Security Test: Users of Nginx/Apache Reverse Proxy


Are you going to disable SSLv3 from the docker, or is that something we should do?

 

I got a C rating due to the SSLv3 being active.

 

Not sure how to correct this?

This server is vulnerable to the POODLE attack. If possible, disable SSL 3 to mitigate. Grade capped to C.   MORE INFO »
Intermediate certificate has a weak signature. When renewing, ensure you upgrade to an all-SHA2 chain.  MORE INFO »
This server accepts the RC4 cipher, which is weak. Grade capped to B.  MORE INFO »
The server does not support Forward Secrecy with the reference browsers.  MORE INFO »

 

Looking at that second link, it looks like something we do in our Apache config, right?

  • Author

This server is vulnerable to the POODLE attack. If possible, disable SSL 3 to mitigate. Grade capped to C.  MORE INFO »

 

Make sure proxy-config.conf has -SSLv3:

SSLProtocol All -SSLv2 -SSLv3

 

This server accepts the RC4 cipher, which is weak. Grade capped to B.  MORE INFO »

 

Make sure proxy-config.conf has:

 

SSLCipherSuite AES128+EECDH:AES128+EDH

 

 
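The two directives above answer the POODLE and RC4 findings in the scan report, but it is worth being able to check a protocol directive and a cipher string offline before re-running the scan. The following is an added example, not smdion's code or anything from the Unraid docker: it resolves an Apache `SSLProtocol` / nginx `ssl_protocols` value into the enabled protocol set, expands an OpenSSL cipher string with the OpenSSL that Python links against, and flags the weak algorithms and missing forward secrecy that the report complains about. The `APACHE_ALL` set is an assumption about what mod_ssl's `all` keyword expands to on your build; adjust it if yours differs.

```python
import ssl

# Substrings in an OpenSSL suite name that mark algorithms a scanner
# flags as weak. "DES" deliberately also matches the 3DES names
# (e.g. DES-CBC3-SHA); ADH/AECDH are the anonymous, unauthenticated suites.
WEAK_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXP", "ADH", "AECDH")

# What Apache's "all" keyword stands for. Assumption: the mod_ssl 2.4
# expansion, which still includes SSLv3. nginx has no "all" keyword.
APACHE_ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}


def resolve_protocols(value):
    """Resolve an Apache SSLProtocol or nginx ssl_protocols value into the
    set of protocol versions it enables. Handles Apache's +/-/all syntax
    and nginx's plain whitespace-separated list (trailing ';' tolerated)."""
    enabled = set()
    for token in value.rstrip(";").split():
        sign, name = "+", token
        if token[0] in "+-":
            sign, name = token[0], token[1:]
        names = set(APACHE_ALL) if name.lower() == "all" else {name}
        if sign == "+":
            enabled |= names
        else:
            enabled -= names
    return enabled


def expand_cipher_spec(spec):
    """Expand an OpenSSL cipher string (the value of SSLCipherSuite or
    ssl_ciphers) into the TLS 1.2-and-below suite names this machine's
    OpenSSL would actually offer. TLS 1.3 suites (TLS_*) are configured
    separately and are always forward-secret, so they are left out."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:
        return []  # nothing in this OpenSSL build matches the spec
    return [c["name"] for c in ctx.get_ciphers() if not c["name"].startswith("TLS_")]


def classify(suite):
    """Return (forward_secret, weak_markers) for one suite name. Forward
    secrecy here means an ephemeral (EC)DH key exchange, which OpenSSL
    spells ECDHE-/DHE-/EDH- at the front of the name."""
    forward_secret = suite.startswith(("ECDHE-", "DHE-", "EDH-"))
    weak = [m for m in WEAK_MARKERS if m in suite]
    return forward_secret, weak


def audit(protocol_value, cipher_spec):
    """Reproduce the thread's scan findings for a protocol directive and a
    cipher string. Returns a list of findings; empty means none apply."""
    findings = []
    protocols = resolve_protocols(protocol_value)
    if "SSLv2" in protocols:
        findings.append("SSLv2 enabled")
    if "SSLv3" in protocols:
        findings.append("SSLv3 enabled: vulnerable to POODLE")
    suites = expand_cipher_spec(cipher_spec)
    if not suites:
        findings.append("cipher spec matches no suites in this OpenSSL build")
    for s in suites:
        fs, weak = classify(s)
        if weak:
            findings.append(f"weak suite offered: {s} ({', '.join(weak)})")
    if suites and not any(classify(s)[0] for s in suites):
        findings.append("no forward-secret suites offered")
    return findings


if __name__ == "__main__":
    # Constructed "before" config of the kind that earns a C (the poster's
    # original file is not on the page), then smdion's two directives.
    print(audit("All -SSLv2", "DEFAULT:RC4-SHA"))
    print(audit("All -SSLv2 -SSLv3", "AES128+EECDH:AES128+EDH"))
```

Because `expand_cipher_spec` asks the local OpenSSL rather than guessing, a spec that looks fine on paper but matches nothing on your build (for example an RC4-only list on a current OpenSSL) shows up as an empty expansion instead of a silent pass; run it on the same OpenSSL version your proxy links against for the result to mean anything.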

Thanks Smdion.  I'll do that as soon as I get home.

Thanks!  I now have an A rating.

  • 9 months later...

Just implemented my reverse proxy:

 


Thank you smdion for your posts/blog/etc, those were very helpful.

Just did the test, I get an "A". The reason seems to be the intermediate cert.

 

I really doubt that:

 


Look at my Nginx config and see if something can be added to your settings:

 

server {
  server_name example.com;
  listen 443 ssl;

  ### Set Certificates ###
  ssl_certificate /etc/nginx/certs/bundle.crt;
  ssl_certificate_key /etc/nginx/certs/startssl_key.key;

  ### Add Diffie–Hellman key exchange ###
  ssl_dhparam /etc/nginx/certs/dhparam.pem;

  ### Disable SSL by enforcing TLS ###
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

  ### Add some ciphers and reject weaker ones ###
  ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
  ssl_prefer_server_ciphers on;
  ssl_session_cache shared:SSL:10m;
  
  ### Add HTTP Strict Transport Security ###
  add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
  add_header Front-End-Https on;

  ### Other Settings ###
  client_max_body_size 0m;

  location /owncloud/ {
    ### Proxy Pass Info ###
    proxy_pass https://192.168.0.100:8000/; 

    ### Set headers ###
    proxy_set_header Accept-Encoding "";
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    ### Set timeouts ###
    proxy_read_timeout 600s;
    proxy_send_timeout 600s;
    proxy_connect_timeout 600s;
  }

  location /couch/ {
    proxy_pass http://192.168.0.100:5050/couch/;
  }

  location /nzbget/ {
    proxy_pass http://192.168.0.100:6789/;
  }

  location /sonarr/ {
    proxy_pass http://192.168.0.100:8989/sonarr/;
  }
}


I'm using Apache as well and get an A, not an A+.

 

But have been talking to smdion about learning to use nginx, this config is just what I need to get started.  Now off to tell smdion to finish work on the nginx docker container!  ;D

 

Thanks for posting this gfjardim...

  • Author

So after seeing gfjardim get an A+, I got an A+ on Apache. Here is my config:

 


<VirtualHost *:443>
ServerName example.com
ServerAlias example.com
DocumentRoot /config/www/

SSLEngine on
SSLProxyEngine On
RewriteEngine On
ProxyPreserveHost On

Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
SSLHonorCipherOrder on
SSLCertificateFile /config/keys/cert.crt
SSLCertificateKeyFile /config/keys/cert.key
SSLCertificateChainFile /config/keys/sub.class1.server.ca.pem

<Location /plexemail/>
	ProxyPass http://10.10.10.12:8585/
	ProxyPassReverse http://10.10.10.12:8585/
</Location>

<Location /rutorrent/>
	ProxyPass http://10.10.10.12:8089/
	ProxyPassReverse http://10.10.10.12:8089/
</Location>

<Location /sonarr>
	ProxyPass http://10.10.10.12:8989/sonarr
	ProxyPassReverse http://10.10.10.12:8989/sonarr
	AuthUserFile /config/.htpasswd
	AuthType Basic
	AuthName "Sonarr - Proxy"
	Require user admin
</Location>

<Location /nzbget>
	ProxyPass http://10.10.10.12:6789
	ProxyPassReverse http://10.10.10.12:6789
</Location>

<Location /couchpotato>
	ProxyPass http://10.10.10.12:5050/couchpotato
	ProxyPassReverse http://10.10.10.12:5050/couchpotato
</Location>

<Directory />
	Options Indexes FollowSymLinks MultiViews
</Directory>

</VirtualHost>

<VirtualHost *:80>
ServerName example.com
ServerAlias example.com
DocumentRoot /config/www/

Redirect permanent / https://www.example.com/

</VirtualHost>
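Both A+ configs in this thread send `Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"`. The following is an added example, not part of either poster's config: a small parser for that header that applies the RFC 6797 rules (directive names are case-insensitive, so the lower-case `includeSubdomains` above is fine; a directive that appears twice invalidates the header) and then checks the value against the preload-list requirements of a max-age of at least one year plus `includeSubDomains` and `preload`. The one-year minimum is stated from memory of the hstspreload.org rules; verify it against the current submission page.

```python
# Minimum max-age for preload submission (assumption: one year, per the
# hstspreload.org rules as I remember them; check the current page).
PRELOAD_MIN_MAX_AGE = 31536000


def parse_hsts(value):
    """Parse a Strict-Transport-Security field value into {directive: value}.
    RFC 6797: directive names are case-insensitive, and a directive that
    appears more than once makes the whole header invalid."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            raise ValueError(f"directive {name!r} appears more than once")
        # Quoted-string values are allowed; strip the quotes for comparison.
        directives[name] = val.strip().strip('"') if sep else None
    return directives


def check_hsts(value):
    """Return the problems that would keep this header off the preload list.
    An empty list means the value satisfies all three requirements."""
    try:
        d = parse_hsts(value)
    except ValueError as e:
        return [str(e)]
    problems = []
    max_age = d.get("max-age")
    if max_age is None or not max_age.isdigit():
        problems.append("max-age missing or not a number")
    elif int(max_age) < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age {max_age} is below {PRELOAD_MIN_MAX_AGE}")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains missing")
    if "preload" not in d:
        problems.append("preload missing")
    return problems


if __name__ == "__main__":
    # The header value used by the configs in this thread, then a short one.
    print(check_hsts('max-age=63072000; includeSubdomains; preload'))
    print(check_hsts("max-age=300"))
```

One nginx caveat when copying the header into a config like gfjardim's: `add_header` lines are only inherited by a `location` block if that block defines no `add_header` of its own, so a location that adds any header must repeat the HSTS line or the scanner will see it missing on that path. Apache's `Header always set` in the virtual host has no such trap.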


Congrats, that's very nice!!!

Thanks gfjardim and smdion, now I'm getting an A+ too..  ;D

 

Got no excuse to learn nginx now though...  :(


That's not true; we must learn something new every day!

Still at "A" because I always get this message:

 

Intermediate certificate has a weak signature. When renewing, ensure you upgrade to an all-SHA2 chain

 

I don't know how to fix this... anyway, A is better than C I had previously :)

 

*** EDIT ***

 

I found out the reason: I had to re-download a newer sub.class1.server.ca.pem from StartSSL; now I get the A+.
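The "intermediate certificate has a weak signature" warning that held this poster at A is about the signature algorithm on the intermediate (the `sub.class1.server.ca.pem` above), not on the leaf, so the fix was a newer intermediate signed with SHA-2. The following is an added example, not code from the thread or from StartSSL: it walks a PEM bundle, pulls the `signatureAlgorithm` OID out of each DER certificate with a minimal ASN.1 reader (no third-party library), and reports which certificates are SHA-1 or MD5 signed. The sample input at the bottom is constructed: a certificate-shaped DER with a dummy `tbsCertificate`, enough to exercise the parser offline; point the script at your real `bundle.crt` or chain file to audit it.

```python
import base64
import re

# Signature-algorithm OIDs from PKCS #1 and X9.62. The scan warning is
# about SHA-1 (or MD5) signatures anywhere in the chain below the root.
WEAK_SIG = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10040.4.3": "dsaWithSHA1",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}
SHA2_SIG = {
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
    "1.2.840.10045.4.3.4": "ecdsa-with-SHA512",
}


def read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    """Decode DER OID contents to dotted form (first byte packs two arcs)."""
    first = raw[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def signature_algorithm_oid(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    tag, cert, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = read_tlv(cert, 0)        # skip tbsCertificate
    _, sig_alg, _ = read_tlv(cert, pos)  # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    tag, oid, _ = read_tlv(sig_alg, 0)
    if tag != 0x06:
        raise ValueError("expected an OID inside AlgorithmIdentifier")
    return decode_oid(oid)


def audit_chain(pem_text):
    """Return [(index, algorithm name, is_weak)] for each certificate in a PEM bundle."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    out = []
    for i, b64 in enumerate(blocks):
        oid = signature_algorithm_oid(base64.b64decode("".join(b64.split())))
        out.append((i, WEAK_SIG.get(oid) or SHA2_SIG.get(oid, oid), oid in WEAK_SIG))
    return out


# --- Constructed sample input: a certificate-shaped DER, not a real cert ---
def tlv(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)


def constructed_cert_pem(sig_oid):
    """Dummy tbsCertificate (an INTEGER), real AlgorithmIdentifier, dummy signature."""
    tbs = tlv(0x30, tlv(0x02, b"\x01"))
    sig_alg = tlv(0x30, tlv(0x06, encode_oid(sig_oid)) + tlv(0x05, b""))
    der = tlv(0x30, tbs + sig_alg + tlv(0x03, b"\x00" * 9))
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    import sys
    pem = open(sys.argv[1]).read() if len(sys.argv) > 1 else (
        constructed_cert_pem("1.2.840.113549.1.1.11") + constructed_cert_pem("1.2.840.113549.1.1.5"))
    for idx, name, weak in audit_chain(pem):
        print(f"cert {idx}: {name}" + ("  <-- weak, replace this intermediate" if weak else ""))
```

Run it against the bundle your proxy actually serves (leaf first, then intermediates); a SHA-1 self-signed root in the bundle is harmless because clients trust it by identity, not by its signature, but a SHA-1 intermediate is exactly what the scanner is warning about.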
