Various suggestions for improvement of Nginx

[psychofaktory]

can't confirm. a change in any parameter in the settings of a specific server is immediately reflected in the ssllabs report.

I think I have been able to find out the cause.
I have set a server as "Default". TLS version and ECDH curves are always taken from this one. No matter what is set on other servers.
If I uncheck the "Default Server" the individual settings are active.

-dont bind to plain http at all (just leave "HTTP Listen Address" empty).
-(optionaly) add separate http server w/o hsts header (and listen :80 only) that redirects http to https

Thank you! That worked perfectly!

only asking devs for adding "headers-more" support to the package imho

But didn't Fabian mean the module would be ready to be compiled and usable?

[Fright]

TLS version and ECDH curves are always taken from this one.

that's odd. any chance that the name of the checked host on ssllabs did not match the server name in the config? (and therefore the default site used by nginx)
will try to test this

Thank you! That worked perfectly!

cool! )

But didn't Fabian mean the module would be ready to be compiled and usable?

let's hope that @fabian will comment, but I did not notice it as a module or a dynamic module (

[psychofaktory]

that's odd. any chance that the name of the checked host on ssllabs did not match the server name in the config?

No, I tested it with multiple hostnames and servers.
The hostname I tested was always the server where I changed the curves.

Maybe it plays a role that the server I had set as default and from which the curves were taken had a domain name as hostname and the servers where the curves were not taken were subdomains of it.

[Fright]

@psychofaktory
sorry for delay

TLS version and ECDH curves are always taken from this one

thanks for raising this question. did not pay attention before (use uniform parameters for published services)

it seems that everything is as you noticed. and an explanation for this - OpenSSL library.
https://mailman.nginx.org/pipermail/nginx/2014-November/045738.html
https://trac.nginx.org/nginx/ticket/676

so the only option imho is to make the server with the least restrictive settings the default server, and further restrict TLS params with the "ssl_ciphers" directive on individual servers (worked for me on test vm)

[fabian]

Looks like it is missing:
https://github.com/opnsense/tools/blob/master/config/22.1/make.conf#L99

Should contain this value:
HEADERS_MORE

[Fright]

@fabian
like a charm, thanks!
hope @franco doesn't mind adding this
will try to fr

[franco]

Sure, why not.


Cheers,
Franco

[Fright]

yippee!

[psychofaktory]

You guys make me happy