January 21, 2015

Hey Everyone, I would recommend putting your domain through these tests: https://www.ssllabs.com/ssltest/analyze.html?d= I doubt we are a large target for anyone, but it's always good to be up to date on security. More info here: https://cipherli.st/
January 21, 2015

Are you going to disable SSLv3 from the docker? Or is that something we should do? I got a C rating due to SSLv3 being active. Not sure how to correct this?

    This server is vulnerable to the POODLE attack. If possible, disable SSL 3 to mitigate. Grade capped to C.
    Intermediate certificate has a weak signature. When renewing, ensure you upgrade to an all-SHA2 chain.
    This server accepts the RC4 cipher, which is weak. Grade capped to B.
    The server does not support Forward Secrecy with the reference browsers.

Looking at that second link, it looks like something we do in our apache config, right?
January 21, 2015 (Author)

> Are you going to disable SSLv3 from the docker? Or is that something we should do? I got a C rating due to SSLv3 being active. Not sure how to correct this?
>
>     Intermediate certificate has a weak signature. When renewing, ensure you upgrade to an all-SHA2 chain.
>     This server accepts the RC4 cipher, which is weak. Grade capped to B.
>     The server does not support Forward Secrecy with the reference browsers.
>
> Looking at that second link, it looks like something we do in our apache config, right?

> This server is vulnerable to the POODLE attack. If possible, disable SSL 3 to mitigate. Grade capped to C.

Make sure proxy-config.conf has -SSLv3:

```apache
SSLProtocol All -SSLv2 -SSLv3
```

> This server accepts the RC4 cipher, which is weak. Grade capped to B.

Make sure proxy-config.conf has:

```apache
SSLCipherSuite AES128+EECDH:AES128+EDH
```
November 11, 2015

Just implemented my reverse proxy: Thank you smdion for your posts/blog/etc, those were very helpful.
November 11, 2015 (Author)

> Just implemented my reverse proxy: Thank you smdion for your posts/blog/etc, those were very helpful.

Blog is a little out of date with my migration to the linuxserver team. Just finished writing the new ones - https://www.linuxserver.io/index.php/overview-apache-reverseproxy-with-docker/. Glad they still helped!
November 11, 2015

> Just did the test, I get an "A". Reason seems to be the intermediate cert.

I really doubt that. Look at my Nginx config and see if something can be added to your settings:

```nginx
server {
    server_name example.com;
    listen 443 ssl;

    ### Set Certificates ###
    ssl_certificate /etc/nginx/certs/bundle.crt;
    ssl_certificate_key /etc/nginx/certs/startssl_key.key;

    ### Add Diffie–Hellman key exchange ###
    ssl_dhparam /etc/nginx/certs/dhparam.pem;

    ### Disable SSL by enforcing TLS ###
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    ### Add some ciphers and reject weaker ones ###
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    ### Add HTTP Strict Transport Security ###
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    add_header Front-End-Https on;

    ### Other Settings ###
    client_max_body_size 0m;

    location /owncloud/ {
        ### Proxy Pass Info ###
        proxy_pass https://192.168.0.100:8000/;

        ### Set headers ###
        proxy_set_header Accept-Encoding "";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        ### Set timeouts ###
        proxy_read_timeout 600s;
        proxy_send_timeout 600s;
        proxy_connect_timeout 600s;
    }

    location /couch/ {
        proxy_pass http://192.168.0.100:5050/couch/;
    }

    location /nzbget/ {
        proxy_pass http://192.168.0.100:6789/;
    }

    location /sonarr/ {
        proxy_pass http://192.168.0.100:8989/sonarr/;
    }
}
```
November 11, 2015

> Just did the test, I get an "A". Reason seems to be the intermediate cert.
>
> I really doubt that. Look at my Nginx config and see if something can be added to your settings:
>
> [snip: nginx config quoted in full from the post above]

I'm using Apache as well and get an A, not A+. But have been talking to smdion about learning to use nginx; this config is just what I need to get started. Now off to tell smdion to finish work on the nginx docker container! Thanks for posting this gfjardim...
November 11, 2015 (Author)

So after seeing gfjardim get an A+, I got an A+ on Apache. Here is my config:

```apache
<VirtualHost *:443>
    ServerName example.com
    ServerAlias example.com
    DocumentRoot /config/www/
    SSLEngine on
    SSLProxyEngine On
    RewriteEngine On
    ProxyPreserveHost On
    Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
    SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
    SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
    SSLHonorCipherOrder on
    SSLCertificateFile /config/keys/cert.crt
    SSLCertificateKeyFile /config/keys/cert.key
    SSLCertificateChainFile /config/keys/sub.class1.server.ca.pem

    <Location /plexemail/>
        ProxyPass http://10.10.10.12:8585/
        ProxyPassReverse http://10.10.10.12:8585/
    </Location>

    <Location /rutorrent/>
        ProxyPass http://10.10.10.12:8089/
        ProxyPassReverse http://10.10.10.12:8089/
    </Location>

    <Location /sonarr>
        ProxyPass http://10.10.10.12:8989/sonarr
        ProxyPassReverse http://10.10.10.12:8989/sonarr
        AuthUserFile /config/.htpasswd
        AuthType Basic
        AuthName "Sonarr - Proxy"
        Require user admin
    </Location>

    <Location /nzbget>
        ProxyPass http://10.10.10.12:6789
        ProxyPassReverse http://10.10.10.12:6789
    </Location>

    <Location /couchpotato>
        ProxyPass http://10.10.10.12:5050/couchpotato
        ProxyPassReverse http://10.10.10.12:5050/couchpotato
    </Location>

    <Directory />
        Options Indexes FollowSymLinks MultiViews
    </Directory>
</VirtualHost>

<VirtualHost *:80>
    ServerName example.com
    ServerAlias example.com
    DocumentRoot /config/www/
    Redirect permanent / https://www.example.com/
</VirtualHost>
```
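The two fixes the author gives in this thread (the `SSLProtocol All -SSLv2 -SSLv3` line earlier and the `SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2` plus `SSLCipherSuite` and HSTS lines in the A+ config above) are easy to get subtly wrong, because mod_ssl's `+`/`-`/bare-token rules and OpenSSL cipher-string expansion are not obvious from the text. The following is an added example, not code from the thread or from the linuxserver.io project: a small Python reviewer that evaluates an `SSLProtocol` value the way mod_ssl does, asks the locally linked OpenSSL (through Python's `ssl` module) which suites a cipher string really enables so RC4 can be checked rather than guessed, and parses the `Strict-Transport-Security` value. The function names, the constructed sample vhost, and the expansion of the `all` shortcut are this example's own assumptions.

```python
"""Added example, not code from the forum thread or from the linuxserver.io
project: a reviewer for the TLS directives in the posted Apache config
(SSLProtocol, SSLCipherSuite, the HSTS header). Function names, the sample
vhost and the meaning of the "all" shortcut are this example's assumptions."""
import re
import ssl

# ASSUMPTION for this example: Apache's "all" shortcut, as documented for
# Apache 2.4 built against OpenSSL 1.0.1+, expands to SSLv3 and TLS 1.0 to 1.2.
ALL_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
KNOWN_PROTOCOLS = ("SSLv2",) + ALL_PROTOCOLS
_BY_LOWER = {p.lower(): p for p in KNOWN_PROTOCOLS}


def enabled_protocols(directive):
    """Evaluate an 'SSLProtocol ...' value the way mod_ssl does: '+tok' adds,
    '-tok' removes, and a token with no prefix replaces the whole set.
    Both 'All -SSLv2 -SSLv3' and '-All +TLSv1 +TLSv1.1 +TLSv1.2' from the
    thread therefore end up TLS-only."""
    enabled = set()
    for token in directive.split():
        action, name = "=", token
        if token[0] in "+-":
            action, name = token[0], token[1:]
        if name.lower() == "all":
            members = set(ALL_PROTOCOLS)
        elif name.lower() in _BY_LOWER:
            members = {_BY_LOWER[name.lower()]}
        else:
            raise ValueError("unknown SSLProtocol token: %r" % token)
        if action == "+":
            enabled |= members
        elif action == "-":
            enabled -= members
        else:
            enabled = members
    return enabled


def enabled_ciphers(cipher_string):
    """Let the linked OpenSSL expand the cipher string (the same library
    Apache and nginx call into) instead of guessing from the text."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers()]


def check_hsts(header_value, min_age=31536000):
    """Parse a Strict-Transport-Security value. RFC 6797 directive names are
    case-insensitive, so 'includeSubdomains' as written in the thread is fine.
    min_age defaults to one year, the age the browser preload list asks for."""
    directives = {}
    for part in header_value.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = value.strip().strip('"')
    max_age = int(directives.get("max-age", "0") or 0)
    return {
        "max_age": max_age,
        "long_enough": max_age >= min_age,
        "include_subdomains": "includesubdomains" in directives,
        "preload": "preload" in directives,
    }


def review_apache(config_text):
    """Pull the three directives out of an Apache vhost and report on them.
    A missing directive is reported as None rather than guessed at."""
    findings = {"protocols": None, "sslv3_enabled": None,
                "rc4_enabled": None, "hsts": None}
    m = re.search(r"^\s*SSLProtocol\s+(.+?)\s*$", config_text, re.M)
    if m:
        protos = enabled_protocols(m.group(1))
        findings["protocols"] = sorted(protos)
        findings["sslv3_enabled"] = "SSLv3" in protos
    m = re.search(r"^\s*SSLCipherSuite\s+(\S+)", config_text, re.M)
    if m:
        findings["rc4_enabled"] = any("RC4" in n for n in enabled_ciphers(m.group(1)))
    m = re.search(r'Strict-Transport-Security\s+"([^"]+)"', config_text)
    if m:
        findings["hsts"] = check_hsts(m.group(1))
    return findings


# Constructed sample vhost carrying the directives from the thread's A+ config.
SAMPLE_VHOST = """
<VirtualHost *:443>
    SSLEngine on
    Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
    SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
    SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
</VirtualHost>
"""

if __name__ == "__main__":
    for key, value in review_apache(SAMPLE_VHOST).items():
        print(key, "=", value)
```

Run it against the vhost text of a container's proxy config to confirm SSLv3 is gone and no RC4 suite survives the cipher string before paying for another SSL Labs scan; `enabled_ciphers` also lists the 3DES suites both posted configs still permit, which is worth reviewing separately since the result depends on which OpenSSL the host links.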
November 11, 2015

> So after seeing gfjardim get an A+, I got an A+ on Apache. Here is my config:

Congrats, that's very nice!!!
November 11, 2015

Thanks gfjardim and smdion, now I'm getting an A+ too. Got no excuse to learn nginx now though...
November 11, 2015

> Thanks gfjardim and smdion, now I'm getting an A+ too. Got no excuse to learn nginx now though...

That's not true; we must learn something new every day!
November 11, 2015

Still at "A" because I always get that message:

    Intermediate certificate has a weak signature. When renewing, ensure you upgrade to an all-SHA2 chain

I don't know how to fix this... Anyway, A is better than the C I had previously.

*** EDIT *** I found out the reason. I had to re-download a newer sub.class1.server.ca.pem from StartSSL; now I get the A+.