OPNsense Forum
Messages - psychofaktory

46
German - Deutsch / Re: Settings for read-only access to the web interface
« on: February 21, 2022, 11:40:57 am »
Does anyone here perhaps have such a "read-only" account active and could send me screenshots of the configuration?

47
Web Proxy Filtering and Caching / Re: Various suggestions for improvement of Nginx
« on: February 18, 2022, 10:55:42 am »
You guys make me happy  ;D

48
German - Deutsch / Re: IPv6 and Android
« on: February 18, 2022, 10:53:40 am »
Have you tried unchecking "Prevent release" ("Freigabe verhindern") under Interfaces -> Settings -> IPv6 DHCP?

49
German - Deutsch / Re: Settings for read-only access to the web interface
« on: February 18, 2022, 10:49:06 am »
Hello franco,

Thanks.
I found the option.

However, this message appears when it is activated:
Quote
Rechte: Bitte beachten Sie, dass diese Option nicht alle Bereiche des Systems abdeckt und in einer zukünftigen Version entfernt wird.

Will there be an alternative to it in future versions?

With these permissions alone, however, logging in was not possible.
I then also assigned the user to a group and gave the group the permission "Lobby: Login / Logout / Dashboard".

Logging in was then possible, but the user only had access to the dashboard. All other areas were hidden.
What do I have to set so that the user sees all areas, but read-only?

50
German - Deutsch / Settings for read-only access to the web interface
« on: February 17, 2022, 10:57:44 am »
Hello,

Is there a recommendation on which settings are necessary for a "read-only" account on the web GUI?

51
Web Proxy Filtering and Caching / Re: Various suggestions for improvement of Nginx
« on: February 16, 2022, 07:04:21 pm »
Quote from: Fright on February 16, 2022, 09:35:01 am
that's odd. any chance that the name of the checked host on ssllabs did not match the server name in the config?
No, I tested it with multiple hostnames and servers.
The hostname I tested was always the server where I changed the curves.

Maybe it plays a role that the server I had set as default and from which the curves were taken had a domain name as hostname and the servers where the curves were not taken were subdomains of it.

52
Web Proxy Filtering and Caching / Re: Various suggestions for improvement of Nginx
« on: February 16, 2022, 09:01:27 am »
Quote from: Fright on February 16, 2022, 06:36:15 am
can't confirm. a change in any parameter in the settings of a specific server is immediately reflected in the ssllabs report.
I think I have been able to find out the cause.
I have set a server as "Default". TLS version and ECDH curves are always taken from this one. No matter what is set on other servers.
If I uncheck the "Default Server" the individual settings are active.

Quote from: Fright on February 16, 2022, 06:36:15 am
-dont bind to plain http at all (just leave "HTTP Listen Address" empty).
-(optionally) add separate http server w/o hsts header (and listen :80 only) that redirects http to https
Thank you! That worked perfectly!

Quote from: Fright on February 16, 2022, 06:36:15 am
only asking devs for adding "headers-more" support to the package imho
But didn't Fabian mean the module would be ready to be compiled and usable?

53
Web Proxy Filtering and Caching / Re: Various suggestions for improvement of Nginx
« on: February 15, 2022, 09:47:30 pm »
OK, it seems I was able to find the error with 0-RTT and fix it for me.

The settings for 0-RTT were correct so far. But the set ECDH curves became active only when I enabled them for all web services.
Only for one web service alone it did not work.
Is this a bug?


Now the remaining questions are if the nginx.conf could be restructured in a way that the HSTS policies are not transferred via http, and which parameters should be set so that the server name is not included in the header.

54
Web Proxy Filtering and Caching / Re: Various suggestions for improvement of Nginx
« on: February 15, 2022, 04:40:16 pm »
Yes, that's what I did.
Quote
Test Time: Tue, 15 Feb 2022 15:41:17 UTC
Right after the adjustments

@Fright
Can you send me your config, so I can test it with my web services?

55
Web Proxy Filtering and Caching / Re: Various suggestions for improvement of Nginx
« on: February 15, 2022, 04:29:19 pm »
I don't think cache is here the problem.

I tested this with several tools and browsers. Even some that I had never used before.
The other adjustments, such as the change of the ciphers, were immediately recognized during the next test.

56
Web Proxy Filtering and Caching / Re: Various suggestions for improvement of Nginx
« on: February 15, 2022, 02:31:43 pm »
OK, that's strange.
I have now set the ECDH curves to "X25519:secp521r1:secp384r1:prime256v1", saved the configuration and restarted the nginx service.
However, all test tools still show only "secp521r1:secp384r1" as used.
In the nginx.conf the changes were accepted.

I then changed the TLS ciphers for testing, saved again and restarted the service. This change was recognized by the test tools.
For testing I also deactivated TLSv1.2, so that only TLSv1.3 is active.
This was also applied in the nginx.conf after the change, but the test tools (tls.imirhil.fr, ssllabs.com, sslyze) still reported TLSv1.2 as active.

How can this come about?

57
Web Proxy Filtering and Caching / Re: Various suggestions for improvement of Nginx
« on: February 15, 2022, 01:09:48 pm »
Quote from: Fright on February 15, 2022, 12:26:58 pm
Might be worth checking other settings (TLS ver, ciphers list, ecdh curve)
  • TLS Protocols: TLSv1.2, TLSv1.3
  • TLS ciphers: ECDHE-PSK-CHACHA20-POLY1305:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-PSK-CHACHA20-POLY1305:DHE-PSK-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384
  • ECDH curves: secp521r1:secp384r1

Is there anything wrong?

58
22.1 Legacy Series / Re: IPv6 working properly???
« on: February 15, 2022, 11:56:44 am »
After the upgrade, I basically did not notice any problems with IPv6 for the time being.
My provider has assigned me a fixed /56 prefix. The WAN interface is set to DHCP and the LAN interfaces to track interface with manual configuration.
DHCPv6 is active and works. Additionally, router advertisements (assisted mode) are enabled.
Since the changeover, I noticed that some clients irregularly lost their IPv6 address and the assigned IPv6 DNS server after some time.

I was able to fix the problem by setting the following settings:
  • AdvDefaultLifetime: 9000
  • AdvPreferredLifetime: 7200
  • AdvRDNSSLifetime: 1800
  • AdvDNSSLLifetime: 1800
  • AdvRouteLifetime: 1800

59
Web Proxy Filtering and Caching / Re: Various suggestions for improvement of Nginx
« on: February 15, 2022, 11:47:06 am »
Thanks for your feedback

Quote from: fabian on February 14, 2022, 10:45:01 pm
I don't see that it is forbidden by the RFC: https://datatracker.ietf.org/doc/html/rfc6797

At least, this is how point 7.2 could be understood:
https://datatracker.ietf.org/doc/html/rfc6797#section-7.2
Quote
An HSTS Host MUST NOT include the STS header field in HTTP responses conveyed over non-secure transport.

Quote from: fabian on February 14, 2022, 10:45:01 pm
First of all, the module is actually compiled in and usable.
How can I hide the server name with that module?
If I set "more_clear_headers Server;" in b205a06b-f3ea-4e6c-b68c-8a28f153f19b_post/*.conf, the Global Error Log says: "unknown directive "more_clear_headers" in /usr/local/etc/nginx/b205a06b-f3ea-4e6c-b68c-8a28f153f19b_post/settings.conf:5"

Regarding 0-RTT:
I have Zero-RTT enabled in the HTTP server settings.
The parameters "ssl_early_data on;" and "proxy_set_header Early-Data $ssl_early_data;" are also set in nginx.conf.
However, the feature still does not seem to be active.
At least that's what SSLlabs.com and sslyze say.

60
Web Proxy Filtering and Caching / Various suggestions for improvement of Nginx
« on: February 14, 2022, 08:01:15 pm »
Hello,

After setting up my web services via the nginx plugin as a reverse proxy, I examined them with various test tools.

Hardenize.com states:
"Policy set on plaintext port: HSTS policies must not be transmitted over insecure channels."

I am aware that this does not cause any harm.
But restructuring nginx.conf could eliminate that:
https://codefaq.org/server/how-to-fix-warning-unnecessary-hsts-header-over-http-in-htstpreload-org/

Securityheaders.com states:
"server: This server header seems to advertise the software being run on the server but you can remove or change this value."

This could be changed via the add-on module "nginx-headers-more".
But this module would have to be compiled in:
https://serverfault.com/questions/214242/can-i-hide-all-server-os-info


Would it also be possible to implement HTTP/3, QUIC and CORS header support?
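The split that the thread arrives at (no HSTS header on the plaintext port, a separate :80 server that only redirects, TLS settings kept per server block) as an added example configuration; it is not the OPNsense nginx plugin's generated config nor the poster's, and the hostname, certificate paths and upstream address are placeholders.

```nginx
# Added example, not from the OPNsense plugin. Placeholders: example.com,
# /path/to/*.pem, 127.0.0.1:8080.

# Plaintext listener: redirect only. It sends no Strict-Transport-Security
# header, which is what RFC 6797 section 7.2 requires and what Hardenize
# flags as "Policy set on plaintext port".
server {
    listen 80;
    listen [::]:80;
    server_name example.com;

    # Same host and path over TLS; nothing else is served here.
    return 301 https://$host$request_uri;
}

# TLS listener: HSTS belongs here and only here.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com;

    ssl_certificate     /path/to/fullchain.pem;
    ssl_certificate_key /path/to/privkey.pem;

    # Per-server TLS settings. As observed in the thread, when another
    # server block is marked as the default server, the test tools report
    # that block's protocols and curves, so check which block is default.
    ssl_protocols   TLSv1.2 TLSv1.3;
    ssl_ecdh_curve  X25519:secp521r1:secp384r1:prime256v1;

    # 0-RTT as set in the thread. The Early-Data header lets the backend
    # reject non-idempotent early-data requests (replay risk) with 425.
    ssl_early_data on;
    proxy_set_header Early-Data $ssl_early_data;

    # HSTS only over TLS; "always" also adds it to error responses.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # Hides the nginx version but not the product name in "Server:";
    # dropping the header entirely needs the headers-more module
    # (more_clear_headers), which the plugin build in the thread lacks.
    server_tokens off;

    location / {
        proxy_pass http://127.0.0.1:8080;
    }
}
```

After reloading, a plain HTTP request to port 80 should return a 301 with a Location header and no Strict-Transport-Security header, while the same request over HTTPS carries it.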
