andrewjoy.co.uk
Hello
Welcome, not much here at the moment. Will be content soon.
NGINX Security
DNS CAA
You should add a DNS CAA record for each domain or subdomain, authorising letsencrypt.org; add this at your DNS provider. The provider has to support CAA records. Cloudflare does, though I would not use all the crappy features they provide unless you're running a huge website or something; just use the DNS.
SSL Settings
We want to use only modern encryption for SSL, so we disable TLSv1.0 and 1.1 and also disable any insecure ciphers. This will cause some older browsers or operating systems to throw an error, e.g. Safari 8 and older on iOS and OS X, and Windows Phone 8.1 and older (so the three people who have Windows Phone 8.1 devices are out of luck). We also enable Strict Transport Security and some other things.
# Session resumption cache shared across workers (1m holds roughly 4000 sessions)
ssl_session_cache shared:le_nginx_SSL:1m;
ssl_session_timeout 1440m;
# Only TLS 1.2 and 1.3; TLSv1.0 and 1.1 are not offered at all
ssl_protocols TLSv1.2 TLSv1.3;
# Let the client choose from the (already strong) list below
ssl_prefer_server_ciphers off;
# HSTS for two years; "always" sends it on error responses as well
# (note: add_header is not inherited into a block that sets its own add_header)
add_header Strict-Transport-Security "max-age=63072000" always;
# OCSP stapling, and verify the stapled response before sending it
ssl_stapling on;
ssl_stapling_verify on;
# Forward-secret AEAD suites only (ECDHE/DHE with AES-GCM or ChaCha20-Poly1305)
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
Harden NGINX
We harden NGINX against some basic attacks. We again disable TLSv1.0 and 1.1; we could remove this from the default nginx.conf file, as it is already in options-ssl-nginx.conf, but it is doing no harm.
NGINX config
File to edit /etc/nginx/nginx.conf
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
# Hide the nginx version from the Server header and error pages
server_tokens off;
# Legacy header; current browsers ignore it, but it does no harm here
add_header X-XSS-Protection "1; mode=block";
# Only allow this site to be framed by itself (clickjacking)
add_header X-Frame-Options "SAMEORIGIN";
Site Config
File to edit /etc/nginx/sites-available/* (your config file)
# Must sit inside a location block; rejects every method except these three
limit_except GET HEAD POST { deny all; }
# Serve HTTPS with HTTP/2 on both IPv6 and IPv4
listen [::]:443 ssl ipv6only=on http2;
listen 443 ssl http2;
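To check a config file against the points above before running the online tests, here is an added Python audit script (not from these notes): it parses the directives and flags legacy protocols, a leaked version string, a weak or missing HSTS header, missing OCSP stapling and any cipher entry that is not a forward-secret AEAD suite. The one-year HSTS minimum is an assumption, and both sample configs are constructed for the example.

```python
import re
import shlex
# Constructed sample: the hardened directives from the notes above.
HARDENED = """
ssl_protocols TLSv1.2 TLSv1.3;
server_tokens off;
add_header Strict-Transport-Security "max-age=63072000" always;
ssl_stapling on;
ssl_stapling_verify on;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
"""
# Constructed weak sample, to show what the checks flag.
WEAK = """
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;  # legacy clients still allowed
server_tokens on;
ssl_ciphers HIGH:!aNULL:AES128-SHA;
add_header Strict-Transport-Security "max-age=300";
"""
MIN_HSTS_AGE = 31536000  # one year; assumed threshold, not stated in the notes
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Forward secrecy (ECDHE/DHE) with an AEAD cipher (AES-GCM or ChaCha20-Poly1305).
GOOD_CIPHER = re.compile(r"^(ECDHE|DHE)-(ECDSA|RSA)-(AES(128|256)-GCM-SHA(256|384)|CHACHA20-POLY1305)$")
def directives(text):  # yields (name, args) per statement; comments and braces dropped
    body = " ".join(line.split("#", 1)[0] for line in text.splitlines())
    for stmt in body.replace("{", ";").replace("}", ";").split(";"):
        parts = shlex.split(stmt)  # honours the quotes around header values
        if parts:
            yield parts[0], parts[1:]
def audit(text):  # returns a list of findings; an empty list means every check passed
    found = {}
    for name, args in directives(text):
        found.setdefault(name, []).append(args)
    findings = []
    for args in found.get("ssl_protocols", []):
        findings += [f"ssl_protocols enables {p}" for p in sorted(LEGACY_PROTOCOLS & set(args))]
    for d, want in (("server_tokens", "off"), ("ssl_stapling", "on"), ("ssl_stapling_verify", "on")):
        if any(a != [want] for a in found.get(d, [[]])):
            findings.append(f"{d} is not {want}")
    hsts = [a for a in found.get("add_header", []) if a and a[0].lower() == "strict-transport-security"]
    if not hsts:
        findings.append("no Strict-Transport-Security header")
    for args in hsts:
        m = re.search(r"max-age=(\d+)", " ".join(args[1:]))
        if not m or int(m.group(1)) < MIN_HSTS_AGE:
            findings.append("HSTS max-age below one year")
        if "always" not in args:  # without it nginx omits the header on 4xx/5xx responses
            findings.append("HSTS header lacks 'always'")
    for args in found.get("ssl_ciphers", []):
        findings += [f"cipher entry {c!r} is not an ECDHE/DHE AEAD suite" for c in ":".join(args).split(":") if not GOOD_CIPHER.match(c)]
    return findings
```

Run `audit(open("/etc/nginx/nginx.conf").read())` against your real files; the checks only cover the directives discussed in these notes, so an empty result is not a substitute for the ssllabs.com scan below.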
Testing
SSL config: ssllabs.com! (you should get an A+)
HTTP/2: tools.keycdn.com
HTTP Markup: validator.w3.org
Thanks
For ciphers: fr921.wordpress.com
Nginx Security: linuxtechi.com
SSL Config: ssl-config.mozilla.org
Email Server Settings
Below is the config for my email server as a reminder to myself. To add a new user:
useradd -G mail -m $username
set a password
passwd $username
SERVER: mail.andrewjoy.co.uk
IN: 993 SSL/TLS
OUT: STARTTLS 587
USER: the user's unix username