andrewjoy.co.uk

Hello

Welcome, not much here at the moment. Will be content soon.

NGINX Security

DNS CAA

You should add a DNS CAA record for each domain or subdomain, naming letsencrypt.org as the permitted issuer; add it at your DNS provider. The provider has to support CAA records. Cloudflare does, though I would not use all the crappy extra features they provide unless you're running a huge website or something; just use the DNS.
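As an added example (not code from the original page), the following Python models how a CA evaluates CAA records under RFC 8659 before issuing a certificate: walk from the requested name towards the root until a CAA RRset is found, then check the issue / issuewild tags and the critical flag. The zone contents are constructed for illustration, and the lookup is simplified (no CNAME following, no live DNS queries).

```python
"""Model of the CAA check a CA performs before issuance (RFC 8659).

Constructed zone data; no DNS lookups are made. The record set for the page's own
domain is made up here to show the different outcomes."""
from dataclasses import dataclass


@dataclass(frozen=True)
class CAARecord:
    flags: int   # bit value 128 is the "issuer critical" flag
    tag: str     # "issue", "issuewild", "iodef", ...
    value: str   # e.g. "letsencrypt.org; validationmethods=dns-01"


# Constructed zone: owner name -> CAA RRset. Records are examples, not the live zone.
ZONE = {
    "andrewjoy.co.uk": (
        CAARecord(0, "issue", "letsencrypt.org"),
        CAARecord(0, "issuewild", ";"),   # empty issuer: no wildcard certificates at all
        CAARecord(0, "iodef", "mailto:hostmaster@andrewjoy.co.uk"),
    ),
    "blog.andrewjoy.co.uk": (
        CAARecord(0, "issue", "letsencrypt.org; validationmethods=dns-01"),
    ),
    "shop.andrewjoy.co.uk": (
        CAARecord(128, "futuretag", "x"),  # critical flag on a tag the CA does not know
    ),
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_rrset(fqdn, zone):
    """Return the first CAA RRset found walking from fqdn up to the root
    (RFC 8659 section 3); None means no CAA records apply to this name."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return None


def issuer_domain(value):
    """The issuer identifier is the text before the first ';' (parameters follow it).
    An empty identifier forbids issuance by every CA."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(fqdn, ca, zone=ZONE, wildcard=False):
    """True if CA `ca` (e.g. 'letsencrypt.org') may issue for fqdn; wildcard=True
    asks about '*.fqdn' instead."""
    rrset = relevant_rrset(fqdn, zone)
    if rrset is None:
        return True  # no CAA anywhere up the tree: issuance is unrestricted
    # A critical record whose tag the CA does not understand forbids issuance outright.
    if any(r.flags & 128 and r.tag.lower() not in KNOWN_TAGS for r in rrset):
        return False
    issue = [r for r in rrset if r.tag.lower() == "issue"]
    issuewild = [r for r in rrset if r.tag.lower() == "issuewild"]
    # Wildcard requests use issuewild when present and fall back to issue otherwise.
    applicable = (issuewild or issue) if wildcard else issue
    if not applicable:
        return True  # RRset exists but nothing constrains this kind of request
    return any(issuer_domain(r.value) == ca.lower() for r in applicable)


if __name__ == "__main__":
    for name, wild in [("www.andrewjoy.co.uk", False), ("andrewjoy.co.uk", True)]:
        print(name, "wildcard" if wild else "", may_issue(name, "letsencrypt.org", wildcard=wild))
```

The walk up the tree is why a single record on the apex covers every subdomain that has no CAA record of its own; a subdomain with its own RRset (blog, shop above) is judged only by that set. A real check also follows CNAMEs and has to cope with DNS failures, which this model leaves out.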

SSL Settings

We want to use only modern encryption for SSL, so we disable TLSv1.0 and 1.1 and also disable any insecure ciphers. This will cause some older browsers or operating systems to throw an error, e.g. Safari 8 and older on iOS and OS X, and Windows Phone 8.1 and older (so the three people who have Windows Phone 8.1 devices are out of luck). We also enable Strict Transport Security and some other things.


ssl_session_cache shared:le_nginx_SSL:1m;
ssl_session_timeout 1440m;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
add_header Strict-Transport-Security "max-age=63072000" always;
ssl_stapling on;
ssl_stapling_verify on;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;

Harden NGINX

We harden NGINX against some basic attacks. We again disable TLSv1.0 and 1.1; we could remove this from the default nginx.conf file as it's already in options-ssl-nginx.conf, but it's doing no harm.

NGINX config

File to edit: /etc/nginx/nginx.conf


ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;

server_tokens off;

add_header X-XSS-Protection "1; mode=block";
add_header X-Frame-Options "SAMEORIGIN";

Site Config

File to edit: /etc/nginx/sites-available/* (your config file)


limit_except GET HEAD POST { deny all; }

listen [::]:443 ssl ipv6only=on http2;
listen 443 ssl http2;
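The SSL settings above and the nginx.conf / site-config hardening in this section are easy to get subtly wrong, so here is an added Python checker (my own example, not the page author's code and not nginx's parser) that audits configuration text for the settings this page applies: legacy protocols in ssl_protocols, server_tokens, the Strict-Transport-Security and X-Frame-Options headers, and limit_except. The parser is a deliberate simplification (it does not follow include directives), and the two sample configs are constructed from the directives on this page. The one check that goes beyond the page is for add_header inheritance: nginx only inherits add_header from the parent level when the current level sets none, so headers split across http{} and server{} silently lose the outer ones.

```python
"""Audit NGINX config text for the hardening settings discussed on this page (added
example with a minimal directive parser; not nginx's parser, not the page author's code)."""
import re

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
MIN_HSTS_AGE = 31536000  # one year; the page uses two (63072000)


def parse_directives(text):
    """Return (context, name, args) tuples; context is the tuple of enclosing block
    names, e.g. ('http', 'server'), so checks can see the level a directive is set at."""
    out, stack, tokens, token, quote, i = [], [], [], "", None, 0
    while i < len(text):
        ch = text[i]
        if quote:                          # inside quotes: ';' and spaces are literal
            if ch == quote:
                quote = None
            else:
                token += ch
        elif ch in "\"'":
            quote = ch
        elif ch == "#" and not token:      # comment runs to end of line
            while i < len(text) and text[i] != "\n":
                i += 1
        elif ch.isspace() or ch in ";{}":
            if token:
                tokens.append(token)
                token = ""
            if ch in ";{}":
                if tokens:
                    out.append((tuple(stack), tokens[0], tokens[1:]))
                if ch == "{":
                    stack.append(tokens[0] if tokens else "?")
                elif ch == "}" and stack:
                    stack.pop()
                tokens = []
        else:
            token += ch
        i += 1
    return out


def audit(text):
    """Return human-readable findings; an empty list means every check passed."""
    findings, by_name = [], {}
    for ctx, name, args in parse_directives(text):
        by_name.setdefault(name, []).append((ctx, args))
    protocols = {p for _, args in by_name.get("ssl_protocols", []) for p in args}
    legacy = protocols & LEGACY_PROTOCOLS
    if not protocols:
        findings.append("ssl_protocols not set; the default depends on the nginx version")
    elif legacy:
        findings.append("ssl_protocols enables legacy protocols: " + ", ".join(sorted(legacy)))
    tokens = by_name.get("server_tokens", [])
    if not tokens or tokens[-1][1] != ["off"]:
        findings.append("server_tokens not off: version disclosed in Server header and error pages")
    headers, levels = {}, set()
    for ctx, args in by_name.get("add_header", []):
        if args:
            headers[args[0].lower()] = " ".join(args[1:])
            levels.add(ctx)
    hsts = headers.get("strict-transport-security")
    age = re.search(r"max-age=(\d+)", hsts or "")
    if hsts is None:
        findings.append("no Strict-Transport-Security header")
    elif not age or int(age.group(1)) < MIN_HSTS_AGE:
        findings.append("Strict-Transport-Security max-age below one year")
    if "x-frame-options" not in headers:
        findings.append("no X-Frame-Options header: site can be framed by other origins")
    # nginx inherits add_header from the parent level only when the current level sets
    # none, so headers split across http{} and server{} silently lose the outer ones.
    if len(levels) > 1:
        findings.append("add_header set at more than one level: inner level replaces inherited headers")
    if not by_name.get("limit_except"):
        findings.append("no limit_except: every HTTP method is accepted")
    return findings


# Constructed sample assembled from the directives on this page, all at one level.
HARDENED = """
http {
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    server_tokens off;
    server {
        listen 443 ssl http2;
        add_header Strict-Transport-Security "max-age=63072000" always;
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Frame-Options "SAMEORIGIN";
        limit_except GET HEAD POST { deny all; }
    }
}
"""

# Constructed weak counterpart: legacy TLS, version banner, short HSTS, headers split.
WEAK = """
http {
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    server_tokens on;  # the default
    add_header X-Frame-Options "SAMEORIGIN";
    server { listen 443 ssl; add_header Strict-Transport-Security "max-age=300"; }
}
"""

if __name__ == "__main__":
    print("hardened:", audit(HARDENED) or "no findings")
    print("weak:", *audit(WEAK), sep="\n  ")
```

To check a real deployment, feed it the text of nginx.conf and the site file together, in the nesting they actually have. If the X-* headers sit in the http block of nginx.conf while the Strict-Transport-Security header comes from a file included inside the server block, the last header check fires; the fix is to put every add_header for a site at the same level, and ssllabs.com or a curl -I against the live site confirms which headers actually arrive.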

Testing

SSL config: ssllabs.com! (you should get an A+)
HTTP/2: tools.keycdn.com
HTTP Markup: validator.w3.org

Thanks

For ciphers: fr921.wordpress.com
Nginx Security: linuxtechi.com
SSL Config: ssl-config.mozilla.org

Email Server Settings

Below is the config for my email server, as a reminder to myself. To add a new user:


useradd -G mail -m $username

Set a password:


passwd $username

SERVER: mail.andrewjoy.co.uk
IN: 993 SSL/TLS
OUT: STARTTLS 587
USER: the user's unix username