This is the 10th day of my participation in Gwen Challenge

Original statement

This article has been reprinted by many websites. I hereby declare that both the original Turing community article and the gold digging article are my own creation, and the other sources are reprinted by others.

preface

HTTP is a plaintext hypertext transfer protocol, which is easy to be intercepted and used by a third party. Therefore, HTTPS adds an SSL layer to HTTP to secure HTTP access and encrypts the content transmitted between the browser and the server.

Basic SSL configuration

Generally, you need to configure the following basic configuration items to use SSL certificates

server {
        listen   80;
		Configure SSL and SPDY for port 443
        listen 443 ssl spdy;
		# SPDY can minimize network latency, improve network speed, and optimize user's network experience. SPDY is not intended as an alternative to HTTP, but rather an enhancement of the HTTP protocol. Features of the new protocol include data stream multiplexing, request prioritization, and HTTP header compression. Google said pages loaded 64 percent faster in lab tests after the introduction of SPDY.
        server_name www.domain.com; Enter the domain name of the binding certificate
        ssl on;# open SSL
        ssl_certificate baidu.crt; # SSL public key
        ssl_certificate_key baidu.key;# SSL private key
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2; Enable only TLS series protocols
        ssl_ciphersECDHE-RSA-AES128-GCM-SHA256:HIGH:! aNULL:! MD5:! RC4:! DHE:! kEDH;SSL suite configuration, which varies by certificate
        location / {
            root   html; # site directory
            indexindex.html index.htm; }}Copy the code

Optimizing the allocation of

If the preceding configuration items are correctly configured, the HTTPS small green lock can be implemented. However, many sites are reluctant to introduce HTTPS, in addition to its cumbersome configuration, and HTTPS configuration will be a small decrease in website access speed, but HTTPS can not optimize the loading speed.

	 Configure SSL cache
ssl_session_cache shared:SSL:20m; The size of the cache pool is set to 20M, which can hold approximately 80,000 sessions
ssl_session_timeout  5m;  # cache time
	 # Enable OCSP to enable the browser to obtain the certificate revocation status faster
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginx/startssl_trust_chain.crt;
Copy the code

HSTS head deployment

HTTP Strict Transport Security (HSTS) : Enables the browser to encrypt the entire domain name space using HTTPS. It has the following advantages:

HSTS can prevent the browser from using invalid certificates (the default policy of the browser is to let the user decide whether to allow or not, and users often choose to continue access because they cannot distinguish between invalid certificates due to configuration problems and attacks, resulting in network attacks)

HSTS can still maintain HTTPS communication for:

The user saved the bookmark of the original site
Insecure cookies
HTTPS stripping attack
Content mix, but comply with CSP (Content Security Policy)

# HSTS deployment
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
Copy the code

A single configuration item is required to implement the HSTS header deployment.

The power of HSTS, in a nutshell, is that it enables the Web server to tell the browser never to use HTTP access and automatically replace all HTTP access to the site with HTTPS access on the browser side.

The problem with that is that most users, including browsers, still use port 80 for their first visit to the site, although port 80, for this visit, is potentially vulnerable.

Fortunately, Google maintains a pre-loaded list for Chrome, which is hard-coded into the Chrome browser. The list has since been adopted by Firefox, Safari, IE 11 and Edge, among other major browsers.

When you meet the following criteria, you can apply to be added to the HSTS preloaded list, which will build your domain name into the new version of the browser, and will use HTTPS instead of 80 when users visit HSTS preloaded list sites.

A valid certificate;
Redirect all HTTP traffic to HTTPS;
Ensure HTTPS is enabled for all subdomains, especially the WWW subdomain;
Output HSTS response header:
- Max-age requires at least 18 weeks (10,886,400 seconds);
- Must specify includeSubdomains parameter;
- The preload parameter must be specified;

Add address to HSTS preloaded list (own access technique):

hstspreload.appspot.com/

It is important to note that unless it’s future has been planned to use HTTPS users, otherwise it is not necessary to join HSTS preload list, because, it difficult to undo after join, you can ask to cancel, but the data to update to the stable version of Chrome also take several versions of iteration, and other browsers is how to deal with the dissolution of the data There are no guarantees.

HPKP head deployment

The trust mechanism of the Internet is entirely dependent on the certificates issued by CA (certificate authority) vendors. Any CA vendor can issue a certificate of any domain name. As a result, attackers can start from CA vendors (for details, see the INTRUSION history of CA vendors). As a result, whitelisting of trusted cas is required. With the advent of public Key pinning technology, you can force you to designate the certificate issuing CA, and only those certificates issued by the same CA for your domain can be used. At present, there are three implementations of this technology, DANE (based on DNSSEC), HTTP public key pinning and TACK (Certificate key Trust Assurance), and HTTP public key pinning is the most used.

First you need to use Shell command to get two valid pin-sha256 based on the existing certificate (need to replace the file name of the command) :

Generated from a known key pair (*.key) :

openssl rsa -in lvtao.net_ssl.key -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64
Copy the code

Generate from a known certificate request file (*.csr) :

openssl req -in lvtao.net.csr -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
Copy the code

Generated from a known certificate (*.crt) :

openssl x509 -in lvtao.net_bundle.crt -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
Copy the code

The HPKP header deployment can be achieved by writing the two keys generated by the certificate, one as the default and one as a backup, into the HPKP header and configuring the maximum expiration time.

HTTP Public Key Pinning (HPKP) is formatted as follows:

Public-Key-Pins: pin-sha256="base64=="; max-age=expireTime [; includeSubdomains][; report-uri="reportURI"]
Copy the code

Examples of actual HPKP configuration:

# HPKP deployment
add_header Public-Key-Pins 'pin-sha256="DbqocEhMLF5ODJNP4WGefWkUwpR3BqKhdCHgjOi0yRs="; pin-sha256="DbqocEhMLF5ODJNP4WGefWkUwpR3BqKhdCHgjOi0yRs="; max-age=2592000; includeSubDomains';
Copy the code

Again, only one configuration item is required to implement the HPKP header deployment.

mo4tech.com (Moment For Technology) is a global community with thousands techies from across the global hang out!Passionate technologists, be it gadget freaks, tech enthusiasts, coders, technopreneurs, or CIOs, you would find them all here.

Under Linux | Nginx HTTPS security deployment best practices

Original statement

preface

Basic SSL configuration

Optimizing the allocation of

HSTS head deployment

HPKP head deployment

Under Linux | Nginx HTTPS security deployment best practices

Original statement

preface

Basic SSL configuration

Optimizing the allocation of

HSTS head deployment

HPKP head deployment

Related Posts

Iqiyi World Conference | Liu Wenfeng: How does technological innovation serve users and artists?

Cheat sheet of penetration test commands for ultra complete Linux machines

693. Alternate binary numbers