virtualmin / virtualmin-gpl

Virtualmin web hosting control panel for Webmin
https://www.virtualmin.com
GNU General Public License v3.0

Update default Nginx and Apache http server template to score A+ on security test (PCI HIPAA GDPR anti-hacking) #134

Open chris001 opened 4 years ago

chris001 commented 4 years ago

Update and add lines to the default Nginx and Apache templates to block well known attacks and improve protocol support, key exchange, and cipher strength, to score an A+ on the SSLlabs test.

Reference:

  1. https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide
  2. https://www.ssllabs.com/ssltest/analyze.html?d=virtualmin.com
jcameron commented 4 years ago

That sounds reasonable - but what specific Apache changes are needed to get an A+? That test doesn't really say.

chris001 commented 4 years ago

> That sounds reasonable - but what specific Apache changes are needed to get an A+? That test doesn't really say.

chris001 commented 4 years ago

  1. CAA DNS record generator: https://sslmate.com/labs/caa/
  2. List of CA domains, to use in a dropdown: https://ccadb-public.secure.force.com/mozillacommunications/CACommResponsesOnlyReport?CommunicationId=a05o000003WrzBC&QuestionId=Q00023

chris001 commented 4 years ago

The "Server templates" section is missing "Nginx (SSL and non-SSL) Website", so where does Virtualmin pull in the template for new Nginx SSL and non-SSL virtual servers from?

[screenshot: virtualmin server template missing nginx SSL website]

ChristopherW commented 4 years ago

I've configured my Apache 2 to produce a pragmatic A+ result (not quite 100% on everything, I had to make some concessions on key strength and cipher suite) but I'd be happy to share the config with devs.

chris001 commented 4 years ago

@ChristopherW Definitely, please share.

chris001 commented 2 years ago

Test results at SSLLabs show that the Virtualmin default Apache 2.4 config scores: Certificate 100, Protocol Support 100, Key Exchange 70, Cipher Strength 90. "This server does not support Forward Secrecy with the reference browsers. Grade capped to B."

chris001 commented 2 years ago

Would be nice to have the following added to default templates. These get the A+ score on SSLLabs:

Apache 2.x, in file: /etc/apache2/mods-available/ssl.conf

# Add to the end of the <IfModule mod_ssl.c> block.

# start A+ grade on SSLLabs.
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM
# Requires Apache 2.4.36 & OpenSSL 1.1.1
SSLProtocol -all +TLSv1.3 +TLSv1.2
SSLOpenSSLConfCmd Curves X25519:secp521r1:secp384r1:prime256v1
# Older versions
# SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
# The Header directives require mod_headers to be enabled
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(128000)"
# Requires Apache >= 2.4.11
SSLSessionTickets Off
# end A+ grade on SSLLabs.

nginx:

ssl_protocols TLSv1.3; # Requires nginx >= 1.13.0, else use TLSv1.2
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/dhparam.pem; # openssl dhparam -out /etc/nginx/dhparam.pem 4096
ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx >= 1.3.7
resolver $DNS-IP-1 $DNS-IP-2 valid=300s; # placeholder: your DNS resolver IPs, needed for OCSP stapling
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
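A static check for the Apache directives posted above, written as an added example (not Virtualmin's code or the commenter's): it parses a config snippet and reports the settings SSLLabs penalises, including the missing forward-secret key exchange behind the "Grade capped to B" result. Both config samples are constructed inline from the directives in this thread; the hypothetical deny-list sample (`SSLProtocol all -SSLv2 -SSLv3`) shows what an older default looks like to the check.

```python
import re
# Constructed sample: the Apache directives from the comment above, trimmed to those checked.
APACHE_SAMPLE = """
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM
SSLProtocol -all +TLSv1.3 +TLSv1.2
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
SSLCompression off
SSLSessionTickets Off
"""
# Constructed sample: a deny-list style config that still leaves TLS 1.0/1.1 and non-PFS ciphers on.
WEAK_SAMPLE = """
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:!aNULL
Header always set Strict-Transport-Security "max-age=3600"
"""
DEPRECATED = ("sslv2", "sslv3", "tlsv1", "tlsv1.1")
MIN_HSTS_AGE = 31536000  # one year, the floor for HSTS preload submission

def parse_directives(text):
    """Map lower-cased directive name -> list of argument strings, skipping blank/comment lines."""
    out = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, _, args = line.partition(" ")
            out.setdefault(name.lower(), []).append(args.strip())
    return out

def check_apache_tls(text):
    """Return a list of findings; an empty list means every check passed."""
    d, findings = parse_directives(text), []
    tokens = " ".join(d.get("sslprotocol", [])).lower().split()
    if "-all" in tokens:   # allow-list style: only explicitly added versions are enabled
        bad = [p for p in DEPRECATED if f"+{p}" in tokens]
    else:                  # deny-list style: anything not explicitly removed stays enabled
        bad = [p for p in DEPRECATED if f"-{p}" not in tokens]
    if bad:
        findings.append("SSLProtocol leaves enabled: " + ", ".join(bad))
    ciphers = " ".join(d.get("sslciphersuite", []))
    if not any(k in ciphers for k in ("ECDHE", "EECDH", "DHE", "EDH")):
        findings.append("SSLCipherSuite does not require forward-secret key exchange (grade capped at B)")
    hsts = [a for a in d.get("header", []) if "strict-transport-security" in a.lower()]
    age = re.search(r"max-age=(\d+)", hsts[0]) if hsts else None
    if not age or int(age.group(1)) < MIN_HSTS_AGE:
        findings.append("HSTS header missing or max-age below one year")
    if d.get("sslsessiontickets", ["on"])[0].lower() != "off":
        findings.append("SSLSessionTickets not off: ticket keys are not rotated, weakening forward secrecy")
    if d.get("sslcompression", ["off"])[0].lower() != "off":
        findings.append("SSLCompression on (CRIME)")
    return findings
```

Run `check_apache_tls` over the Virtualmin template's generated ssl.conf before and after applying the snippet to confirm the change closes each finding.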
jcameron commented 2 years ago

Not all of these are appropriate for all systems and all Nginx versions unfortunately, so I would be reluctant to make them the global default.

Best to make use of Virtualmin's existing support for default Apache / Nginx directives.

iliajie commented 2 years ago

I think I got Apache to score A+ on the tests last year. It must be possible to do it for Nginx in a much simpler way.

Jamie, I think this site will help, have a look.

https://ssl-config.mozilla.org/

iliajie commented 2 years ago

The Intermediate type of configuration is pretty safe to use.

jcameron commented 2 years ago

@iliajie what do you mean by "intermediate type" ?

iliajie commented 2 years ago

I mean, it's the type that's used on the linked website.

Configuration
 * Modern
   - Services with clients that support TLS 1.3 and don't need backward compatibility
 * Intermediate
   - General-purpose servers with a variety of clients, recommended for almost all systems
 * Old
   - Compatible with a number of very old clients, and should be used only as a last resort

iliajie commented 2 years ago

I think we could consider the Intermediate type of setup for our Nginx default configuration to score A. It must be safe for 99% of devices.

chris001 commented 2 years ago

Good idea! Maybe a selector, for virtual server admin to select Modern, Intermediate, or Old. And select system global Default for virtual servers, default Intermediate?