SlideShare a Scribd company logo

NGINX + HTTPS 101: The basics & getting started

Nick Sullivan
Nick Sullivan

NGINX is a multi-faceted tool, and if you’re just getting your feet wet--or need a buffer--you’ll want to check this presentation out first. One popular use for NGINX is as a HTTPS reverse proxy--enabling services to support encrypted protocols that don’t normally do so. Why should you be an expert on this? Putting NGINX in front of HTTP-based websites and services allows them to be fully HTTPS compliant, taking advantage of NGINX’s state-of-the-art encryption technology. This session will start by introducing the basics of HTTPS and web encryption. Attendees will learn how to get a proper HTTPS certificate from a certificate authority (“CA”) for browser-facing services, and an internal CA for internal services. The session will also cover the ngx_http_ssl_module, and what it takes to configure it to the industry standard. This is your spark notes session for getting that A+ in security.

Technology
1 of 54
Download to read offline
NGINX + HTTPS 101 The Basics & Getting Started Sept 23, 2015 Nick Sullivan (@grittygrease)
#nginx #nginxconf NGINX + HTTPS 101 2 What is HTTPS? Protocol Versions Cipher Suites Configuring nginx Bonus: Configuring HSTS Backend HTTPS Double Bonus: OCSP Stapling Checking your configuration
What is HTTPS? 3
HTTPS = HTTP + Security • Security: SSL or TLS • Provides data encryption and server authentication • Negotiation of keys happens in the “handshake” 4
5
Why set up HTTPS? • User privacy • SEO bump • Put in front of HTTPS-incapable services • General good practice 6 😀 😯
What are the downsides? • Operational complexity • Extra latency (two round-trips for first connection) • CPU cost 7
What you need to set up HTTPS • A set of protocols you support • A set of ciphers you support in order of preference • A certificate and a private key signed by a trusted Certificate Authority 8
Protocol Versions 9
A bit of history • SSL v2.0 released in 1995 by Netscape • SSL v3.0 released in 1996 fixes major issues with v2 • TLS v1.0 released in 1999 by IETF: minor tweaks to SSLv3 • TLS v1.1 released in 2006 with minor tweaks • TLS v1.2 released in 2008 with improved hashes and AEAD mode 10
A bit of history • SSL v2.0 released in 1995 - Broken by design • SSL v3.0 released in 1996 - Broken by POODLE (Nov 2014) • TLS v1.0 released in 1999 - Weakened by BEAST (2011) and Lucky 13 (2013) • TLS v1.1 released in 2006 - Weakened by Lucky 13 (2013) and RC4 (2013, 2015) • TLS v1.2 released in 2008 - Only safe with AEAD mode ciphers 11
Client Compatibility for TLS 1.2 • Chrome >= 30 • Android >= 5.0 • Firefox >= 27 • Internet Explorer/Edge >= 11 • Safari Mac >= 7 • iOS >= 5 • Note: iOS 9 applications require TLS 1.2 support 12 ~75%
Client Compatibility for TLS 1.0 • Basically everything except Windows XP SP2 and earlier 13
Configuration options • High security, low compatibility ssl_protocols TLSv1.2; • Medium security, high compatibility ssl_protocols TLSv1 TLSv1.1 TLSv1.2; • Low security, maximum compatibility ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; 14 Top Grade SSL Labs
Cipher Suites 15
Cipher Suites • Complicated string describing the type of crypto used • Defined by openssl (check your ciphers with $ openssl ciphers) Example: ECDHE-RSA-AES128-GCM-SHA256:
 ECDHE-ECDSA-AES128-GCM-SHA256:
 ECDHE-RSA-AES256-GCM-SHA384:
 ECDHE-ECDSA-AES256-GCM-SHA384:
 DHE-RSA-AES128-GCM-SHA256: 16
Cipher Suites 17 ECDHE-RSA-AES256-GCM-SHA384
 Key Exchange - Certificate Key - Transport Cipher - Integrity
Server Cipher Suites • Client lists supported cipher suites in order of preference • Server takes intersection of client list and server supported cipher list • Server selects preferred cipher of remaining 18
Cipher Suite Negotiation AES256-GCM-SHA384:
 ECDHE-RSA-AES128-GCM-SHA256:
 ECDHE-RSA-AES256-GCM-SHA384:
 
 ECDHE-RSA-AES256-GCM-SHA384: ECDHE-RSA-AES256-SHA:
 ECDHE-RSA-AES128-SHA256:
 AES256-GCM-SHA384: 19 ECDHE-RSA-AES256-GCM-SHA384
 AES256-GCM-SHA384
 ECDHE-RSA-AES256-GCM-SHA384
Recommended Cipher Suites CloudFlare’s suggestions: github.com/cloudflare/sslconfig EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA +AES256:EECDH+3DES:RSA+3DES:!MD5 • Mozilla has their own suggestions: https://mozilla.github.io/server-side-tls/ssl-config-generator/ 20
Certificates 21
What is a certificate? • Organization name • Public key • Issuer name • Rights • Validity period • Hostnames • Digital signature by issuer 22
23
What is a trusted certificate? • When certificate is issued by a Certificate Authority (CA) that browsers trust 24
How do I get a certificate? • Create a key pair • A private key • A certificate signing request (contains your public key) • Get a CA to create a certificate from the CSR • Usually costs $$$ 25
How do create a CSR and private key? • Using CFSSL $ cfssl print-defaults csr > csr.json $ cfssl genkey csr.json | cfssljson -bare • Using OpenSSL $ openssl genrsa -out key.pem 2048 $ openssl req -new -sha256 -key key.pem -out key.csr 26
How to get a free certificate • StartSSL.com: follow the instructions, get a headache 27
Certificate chain • Need to include all certificates in trust
 chain up to the root • If CA did not provide, try `cfssl bundle` 28
Configuring nginx 29
NGINX configurations parameters • Basic features • ssl_certificate, ssl_certificate_key • ssl_protocols • ssl_ciphers 30
NGINX configurations parameters • Before you start: Find out the version of OpenSSL you are using • Recommend at least 1.0.1p $ openssl version OpenSSL 0.9.8zd 8 Jan 2015 31
server { listen 443 ssl; ssl_certificate /path/to/signed_cert_plus_intermediates; ssl_certificate_key /path/to/private_key; ssl_session_timeout 1d; ssl_session_cache shared:SSL:50m; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA +AES256:EECDH+3DES:RSA+3DES:!MD5; ssl_prefer_server_ciphers on; } 32 Certificate Chain Private key
• Session caching — faster connections from existing clients • ssl_session_timeout 1d; • ssl_session_cache shared:SSL:50m; • Session tickets — advanced version • Works with Chrome and Firefox Extra options 33
server { listen 443 ssl; ssl_certificate /path/to/signed_cert_plus_intermediates; ssl_certificate_key /path/to/private_key; ssl_session_timeout 1d; ssl_session_cache shared:SSL:50m; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA +AES256:EECDH+3DES:RSA+3DES:!MD5; ssl_prefer_server_ciphers on; } 34 Protocols Ciphers
• Prefer server cipher preference • ssl_prefer_server_ciphers on; Additional fields 35
Multiple domains, same certificate ssl_certificate multiSAN.crt; ssl_certificate_key multiSAN.key; server { listen 443 ssl; server_name www.example.com; ... } server { listen 443 ssl; server_name www.example.org; ... } 36
Backend HTTPS 37
• Encrypt to the server behind nginx • Need a list of trusted CAs Encryption on the backend 38
http { server { proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2; proxy_ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5; proxy_ssl_trusted_certificate /etc/ssl/certs/trusted_ca_cert.crt; proxy_ssl_verify on; proxy_ssl_verify_depth 2; proxy_ssl_session_reuse on; } } 39 Protocols Ciphers Trusted CAs
• Internal CA • You can create your own certificates for the services behind nginx • Requires managing your own public key infrastructure • Public CA • Need certificate from publicly trusted CA • Root store already present on machine (e.g. Ubuntu: /etc/ssl/certs/ca-certificates.crt) Options for trusted CAs 40
Checking your configuration 41
ssllabs.com 42
cfssl.org/scan 43
Bonus: Configuring HSTS 44
• HTTP header cached by browser • Browser always attempts HTTPS • Maximum age defined in seconds • Preload list for Chrome and Firefox • Requires 6 month HSTS • Requires includeSubdomains What is HSTS? 45
• Prevent hijacking of HTTP Why? 46
• Prevents people from visiting HTTP version of site • If HTTPS config is broken (expired certificate), site is broken Risks 47
server { listen 443 ssl; ssl_certificate /path/to/signed_cert_plus_intermediates; ssl_certificate_key /path/to/private_key; ssl_session_timeout 1d; ssl_session_cache shared:SSL:50m; # intermediate configuration. tweak to your needs. ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5; ssl_prefer_server_ciphers on; # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months) add_header Strict-Transport-Security max-age=15768000; # OCSP Stapling --- # fetch OCSP records from URL in ssl_certificate and cache them ssl_stapling on; ssl_stapling_verify on; ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates; } 48 Max-age: 6 months
Double Bonus: Configuring OCSP Stapling 49
• Certificates can not only expire, they can be revoked • OCSP (Online Certificate Status Protocol) can be queried to check status • Can slow down requests since it requires another connection • OCSP Stapling: server pre-fetches OSCP response • Saves a round-trip by the client What is OCSP Stapling? 50
How much faster? DNS (1334ms) TCP handshake (240ms) SSL handshake (376ms) Follow certificate chain (1011ms) DNS to CA (300ms) TCP to CA (407ms) OCSP to CA #1 (598ms) TCP to CA #2 (317ms) OCSP to CA #2 (444ms) Finish SSL handshake (1270ms) 51 ~30%
server { listen 443 ssl; ssl_certificate /path/to/signed_cert_plus_intermediates; ssl_certificate_key /path/to/private_key; ssl_session_timeout 1d; ssl_session_cache shared:SSL:50m; # intermediate configuration. tweak to your needs. ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5; ssl_prefer_server_ciphers on; # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months) add_header Strict-Transport-Security max-age=15768000; # OCSP Stapling --- # fetch OCSP records from URL in ssl_certificate and cache them ssl_stapling on; ssl_stapling_verify on; ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates; } 52 Get this file from your CA
Questions? 53
NGINX + HTTPS 101 The Basics & Getting Started Nick Sullivan @grittygrease

Recommended

Invited Talk - Cyber Security and Open Source
Invited Talk - Cyber Security and Open SourceInvited Talk - Cyber Security and Open Source
Invited Talk - Cyber Security and Open Sourcehack33
 
Bringing Elliptic Curve Cryptography into the Mainstream
Bringing Elliptic Curve Cryptography into the MainstreamBringing Elliptic Curve Cryptography into the Mainstream
Bringing Elliptic Curve Cryptography into the MainstreamNick Sullivan
 
What's New in Go Crypto - Gotham Go
What's New in Go Crypto - Gotham GoWhat's New in Go Crypto - Gotham Go
What's New in Go Crypto - Gotham GoNick Sullivan
 
Heartache and Heartbleed - 31c3
Heartache and Heartbleed - 31c3Heartache and Heartbleed - 31c3
Heartache and Heartbleed - 31c3Nick Sullivan
 
CFSSL 1.1: The Evolution of a PKI toolkit - DEF CON 23
CFSSL 1.1: The Evolution of a PKI toolkit - DEF CON 23CFSSL 1.1: The Evolution of a PKI toolkit - DEF CON 23
CFSSL 1.1: The Evolution of a PKI toolkit - DEF CON 23Nick Sullivan
 
An analysis of TLS handshake proxying
An analysis of TLS handshake proxyingAn analysis of TLS handshake proxying
An analysis of TLS handshake proxyingNick Sullivan
 
Running Secure Server Software on Insecure Hardware without a Parachute - RSA...
Running Secure Server Software on Insecure Hardware without a Parachute - RSA...Running Secure Server Software on Insecure Hardware without a Parachute - RSA...
Running Secure Server Software on Insecure Hardware without a Parachute - RSA...Nick Sullivan
 
White-box Cryptography -BayThreat 2013
White-box Cryptography -BayThreat 2013White-box Cryptography -BayThreat 2013
White-box Cryptography -BayThreat 2013Nick Sullivan
 

Recommended

Invited Talk - Cyber Security and Open Source
Invited Talk - Cyber Security and Open SourceInvited Talk - Cyber Security and Open Source
Invited Talk - Cyber Security and Open Sourcehack33
 
Bringing Elliptic Curve Cryptography into the Mainstream
Bringing Elliptic Curve Cryptography into the MainstreamBringing Elliptic Curve Cryptography into the Mainstream
Bringing Elliptic Curve Cryptography into the MainstreamNick Sullivan
 
What's New in Go Crypto - Gotham Go
What's New in Go Crypto - Gotham GoWhat's New in Go Crypto - Gotham Go
What's New in Go Crypto - Gotham GoNick Sullivan
 
Heartache and Heartbleed - 31c3
Heartache and Heartbleed - 31c3Heartache and Heartbleed - 31c3
Heartache and Heartbleed - 31c3Nick Sullivan
 
CFSSL 1.1: The Evolution of a PKI toolkit - DEF CON 23
CFSSL 1.1: The Evolution of a PKI toolkit - DEF CON 23CFSSL 1.1: The Evolution of a PKI toolkit - DEF CON 23
CFSSL 1.1: The Evolution of a PKI toolkit - DEF CON 23Nick Sullivan
 
An analysis of TLS handshake proxying
An analysis of TLS handshake proxyingAn analysis of TLS handshake proxying
An analysis of TLS handshake proxyingNick Sullivan
 
Running Secure Server Software on Insecure Hardware without a Parachute - RSA...
Running Secure Server Software on Insecure Hardware without a Parachute - RSA...Running Secure Server Software on Insecure Hardware without a Parachute - RSA...
Running Secure Server Software on Insecure Hardware without a Parachute - RSA...Nick Sullivan
 
White-box Cryptography -BayThreat 2013
White-box Cryptography -BayThreat 2013White-box Cryptography -BayThreat 2013
White-box Cryptography -BayThreat 2013Nick Sullivan
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Angeliki Cooney
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Orbitshub
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKJago de Vreede
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistandanishmna97
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfOverkill Security
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...apidays
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdfSandro Moreira
 
2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by HubspotMarius Sescu
 
Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTExpeed Software
 

More Related Content

Recently uploaded

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Angeliki Cooney
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Orbitshub
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKJago de Vreede
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistandanishmna97
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfOverkill Security
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...apidays
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdfSandro Moreira
 

Recently uploaded (20)

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 

Featured

2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by HubspotMarius Sescu
 
Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTExpeed Software
 
Product Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsProduct Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsPixeldarts
 
How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthThinkNow
 
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfAI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfmarketingartwork
 
PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024Neil Kimberley
 
Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)contently
 
How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024Albert Qian
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsKurio // The Social Media Age(ncy)
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Search Engine Journal
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summarySpeakerHub
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next Tessa Mero
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentLily Ray
 
Time Management & Productivity - Best Practices
Time Management & Productivity - Best PracticesTime Management & Productivity - Best Practices
Time Management & Productivity - Best PracticesVit Horky
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project managementMindGenius
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...RachelPearson36
 

Featured (20)

2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot
 
Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPT
 
Product Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsProduct Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage Engineerings
 
How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental Health
 
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfAI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
 
Skeleton Culture Code
Skeleton Culture CodeSkeleton Culture Code
Skeleton Culture Code
 
PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024
 
Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)
 
How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie Insights
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search Intent
 
How to have difficult conversations
How to have difficult conversations How to have difficult conversations
How to have difficult conversations
 
Introduction to Data Science
Introduction to Data ScienceIntroduction to Data Science
Introduction to Data Science
 
Time Management & Productivity - Best Practices
Time Management & Productivity - Best PracticesTime Management & Productivity - Best Practices
Time Management & Productivity - Best Practices
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project management
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
 

NGINX + HTTPS 101: The basics & getting started

  • 1. NGINX + HTTPS 101 The Basics & Getting Started Sept 23, 2015 Nick Sullivan (@grittygrease)
  • 2. #nginx #nginxconf NGINX + HTTPS 101 2 What is HTTPS? Protocol Versions Cipher Suites Configuring nginx Bonus: Configuring HSTS Backend HTTPS Double Bonus: OCSP Stapling Checking your configuration
  • 4. HTTPS = HTTP + Security • Security: SSL or TLS • Provides data encryption and server authentication • Negotiation of keys happens in the “handshake” 4
  • 5. 5
  • 6. Why set up HTTPS? • User privacy • SEO bump • Put in front of HTTPS-incapable services • General good practice 6 😀 😯
  • 7. What are the downsides? • Operational complexity • Extra latency (two round-trips for first connection) • CPU cost 7
  • 8. What you need to set up HTTPS • A set of protocols you support • A set of ciphers you support in order of preference • A certificate and a private key signed by a trusted Certificate Authority 8
  • 10. A bit of history • SSL v2.0 released in 1995 by Netscape • SSL v3.0 released in 1996 fixes major issues with v2 • TLS v1.0 released in 1999 by IETF: minor tweaks to SSLv3 • TLS v1.1 released in 2006 with minor tweaks • TLS v1.2 released in 2008 with improved hashes and AEAD mode 10
  • 11. A bit of history • SSL v2.0 released in 1995 - Broken by design • SSL v3.0 released in 1996 - Broken by POODLE (Nov 2014) • TLS v1.0 released in 1999 - Weakened by BEAST (2011) and Lucky 13 (2013) • TLS v1.1 released in 2006 - Weakened by Lucky 13 (2013) and RC4 (2013, 2015) • TLS v1.2 released in 2008 - Only safe with AEAD mode ciphers 11
  • 12. Client Compatibility for TLS 1.2 • Chrome >= 30 • Android >= 5.0 • Firefox >= 27 • Internet Explorer/Edge >= 11 • Safari Mac >= 7 • iOS >= 5 • Note: iOS 9 applications require TLS 1.2 support 12 ~75%
  • 13. Client Compatibility for TLS 1.0 • Basically everything except Windows XP SP2 and earlier 13
  • 14. Configuration options • High security, low compatibility ssl_protocols TLSv1.2; • Medium security, high compatibility ssl_protocols TLSv1 TLSv1.1 TLSv1.2; • Low security, maximum compatibility ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; 14 Top Grade SSL Labs
  • 16. Cipher Suites • Complicated string describing the type of crypto used • Defined by openssl (check your ciphers with $ openssl ciphers) Example: ECDHE-RSA-AES128-GCM-SHA256:
 ECDHE-ECDSA-AES128-GCM-SHA256:
 ECDHE-RSA-AES256-GCM-SHA384:
 ECDHE-ECDSA-AES256-GCM-SHA384:
 DHE-RSA-AES128-GCM-SHA256: 16
  • 17. Cipher Suites 17 ECDHE-RSA-AES256-GCM-SHA384
 Key Exchange - Certificate Key - Transport Cipher - Integrity
  • 18. Server Cipher Suites • Client lists supported cipher suites in order of preference • Server takes intersection of client list and server supported cipher list • Server selects preferred cipher of remaining 18
  • 20. Recommended Cipher Suites CloudFlare’s suggestions: github.com/cloudflare/sslconfig EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA +AES256:EECDH+3DES:RSA+3DES:!MD5 • Mozilla has their own suggestions: https://mozilla.github.io/server-side-tls/ssl-config-generator/ 20
  • 22. What is a certificate? • Organization name • Public key • Issuer name • Rights • Validity period • Hostnames • Digital signature by issuer 22
  • 23. 23
  • 24. What is a trusted certificate? • When certificate is issued by a Certificate Authority (CA) that browsers trust 24
  • 25. How do I get a certificate? • Create a key pair • A private key • A certificate signing request (contains your public key) • Get a CA to create a certificate from the CSR • Usually costs $$$ 25
  • 26. How do create a CSR and private key? • Using CFSSL $ cfssl print-defaults csr > csr.json $ cfssl genkey csr.json | cfssljson -bare • Using OpenSSL $ openssl genrsa -out key.pem 2048 $ openssl req -new -sha256 -key key.pem -out key.csr 26
  • 27. How to get a free certificate • StartSSL.com: follow the instructions, get a headache 27
  • 28. Certificate chain • Need to include all certificates in trust
 chain up to the root • If CA did not provide, try `cfssl bundle` 28
  • 30. NGINX configurations parameters • Basic features • ssl_certificate, ssl_certificate_key • ssl_protocols • ssl_ciphers 30
  • 31. NGINX configurations parameters • Before you start: Find out the version of OpenSSL you are using • Recommend at least 1.0.1p $ openssl version OpenSSL 0.9.8zd 8 Jan 2015 31
  • 32. server { listen 443 ssl; ssl_certificate /path/to/signed_cert_plus_intermediates; ssl_certificate_key /path/to/private_key; ssl_session_timeout 1d; ssl_session_cache shared:SSL:50m; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA +AES256:EECDH+3DES:RSA+3DES:!MD5; ssl_prefer_server_ciphers on; } 32 Certificate Chain Private key
  • 33. • Session caching — faster connections from existing clients • ssl_session_timeout 1d; • ssl_session_cache shared:SSL:50m; • Session tickets — advanced version • Works with Chrome and Firefox Extra options 33
  • 34. server { listen 443 ssl; ssl_certificate /path/to/signed_cert_plus_intermediates; ssl_certificate_key /path/to/private_key; ssl_session_timeout 1d; ssl_session_cache shared:SSL:50m; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA +AES256:EECDH+3DES:RSA+3DES:!MD5; ssl_prefer_server_ciphers on; } 34 Protocols Ciphers
  • 35. • Prefer server cipher preference • ssl_prefer_server_ciphers on; Additional fields 35
  • 36. Multiple domains, same certificate ssl_certificate multiSAN.crt; ssl_certificate_key multiSAN.key; server { listen 443 ssl; server_name www.example.com; ... } server { listen 443 ssl; server_name www.example.org; ... } 36
  • 38. • Encrypt to the server behind nginx • Need a list of trusted CAs Encryption on the backend 38
  • 39. http { server { proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2; proxy_ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5; proxy_ssl_trusted_certificate /etc/ssl/certs/trusted_ca_cert.crt; proxy_ssl_verify on; proxy_ssl_verify_depth 2; proxy_ssl_session_reuse on; } } 39 Protocols Ciphers Trusted CAs
  • 40. • Internal CA • You can create your own certificates for the services behind nginx • Requires managing your own public key infrastructure • Public CA • Need certificate from publicly trusted CA • Root store already present on machine (e.g. Ubuntu: /etc/ssl/certs/ca-certificates.crt) Options for trusted CAs 40
  • 45. • HTTP header cached by browser • Browser always attempts HTTPS • Maximum age defined in seconds • Preload list for Chrome and Firefox • Requires 6 month HSTS • Requires includeSubdomains What is HSTS? 45
  • 46. • Prevent hijacking of HTTP Why? 46
  • 47. • Prevents people from visiting HTTP version of site • If HTTPS config is broken (expired certificate), site is broken Risks 47
  • 48. server { listen 443 ssl; ssl_certificate /path/to/signed_cert_plus_intermediates; ssl_certificate_key /path/to/private_key; ssl_session_timeout 1d; ssl_session_cache shared:SSL:50m; # intermediate configuration. tweak to your needs. ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5; ssl_prefer_server_ciphers on; # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months) add_header Strict-Transport-Security max-age=15768000; # OCSP Stapling --- # fetch OCSP records from URL in ssl_certificate and cache them ssl_stapling on; ssl_stapling_verify on; ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates; } 48 Max-age: 6 months
  • 49. Double Bonus: Configuring OCSP Stapling 49
  • 50. • Certificates can not only expire, they can be revoked • OCSP (Online Certificate Status Protocol) can be queried to check status • Can slow down requests since it requires another connection • OCSP Stapling: server pre-fetches OSCP response • Saves a round-trip by the client What is OCSP Stapling? 50
  • 51. How much faster? DNS (1334ms) TCP handshake (240ms) SSL handshake (376ms) Follow certificate chain (1011ms) DNS to CA (300ms) TCP to CA (407ms) OCSP to CA #1 (598ms) TCP to CA #2 (317ms) OCSP to CA #2 (444ms) Finish SSL handshake (1270ms) 51 ~30%
  • 52. server { listen 443 ssl; ssl_certificate /path/to/signed_cert_plus_intermediates; ssl_certificate_key /path/to/private_key; ssl_session_timeout 1d; ssl_session_cache shared:SSL:50m; # intermediate configuration. tweak to your needs. ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5; ssl_prefer_server_ciphers on; # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months) add_header Strict-Transport-Security max-age=15768000; # OCSP Stapling --- # fetch OCSP records from URL in ssl_certificate and cache them ssl_stapling on; ssl_stapling_verify on; ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates; } 52 Get this file from your CA
  • 54. NGINX + HTTPS 101 The Basics & Getting Started Nick Sullivan @grittygrease