Various suggestions for improvement of Nginx

Started by psychofaktory, February 14, 2022, 08:01:15 PM

Quote from: Fright on February 16, 2022, 06:36:15 AM
can't confirm. a change in any parameter in the settings of a specific server is immediately reflected in the ssllabs report.
I think I have been able to find out the cause.
I have set a server as "Default". TLS version and ECDH curves are always taken from this one. No matter what is set on other servers.
If I uncheck the "Default Server" the individual settings are active.

Quote from: Fright on February 16, 2022, 06:36:15 AM
-don't bind to plain http at all (just leave "HTTP Listen Address" empty).
-(optionally) add separate http server w/o hsts header (and listen :80 only) that redirects http to https
Thank you! That worked perfectly!

Quote from: Fright on February 16, 2022, 06:36:15 AM
only asking devs for adding "headers-more" support to the package imho
But didn't Fabian mean the module would be ready to be compiled and usable?

Quote
TLS version and ECDH curves are always taken from this one.
that's odd. any chance that the name of the checked host on ssllabs did not match the server name in the config? (and therefore the default site used by nginx)
will try to test this
Quote
Thank you! That worked perfectly!
cool! )
Quote
But didn't Fabian mean the module would be ready to be compiled and usable?
let's hope that @fabian will comment, but I did not notice it as a module or a dynamic module (

Quote from: Fright on February 16, 2022, 09:35:01 AM
that's odd. any chance that the name of the checked host on ssllabs did not match the server name in the config?
No, I tested it with multiple hostnames and servers.
The hostname I tested was always the server where I changed the curves.

Maybe it plays a role that the server I had set as default and from which the curves were taken had a domain name as hostname and the servers where the curves were not taken were subdomains of it.

@psychofaktory
sorry for delay
Quote
TLS version and ECDH curves are always taken from this one
thanks for raising this question. did not pay attention before (use uniform parameters for published services)

it seems that everything is as you noticed, and the explanation for this is the OpenSSL library.
https://mailman.nginx.org/pipermail/nginx/2014-November/045738.html
https://trac.nginx.org/nginx/ticket/676

so the only option imho is to make the server with the least restrictive settings the default server, and further restrict TLS params with the "ssl_ciphers" directive on individual servers (worked for me on test vm)
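The layout described in this thread, as an added illustration that is not part of the thread or of the OPNsense nginx plugin: a plain-HTTP server on :80 that only redirects (Fright's earlier suggestion, no HSTS header there), a default TLS server carrying the least restrictive protocol and curve set, and a stricter virtual host that tightens only "ssl_ciphers". Hostnames, certificate paths and cipher lists are placeholders.

```nginx
# Added example, not from the thread or the OPNsense plugin; names and paths are placeholders.

# Plain-HTTP server: binds :80 only, sends no HSTS header, and just redirects.
server {
    listen 80 default_server;
    server_name example.com api.example.com;   # placeholder names
    return 301 https://$host$request_uri;
}

# Default TLS server. Per the thread (nginx ticket 676), the TLS version and
# ECDH curves negotiated for every name on this address come from this server,
# so it must carry the LEAST restrictive set any of the hosts needs.
server {
    listen 443 ssl default_server;
    server_name example.com;                   # placeholder

    ssl_certificate     /path/to/example.com.crt;   # placeholder
    ssl_certificate_key /path/to/example.com.key;   # placeholder

    ssl_protocols  TLSv1.2 TLSv1.3;
    ssl_ecdh_curve X25519:prime256v1:secp384r1;
    ssl_ciphers    ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;

    add_header Strict-Transport-Security "max-age=63072000" always;
}

# Stricter host on the same IP:port. ssl_protocols / ssl_ecdh_curve set here
# would be ignored in the handshake (taken from the default server above), so
# per-host tightening is done with ssl_ciphers, which the thread reports works.
server {
    listen 443 ssl;
    server_name api.example.com;               # placeholder

    ssl_certificate     /path/to/api.example.com.crt;   # placeholder
    ssl_certificate_key /path/to/api.example.com.key;   # placeholder

    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;

    add_header Strict-Transport-Security "max-age=63072000" always;
}
```

One caveat when checking the result on ssllabs: "ssl_ciphers" governs the TLS 1.2-and-earlier suite list only; the TLS 1.3 suites OpenSSL offers are not affected by it, so a host that must also restrict TLS 1.3 needs the separate Ciphersuites setting (via "ssl_conf_command" in nginx 1.19.4 and later), and the report should be read against the hostname that actually matches the intended server_name.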


@fabian
like a charm, thanks!
hope @franco doesn't mind adding this
will try to fr