Guide to Nginx + SSL + SPDY

hi list,

i recently had to dig deeper into nginx + ssl-setup and came up with a
short documentation on how to set up and run nginx as SSL-Gateway/Offload,
including SPDY. beside basic configuration this guide covers HSTS-Headers,
Perfect Forward Secrecy (PFS) and the latest and greatest ssl-based attacks
like CRIME, BEAST, and Lucky Thirteen.

Link: http://www.mare-system.de/blog/page/1378546400/

the reason for this 321st guide to nginx+ssl: i did not find any valid
source that covers all aspects, including spdy and hsts, so i made this
collection and will keep it updated.

comments and critics appreciated

regards,

mex

Posted at Nginx Forum:

This is a nice write-up. Thank you.

Does anyone know why SPDY is not enabled for the default builds yet, if
it’s in the “stable branch”? I just tried downloading 1.4.2 (CentOS 6
x64) and it’s not configured.

Thanks,
AJ

On Monday 09 September 2013 17:53:54 AJ Weber wrote:

This is a nice write-up. Thank you.

Does anyone know why SPDY is not enabled for the default builds yet, if
it’s in the “stable branch”? I just tried downloading 1.4.2 (CentOS 6
x64) and it’s not configured.

It requires OpenSSL 1.0.1, while CentOS 6.4 only has 1.0.0.

wbr, Valentin V. Bartenev

On 09/09/2013 03:53 PM, AJ Weber wrote:

This is a nice write-up. Thank you.

Does anyone know why SPDY is not enabled for the default builds yet, if
it’s in the “stable branch”? I just tried downloading 1.4.2 (CentOS 6
x64) and it’s not configured.

My guess is that’s because CentOS 6 does not have the newer openssl
version 1.0.1 which is required for SPDY.

Regards,
Patrick

Ugh. Thanks. I missed that.

-AJ

hi,

thanx everybody for comments.

a guide on how to do nginx + authorization via client certs will be included
in the next version of this document

i'll investigate that gzip-comment, but from what i read so far:
http-compression even in https is ok, while ssl/tls-compression is not; i'll
include any findings and solution, but i'm not finished with that yet.

regards,

mex

Updates:

  • SSL Client Authentication
  • BREACH
  • incorporated suggestions from the list

http://www.mare-system.de/guide-to-nginx-ssl-spdy-hsts/

regards,

mex

On Thursday 12 September 2013 20:24:38 mex wrote:

Updates:

  • SSL Client Authentication
  • BREACH
  • incorporated suggestions from the list

http://www.mare-system.de/guide-to-nginx-ssl-spdy-hsts/

In your section about BREACH requirements:

  • User-Data transferred via GET/POST - parameters

is actually a wrong statement. The right one is:

  • Reflect user-input in HTTP response bodies

(from breachattack.com)

wbr, Valentin V. Bartenev

We had a discussion on this list recently about using gzip in the SSL
block.

On Aug 17 Igor S. wrote:

You have to split the dual mode server section into two server sections
and set "gzip off" in the SSL-enabled one. There is no way to disable gzip
in a dual mode server section, but if you really worry about security in
general the server sections should be different.

Hi Valentin,

In your section about BREACH requirements:

correct(ed)

thanx

mex

Dear Mr. or Ms. mex,

Could you please contact me [email protected] regarding this very
useful guide you have created? I have some specific questions and I
would also like to help out, if I can.

Thanks!

Paul