Open chris001 opened 4 years ago
That sounds reasonable - but what specific Apache changes are needed to get an A+? That test doesn't really say..
virtualmin.com, click here to do so: https://www.ssllabs.com/ssltest/analyze.html?d=virtualmin.com , you'll see, line by line, the reasons why the Virtualmin default config scores only a B. To summarize: lack of a DNS-CAA record, weak ciphers allowed (RC4, and many other weak SSL ciphers, for example), and weak protocols allowed (TLS 1.0 and TLS 1.1, for example).

nginx also must be upgraded; they also score quite poorly, and could score top grade with some tweaks. I'll make a pull request for the nginx default template as soon as I can.

The "Server templates" section is missing "Nginx (SSL and non-SSL) Website", so from where does Virtualmin pull in the template for new Nginx SSL and non-SSL virtual servers?
I've configured my Apache 2 to produce a pragmatic A+ result (not quite 100% on everything, I had to make some concessions on key strength and cipher suite) but I'd be happy to share the config with devs.
@ChristopherW Definitely, please share.
Test results at SSLLabs show the Virtualmin default Apache 2.4 config scores:

* Certificate 100
* Protocol Support 100
* Key exchange 70
* Cipher Strength 90

"This server does not support Forward Secrecy with the reference browsers. Grade capped to B. MORE INFO."
Would be nice to have the following added to the default templates. These get the A+ score on SSLLabs:

Apache 2.x, in file: /etc/apache2/mods-available/ssl.conf

```apache
# Add to end of <IfModule mod_ssl.c> block.
# start A+ grade on SSLLabs.
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM
# Requires Apache 2.4.36 & OpenSSL 1.1.1
SSLProtocol -all +TLSv1.3 +TLSv1.2
SSLOpenSSLConfCmd Curves X25519:secp521r1:secp384r1:prime256v1
# Older versions
# SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
# The Header directives need mod_headers enabled (a2enmod headers)
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(128000)"
# Requires Apache >= 2.4.11
SSLSessionTickets Off
# end A+ grade on SSLLabs.
```
nginx:

```nginx
ssl_protocols TLSv1.3; # Requires nginx >= 1.13.0, else use TLSv1.2
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/dhparam.pem; # openssl dhparam -out /etc/nginx/dhparam.pem 4096
ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx >= 1.3.7
resolver $DNS-IP-1 $DNS-IP-2 valid=300s; # replace with the addresses of your DNS resolvers
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
```
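To check a candidate ssl.conf against the SSL Labs findings quoted above (weak protocols, RC4, forward secrecy, HSTS) before running the online test, here is an added Python linter; it is not Virtualmin's code, and the sample weak config, the simplified SSLProtocol semantics and the 180-day HSTS threshold are assumptions.

```python
import re
# Constructed sample of a permissive config of the kind the thread says scores only a B.
WEAK_CONF = """\
SSLProtocol all -SSLv3
SSLCipherSuite HIGH:MEDIUM:RC4+RSA:!aNULL
"""
# The A+ directives posted above, limited to those this linter inspects.
HARDENED_CONF = """\
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM
SSLProtocol -all +TLSv1.3 +TLSv1.2
SSLHonorCipherOrder On
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
"""
ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}  # what 'all' means in Apache 2.4
WEAK_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}

def parse(conf):
    """Map directive name -> list of argument strings, skipping blank and comment lines."""
    out = {}
    for line in conf.splitlines():
        if (line := line.strip()) and not line.startswith("#"):
            name, _, args = line.partition(" ")
            out.setdefault(name, []).append(args.strip())
    return out

def enabled_protocols(value):
    """Apply SSLProtocol tokens (+name, -name, all) left to right, as mod_ssl does (assumed)."""
    enabled = set()
    for tok in value.split():
        names = ALL if tok.lstrip("+-").lower() == "all" else {tok.lstrip("+-")}
        enabled = enabled - names if tok.startswith("-") else enabled | names
    return enabled

def lint(conf):
    """Return SSL Labs-style findings for an Apache mod_ssl snippet (empty list = clean)."""
    d, findings = parse(conf), []
    weak = enabled_protocols(d.get("SSLProtocol", ["all"])[-1]) & WEAK_PROTOCOLS
    if weak:
        findings.append("weak protocols allowed: " + ", ".join(sorted(weak)))
    ciphers = d.get("SSLCipherSuite", ["DEFAULT"])[-1]  # last directive wins
    if "RC4" in ciphers or ciphers == "DEFAULT":
        findings.append("weak ciphers allowed (RC4 or the OpenSSL default list)")
    if not any(c.startswith(("EECDH", "ECDHE", "EDH", "DHE")) for c in ciphers.split(":")):
        findings.append("no forward-secrecy key exchange preferred (grade capped to B)")
    if d.get("SSLHonorCipherOrder", ["off"])[-1].lower() != "on":
        findings.append("SSLHonorCipherOrder is off, so the client picks the cipher")
    age = re.search(r"max-age=(\d+)", " ".join(h for h in d.get("Header", []) if "Strict-Transport-Security" in h))
    if not age or int(age.group(1)) < 15552000:  # 180 days: assumed A+ threshold for HSTS max-age
        findings.append("no HSTS header with a long max-age (needed for A+)")
    return findings
```

Running lint(WEAK_CONF) reports all five problems, while lint(HARDENED_CONF) returns an empty list.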
Not all of these are appropriate for all systems and all Nginx versions unfortunately, so I would be reluctant to make them the global default.
Best to make use of Virtualmin's existing support for default Apache / Nginx directives.
I think I made Apache score A+ on the tests last year. It must be possible to do it for Nginx in a much simpler way.
Jamie, I think this site will help, have a look.
The Intermediate type of configuration is pretty safe to use.
@iliajie what do you mean by "intermediate type" ?
I mean, it's the type that's used on the linked website.
Configuration
* Modern
- Services with clients that support TLS 1.3 and don't need backward compatibility
* Intermediate
- General-purpose servers with a variety of clients, recommended for almost all systems
* Old
- Compatible with a number of very old clients, and should be used only as a last resort
I think we could consider the Intermediate type of setup for our Nginx default configuration to score an A. It must be safe for 99% of devices.
Good idea! Maybe a selector for the virtual server admin to select Modern, Intermediate, or Old, and a system-global default for virtual servers, defaulting to Intermediate?
Update and add lines to the default Nginx and Apache templates to block well known attacks and improve protocol support, key exchange, and cipher strength, to score an A+ on the SSLlabs test.
Reference: