Guide to Nginx + SSL + SPDY

hi list,

i recently had to dig deeper into nginx + ssl-setup and came up with a
short documentation on how to setup and run nginx as
SSL-Gateway/Offload,
including SPDY. beside basic configuration this guide covers
HSTS-Headers,
Perfect Forward Secrecy(PFS) and the latest and greatest ssl-based
attacks
like
CRIME, BEAST, and Lucky Thirteen.

Link: http://www.mare-system.de/blog/page/1378546400/

the reason for this 321th guide to nginx+ssl: i did not found any valid
source that covers all aspects, including spdy and hsts, so i made this
collection and will keep it updated.

comments and critics appreciated

regards,

mex

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,242672,242672#msg-242672

This is a nice write-up. Thank you.

Does anyone know why SPDY is not enabled for the default builds yet, if
it’s in the “stable branch”? I just tried downloading 1.4.2 (CentOS 6
x64) and it’s not configured.

Thanks,
AJ

On Monday 09 September 2013 17:53:54 AJ Weber wrote:

This is a nice write-up. Thank you.

Does anyone know why SPDY is not enabled for the default builds yet, if
it’s in the “stable branch”? I just tried downloading 1.4.2 (CentOS 6
x64) and it’s not configured.

It requires OpenSSL 1.0.1, while CentOS 6.4 only has 1.0.0.

wbr, Valentin V. Bartenev

On 09/09/2013 03:53 PM, AJ Weber wrote:

This is a nice write-up. Thank you.

Does anyone know why SPDY is not enabled for the default builds yet, if
it’s in the “stable branch”? I just tried downloading 1.4.2 (CentOS 6
x64) and it’s not configured.

My guess is that’s because CentOS 6 does not have the newer openssl
version 1.0.1 which is required for SPDY.

Regards,
Patrick

Ugh. Thanks. I missed that.

-AJ

hi,

thanx everybody for comments.

a guid on howto nginx + authorization via client certs will be included
in
the next version of this document

i’ll investigate that gzip-comment, but from what i read so far:
http-compression even in https is ok, while ssl/tls-compression is not;
i’l
include any findings and solution, but i’m not finished with that yet.

regards,

mex

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,242672,242721#msg-242721

Updates:

  • SSL Client Authentication
  • BREACH
  • incorporated suggestions from the list

http://www.mare-system.de/guide-to-nginx-ssl-spdy-hsts/

regards,

mex

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,242672,242815#msg-242815

On Thursday 12 September 2013 20:24:38 mex wrote:

Updates:

  • SSL Client Authentication
  • BREACH
  • incorporated suggestions from the list

http://www.mare-system.de/guide-to-nginx-ssl-spdy-hsts/

In your section about BREACH requirements:

  • User-Data transfered via GET/POST - parameters

actually wrong statement. The right one is:

  • Reflect user-input in HTTP response bodies

(from breachattack.com)

wbr, Valentin V. Bartenev

We had a discussion on this list recently about using gzip in the SSL
block.

On Aug 17 Igor S. wrote:

You have to split the dual mode server section into two server server sections
and set “gzip off”
SSL-enabled on. There is no way to disable gzip in dual mode server section, but
if you really
worry about security in general the server sections should be different.

Hi Valentin,

In your section about BREACH requirements:

correct(ed)

thanx

mex

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,242672,242818#msg-242818

Dear Mr. or Ms. mex,

Could you please contact me [email protected] regarding this very
useful guide you have created? I have some specific questions and I
would also like to help out, if I can.

Thanks!

Paul

This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.

| Privacy Policy | Terms of Service | Remote Ruby Jobs