTornadoDjango (the D is silent) JavaScript NodejsGhost Anything TransmissionSyncthingympd
44 of 73
Always the same pattern
A service running behind some port (8000 8080 8384 9091 etc) You want to access it without opening all those ports in yourfirewall
You want advanced settings Authentication SSLTLS
45 of 73
Demo
Demo
46 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links47 of 73
Itrsquos a conspiracy
48 of 73
HTTPS Oh yes the green lock |
SSLTLS in a nutshell Choose a fast symmetric cipher (like AES) This is called well thecipher
Choose a random key for that cipher This is called the sessionkey
Encrypt that key using RSA (public key crypto) and send it to theperson yoursquore communicating with
Then you both have the same AES key and can encrypt all yourcommunications back and forth after that
The NSA is sad (
49 of 73
Alice is suspicious
Everything is encrypted awesome but is Bob well Bob A digital certificate is an electronic document used to proveownership of a public key
The certificate includes information about the key its ownerrsquosidentity and the digital signature of a Certification Authority
A Certification Authority(CA) is an entity that issues digitalcertificates and verifies that the certificatersquos content is correct
50 of 73
Arya
51 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links52 of 73
Letrsquos Encrypt will be released any second now
53 of 73
any second now
54 of 73
aaaaany second now
55 of 73
now
56 of 73
57 of 73
58 of 73
Thank you
59 of 73
So we were saying Letrsquos Encrypt
60 of 73
Features - sounds good
Free Automatic Secure Transparent Open Cooperative
61 of 73
Under the hood
When you run the letsencrypt client a few tasks are performedhttpsletsencryptorghow-it-works Domain Validation (DNS or HTTP)
Provisioning a DNS record under examplecom Provisioning an HTTP resource under a well-known URI on
httpsexamplecom
Certificate Issuance Repeat every 23 months (yes a script would be helpful)
62 of 73
Plugins
httpsletsencryptreadthedocsioenlatestusinghtml apache Automates obtaining and installing a cert with Apache 24on Debian-based distributions
webroot Obtains a cert by writing to the webroot directory of analready running webserver
standalone Uses a ldquostandalonerdquo webserver to obtain a certRequires port 80 or 443 to be available
manual Helps you obtain a cert by giving you instructions toperform domain validation yourself
nginx Very experimental and not included in letsencrypt-auto D
63 of 73
Demo
Demo
64 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links65 of 73
Meet your new best friend (SSL Test)
httpswwwssllabscomssltestindexhtml
66 of 73
HTTP Strict Transport Security (HSTS)
It is an HTTP header sent from the server to the client Such header informs the client that HTTPS is availbale for therequested website
The ldquomax-agerdquo parameters sets the validity of this information (inseconds)
67 of 73
Enable HSTS in NGINX
Enabling HSTS is as simple as adding a common HTTP headerserver
listen 443 ssl
Force HSTSadd_header Strict -Transport -Security max -age =15768000
68 of 73
Perfect Forward Secrecy (PFS)
Letrsquos say someone intercepts and stores all our encryptedcommunications I know who would ever do that (cough)
If the private key is compromiseddeciphered all the previouscommunications could be unencrypted and read
Solution Use a new key for each session Call that key ldquoephimeralrdquo
69 of 73
PFS Pretty please with sugar on top
Just use the right cipherserver
listen 443 ssl
ssl_prefer_server_ciphers onssl_ciphers rsquoECDHE -RSA -AES128 -GCM -SHA256 rsquo
70 of 73
NGINX Links
Getting Started
NGINX PitfallsNGINX Admin GuideNGINX PrimerNGINXTIPSNGINX Doc and Modules ReferenceUnderstanding Nginx Server and Location Block Selection AlgorithmsUnderstanding the Nginx Configuration File Structure andConfiguration Contexts
71 of 73
HTTPS Links
HTTPS
BetterCryptoMozilla Config GeneratorCipherlistWhy You Should Always Use HTTPSHardening NGINX SSLTSL ConfigurationStrong SSL Security on nginx
72 of 73
License
mediaDatiSyncthingslide_nginx2015imagescc-by-sa_iconpng
Questrsquoopera egrave rilasciata sotto la licenza Creative Commons Attribution-Share Alike 40International License Per visualizzare una copia di questa licenza visitarehttpcreativecommonsorglicensesby-sa40 o inviare una lettera a CreativeCommons 444 Castro Street Suite 900 Mountain View California 94041 USA
httpswwwpoulorg
73 of 73
- Introduction
-
- HTTP 101
- NGINX Architecture
- Can I try this at home
-
- Installation and Configuration
-
- Installing on Debian
- Configuration
- PHP-FPM
- Reverse Proxy
-
- Security
-
- SSLTLS and HTTPS
- Lets Encrypt
- HTTPS Hardening
-
- Links
-
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links38 of 73
PHP-FPM Architecture
Request Nginx Socket
FastCGI Wrapper Wordpress
FastCGI Wrapper Drupal
FastCGI Wrapper ownCloud
FastCGI Wrapper $PHP_WebApp
39 of 73
php-fpmconf
sudo apt-get install php5-fpm sudo vimemacsatom(flame)etcphp5fpmpooldwwwconf
listen = varrunphp5-fpmsock sudo service php5-fpm restart
40 of 73
No way I want PHP 7
sudo apt-get install php70-fpm (httpspackagessuryorgphp) sudo vim (we have a winner)etcphp70fpmpooldwwwconf
listen = runphpphp70-fpmsock sudo service php70-fpm restart
41 of 73
Demo
Demo
42 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links43 of 73
ldquoTo infinity and beyondrdquo
Ruby RailsSinatraPuma Python FlaskTornadoDjango (the D is silent) JavaScript NodejsGhost Anything TransmissionSyncthingympd
44 of 73
Always the same pattern
A service running behind some port (8000 8080 8384 9091 etc) You want to access it without opening all those ports in yourfirewall
You want advanced settings Authentication SSLTLS
45 of 73
Demo
Demo
46 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links47 of 73
Itrsquos a conspiracy
48 of 73
HTTPS Oh yes the green lock |
SSLTLS in a nutshell Choose a fast symmetric cipher (like AES) This is called well thecipher
Choose a random key for that cipher This is called the sessionkey
Encrypt that key using RSA (public key crypto) and send it to theperson yoursquore communicating with
Then you both have the same AES key and can encrypt all yourcommunications back and forth after that
The NSA is sad (
49 of 73
Alice is suspicious
Everything is encrypted awesome but is Bob well Bob A digital certificate is an electronic document used to proveownership of a public key
The certificate includes information about the key its ownerrsquosidentity and the digital signature of a Certification Authority
A Certification Authority(CA) is an entity that issues digitalcertificates and verifies that the certificatersquos content is correct
50 of 73
Arya
51 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links52 of 73
Letrsquos Encrypt will be released any second now
53 of 73
any second now
54 of 73
aaaaany second now
55 of 73
now
56 of 73
57 of 73
58 of 73
Thank you
59 of 73
So we were saying Letrsquos Encrypt
60 of 73
Features - sounds good
Free Automatic Secure Transparent Open Cooperative
61 of 73
Under the hood
When you run the letsencrypt client a few tasks are performedhttpsletsencryptorghow-it-works Domain Validation (DNS or HTTP)
Provisioning a DNS record under examplecom Provisioning an HTTP resource under a well-known URI on
httpsexamplecom
Certificate Issuance Repeat every 23 months (yes a script would be helpful)
62 of 73
Plugins
httpsletsencryptreadthedocsioenlatestusinghtml apache Automates obtaining and installing a cert with Apache 24on Debian-based distributions
webroot Obtains a cert by writing to the webroot directory of analready running webserver
standalone Uses a ldquostandalonerdquo webserver to obtain a certRequires port 80 or 443 to be available
manual Helps you obtain a cert by giving you instructions toperform domain validation yourself
nginx Very experimental and not included in letsencrypt-auto D
63 of 73
Demo
Demo
64 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links65 of 73
Meet your new best friend (SSL Test)
httpswwwssllabscomssltestindexhtml
66 of 73
HTTP Strict Transport Security (HSTS)
It is an HTTP header sent from the server to the client Such header informs the client that HTTPS is availbale for therequested website
The ldquomax-agerdquo parameters sets the validity of this information (inseconds)
67 of 73
Enable HSTS in NGINX
Enabling HSTS is as simple as adding a common HTTP headerserver
listen 443 ssl
Force HSTSadd_header Strict -Transport -Security max -age =15768000
68 of 73
Perfect Forward Secrecy (PFS)
Letrsquos say someone intercepts and stores all our encryptedcommunications I know who would ever do that (cough)
If the private key is compromiseddeciphered all the previouscommunications could be unencrypted and read
Solution Use a new key for each session Call that key ldquoephimeralrdquo
69 of 73
PFS Pretty please with sugar on top
Just use the right cipherserver
listen 443 ssl
ssl_prefer_server_ciphers onssl_ciphers rsquoECDHE -RSA -AES128 -GCM -SHA256 rsquo
70 of 73
NGINX Links
Getting Started
NGINX PitfallsNGINX Admin GuideNGINX PrimerNGINXTIPSNGINX Doc and Modules ReferenceUnderstanding Nginx Server and Location Block Selection AlgorithmsUnderstanding the Nginx Configuration File Structure andConfiguration Contexts
71 of 73
HTTPS Links
HTTPS
BetterCryptoMozilla Config GeneratorCipherlistWhy You Should Always Use HTTPSHardening NGINX SSLTSL ConfigurationStrong SSL Security on nginx
72 of 73
License
mediaDatiSyncthingslide_nginx2015imagescc-by-sa_iconpng
Questrsquoopera egrave rilasciata sotto la licenza Creative Commons Attribution-Share Alike 40International License Per visualizzare una copia di questa licenza visitarehttpcreativecommonsorglicensesby-sa40 o inviare una lettera a CreativeCommons 444 Castro Street Suite 900 Mountain View California 94041 USA
httpswwwpoulorg
73 of 73
- Introduction
-
- HTTP 101
- NGINX Architecture
- Can I try this at home
-
- Installation and Configuration
-
- Installing on Debian
- Configuration
- PHP-FPM
- Reverse Proxy
-
- Security
-
- SSLTLS and HTTPS
- Lets Encrypt
- HTTPS Hardening
-
- Links
-
PHP-FPM Architecture
Request Nginx Socket
FastCGI Wrapper Wordpress
FastCGI Wrapper Drupal
FastCGI Wrapper ownCloud
FastCGI Wrapper $PHP_WebApp
39 of 73
php-fpmconf
sudo apt-get install php5-fpm sudo vimemacsatom(flame)etcphp5fpmpooldwwwconf
listen = varrunphp5-fpmsock sudo service php5-fpm restart
40 of 73
No way I want PHP 7
sudo apt-get install php70-fpm (httpspackagessuryorgphp) sudo vim (we have a winner)etcphp70fpmpooldwwwconf
listen = runphpphp70-fpmsock sudo service php70-fpm restart
41 of 73
Demo
Demo
42 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links43 of 73
ldquoTo infinity and beyondrdquo
Ruby RailsSinatraPuma Python FlaskTornadoDjango (the D is silent) JavaScript NodejsGhost Anything TransmissionSyncthingympd
44 of 73
Always the same pattern
A service running behind some port (8000 8080 8384 9091 etc) You want to access it without opening all those ports in yourfirewall
You want advanced settings Authentication SSLTLS
45 of 73
Demo
Demo
46 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links47 of 73
Itrsquos a conspiracy
48 of 73
HTTPS Oh yes the green lock |
SSLTLS in a nutshell Choose a fast symmetric cipher (like AES) This is called well thecipher
Choose a random key for that cipher This is called the sessionkey
Encrypt that key using RSA (public key crypto) and send it to theperson yoursquore communicating with
Then you both have the same AES key and can encrypt all yourcommunications back and forth after that
The NSA is sad (
49 of 73
Alice is suspicious
Everything is encrypted awesome but is Bob well Bob A digital certificate is an electronic document used to proveownership of a public key
The certificate includes information about the key its ownerrsquosidentity and the digital signature of a Certification Authority
A Certification Authority(CA) is an entity that issues digitalcertificates and verifies that the certificatersquos content is correct
50 of 73
Arya
51 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links52 of 73
Letrsquos Encrypt will be released any second now
53 of 73
any second now
54 of 73
aaaaany second now
55 of 73
now
56 of 73
57 of 73
58 of 73
Thank you
59 of 73
So we were saying Letrsquos Encrypt
60 of 73
Features - sounds good
Free Automatic Secure Transparent Open Cooperative
61 of 73
Under the hood
When you run the letsencrypt client a few tasks are performedhttpsletsencryptorghow-it-works Domain Validation (DNS or HTTP)
Provisioning a DNS record under examplecom Provisioning an HTTP resource under a well-known URI on
httpsexamplecom
Certificate Issuance Repeat every 23 months (yes a script would be helpful)
62 of 73
Plugins
httpsletsencryptreadthedocsioenlatestusinghtml apache Automates obtaining and installing a cert with Apache 24on Debian-based distributions
webroot Obtains a cert by writing to the webroot directory of analready running webserver
standalone Uses a ldquostandalonerdquo webserver to obtain a certRequires port 80 or 443 to be available
manual Helps you obtain a cert by giving you instructions toperform domain validation yourself
nginx Very experimental and not included in letsencrypt-auto D
63 of 73
Demo
Demo
64 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links65 of 73
Meet your new best friend (SSL Test)
httpswwwssllabscomssltestindexhtml
66 of 73
HTTP Strict Transport Security (HSTS)
It is an HTTP header sent from the server to the client Such header informs the client that HTTPS is availbale for therequested website
The ldquomax-agerdquo parameters sets the validity of this information (inseconds)
67 of 73
Enable HSTS in NGINX
Enabling HSTS is as simple as adding a common HTTP headerserver
listen 443 ssl
Force HSTSadd_header Strict -Transport -Security max -age =15768000
68 of 73
Perfect Forward Secrecy (PFS)
Letrsquos say someone intercepts and stores all our encryptedcommunications I know who would ever do that (cough)
If the private key is compromiseddeciphered all the previouscommunications could be unencrypted and read
Solution Use a new key for each session Call that key ldquoephimeralrdquo
69 of 73
PFS Pretty please with sugar on top
Just use the right cipherserver
listen 443 ssl
ssl_prefer_server_ciphers onssl_ciphers rsquoECDHE -RSA -AES128 -GCM -SHA256 rsquo
70 of 73
NGINX Links
Getting Started
NGINX PitfallsNGINX Admin GuideNGINX PrimerNGINXTIPSNGINX Doc and Modules ReferenceUnderstanding Nginx Server and Location Block Selection AlgorithmsUnderstanding the Nginx Configuration File Structure andConfiguration Contexts
71 of 73
HTTPS Links
HTTPS
BetterCryptoMozilla Config GeneratorCipherlistWhy You Should Always Use HTTPSHardening NGINX SSLTSL ConfigurationStrong SSL Security on nginx
72 of 73
License
mediaDatiSyncthingslide_nginx2015imagescc-by-sa_iconpng
Questrsquoopera egrave rilasciata sotto la licenza Creative Commons Attribution-Share Alike 40International License Per visualizzare una copia di questa licenza visitarehttpcreativecommonsorglicensesby-sa40 o inviare una lettera a CreativeCommons 444 Castro Street Suite 900 Mountain View California 94041 USA
httpswwwpoulorg
73 of 73
- Introduction
-
- HTTP 101
- NGINX Architecture
- Can I try this at home
-
- Installation and Configuration
-
- Installing on Debian
- Configuration
- PHP-FPM
- Reverse Proxy
-
- Security
-
- SSLTLS and HTTPS
- Lets Encrypt
- HTTPS Hardening
-
- Links
-
php-fpmconf
sudo apt-get install php5-fpm sudo vimemacsatom(flame)etcphp5fpmpooldwwwconf
listen = varrunphp5-fpmsock sudo service php5-fpm restart
40 of 73
No way I want PHP 7
sudo apt-get install php70-fpm (httpspackagessuryorgphp) sudo vim (we have a winner)etcphp70fpmpooldwwwconf
listen = runphpphp70-fpmsock sudo service php70-fpm restart
41 of 73
Demo
Demo
42 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links43 of 73
ldquoTo infinity and beyondrdquo
Ruby RailsSinatraPuma Python FlaskTornadoDjango (the D is silent) JavaScript NodejsGhost Anything TransmissionSyncthingympd
44 of 73
Always the same pattern
A service running behind some port (8000 8080 8384 9091 etc) You want to access it without opening all those ports in yourfirewall
You want advanced settings Authentication SSLTLS
45 of 73
Demo
Demo
46 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links47 of 73
Itrsquos a conspiracy
48 of 73
HTTPS Oh yes the green lock |
SSLTLS in a nutshell Choose a fast symmetric cipher (like AES) This is called well thecipher
Choose a random key for that cipher This is called the sessionkey
Encrypt that key using RSA (public key crypto) and send it to theperson yoursquore communicating with
Then you both have the same AES key and can encrypt all yourcommunications back and forth after that
The NSA is sad (
49 of 73
Alice is suspicious
Everything is encrypted awesome but is Bob well Bob A digital certificate is an electronic document used to proveownership of a public key
The certificate includes information about the key its ownerrsquosidentity and the digital signature of a Certification Authority
A Certification Authority(CA) is an entity that issues digitalcertificates and verifies that the certificatersquos content is correct
50 of 73
Arya
51 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links52 of 73
Letrsquos Encrypt will be released any second now
53 of 73
any second now
54 of 73
aaaaany second now
55 of 73
now
56 of 73
57 of 73
58 of 73
Thank you
59 of 73
So we were saying Letrsquos Encrypt
60 of 73
Features - sounds good
Free Automatic Secure Transparent Open Cooperative
61 of 73
Under the hood
When you run the letsencrypt client a few tasks are performedhttpsletsencryptorghow-it-works Domain Validation (DNS or HTTP)
Provisioning a DNS record under examplecom Provisioning an HTTP resource under a well-known URI on
httpsexamplecom
Certificate Issuance Repeat every 23 months (yes a script would be helpful)
62 of 73
Plugins
httpsletsencryptreadthedocsioenlatestusinghtml apache Automates obtaining and installing a cert with Apache 24on Debian-based distributions
webroot Obtains a cert by writing to the webroot directory of analready running webserver
standalone Uses a ldquostandalonerdquo webserver to obtain a certRequires port 80 or 443 to be available
manual Helps you obtain a cert by giving you instructions toperform domain validation yourself
nginx Very experimental and not included in letsencrypt-auto D
63 of 73
Demo
Demo
64 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links65 of 73
Meet your new best friend (SSL Test)
httpswwwssllabscomssltestindexhtml
66 of 73
HTTP Strict Transport Security (HSTS)
It is an HTTP header sent from the server to the client Such header informs the client that HTTPS is availbale for therequested website
The ldquomax-agerdquo parameters sets the validity of this information (inseconds)
67 of 73
Enable HSTS in NGINX
Enabling HSTS is as simple as adding a common HTTP headerserver
listen 443 ssl
Force HSTSadd_header Strict -Transport -Security max -age =15768000
68 of 73
Perfect Forward Secrecy (PFS)
Letrsquos say someone intercepts and stores all our encryptedcommunications I know who would ever do that (cough)
If the private key is compromiseddeciphered all the previouscommunications could be unencrypted and read
Solution Use a new key for each session Call that key ldquoephimeralrdquo
69 of 73
PFS Pretty please with sugar on top
Just use the right cipherserver
listen 443 ssl
ssl_prefer_server_ciphers onssl_ciphers rsquoECDHE -RSA -AES128 -GCM -SHA256 rsquo
70 of 73
NGINX Links
Getting Started
NGINX PitfallsNGINX Admin GuideNGINX PrimerNGINXTIPSNGINX Doc and Modules ReferenceUnderstanding Nginx Server and Location Block Selection AlgorithmsUnderstanding the Nginx Configuration File Structure andConfiguration Contexts
71 of 73
HTTPS Links
HTTPS
BetterCryptoMozilla Config GeneratorCipherlistWhy You Should Always Use HTTPSHardening NGINX SSLTSL ConfigurationStrong SSL Security on nginx
72 of 73
License
mediaDatiSyncthingslide_nginx2015imagescc-by-sa_iconpng
Questrsquoopera egrave rilasciata sotto la licenza Creative Commons Attribution-Share Alike 40International License Per visualizzare una copia di questa licenza visitarehttpcreativecommonsorglicensesby-sa40 o inviare una lettera a CreativeCommons 444 Castro Street Suite 900 Mountain View California 94041 USA
httpswwwpoulorg
73 of 73
- Introduction
-
- HTTP 101
- NGINX Architecture
- Can I try this at home
-
- Installation and Configuration
-
- Installing on Debian
- Configuration
- PHP-FPM
- Reverse Proxy
-
- Security
-
- SSLTLS and HTTPS
- Lets Encrypt
- HTTPS Hardening
-
- Links
-
No way I want PHP 7
sudo apt-get install php70-fpm (httpspackagessuryorgphp) sudo vim (we have a winner)etcphp70fpmpooldwwwconf
listen = runphpphp70-fpmsock sudo service php70-fpm restart
41 of 73
Demo
Demo
42 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links43 of 73
ldquoTo infinity and beyondrdquo
Ruby RailsSinatraPuma Python FlaskTornadoDjango (the D is silent) JavaScript NodejsGhost Anything TransmissionSyncthingympd
44 of 73
Always the same pattern
A service running behind some port (8000 8080 8384 9091 etc) You want to access it without opening all those ports in yourfirewall
You want advanced settings Authentication SSLTLS
45 of 73
Demo
Demo
46 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links47 of 73
Itrsquos a conspiracy
48 of 73
HTTPS Oh yes the green lock |
SSLTLS in a nutshell Choose a fast symmetric cipher (like AES) This is called well thecipher
Choose a random key for that cipher This is called the sessionkey
Encrypt that key using RSA (public key crypto) and send it to theperson yoursquore communicating with
Then you both have the same AES key and can encrypt all yourcommunications back and forth after that
The NSA is sad (
49 of 73
Alice is suspicious
Everything is encrypted awesome but is Bob well Bob A digital certificate is an electronic document used to proveownership of a public key
The certificate includes information about the key its ownerrsquosidentity and the digital signature of a Certification Authority
A Certification Authority(CA) is an entity that issues digitalcertificates and verifies that the certificatersquos content is correct
50 of 73
Arya
51 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links52 of 73
Letrsquos Encrypt will be released any second now
53 of 73
any second now
54 of 73
aaaaany second now
55 of 73
now
56 of 73
57 of 73
58 of 73
Thank you
59 of 73
So we were saying Letrsquos Encrypt
60 of 73
Features - sounds good
Free Automatic Secure Transparent Open Cooperative
61 of 73
Under the hood
When you run the letsencrypt client a few tasks are performedhttpsletsencryptorghow-it-works Domain Validation (DNS or HTTP)
Provisioning a DNS record under examplecom Provisioning an HTTP resource under a well-known URI on
httpsexamplecom
Certificate Issuance Repeat every 23 months (yes a script would be helpful)
62 of 73
Plugins
httpsletsencryptreadthedocsioenlatestusinghtml apache Automates obtaining and installing a cert with Apache 24on Debian-based distributions
webroot Obtains a cert by writing to the webroot directory of analready running webserver
standalone Uses a ldquostandalonerdquo webserver to obtain a certRequires port 80 or 443 to be available
manual Helps you obtain a cert by giving you instructions toperform domain validation yourself
nginx Very experimental and not included in letsencrypt-auto D
63 of 73
Demo
Demo
64 of 73
Outline
Introduction: HTTP 101, NGINX Architecture, Can I try this at home?
Installation and Configuration: Installing on Debian, Configuration, PHP-FPM, Reverse Proxy
Security: SSL/TLS and HTTPS, Let's Encrypt, HTTPS Hardening
Links
65 of 73
Meet your new best friend (SSL Test)
https://www.ssllabs.com/ssltest/index.html
66 of 73
HTTP Strict Transport Security (HSTS)
It is an HTTP header sent from the server to the client. Such header informs the client that HTTPS is available for the requested website.
The "max-age" parameter sets the validity of this information (in seconds).
67 of 73
Enable HSTS in NGINX
Enabling HSTS is as simple as adding a common HTTP header:

    server {
        listen 443 ssl;
        # Force HSTS
        add_header Strict-Transport-Security "max-age=15768000";
    }
68 of 73
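As an added example (not from the slides), a small POSIX shell check that reads raw response headers from stdin, as `curl -sI https://example.com/` would produce, extracts the HSTS max-age and compares it with the slide's 15768000 seconds. The three sample responses are constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example, not part of the slides: verify the HSTS header a server sends.
# Feed it raw response headers, e.g.:  curl -sI https://example.com/ | hsts_check
MIN_AGE=15768000   # the max-age used on the slide (about six months)

# Print the max-age value of the Strict-Transport-Security header read from
# stdin, or nothing if the header (or its max-age directive) is missing.
# Header names and HSTS directives are case-insensitive, so lowercase first.
hsts_max_age() {
    tr -d '\r' | tr 'A-Z' 'a-z' \
        | grep '^strict-transport-security:' | head -n 1 \
        | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p'
}

# Exit 0 when HSTS is present with max-age >= MIN_AGE, 1 otherwise.
hsts_check() {
    age=$(hsts_max_age)
    if [ -z "$age" ]; then
        echo "FAIL: no Strict-Transport-Security header with max-age"
        return 1
    fi
    if [ "$age" -lt "$MIN_AGE" ]; then
        echo "WEAK: max-age=$age is below $MIN_AGE"
        return 1
    fi
    echo "OK: max-age=$age"
    return 0
}

# Constructed sample responses (not captured from a real server).
GOOD_HEADERS='HTTP/1.1 200 OK
Server: nginx
Strict-Transport-Security: max-age=15768000; includeSubDomains
Content-Type: text/html'

WEAK_HEADERS='HTTP/1.1 200 OK
Server: nginx
Strict-Transport-Security: max-age=300
Content-Type: text/html'

NO_HSTS_HEADERS='HTTP/1.1 404 Not Found
Server: nginx
Content-Type: text/html'

# Stand-alone demonstration over the three samples.
for h in "$GOOD_HEADERS" "$WEAK_HEADERS" "$NO_HSTS_HEADERS"; do
    printf '%s\n' "$h" | hsts_check || :
done
```

nginx applies add_header only to successful and redirect responses (200, 201, 204, 206, 301, 302, 303, 304, 307, 308) unless the `always` parameter (nginx 1.7.5 or later) is given, so run the check against an error page as well as the home page.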
Perfect Forward Secrecy (PFS)
Let's say someone intercepts and stores all our encrypted communications. I know, who would ever do that? (cough)
If the private key is compromised/deciphered, all the previous communications could be decrypted and read.
Solution: use a new key for each session. Call that key "ephemeral".
69 of 73
PFS: Pretty please, with sugar on top
Just use the right cipher:

    server {
        listen 443 ssl;
        ssl_prefer_server_ciphers on;
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256';
    }
70 of 73
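As an added example (not from the slides), a POSIX shell helper that separates forward-secret suites from the rest, using the line format of `openssl ciphers -v`: a suite gives PFS when its key exchange is ephemeral (Kx=ECDH or Kx=DH, the ECDHE-/DHE- names), while Kx=RSA encrypts the session key to the server's long-term key, which is the scenario on the previous slide. The sample cipher list is constructed in that format, not real output.

```shell
#!/bin/sh
# Added example, not part of the slides: tell PFS cipher suites from non-PFS
# ones. Input lines are in the format of `openssl ciphers -v 'CIPHER-STRING'`:
#   NAME  PROTOCOL  Kx=...  Au=...  Enc=...  Mac=...
# Ephemeral key exchange (Kx=ECDH or Kx=DH) gives forward secrecy; Kx=RSA
# means the session key is encrypted to the long-term private key.

# Names of the suites (from stdin) whose key exchange is ephemeral.
pfs_suites() {
    awk '$3 == "Kx=ECDH" || $3 == "Kx=DH" { print $1 }'
}

# Names of the suites (from stdin) that do NOT give forward secrecy.
non_pfs_suites() {
    awk '$3 != "Kx=ECDH" && $3 != "Kx=DH" { print $1 }'
}

# Colon-separated list of the PFS suites, ready for an ssl_ciphers directive.
pfs_cipher_string() {
    pfs_suites | paste -s -d : -
}

# Constructed sample in the shape OpenSSL 1.0.x/1.1.x prints (not real output).
SAMPLE='ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES256-SHA256       TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)    Mac=SHA256
AES128-GCM-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
AES256-SHA                  SSLv3   Kx=RSA      Au=RSA  Enc=AES(256)    Mac=SHA1'

# Stand-alone run. On a real system replace the sample with, for instance,
#   openssl ciphers -v 'ECDHE-RSA-AES128-GCM-SHA256:AES128-GCM-SHA256'
echo "PFS suites:     $(printf '%s\n' "$SAMPLE" | pfs_cipher_string)"
echo "non-PFS suites: $(printf '%s\n' "$SAMPLE" | non_pfs_suites | paste -s -d : -)"
```

OpenSSL 1.1.1 lists the TLS 1.3 suites with Kx=any; those are always ephemeral and would need a third branch in the awk filters.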
NGINX Links
Getting Started
- NGINX Pitfalls
- NGINX Admin Guide
- NGINX Primer
- NGINX TIPS
- NGINX Doc and Modules Reference
- Understanding Nginx Server and Location Block Selection Algorithms
- Understanding the Nginx Configuration File Structure and Configuration Contexts
71 of 73
HTTPS Links
HTTPS
- BetterCrypto
- Mozilla Config Generator
- Cipherlist
- Why You Should Always Use HTTPS
- Hardening NGINX SSL/TLS Configuration
- Strong SSL Security on nginx
72 of 73
License
This work is released under the Creative Commons Attribution-Share Alike 4.0 International License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/4.0/ or send a letter to Creative Commons, 444 Castro Street, Suite 900, Mountain View, California, 94041, USA.
https://www.poul.org/
73 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links47 of 73
Itrsquos a conspiracy
48 of 73
HTTPS Oh yes the green lock |
SSLTLS in a nutshell Choose a fast symmetric cipher (like AES) This is called well thecipher
Choose a random key for that cipher This is called the sessionkey
Encrypt that key using RSA (public key crypto) and send it to theperson yoursquore communicating with
Then you both have the same AES key and can encrypt all yourcommunications back and forth after that
The NSA is sad (
49 of 73
Alice is suspicious
Everything is encrypted awesome but is Bob well Bob A digital certificate is an electronic document used to proveownership of a public key
The certificate includes information about the key its ownerrsquosidentity and the digital signature of a Certification Authority
A Certification Authority(CA) is an entity that issues digitalcertificates and verifies that the certificatersquos content is correct
50 of 73
Arya
51 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links52 of 73
Letrsquos Encrypt will be released any second now
53 of 73
any second now
54 of 73
aaaaany second now
55 of 73
now
56 of 73
57 of 73
58 of 73
Thank you
59 of 73
So we were saying Letrsquos Encrypt
60 of 73
Features - sounds good
Free Automatic Secure Transparent Open Cooperative
61 of 73
Under the hood
When you run the letsencrypt client a few tasks are performedhttpsletsencryptorghow-it-works Domain Validation (DNS or HTTP)
Provisioning a DNS record under examplecom Provisioning an HTTP resource under a well-known URI on
httpsexamplecom
Certificate Issuance Repeat every 23 months (yes a script would be helpful)
62 of 73
Plugins
httpsletsencryptreadthedocsioenlatestusinghtml apache Automates obtaining and installing a cert with Apache 24on Debian-based distributions
webroot Obtains a cert by writing to the webroot directory of analready running webserver
standalone Uses a ldquostandalonerdquo webserver to obtain a certRequires port 80 or 443 to be available
manual Helps you obtain a cert by giving you instructions toperform domain validation yourself
nginx Very experimental and not included in letsencrypt-auto D
63 of 73
Demo
Demo
64 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links65 of 73
Meet your new best friend (SSL Test)
httpswwwssllabscomssltestindexhtml
66 of 73
HTTP Strict Transport Security (HSTS)
It is an HTTP header sent from the server to the client Such header informs the client that HTTPS is availbale for therequested website
The ldquomax-agerdquo parameters sets the validity of this information (inseconds)
67 of 73
Enable HSTS in NGINX
Enabling HSTS is as simple as adding a common HTTP headerserver
listen 443 ssl
Force HSTSadd_header Strict -Transport -Security max -age =15768000
68 of 73
Perfect Forward Secrecy (PFS)
Letrsquos say someone intercepts and stores all our encryptedcommunications I know who would ever do that (cough)
If the private key is compromiseddeciphered all the previouscommunications could be unencrypted and read
Solution Use a new key for each session Call that key ldquoephimeralrdquo
69 of 73
PFS Pretty please with sugar on top
Just use the right cipherserver
listen 443 ssl
ssl_prefer_server_ciphers onssl_ciphers rsquoECDHE -RSA -AES128 -GCM -SHA256 rsquo
70 of 73
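An added example that puts the HSTS header from slide 68 and the forward-secret cipher choice from slide 70 into one hardened server block (this is not configuration from the slides; the domain and document root are assumptions, while the certificate paths are the ones the Let's Encrypt client writes under /etc/letsencrypt/live/). It goes beyond the two slides in two places: it disables TLS session tickets, because a ticket key that is never rotated would undo forward secrecy, and it sends the HSTS header with includeSubDomains and the always flag.

```nginx
# Added example, not from the slides. example.com and /var/www/example.com
# are assumed; the certificate paths are those created by the Let's Encrypt
# client for that domain.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com www.example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Protocols: no SSLv3 (POODLE) and no TLS 1.0/1.1. Widen this only for
    # legacy clients you actually need to support.
    ssl_protocols TLSv1.2;

    # PFS: ECDHE key exchange only, AEAD ciphers only. No DHE suite is offered,
    # so no ssl_dhparam is needed. On OpenSSL >= 1.1.0 the
    # ECDHE-*-CHACHA20-POLY1305 suites can be added to the list.
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';

    # Session resumption: a server-side cache is fine. Session tickets are
    # encrypted with a key NGINX generates at startup and never rotates, so on
    # a long-running server that key would let a recorded session be decrypted
    # later, defeating forward secrecy. Turn them off.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # HSTS: one year, covering subdomains. "always" (NGINX >= 1.7.5) also sends
    # the header on error responses. Only enable includeSubDomains once every
    # subdomain serves HTTPS correctly: browsers remember it for max-age seconds.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    root /var/www/example.com;   # assumed document root
}
```

If you later add a location block that sets its own add_header (for example cache headers on static files), repeat the Strict-Transport-Security line inside it, since add_header directives are not merged across levels.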
NGINX Links
Getting Started
- NGINX Pitfalls
- NGINX Admin Guide
- NGINX Primer
- NGINX Tips
- NGINX Doc and Modules Reference
- Understanding Nginx Server and Location Block Selection Algorithms
- Understanding the Nginx Configuration File Structure and Configuration Contexts
71 of 73
HTTPS Links
HTTPS
- BetterCrypto
- Mozilla Config Generator
- Cipherlist
- Why You Should Always Use HTTPS
- Hardening NGINX SSL/TLS Configuration
- Strong SSL Security on nginx
72 of 73
License
This work is released under the Creative Commons Attribution-Share Alike 4.0 International License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/4.0/ or send a letter to Creative Commons, 444 Castro Street, Suite 900, Mountain View, California, 94041, USA.
https://www.poul.org
73 of 73
- Introduction
  - HTTP 101
  - NGINX Architecture
  - Can I try this at home?
- Installation and Configuration
  - Installing on Debian
  - Configuration
  - PHP-FPM
  - Reverse Proxy
- Security
  - SSL/TLS and HTTPS
  - Let's Encrypt
  - HTTPS Hardening
- Links
Itrsquos a conspiracy
48 of 73
HTTPS Oh yes the green lock |
SSLTLS in a nutshell Choose a fast symmetric cipher (like AES) This is called well thecipher
Choose a random key for that cipher This is called the sessionkey
Encrypt that key using RSA (public key crypto) and send it to theperson yoursquore communicating with
Then you both have the same AES key and can encrypt all yourcommunications back and forth after that
The NSA is sad (
49 of 73
Alice is suspicious
Everything is encrypted awesome but is Bob well Bob A digital certificate is an electronic document used to proveownership of a public key
The certificate includes information about the key its ownerrsquosidentity and the digital signature of a Certification Authority
A Certification Authority(CA) is an entity that issues digitalcertificates and verifies that the certificatersquos content is correct
50 of 73
Arya
51 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links52 of 73
Letrsquos Encrypt will be released any second now
53 of 73
any second now
54 of 73
aaaaany second now
55 of 73
now
56 of 73
57 of 73
58 of 73
Thank you
59 of 73
So we were saying Letrsquos Encrypt
60 of 73
Features - sounds good
Free Automatic Secure Transparent Open Cooperative
61 of 73
Under the hood
When you run the letsencrypt client a few tasks are performedhttpsletsencryptorghow-it-works Domain Validation (DNS or HTTP)
Provisioning a DNS record under examplecom Provisioning an HTTP resource under a well-known URI on
httpsexamplecom
Certificate Issuance Repeat every 23 months (yes a script would be helpful)
62 of 73
Plugins
httpsletsencryptreadthedocsioenlatestusinghtml apache Automates obtaining and installing a cert with Apache 24on Debian-based distributions
webroot Obtains a cert by writing to the webroot directory of analready running webserver
standalone Uses a ldquostandalonerdquo webserver to obtain a certRequires port 80 or 443 to be available
manual Helps you obtain a cert by giving you instructions toperform domain validation yourself
nginx Very experimental and not included in letsencrypt-auto D
63 of 73
Demo
Demo
64 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links65 of 73
Meet your new best friend (SSL Test)
httpswwwssllabscomssltestindexhtml
66 of 73
HTTP Strict Transport Security (HSTS)
It is an HTTP header sent from the server to the client Such header informs the client that HTTPS is availbale for therequested website
The ldquomax-agerdquo parameters sets the validity of this information (inseconds)
67 of 73
Enable HSTS in NGINX
Enabling HSTS is as simple as adding a common HTTP headerserver
listen 443 ssl
Force HSTSadd_header Strict -Transport -Security max -age =15768000
68 of 73
Perfect Forward Secrecy (PFS)
Letrsquos say someone intercepts and stores all our encryptedcommunications I know who would ever do that (cough)
If the private key is compromiseddeciphered all the previouscommunications could be unencrypted and read
Solution Use a new key for each session Call that key ldquoephimeralrdquo
69 of 73
PFS Pretty please with sugar on top
Just use the right cipherserver
listen 443 ssl
ssl_prefer_server_ciphers onssl_ciphers rsquoECDHE -RSA -AES128 -GCM -SHA256 rsquo
70 of 73
NGINX Links
Getting Started
NGINX PitfallsNGINX Admin GuideNGINX PrimerNGINXTIPSNGINX Doc and Modules ReferenceUnderstanding Nginx Server and Location Block Selection AlgorithmsUnderstanding the Nginx Configuration File Structure andConfiguration Contexts
71 of 73
HTTPS Links
HTTPS
BetterCryptoMozilla Config GeneratorCipherlistWhy You Should Always Use HTTPSHardening NGINX SSLTSL ConfigurationStrong SSL Security on nginx
72 of 73
License
mediaDatiSyncthingslide_nginx2015imagescc-by-sa_iconpng
Questrsquoopera egrave rilasciata sotto la licenza Creative Commons Attribution-Share Alike 40International License Per visualizzare una copia di questa licenza visitarehttpcreativecommonsorglicensesby-sa40 o inviare una lettera a CreativeCommons 444 Castro Street Suite 900 Mountain View California 94041 USA
httpswwwpoulorg
73 of 73
- Introduction
-
- HTTP 101
- NGINX Architecture
- Can I try this at home
-
- Installation and Configuration
-
- Installing on Debian
- Configuration
- PHP-FPM
- Reverse Proxy
-
- Security
-
- SSLTLS and HTTPS
- Lets Encrypt
- HTTPS Hardening
-
- Links
-
HTTPS Oh yes the green lock |
SSLTLS in a nutshell Choose a fast symmetric cipher (like AES) This is called well thecipher
Choose a random key for that cipher This is called the sessionkey
Encrypt that key using RSA (public key crypto) and send it to theperson yoursquore communicating with
Then you both have the same AES key and can encrypt all yourcommunications back and forth after that
The NSA is sad (
49 of 73
Alice is suspicious
Everything is encrypted awesome but is Bob well Bob A digital certificate is an electronic document used to proveownership of a public key
The certificate includes information about the key its ownerrsquosidentity and the digital signature of a Certification Authority
A Certification Authority(CA) is an entity that issues digitalcertificates and verifies that the certificatersquos content is correct
50 of 73
Arya
51 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links52 of 73
Letrsquos Encrypt will be released any second now
53 of 73
any second now
54 of 73
aaaaany second now
55 of 73
now
56 of 73
57 of 73
58 of 73
Thank you
59 of 73
So we were saying Letrsquos Encrypt
60 of 73
Features - sounds good
Free Automatic Secure Transparent Open Cooperative
61 of 73
Under the hood
When you run the letsencrypt client a few tasks are performedhttpsletsencryptorghow-it-works Domain Validation (DNS or HTTP)
Provisioning a DNS record under examplecom Provisioning an HTTP resource under a well-known URI on
httpsexamplecom
Certificate Issuance Repeat every 23 months (yes a script would be helpful)
62 of 73
Plugins
httpsletsencryptreadthedocsioenlatestusinghtml apache Automates obtaining and installing a cert with Apache 24on Debian-based distributions
webroot Obtains a cert by writing to the webroot directory of analready running webserver
standalone Uses a ldquostandalonerdquo webserver to obtain a certRequires port 80 or 443 to be available
manual Helps you obtain a cert by giving you instructions toperform domain validation yourself
nginx Very experimental and not included in letsencrypt-auto D
63 of 73
Demo
Demo
64 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links65 of 73
Meet your new best friend (SSL Test)
httpswwwssllabscomssltestindexhtml
66 of 73
HTTP Strict Transport Security (HSTS)
It is an HTTP header sent from the server to the client Such header informs the client that HTTPS is availbale for therequested website
The ldquomax-agerdquo parameters sets the validity of this information (inseconds)
67 of 73
Enable HSTS in NGINX
Enabling HSTS is as simple as adding a common HTTP headerserver
listen 443 ssl
Force HSTSadd_header Strict -Transport -Security max -age =15768000
68 of 73
Perfect Forward Secrecy (PFS)
Letrsquos say someone intercepts and stores all our encryptedcommunications I know who would ever do that (cough)
If the private key is compromiseddeciphered all the previouscommunications could be unencrypted and read
Solution Use a new key for each session Call that key ldquoephimeralrdquo
69 of 73
PFS Pretty please with sugar on top
Just use the right cipherserver
listen 443 ssl
ssl_prefer_server_ciphers onssl_ciphers rsquoECDHE -RSA -AES128 -GCM -SHA256 rsquo
70 of 73
NGINX Links
Getting Started
NGINX PitfallsNGINX Admin GuideNGINX PrimerNGINXTIPSNGINX Doc and Modules ReferenceUnderstanding Nginx Server and Location Block Selection AlgorithmsUnderstanding the Nginx Configuration File Structure andConfiguration Contexts
71 of 73
HTTPS Links
HTTPS
BetterCryptoMozilla Config GeneratorCipherlistWhy You Should Always Use HTTPSHardening NGINX SSLTSL ConfigurationStrong SSL Security on nginx
72 of 73
License
mediaDatiSyncthingslide_nginx2015imagescc-by-sa_iconpng
Questrsquoopera egrave rilasciata sotto la licenza Creative Commons Attribution-Share Alike 40International License Per visualizzare una copia di questa licenza visitarehttpcreativecommonsorglicensesby-sa40 o inviare una lettera a CreativeCommons 444 Castro Street Suite 900 Mountain View California 94041 USA
httpswwwpoulorg
73 of 73
- Introduction
-
- HTTP 101
- NGINX Architecture
- Can I try this at home
-
- Installation and Configuration
-
- Installing on Debian
- Configuration
- PHP-FPM
- Reverse Proxy
-
- Security
-
- SSLTLS and HTTPS
- Lets Encrypt
- HTTPS Hardening
-
- Links
-
Alice is suspicious
Everything is encrypted awesome but is Bob well Bob A digital certificate is an electronic document used to proveownership of a public key
The certificate includes information about the key its ownerrsquosidentity and the digital signature of a Certification Authority
A Certification Authority(CA) is an entity that issues digitalcertificates and verifies that the certificatersquos content is correct
50 of 73
Arya
51 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links52 of 73
Letrsquos Encrypt will be released any second now
53 of 73
any second now
54 of 73
aaaaany second now
55 of 73
now
56 of 73
57 of 73
58 of 73
Thank you
59 of 73
So we were saying Letrsquos Encrypt
60 of 73
Features - sounds good
Free Automatic Secure Transparent Open Cooperative
61 of 73
Under the hood
When you run the letsencrypt client a few tasks are performedhttpsletsencryptorghow-it-works Domain Validation (DNS or HTTP)
Provisioning a DNS record under examplecom Provisioning an HTTP resource under a well-known URI on
httpsexamplecom
Certificate Issuance Repeat every 23 months (yes a script would be helpful)
62 of 73
Plugins
httpsletsencryptreadthedocsioenlatestusinghtml apache Automates obtaining and installing a cert with Apache 24on Debian-based distributions
webroot Obtains a cert by writing to the webroot directory of analready running webserver
standalone Uses a ldquostandalonerdquo webserver to obtain a certRequires port 80 or 443 to be available
manual Helps you obtain a cert by giving you instructions toperform domain validation yourself
nginx Very experimental and not included in letsencrypt-auto D
63 of 73
Demo
Demo
64 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links65 of 73
Meet your new best friend (SSL Test)
httpswwwssllabscomssltestindexhtml
66 of 73
HTTP Strict Transport Security (HSTS)
It is an HTTP header sent from the server to the client Such header informs the client that HTTPS is availbale for therequested website
The ldquomax-agerdquo parameters sets the validity of this information (inseconds)
67 of 73
Enable HSTS in NGINX
Enabling HSTS is as simple as adding a common HTTP headerserver
listen 443 ssl
Force HSTSadd_header Strict -Transport -Security max -age =15768000
68 of 73
Perfect Forward Secrecy (PFS)
Letrsquos say someone intercepts and stores all our encryptedcommunications I know who would ever do that (cough)
If the private key is compromiseddeciphered all the previouscommunications could be unencrypted and read
Solution Use a new key for each session Call that key ldquoephimeralrdquo
69 of 73
PFS Pretty please with sugar on top
Just use the right cipherserver
listen 443 ssl
ssl_prefer_server_ciphers onssl_ciphers rsquoECDHE -RSA -AES128 -GCM -SHA256 rsquo
70 of 73
NGINX Links
Getting Started
NGINX PitfallsNGINX Admin GuideNGINX PrimerNGINXTIPSNGINX Doc and Modules ReferenceUnderstanding Nginx Server and Location Block Selection AlgorithmsUnderstanding the Nginx Configuration File Structure andConfiguration Contexts
71 of 73
HTTPS Links
HTTPS
BetterCryptoMozilla Config GeneratorCipherlistWhy You Should Always Use HTTPSHardening NGINX SSLTSL ConfigurationStrong SSL Security on nginx
72 of 73
License
mediaDatiSyncthingslide_nginx2015imagescc-by-sa_iconpng
Questrsquoopera egrave rilasciata sotto la licenza Creative Commons Attribution-Share Alike 40International License Per visualizzare una copia di questa licenza visitarehttpcreativecommonsorglicensesby-sa40 o inviare una lettera a CreativeCommons 444 Castro Street Suite 900 Mountain View California 94041 USA
httpswwwpoulorg
73 of 73
- Introduction
-
- HTTP 101
- NGINX Architecture
- Can I try this at home
-
- Installation and Configuration
-
- Installing on Debian
- Configuration
- PHP-FPM
- Reverse Proxy
-
- Security
-
- SSLTLS and HTTPS
- Lets Encrypt
- HTTPS Hardening
-
- Links
-
Arya
51 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links52 of 73
Letrsquos Encrypt will be released any second now
53 of 73
any second now
54 of 73
aaaaany second now
55 of 73
now
56 of 73
57 of 73
58 of 73
Thank you
59 of 73
So we were saying Letrsquos Encrypt
60 of 73
Features - sounds good
Free Automatic Secure Transparent Open Cooperative
61 of 73
Under the hood
When you run the letsencrypt client a few tasks are performedhttpsletsencryptorghow-it-works Domain Validation (DNS or HTTP)
Provisioning a DNS record under examplecom Provisioning an HTTP resource under a well-known URI on
httpsexamplecom
Certificate Issuance Repeat every 23 months (yes a script would be helpful)
62 of 73
Plugins
httpsletsencryptreadthedocsioenlatestusinghtml apache Automates obtaining and installing a cert with Apache 24on Debian-based distributions
webroot Obtains a cert by writing to the webroot directory of analready running webserver
standalone Uses a ldquostandalonerdquo webserver to obtain a certRequires port 80 or 443 to be available
manual Helps you obtain a cert by giving you instructions toperform domain validation yourself
nginx Very experimental and not included in letsencrypt-auto D
63 of 73
Demo
Demo
64 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links65 of 73
Meet your new best friend (SSL Test)
httpswwwssllabscomssltestindexhtml
66 of 73
HTTP Strict Transport Security (HSTS)
It is an HTTP header sent from the server to the client Such header informs the client that HTTPS is availbale for therequested website
The ldquomax-agerdquo parameters sets the validity of this information (inseconds)
67 of 73
Enable HSTS in NGINX
Enabling HSTS is as simple as adding a common HTTP headerserver
listen 443 ssl
Force HSTSadd_header Strict -Transport -Security max -age =15768000
68 of 73
Perfect Forward Secrecy (PFS)
Letrsquos say someone intercepts and stores all our encryptedcommunications I know who would ever do that (cough)
If the private key is compromiseddeciphered all the previouscommunications could be unencrypted and read
Solution Use a new key for each session Call that key ldquoephimeralrdquo
69 of 73
PFS Pretty please with sugar on top
Just use the right cipherserver
listen 443 ssl
ssl_prefer_server_ciphers onssl_ciphers rsquoECDHE -RSA -AES128 -GCM -SHA256 rsquo
70 of 73
NGINX Links
Getting Started
NGINX PitfallsNGINX Admin GuideNGINX PrimerNGINXTIPSNGINX Doc and Modules ReferenceUnderstanding Nginx Server and Location Block Selection AlgorithmsUnderstanding the Nginx Configuration File Structure andConfiguration Contexts
71 of 73
HTTPS Links
HTTPS
BetterCryptoMozilla Config GeneratorCipherlistWhy You Should Always Use HTTPSHardening NGINX SSLTSL ConfigurationStrong SSL Security on nginx
72 of 73
License
mediaDatiSyncthingslide_nginx2015imagescc-by-sa_iconpng
Questrsquoopera egrave rilasciata sotto la licenza Creative Commons Attribution-Share Alike 40International License Per visualizzare una copia di questa licenza visitarehttpcreativecommonsorglicensesby-sa40 o inviare una lettera a CreativeCommons 444 Castro Street Suite 900 Mountain View California 94041 USA
httpswwwpoulorg
73 of 73
- Introduction
-
- HTTP 101
- NGINX Architecture
- Can I try this at home
-
- Installation and Configuration
-
- Installing on Debian
- Configuration
- PHP-FPM
- Reverse Proxy
-
- Security
-
- SSLTLS and HTTPS
- Lets Encrypt
- HTTPS Hardening
-
- Links
-
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links52 of 73
Letrsquos Encrypt will be released any second now
53 of 73
any second now
54 of 73
aaaaany second now
55 of 73
now
56 of 73
57 of 73
58 of 73
Thank you
59 of 73
So we were saying Letrsquos Encrypt
60 of 73
Features - sounds good
Free Automatic Secure Transparent Open Cooperative
61 of 73
Under the hood
When you run the letsencrypt client a few tasks are performedhttpsletsencryptorghow-it-works Domain Validation (DNS or HTTP)
Provisioning a DNS record under examplecom Provisioning an HTTP resource under a well-known URI on
httpsexamplecom
Certificate Issuance Repeat every 23 months (yes a script would be helpful)
62 of 73
Plugins
httpsletsencryptreadthedocsioenlatestusinghtml apache Automates obtaining and installing a cert with Apache 24on Debian-based distributions
webroot Obtains a cert by writing to the webroot directory of analready running webserver
standalone Uses a ldquostandalonerdquo webserver to obtain a certRequires port 80 or 443 to be available
manual Helps you obtain a cert by giving you instructions toperform domain validation yourself
nginx Very experimental and not included in letsencrypt-auto D
63 of 73
Demo
Demo
64 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links65 of 73
Meet your new best friend (SSL Test)
httpswwwssllabscomssltestindexhtml
66 of 73
HTTP Strict Transport Security (HSTS)
It is an HTTP header sent from the server to the client Such header informs the client that HTTPS is availbale for therequested website
The ldquomax-agerdquo parameters sets the validity of this information (inseconds)
67 of 73
Enable HSTS in NGINX
Enabling HSTS is as simple as adding a common HTTP headerserver
listen 443 ssl
Force HSTSadd_header Strict -Transport -Security max -age =15768000
68 of 73
Perfect Forward Secrecy (PFS)
Letrsquos say someone intercepts and stores all our encryptedcommunications I know who would ever do that (cough)
If the private key is compromiseddeciphered all the previouscommunications could be unencrypted and read
Solution Use a new key for each session Call that key ldquoephimeralrdquo
69 of 73
PFS Pretty please with sugar on top
Just use the right cipherserver
listen 443 ssl
ssl_prefer_server_ciphers onssl_ciphers rsquoECDHE -RSA -AES128 -GCM -SHA256 rsquo
70 of 73
NGINX Links
Getting Started
NGINX PitfallsNGINX Admin GuideNGINX PrimerNGINXTIPSNGINX Doc and Modules ReferenceUnderstanding Nginx Server and Location Block Selection AlgorithmsUnderstanding the Nginx Configuration File Structure andConfiguration Contexts
71 of 73
HTTPS Links
HTTPS
BetterCryptoMozilla Config GeneratorCipherlistWhy You Should Always Use HTTPSHardening NGINX SSLTSL ConfigurationStrong SSL Security on nginx
72 of 73
License
mediaDatiSyncthingslide_nginx2015imagescc-by-sa_iconpng
Questrsquoopera egrave rilasciata sotto la licenza Creative Commons Attribution-Share Alike 40International License Per visualizzare una copia di questa licenza visitarehttpcreativecommonsorglicensesby-sa40 o inviare una lettera a CreativeCommons 444 Castro Street Suite 900 Mountain View California 94041 USA
httpswwwpoulorg
73 of 73
- Introduction
-
- HTTP 101
- NGINX Architecture
- Can I try this at home
-
- Installation and Configuration
-
- Installing on Debian
- Configuration
- PHP-FPM
- Reverse Proxy
-
- Security
-
- SSLTLS and HTTPS
- Lets Encrypt
- HTTPS Hardening
-
- Links
-
Letrsquos Encrypt will be released any second now
53 of 73
any second now
54 of 73
aaaaany second now
55 of 73
now
56 of 73
57 of 73
58 of 73
Thank you
59 of 73
So we were saying Letrsquos Encrypt
60 of 73
Features - sounds good
Free Automatic Secure Transparent Open Cooperative
61 of 73
Under the hood
When you run the letsencrypt client a few tasks are performedhttpsletsencryptorghow-it-works Domain Validation (DNS or HTTP)
Provisioning a DNS record under examplecom Provisioning an HTTP resource under a well-known URI on
httpsexamplecom
Certificate Issuance Repeat every 23 months (yes a script would be helpful)
62 of 73
Plugins
httpsletsencryptreadthedocsioenlatestusinghtml apache Automates obtaining and installing a cert with Apache 24on Debian-based distributions
webroot Obtains a cert by writing to the webroot directory of analready running webserver
standalone Uses a ldquostandalonerdquo webserver to obtain a certRequires port 80 or 443 to be available
manual Helps you obtain a cert by giving you instructions toperform domain validation yourself
nginx Very experimental and not included in letsencrypt-auto D
63 of 73
Demo
Demo
64 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links65 of 73
Meet your new best friend (SSL Test)
httpswwwssllabscomssltestindexhtml
66 of 73
HTTP Strict Transport Security (HSTS)
It is an HTTP header sent from the server to the client Such header informs the client that HTTPS is availbale for therequested website
The ldquomax-agerdquo parameters sets the validity of this information (inseconds)
67 of 73
Enable HSTS in NGINX
Enabling HSTS is as simple as adding a common HTTP headerserver
listen 443 ssl
Force HSTSadd_header Strict -Transport -Security max -age =15768000
68 of 73
Perfect Forward Secrecy (PFS)
Letrsquos say someone intercepts and stores all our encryptedcommunications I know who would ever do that (cough)
If the private key is compromiseddeciphered all the previouscommunications could be unencrypted and read
Solution Use a new key for each session Call that key ldquoephimeralrdquo
69 of 73
PFS Pretty please with sugar on top
Just use the right cipherserver
listen 443 ssl
ssl_prefer_server_ciphers onssl_ciphers rsquoECDHE -RSA -AES128 -GCM -SHA256 rsquo
70 of 73
NGINX Links
Getting Started
NGINX PitfallsNGINX Admin GuideNGINX PrimerNGINXTIPSNGINX Doc and Modules ReferenceUnderstanding Nginx Server and Location Block Selection AlgorithmsUnderstanding the Nginx Configuration File Structure andConfiguration Contexts
71 of 73
HTTPS Links
HTTPS
BetterCryptoMozilla Config GeneratorCipherlistWhy You Should Always Use HTTPSHardening NGINX SSLTSL ConfigurationStrong SSL Security on nginx
72 of 73
License
mediaDatiSyncthingslide_nginx2015imagescc-by-sa_iconpng
Questrsquoopera egrave rilasciata sotto la licenza Creative Commons Attribution-Share Alike 40International License Per visualizzare una copia di questa licenza visitarehttpcreativecommonsorglicensesby-sa40 o inviare una lettera a CreativeCommons 444 Castro Street Suite 900 Mountain View California 94041 USA
httpswwwpoulorg
73 of 73
- Introduction
-
- HTTP 101
- NGINX Architecture
- Can I try this at home
-
- Installation and Configuration
-
- Installing on Debian
- Configuration
- PHP-FPM
- Reverse Proxy
-
- Security
-
- SSLTLS and HTTPS
- Lets Encrypt
- HTTPS Hardening
-
- Links
-
any second now
54 of 73
aaaaany second now
55 of 73
now
56 of 73
57 of 73
58 of 73
Thank you
59 of 73
So we were saying Letrsquos Encrypt
60 of 73
Features - sounds good
Free Automatic Secure Transparent Open Cooperative
61 of 73
Under the hood
When you run the letsencrypt client a few tasks are performedhttpsletsencryptorghow-it-works Domain Validation (DNS or HTTP)
Provisioning a DNS record under examplecom Provisioning an HTTP resource under a well-known URI on
httpsexamplecom
Certificate Issuance Repeat every 23 months (yes a script would be helpful)
62 of 73
Plugins
httpsletsencryptreadthedocsioenlatestusinghtml apache Automates obtaining and installing a cert with Apache 24on Debian-based distributions
webroot Obtains a cert by writing to the webroot directory of analready running webserver
standalone Uses a ldquostandalonerdquo webserver to obtain a certRequires port 80 or 443 to be available
manual Helps you obtain a cert by giving you instructions toperform domain validation yourself
nginx Very experimental and not included in letsencrypt-auto D
63 of 73
Demo
Demo
64 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links65 of 73
Meet your new best friend (SSL Test)
httpswwwssllabscomssltestindexhtml
66 of 73
HTTP Strict Transport Security (HSTS)
It is an HTTP header sent from the server to the client Such header informs the client that HTTPS is availbale for therequested website
The ldquomax-agerdquo parameters sets the validity of this information (inseconds)
67 of 73
Enable HSTS in NGINX
Enabling HSTS is as simple as adding a common HTTP headerserver
listen 443 ssl
Force HSTSadd_header Strict -Transport -Security max -age =15768000
68 of 73
Perfect Forward Secrecy (PFS)
Letrsquos say someone intercepts and stores all our encryptedcommunications I know who would ever do that (cough)
If the private key is compromiseddeciphered all the previouscommunications could be unencrypted and read
Solution Use a new key for each session Call that key ldquoephimeralrdquo
69 of 73
PFS Pretty please with sugar on top
Just use the right cipherserver
listen 443 ssl
ssl_prefer_server_ciphers onssl_ciphers rsquoECDHE -RSA -AES128 -GCM -SHA256 rsquo
70 of 73
NGINX Links
Getting Started
NGINX PitfallsNGINX Admin GuideNGINX PrimerNGINXTIPSNGINX Doc and Modules ReferenceUnderstanding Nginx Server and Location Block Selection AlgorithmsUnderstanding the Nginx Configuration File Structure andConfiguration Contexts
71 of 73
HTTPS Links
HTTPS
BetterCryptoMozilla Config GeneratorCipherlistWhy You Should Always Use HTTPSHardening NGINX SSLTSL ConfigurationStrong SSL Security on nginx
72 of 73
License
mediaDatiSyncthingslide_nginx2015imagescc-by-sa_iconpng
Questrsquoopera egrave rilasciata sotto la licenza Creative Commons Attribution-Share Alike 40International License Per visualizzare una copia di questa licenza visitarehttpcreativecommonsorglicensesby-sa40 o inviare una lettera a CreativeCommons 444 Castro Street Suite 900 Mountain View California 94041 USA
httpswwwpoulorg
73 of 73
- Introduction
-
- HTTP 101
- NGINX Architecture
- Can I try this at home
-
- Installation and Configuration
-
- Installing on Debian
- Configuration
- PHP-FPM
- Reverse Proxy
-
- Security
-
- SSLTLS and HTTPS
- Lets Encrypt
- HTTPS Hardening
-
- Links
-
aaaaany second now
55 of 73
now
56 of 73
57 of 73
58 of 73
Thank you
59 of 73
So we were saying Letrsquos Encrypt
60 of 73
Features - sounds good
Free Automatic Secure Transparent Open Cooperative
61 of 73
Under the hood
When you run the letsencrypt client a few tasks are performedhttpsletsencryptorghow-it-works Domain Validation (DNS or HTTP)
Provisioning a DNS record under examplecom Provisioning an HTTP resource under a well-known URI on
httpsexamplecom
Certificate Issuance Repeat every 23 months (yes a script would be helpful)
62 of 73
Plugins
httpsletsencryptreadthedocsioenlatestusinghtml apache Automates obtaining and installing a cert with Apache 24on Debian-based distributions
webroot Obtains a cert by writing to the webroot directory of analready running webserver
standalone Uses a ldquostandalonerdquo webserver to obtain a certRequires port 80 or 443 to be available
manual Helps you obtain a cert by giving you instructions toperform domain validation yourself
nginx Very experimental and not included in letsencrypt-auto D
63 of 73
Demo
Demo
64 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links65 of 73
Meet your new best friend (SSL Test)
httpswwwssllabscomssltestindexhtml
66 of 73
HTTP Strict Transport Security (HSTS)
It is an HTTP header sent from the server to the client Such header informs the client that HTTPS is availbale for therequested website
The ldquomax-agerdquo parameters sets the validity of this information (inseconds)
67 of 73
Enable HSTS in NGINX
Enabling HSTS is as simple as adding a common HTTP headerserver
listen 443 ssl
Force HSTSadd_header Strict -Transport -Security max -age =15768000
68 of 73
Perfect Forward Secrecy (PFS)
Letrsquos say someone intercepts and stores all our encryptedcommunications I know who would ever do that (cough)
If the private key is compromiseddeciphered all the previouscommunications could be unencrypted and read
Solution Use a new key for each session Call that key ldquoephimeralrdquo
69 of 73
PFS Pretty please with sugar on top
Just use the right cipherserver
listen 443 ssl
ssl_prefer_server_ciphers onssl_ciphers rsquoECDHE -RSA -AES128 -GCM -SHA256 rsquo
70 of 73
NGINX Links
Getting Started
NGINX PitfallsNGINX Admin GuideNGINX PrimerNGINXTIPSNGINX Doc and Modules ReferenceUnderstanding Nginx Server and Location Block Selection AlgorithmsUnderstanding the Nginx Configuration File Structure andConfiguration Contexts
71 of 73
HTTPS Links
HTTPS
BetterCryptoMozilla Config GeneratorCipherlistWhy You Should Always Use HTTPSHardening NGINX SSLTSL ConfigurationStrong SSL Security on nginx
72 of 73
License
mediaDatiSyncthingslide_nginx2015imagescc-by-sa_iconpng
This work is licensed under the Creative Commons Attribution-Share Alike 4.0 International License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/4.0/ or send a letter to Creative Commons, 444 Castro Street, Suite 900, Mountain View, California 94041, USA.
https://www.poul.org
73 of 73
Thank you
59 of 73
So we were saying: Let's Encrypt
60 of 73
Features - sounds good
Free, Automatic, Secure, Transparent, Open, Cooperative
61 of 73
Under the hood
When you run the letsencrypt client a few tasks are performed (https://letsencrypt.org/how-it-works/):
Domain Validation (DNS or HTTP): provisioning a DNS record under example.com, or provisioning an HTTP resource under a well-known URI on https://example.com
Certificate Issuance
Repeat every 2-3 months (yes, a script would be helpful)
62 of 73
Plugins
https://letsencrypt.readthedocs.io/en/latest/using.html
apache: automates obtaining and installing a cert with Apache 2.4 on Debian-based distributions
webroot: obtains a cert by writing to the webroot directory of an already running webserver
standalone: uses a "standalone" webserver to obtain a cert. Requires port 80 or 443 to be available
manual: helps you obtain a cert by giving you instructions to perform domain validation yourself
nginx: very experimental and not included in letsencrypt-auto :D
63 of 73
Demo
64 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links65 of 73
Meet your new best friend (SSL Test)
httpswwwssllabscomssltestindexhtml
66 of 73
HTTP Strict Transport Security (HSTS)
It is an HTTP header sent from the server to the client Such header informs the client that HTTPS is availbale for therequested website
The ldquomax-agerdquo parameters sets the validity of this information (inseconds)
67 of 73
Enable HSTS in NGINX
Enabling HSTS is as simple as adding a common HTTP headerserver
listen 443 ssl
Force HSTSadd_header Strict -Transport -Security max -age =15768000
68 of 73
Perfect Forward Secrecy (PFS)
Letrsquos say someone intercepts and stores all our encryptedcommunications I know who would ever do that (cough)
If the private key is compromiseddeciphered all the previouscommunications could be unencrypted and read
Solution Use a new key for each session Call that key ldquoephimeralrdquo
69 of 73
PFS Pretty please with sugar on top
Just use the right cipherserver
listen 443 ssl
ssl_prefer_server_ciphers onssl_ciphers rsquoECDHE -RSA -AES128 -GCM -SHA256 rsquo
70 of 73
NGINX Links
Getting Started
NGINX PitfallsNGINX Admin GuideNGINX PrimerNGINXTIPSNGINX Doc and Modules ReferenceUnderstanding Nginx Server and Location Block Selection AlgorithmsUnderstanding the Nginx Configuration File Structure andConfiguration Contexts
71 of 73
HTTPS Links
HTTPS
BetterCryptoMozilla Config GeneratorCipherlistWhy You Should Always Use HTTPSHardening NGINX SSLTSL ConfigurationStrong SSL Security on nginx
72 of 73
License
mediaDatiSyncthingslide_nginx2015imagescc-by-sa_iconpng
Questrsquoopera egrave rilasciata sotto la licenza Creative Commons Attribution-Share Alike 40International License Per visualizzare una copia di questa licenza visitarehttpcreativecommonsorglicensesby-sa40 o inviare una lettera a CreativeCommons 444 Castro Street Suite 900 Mountain View California 94041 USA
httpswwwpoulorg
73 of 73
- Introduction
-
- HTTP 101
- NGINX Architecture
- Can I try this at home
-
- Installation and Configuration
-
- Installing on Debian
- Configuration
- PHP-FPM
- Reverse Proxy
-
- Security
-
- SSLTLS and HTTPS
- Lets Encrypt
- HTTPS Hardening
-
- Links
-
57 of 73
58 of 73
Thank you
59 of 73
So we were saying Letrsquos Encrypt
60 of 73
Features - sounds good
Free Automatic Secure Transparent Open Cooperative
61 of 73
Under the hood
When you run the letsencrypt client a few tasks are performedhttpsletsencryptorghow-it-works Domain Validation (DNS or HTTP)
Provisioning a DNS record under examplecom Provisioning an HTTP resource under a well-known URI on
httpsexamplecom
Certificate Issuance Repeat every 23 months (yes a script would be helpful)
62 of 73
Plugins
httpsletsencryptreadthedocsioenlatestusinghtml apache Automates obtaining and installing a cert with Apache 24on Debian-based distributions
webroot Obtains a cert by writing to the webroot directory of analready running webserver
standalone Uses a ldquostandalonerdquo webserver to obtain a certRequires port 80 or 443 to be available
manual Helps you obtain a cert by giving you instructions toperform domain validation yourself
nginx Very experimental and not included in letsencrypt-auto D
63 of 73
Demo
Demo
64 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links65 of 73
Meet your new best friend (SSL Test)
httpswwwssllabscomssltestindexhtml
66 of 73
HTTP Strict Transport Security (HSTS)
It is an HTTP header sent from the server to the client Such header informs the client that HTTPS is availbale for therequested website
The ldquomax-agerdquo parameters sets the validity of this information (inseconds)
67 of 73
Enable HSTS in NGINX
Enabling HSTS is as simple as adding a common HTTP headerserver
listen 443 ssl
Force HSTSadd_header Strict -Transport -Security max -age =15768000
68 of 73
Perfect Forward Secrecy (PFS)
Letrsquos say someone intercepts and stores all our encryptedcommunications I know who would ever do that (cough)
If the private key is compromiseddeciphered all the previouscommunications could be unencrypted and read
Solution Use a new key for each session Call that key ldquoephimeralrdquo
69 of 73
PFS Pretty please with sugar on top
Just use the right cipherserver
listen 443 ssl
ssl_prefer_server_ciphers onssl_ciphers rsquoECDHE -RSA -AES128 -GCM -SHA256 rsquo
70 of 73
NGINX Links
Getting Started
NGINX PitfallsNGINX Admin GuideNGINX PrimerNGINXTIPSNGINX Doc and Modules ReferenceUnderstanding Nginx Server and Location Block Selection AlgorithmsUnderstanding the Nginx Configuration File Structure andConfiguration Contexts
71 of 73
HTTPS Links
HTTPS
BetterCryptoMozilla Config GeneratorCipherlistWhy You Should Always Use HTTPSHardening NGINX SSLTSL ConfigurationStrong SSL Security on nginx
72 of 73
License
mediaDatiSyncthingslide_nginx2015imagescc-by-sa_iconpng
Questrsquoopera egrave rilasciata sotto la licenza Creative Commons Attribution-Share Alike 40International License Per visualizzare una copia di questa licenza visitarehttpcreativecommonsorglicensesby-sa40 o inviare una lettera a CreativeCommons 444 Castro Street Suite 900 Mountain View California 94041 USA
httpswwwpoulorg
73 of 73
- Introduction
-
- HTTP 101
- NGINX Architecture
- Can I try this at home
-
- Installation and Configuration
-
- Installing on Debian
- Configuration
- PHP-FPM
- Reverse Proxy
-
- Security
-
- SSLTLS and HTTPS
- Lets Encrypt
- HTTPS Hardening
-
- Links
-
58 of 73
Thank you
59 of 73
So we were saying Letrsquos Encrypt
60 of 73
Features - sounds good
Free Automatic Secure Transparent Open Cooperative
61 of 73
Under the hood
When you run the letsencrypt client a few tasks are performedhttpsletsencryptorghow-it-works Domain Validation (DNS or HTTP)
Provisioning a DNS record under examplecom Provisioning an HTTP resource under a well-known URI on
httpsexamplecom
Certificate Issuance Repeat every 23 months (yes a script would be helpful)
62 of 73
Plugins
httpsletsencryptreadthedocsioenlatestusinghtml apache Automates obtaining and installing a cert with Apache 24on Debian-based distributions
webroot Obtains a cert by writing to the webroot directory of analready running webserver
standalone Uses a ldquostandalonerdquo webserver to obtain a certRequires port 80 or 443 to be available
manual Helps you obtain a cert by giving you instructions toperform domain validation yourself
nginx Very experimental and not included in letsencrypt-auto D
63 of 73
Demo
Demo
64 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links65 of 73
Meet your new best friend (SSL Test)
httpswwwssllabscomssltestindexhtml
66 of 73
HTTP Strict Transport Security (HSTS)
It is an HTTP header sent from the server to the client Such header informs the client that HTTPS is availbale for therequested website
The ldquomax-agerdquo parameters sets the validity of this information (inseconds)
67 of 73
Enable HSTS in NGINX
Enabling HSTS is as simple as adding a common HTTP headerserver
listen 443 ssl
Force HSTSadd_header Strict -Transport -Security max -age =15768000
68 of 73
Perfect Forward Secrecy (PFS)
Letrsquos say someone intercepts and stores all our encryptedcommunications I know who would ever do that (cough)
If the private key is compromiseddeciphered all the previouscommunications could be unencrypted and read
Solution Use a new key for each session Call that key ldquoephimeralrdquo
69 of 73
PFS Pretty please with sugar on top
Just use the right cipherserver
listen 443 ssl
ssl_prefer_server_ciphers onssl_ciphers rsquoECDHE -RSA -AES128 -GCM -SHA256 rsquo
70 of 73
NGINX Links
Getting Started
NGINX PitfallsNGINX Admin GuideNGINX PrimerNGINXTIPSNGINX Doc and Modules ReferenceUnderstanding Nginx Server and Location Block Selection AlgorithmsUnderstanding the Nginx Configuration File Structure andConfiguration Contexts
71 of 73
HTTPS Links
HTTPS
BetterCryptoMozilla Config GeneratorCipherlistWhy You Should Always Use HTTPSHardening NGINX SSLTSL ConfigurationStrong SSL Security on nginx
72 of 73
License
mediaDatiSyncthingslide_nginx2015imagescc-by-sa_iconpng
Questrsquoopera egrave rilasciata sotto la licenza Creative Commons Attribution-Share Alike 40International License Per visualizzare una copia di questa licenza visitarehttpcreativecommonsorglicensesby-sa40 o inviare una lettera a CreativeCommons 444 Castro Street Suite 900 Mountain View California 94041 USA
httpswwwpoulorg
73 of 73
- Introduction
-
- HTTP 101
- NGINX Architecture
- Can I try this at home
-
- Installation and Configuration
-
- Installing on Debian
- Configuration
- PHP-FPM
- Reverse Proxy
-
- Security
-
- SSLTLS and HTTPS
- Lets Encrypt
- HTTPS Hardening
-
- Links
-
Thank you
59 of 73
So we were saying Letrsquos Encrypt
60 of 73
Features - sounds good
Free Automatic Secure Transparent Open Cooperative
61 of 73
Under the hood
When you run the letsencrypt client a few tasks are performedhttpsletsencryptorghow-it-works Domain Validation (DNS or HTTP)
Provisioning a DNS record under examplecom Provisioning an HTTP resource under a well-known URI on
httpsexamplecom
Certificate Issuance Repeat every 23 months (yes a script would be helpful)
62 of 73
Plugins
httpsletsencryptreadthedocsioenlatestusinghtml apache Automates obtaining and installing a cert with Apache 24on Debian-based distributions
webroot Obtains a cert by writing to the webroot directory of analready running webserver
standalone Uses a ldquostandalonerdquo webserver to obtain a certRequires port 80 or 443 to be available
manual Helps you obtain a cert by giving you instructions toperform domain validation yourself
nginx Very experimental and not included in letsencrypt-auto D
63 of 73
Demo
Demo
64 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links65 of 73
Meet your new best friend (SSL Test)
httpswwwssllabscomssltestindexhtml
66 of 73
HTTP Strict Transport Security (HSTS)
It is an HTTP header sent from the server to the client Such header informs the client that HTTPS is availbale for therequested website
The ldquomax-agerdquo parameters sets the validity of this information (inseconds)
67 of 73
Enable HSTS in NGINX
Enabling HSTS is as simple as adding a common HTTP headerserver
listen 443 ssl
Force HSTSadd_header Strict -Transport -Security max -age =15768000
68 of 73
Perfect Forward Secrecy (PFS)
Letrsquos say someone intercepts and stores all our encryptedcommunications I know who would ever do that (cough)
If the private key is compromiseddeciphered all the previouscommunications could be unencrypted and read
Solution Use a new key for each session Call that key ldquoephimeralrdquo
69 of 73
PFS Pretty please with sugar on top
Just use the right cipherserver
listen 443 ssl
ssl_prefer_server_ciphers onssl_ciphers rsquoECDHE -RSA -AES128 -GCM -SHA256 rsquo
70 of 73
NGINX Links
Getting Started
NGINX PitfallsNGINX Admin GuideNGINX PrimerNGINXTIPSNGINX Doc and Modules ReferenceUnderstanding Nginx Server and Location Block Selection AlgorithmsUnderstanding the Nginx Configuration File Structure andConfiguration Contexts
71 of 73
HTTPS Links
HTTPS
BetterCryptoMozilla Config GeneratorCipherlistWhy You Should Always Use HTTPSHardening NGINX SSLTSL ConfigurationStrong SSL Security on nginx
72 of 73
License
mediaDatiSyncthingslide_nginx2015imagescc-by-sa_iconpng
Questrsquoopera egrave rilasciata sotto la licenza Creative Commons Attribution-Share Alike 40International License Per visualizzare una copia di questa licenza visitarehttpcreativecommonsorglicensesby-sa40 o inviare una lettera a CreativeCommons 444 Castro Street Suite 900 Mountain View California 94041 USA
httpswwwpoulorg
73 of 73
- Introduction
-
- HTTP 101
- NGINX Architecture
- Can I try this at home
-
- Installation and Configuration
-
- Installing on Debian
- Configuration
- PHP-FPM
- Reverse Proxy
-
- Security
-
- SSLTLS and HTTPS
- Lets Encrypt
- HTTPS Hardening
-
- Links
-
So we were saying Letrsquos Encrypt
60 of 73
Features - sounds good
Free Automatic Secure Transparent Open Cooperative
61 of 73
Under the hood
When you run the letsencrypt client a few tasks are performedhttpsletsencryptorghow-it-works Domain Validation (DNS or HTTP)
Provisioning a DNS record under examplecom Provisioning an HTTP resource under a well-known URI on
httpsexamplecom
Certificate Issuance Repeat every 23 months (yes a script would be helpful)
62 of 73
Plugins
httpsletsencryptreadthedocsioenlatestusinghtml apache Automates obtaining and installing a cert with Apache 24on Debian-based distributions
webroot Obtains a cert by writing to the webroot directory of analready running webserver
standalone Uses a ldquostandalonerdquo webserver to obtain a certRequires port 80 or 443 to be available
manual Helps you obtain a cert by giving you instructions toperform domain validation yourself
nginx Very experimental and not included in letsencrypt-auto D
63 of 73
Demo
Demo
64 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links65 of 73
Meet your new best friend (SSL Test)
httpswwwssllabscomssltestindexhtml
66 of 73
HTTP Strict Transport Security (HSTS)
It is an HTTP header sent from the server to the client Such header informs the client that HTTPS is availbale for therequested website
The ldquomax-agerdquo parameters sets the validity of this information (inseconds)
67 of 73
Enable HSTS in NGINX
Enabling HSTS is as simple as adding a common HTTP headerserver
listen 443 ssl
Force HSTSadd_header Strict -Transport -Security max -age =15768000
68 of 73
Perfect Forward Secrecy (PFS)
Letrsquos say someone intercepts and stores all our encryptedcommunications I know who would ever do that (cough)
If the private key is compromiseddeciphered all the previouscommunications could be unencrypted and read
Solution Use a new key for each session Call that key ldquoephimeralrdquo
69 of 73
PFS Pretty please with sugar on top
Just use the right cipherserver
listen 443 ssl
ssl_prefer_server_ciphers onssl_ciphers rsquoECDHE -RSA -AES128 -GCM -SHA256 rsquo
70 of 73
NGINX Links
Getting Started
NGINX PitfallsNGINX Admin GuideNGINX PrimerNGINXTIPSNGINX Doc and Modules ReferenceUnderstanding Nginx Server and Location Block Selection AlgorithmsUnderstanding the Nginx Configuration File Structure andConfiguration Contexts
71 of 73
HTTPS Links
HTTPS
BetterCryptoMozilla Config GeneratorCipherlistWhy You Should Always Use HTTPSHardening NGINX SSLTSL ConfigurationStrong SSL Security on nginx
72 of 73
License
mediaDatiSyncthingslide_nginx2015imagescc-by-sa_iconpng
Questrsquoopera egrave rilasciata sotto la licenza Creative Commons Attribution-Share Alike 40International License Per visualizzare una copia di questa licenza visitarehttpcreativecommonsorglicensesby-sa40 o inviare una lettera a CreativeCommons 444 Castro Street Suite 900 Mountain View California 94041 USA
httpswwwpoulorg
73 of 73
- Introduction
-
- HTTP 101
- NGINX Architecture
- Can I try this at home
-
- Installation and Configuration
-
- Installing on Debian
- Configuration
- PHP-FPM
- Reverse Proxy
-
- Security
-
- SSLTLS and HTTPS
- Lets Encrypt
- HTTPS Hardening
-
- Links
-
Features - sounds good
Free Automatic Secure Transparent Open Cooperative
61 of 73
Under the hood
When you run the letsencrypt client a few tasks are performedhttpsletsencryptorghow-it-works Domain Validation (DNS or HTTP)
Provisioning a DNS record under examplecom Provisioning an HTTP resource under a well-known URI on
httpsexamplecom
Certificate Issuance Repeat every 23 months (yes a script would be helpful)
62 of 73
Plugins
httpsletsencryptreadthedocsioenlatestusinghtml apache Automates obtaining and installing a cert with Apache 24on Debian-based distributions
webroot Obtains a cert by writing to the webroot directory of analready running webserver
standalone Uses a ldquostandalonerdquo webserver to obtain a certRequires port 80 or 443 to be available
manual Helps you obtain a cert by giving you instructions toperform domain validation yourself
nginx Very experimental and not included in letsencrypt-auto D
63 of 73
Demo
Demo
64 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links65 of 73
Meet your new best friend (SSL Test)
httpswwwssllabscomssltestindexhtml
66 of 73
HTTP Strict Transport Security (HSTS)
It is an HTTP header sent from the server to the client Such header informs the client that HTTPS is availbale for therequested website
The ldquomax-agerdquo parameters sets the validity of this information (inseconds)
67 of 73
Enable HSTS in NGINX
Enabling HSTS is as simple as adding a common HTTP headerserver
listen 443 ssl
Force HSTSadd_header Strict -Transport -Security max -age =15768000
68 of 73
Perfect Forward Secrecy (PFS)
Letrsquos say someone intercepts and stores all our encryptedcommunications I know who would ever do that (cough)
If the private key is compromiseddeciphered all the previouscommunications could be unencrypted and read
Solution Use a new key for each session Call that key ldquoephimeralrdquo
69 of 73
PFS Pretty please with sugar on top
Just use the right cipherserver
listen 443 ssl
ssl_prefer_server_ciphers onssl_ciphers rsquoECDHE -RSA -AES128 -GCM -SHA256 rsquo
70 of 73
NGINX Links
Getting Started
NGINX PitfallsNGINX Admin GuideNGINX PrimerNGINXTIPSNGINX Doc and Modules ReferenceUnderstanding Nginx Server and Location Block Selection AlgorithmsUnderstanding the Nginx Configuration File Structure andConfiguration Contexts
71 of 73
HTTPS Links
HTTPS
BetterCryptoMozilla Config GeneratorCipherlistWhy You Should Always Use HTTPSHardening NGINX SSLTSL ConfigurationStrong SSL Security on nginx
72 of 73
License
mediaDatiSyncthingslide_nginx2015imagescc-by-sa_iconpng
Questrsquoopera egrave rilasciata sotto la licenza Creative Commons Attribution-Share Alike 40International License Per visualizzare una copia di questa licenza visitarehttpcreativecommonsorglicensesby-sa40 o inviare una lettera a CreativeCommons 444 Castro Street Suite 900 Mountain View California 94041 USA
httpswwwpoulorg
73 of 73
- Introduction
-
- HTTP 101
- NGINX Architecture
- Can I try this at home
-
- Installation and Configuration
-
- Installing on Debian
- Configuration
- PHP-FPM
- Reverse Proxy
-
- Security
-
- SSLTLS and HTTPS
- Lets Encrypt
- HTTPS Hardening
-
- Links
-
Under the hood
When you run the letsencrypt client a few tasks are performedhttpsletsencryptorghow-it-works Domain Validation (DNS or HTTP)
Provisioning a DNS record under examplecom Provisioning an HTTP resource under a well-known URI on
httpsexamplecom
Certificate Issuance Repeat every 23 months (yes a script would be helpful)
62 of 73
Plugins
httpsletsencryptreadthedocsioenlatestusinghtml apache Automates obtaining and installing a cert with Apache 24on Debian-based distributions
webroot Obtains a cert by writing to the webroot directory of analready running webserver
standalone Uses a ldquostandalonerdquo webserver to obtain a certRequires port 80 or 443 to be available
manual Helps you obtain a cert by giving you instructions toperform domain validation yourself
nginx Very experimental and not included in letsencrypt-auto D
63 of 73
Demo
Demo
64 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links65 of 73
Meet your new best friend (SSL Test)
httpswwwssllabscomssltestindexhtml
66 of 73
HTTP Strict Transport Security (HSTS)
It is an HTTP header sent from the server to the client Such header informs the client that HTTPS is availbale for therequested website
The ldquomax-agerdquo parameters sets the validity of this information (inseconds)
67 of 73
Enable HSTS in NGINX
Enabling HSTS is as simple as adding a common HTTP headerserver
listen 443 ssl
Force HSTSadd_header Strict -Transport -Security max -age =15768000
68 of 73
Perfect Forward Secrecy (PFS)
Letrsquos say someone intercepts and stores all our encryptedcommunications I know who would ever do that (cough)
If the private key is compromiseddeciphered all the previouscommunications could be unencrypted and read
Solution Use a new key for each session Call that key ldquoephimeralrdquo
69 of 73
PFS Pretty please with sugar on top
Just use the right cipherserver
listen 443 ssl
ssl_prefer_server_ciphers onssl_ciphers rsquoECDHE -RSA -AES128 -GCM -SHA256 rsquo
70 of 73
NGINX Links
Getting Started
NGINX PitfallsNGINX Admin GuideNGINX PrimerNGINXTIPSNGINX Doc and Modules ReferenceUnderstanding Nginx Server and Location Block Selection AlgorithmsUnderstanding the Nginx Configuration File Structure andConfiguration Contexts
71 of 73
HTTPS Links
HTTPS
BetterCryptoMozilla Config GeneratorCipherlistWhy You Should Always Use HTTPSHardening NGINX SSLTSL ConfigurationStrong SSL Security on nginx
72 of 73
License
mediaDatiSyncthingslide_nginx2015imagescc-by-sa_iconpng
Questrsquoopera egrave rilasciata sotto la licenza Creative Commons Attribution-Share Alike 40International License Per visualizzare una copia di questa licenza visitarehttpcreativecommonsorglicensesby-sa40 o inviare una lettera a CreativeCommons 444 Castro Street Suite 900 Mountain View California 94041 USA
httpswwwpoulorg
73 of 73
- Introduction
-
- HTTP 101
- NGINX Architecture
- Can I try this at home
-
- Installation and Configuration
-
- Installing on Debian
- Configuration
- PHP-FPM
- Reverse Proxy
-
- Security
-
- SSLTLS and HTTPS
- Lets Encrypt
- HTTPS Hardening
-
- Links
-
Plugins
httpsletsencryptreadthedocsioenlatestusinghtml apache Automates obtaining and installing a cert with Apache 24on Debian-based distributions
webroot Obtains a cert by writing to the webroot directory of analready running webserver
standalone Uses a ldquostandalonerdquo webserver to obtain a certRequires port 80 or 443 to be available
manual Helps you obtain a cert by giving you instructions toperform domain validation yourself
nginx Very experimental and not included in letsencrypt-auto D
63 of 73
Demo
Demo
64 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links65 of 73
Meet your new best friend (SSL Test)
httpswwwssllabscomssltestindexhtml
66 of 73
HTTP Strict Transport Security (HSTS)
It is an HTTP header sent from the server to the client Such header informs the client that HTTPS is availbale for therequested website
The ldquomax-agerdquo parameters sets the validity of this information (inseconds)
67 of 73
Enable HSTS in NGINX
Enabling HSTS is as simple as adding a common HTTP headerserver
listen 443 ssl
Force HSTSadd_header Strict -Transport -Security max -age =15768000
68 of 73
Perfect Forward Secrecy (PFS)
Letrsquos say someone intercepts and stores all our encryptedcommunications I know who would ever do that (cough)
If the private key is compromiseddeciphered all the previouscommunications could be unencrypted and read
Solution Use a new key for each session Call that key ldquoephimeralrdquo
69 of 73
PFS Pretty please with sugar on top
Just use the right cipherserver
listen 443 ssl
ssl_prefer_server_ciphers onssl_ciphers rsquoECDHE -RSA -AES128 -GCM -SHA256 rsquo
70 of 73
NGINX Links
Getting Started
NGINX PitfallsNGINX Admin GuideNGINX PrimerNGINXTIPSNGINX Doc and Modules ReferenceUnderstanding Nginx Server and Location Block Selection AlgorithmsUnderstanding the Nginx Configuration File Structure andConfiguration Contexts
71 of 73
HTTPS Links
HTTPS
BetterCryptoMozilla Config GeneratorCipherlistWhy You Should Always Use HTTPSHardening NGINX SSLTSL ConfigurationStrong SSL Security on nginx
72 of 73
License
mediaDatiSyncthingslide_nginx2015imagescc-by-sa_iconpng
Questrsquoopera egrave rilasciata sotto la licenza Creative Commons Attribution-Share Alike 40International License Per visualizzare una copia di questa licenza visitarehttpcreativecommonsorglicensesby-sa40 o inviare una lettera a CreativeCommons 444 Castro Street Suite 900 Mountain View California 94041 USA
httpswwwpoulorg
73 of 73
- Introduction
-
- HTTP 101
- NGINX Architecture
- Can I try this at home
-
- Installation and Configuration
-
- Installing on Debian
- Configuration
- PHP-FPM
- Reverse Proxy
-
- Security
-
- SSLTLS and HTTPS
- Lets Encrypt
- HTTPS Hardening
-
- Links
-
Demo
Demo
64 of 73
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links65 of 73
Meet your new best friend (SSL Test)
httpswwwssllabscomssltestindexhtml
66 of 73
HTTP Strict Transport Security (HSTS)
It is an HTTP header sent from the server to the client Such header informs the client that HTTPS is availbale for therequested website
The ldquomax-agerdquo parameters sets the validity of this information (inseconds)
67 of 73
Enable HSTS in NGINX
Enabling HSTS is as simple as adding a common HTTP headerserver
listen 443 ssl
Force HSTSadd_header Strict -Transport -Security max -age =15768000
68 of 73
Perfect Forward Secrecy (PFS)
Letrsquos say someone intercepts and stores all our encryptedcommunications I know who would ever do that (cough)
If the private key is compromiseddeciphered all the previouscommunications could be unencrypted and read
Solution Use a new key for each session Call that key ldquoephimeralrdquo
69 of 73
PFS Pretty please with sugar on top
Just use the right cipherserver
listen 443 ssl
ssl_prefer_server_ciphers onssl_ciphers rsquoECDHE -RSA -AES128 -GCM -SHA256 rsquo
70 of 73
NGINX Links
Getting Started
NGINX PitfallsNGINX Admin GuideNGINX PrimerNGINXTIPSNGINX Doc and Modules ReferenceUnderstanding Nginx Server and Location Block Selection AlgorithmsUnderstanding the Nginx Configuration File Structure andConfiguration Contexts
71 of 73
HTTPS Links
HTTPS
BetterCryptoMozilla Config GeneratorCipherlistWhy You Should Always Use HTTPSHardening NGINX SSLTSL ConfigurationStrong SSL Security on nginx
72 of 73
License
mediaDatiSyncthingslide_nginx2015imagescc-by-sa_iconpng
Questrsquoopera egrave rilasciata sotto la licenza Creative Commons Attribution-Share Alike 40International License Per visualizzare una copia di questa licenza visitarehttpcreativecommonsorglicensesby-sa40 o inviare una lettera a CreativeCommons 444 Castro Street Suite 900 Mountain View California 94041 USA
httpswwwpoulorg
73 of 73
- Introduction
-
- HTTP 101
- NGINX Architecture
- Can I try this at home
-
- Installation and Configuration
-
- Installing on Debian
- Configuration
- PHP-FPM
- Reverse Proxy
-
- Security
-
- SSLTLS and HTTPS
- Lets Encrypt
- HTTPS Hardening
-
- Links
-
Outline
IntroductionHTTP 101NGINX ArchitectureCan I try this at home
Installation and ConfigurationInstalling on DebianConfigurationPHP-FPMReverse Proxy
SecuritySSLTLS and HTTPSLetrsquos EncryptHTTPS Hardening
Links65 of 73
Meet your new best friend (SSL Test)
httpswwwssllabscomssltestindexhtml
66 of 73
HTTP Strict Transport Security (HSTS)
It is an HTTP header sent from the server to the client Such header informs the client that HTTPS is availbale for therequested website
The ldquomax-agerdquo parameters sets the validity of this information (inseconds)
67 of 73
Enable HSTS in NGINX
Enabling HSTS is as simple as adding a common HTTP headerserver
listen 443 ssl
Force HSTSadd_header Strict -Transport -Security max -age =15768000
68 of 73
Perfect Forward Secrecy (PFS)
Letrsquos say someone intercepts and stores all our encryptedcommunications I know who would ever do that (cough)
If the private key is compromiseddeciphered all the previouscommunications could be unencrypted and read
Solution Use a new key for each session Call that key ldquoephimeralrdquo
69 of 73
PFS Pretty please with sugar on top
Just use the right cipherserver
listen 443 ssl
ssl_prefer_server_ciphers onssl_ciphers rsquoECDHE -RSA -AES128 -GCM -SHA256 rsquo
70 of 73
NGINX Links
Getting Started
NGINX PitfallsNGINX Admin GuideNGINX PrimerNGINXTIPSNGINX Doc and Modules ReferenceUnderstanding Nginx Server and Location Block Selection AlgorithmsUnderstanding the Nginx Configuration File Structure andConfiguration Contexts
71 of 73
HTTPS Links
HTTPS
BetterCryptoMozilla Config GeneratorCipherlistWhy You Should Always Use HTTPSHardening NGINX SSLTSL ConfigurationStrong SSL Security on nginx
72 of 73
License
mediaDatiSyncthingslide_nginx2015imagescc-by-sa_iconpng
Questrsquoopera egrave rilasciata sotto la licenza Creative Commons Attribution-Share Alike 40International License Per visualizzare una copia di questa licenza visitarehttpcreativecommonsorglicensesby-sa40 o inviare una lettera a CreativeCommons 444 Castro Street Suite 900 Mountain View California 94041 USA
httpswwwpoulorg
73 of 73
- Introduction
-
- HTTP 101
- NGINX Architecture
- Can I try this at home
-
- Installation and Configuration
-
- Installing on Debian
- Configuration
- PHP-FPM
- Reverse Proxy
-
- Security
-
- SSLTLS and HTTPS
- Lets Encrypt
- HTTPS Hardening
-
- Links
-
Meet your new best friend (SSL Test)
httpswwwssllabscomssltestindexhtml
66 of 73
HTTP Strict Transport Security (HSTS)
It is an HTTP header sent from the server to the client Such header informs the client that HTTPS is availbale for therequested website
The ldquomax-agerdquo parameters sets the validity of this information (inseconds)
67 of 73
Enable HSTS in NGINX
Enabling HSTS is as simple as adding a common HTTP headerserver
listen 443 ssl
Force HSTSadd_header Strict -Transport -Security max -age =15768000
68 of 73
Perfect Forward Secrecy (PFS)
Letrsquos say someone intercepts and stores all our encryptedcommunications I know who would ever do that (cough)
If the private key is compromiseddeciphered all the previouscommunications could be unencrypted and read
Solution Use a new key for each session Call that key ldquoephimeralrdquo
69 of 73
PFS? Pretty please, with sugar on top
Just use the right cipher:

server {
    listen 443 ssl;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256';
}
70 of 73
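As an added example (not code from the slides), the following script reads the ssl_ciphers and ssl_prefer_server_ciphers directives out of a server block like the one above and reports any offered suite whose key exchange is not ephemeral, which is what makes a suite forward secret. The helper names and the sample configurations are constructed for this example; it goes a little beyond the slide by also handling OpenSSL list syntax such as "!" exclusions and aliases like HIGH.

```python
# Added example (not from the slides): audit an nginx server block for
# forward-secret cipher suites. The config strings below are constructed.
import re

# OpenSSL suite-name prefixes whose key exchange is ephemeral (EC)DH, so the
# session keys cannot be recovered later from the server's RSA private key.
PFS_PREFIXES = ("ECDHE-", "DHE-")
ALIASES = {"HIGH", "MEDIUM", "LOW", "ALL", "DEFAULT", "COMPLEMENTOFDEFAULT"}


def nginx_directive(config: str, name: str):
    """Value of the last `name` directive in `config` (quotes stripped), or None."""
    found = re.findall(rf"^\s*{re.escape(name)}\s+(.+?)\s*;", config, re.M)
    return found[-1].strip("'\"") if found else None


def classify_ciphers(cipher_list: str):
    """Split an OpenSSL cipher string into (pfs, non_pfs) suite names.

    '!'/'-' entries remove suites and '+' only reorders, so they are skipped,
    as are '@STRENGTH'-style controls and group aliases. TLS 1.3 suites
    (TLS_*) always use an ephemeral key exchange.
    """
    pfs, non_pfs = [], []
    for entry in cipher_list.split(":"):
        entry = entry.strip().lstrip("+")
        if not entry or entry[0] in "!-@" or entry.upper() in ALIASES:
            continue
        (pfs if entry.startswith(PFS_PREFIXES + ("TLS_",)) else non_pfs).append(entry)
    return pfs, non_pfs


def audit_pfs(config: str) -> list:
    """Findings for one server block; [] means every offered suite is PFS
    and the server, not the client, decides the preference order."""
    ciphers = nginx_directive(config, "ssl_ciphers")
    if ciphers is None:
        return ["ssl_ciphers not set: the OpenSSL default list is used"]
    findings = []
    _, non_pfs = classify_ciphers(ciphers)
    if non_pfs:
        findings.append("non-PFS suites offered: " + ", ".join(non_pfs))
    if nginx_directive(config, "ssl_prefer_server_ciphers") != "on":
        findings.append("ssl_prefer_server_ciphers is not on: client order wins")
    return findings


# Constructed samples: the slide's block, and a variant that also offers a
# plain-RSA key exchange suite and leaves the order to the client.
SLIDE = "server {\n listen 443 ssl;\n ssl_prefer_server_ciphers on;\n" \
        " ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256';\n}"
WEAK = "server {\n listen 443 ssl;\n" \
       " ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:!aNULL';\n}"
```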