Home
Help
Search
Login
Register
OPNsense Forum
»
Archive
»
20.1 Legacy Series
»
NGINX Reverse Proxy Ciphers
« previous
next »
Print
Pages: [
1
]
Author
Topic: NGINX Reverse Proxy Ciphers (Read 4526 times)
utahbmxer
Newbie
Posts: 42
Karma: 0
NGINX Reverse Proxy Ciphers
«
on:
May 08, 2020, 06:33:33 pm »
How can we change the ssl-ciphers that get generated in the nginx.conf file? I've poked around and don't see any obvious place. Are these hard coded, do they use the system ones from System: Settings: Administration ??
TIA
Logged
fabian
Hero Member
Posts: 2769
Karma: 200
OPNsense Contributor (Language, VPN, Proxy, etc.)
Re: NGINX Reverse Proxy Ciphers
«
Reply #1 on:
May 08, 2020, 08:33:38 pm »
They are hardcoded to match mostly the Mozilla secure recommendations (I only added camellia as an alternative to AES).
Logged
astuckey
Newbie
Posts: 31
Karma: 1
Re: NGINX Reverse Proxy Ciphers
«
Reply #2 on:
September 02, 2020, 06:16:22 am »
Hmm interesting. Even if I edit the /usr/local/etc/nginx.conf file to remove a few ciphers, they are still present when scanning. I have a requirement to remove the weak ciphers identified by SSLLabs, strange that this wouldn't be an option within the plugin, as ciphers are cracked frequently, and certified organisations have to update the cipher list within a short time.
Logged
astuckey
Newbie
Posts: 31
Karma: 1
Re: NGINX Reverse Proxy Ciphers
«
Reply #3 on:
September 02, 2020, 06:41:35 am »
Looks like the ciphers can be influenced by editing the http.conf / webgui.conf / streams.conf under /usr/local/opnsense/service/templates/OPNsense/Nginx.
Logged
fabian
Hero Member
Posts: 2769
Karma: 200
OPNsense Contributor (Language, VPN, Proxy, etc.)
Re: NGINX Reverse Proxy Ciphers
«
Reply #4 on:
September 02, 2020, 08:00:34 pm »
Can you mention what needs to be removed? I can also copy the Mozilla recommend ciphers again.
Logged
astuckey
Newbie
Posts: 31
Karma: 1
Re: NGINX Reverse Proxy Ciphers
«
Reply #5 on:
September 03, 2020, 04:01:45 am »
I removed the following three ciphers which are considered weak by SSLLabs (near the very end of the ciper list):
ECDHE-RSA-AES256-SHA384
ECDHE-RSA-CAMELLIA256-SHA384
ECDHE-RSA-AES128-SHA256
(effectively due to RSA being involved I guess).
A lookup table between openssl and IANA ciphers:
https://testssl.sh/openssl-iana.mapping.html
Logged
astuckey
Newbie
Posts: 31
Karma: 1
Re: NGINX Reverse Proxy Ciphers
«
Reply #6 on:
September 21, 2020, 09:54:03 am »
My colleage @seandmccarthy has submitted a patch against 20.7 to provide a similar cipher list drop down menu as to the web configuration settings.
Take a look at patch:
https://github.com/opnsense/plugins/commit/a694ac4cb65481df9abf7138c0eb7693a9e36d11
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
Archive
»
20.1 Legacy Series
»
NGINX Reverse Proxy Ciphers