
Hardening of nginx default setup #28

Open
gannebamm opened this issue Oct 20, 2023 · 1 comment

@gannebamm

The current nginx https conf file (https://github.com/GeoNode/geonode-docker/blob/8f71ab7404e4384333f6c00b7543b6b2b3aff9bb/docker/nginx/nginx.https.available.conf.envsubst) is a good start but lacks higher security standards.

This leads to subpar ratings in services like ssllabs. See https://www.ssllabs.com/ssltest/analyze.html?d=stable.demo.geonode.org

With some tweaks, the service can get an 'A' rating. I would propose the following changes:

diff --git a/docker/nginx/nginx.https.available.conf.envsubst b/docker/nginx/nginx.https.available.conf.envsubst
index b9baaf8aa501c52773d4a1cd7cb5fba8173c4713..f2da30df31b8d45c863d5072121148aa830ec7f3 100644
--- a/docker/nginx/nginx.https.available.conf.envsubst
+++ b/docker/nginx/nginx.https.available.conf.envsubst
@@ -2,19 +2,23 @@
 # not to be mistaken for nginx variables (also starting with $, but usually lowercase)
 
 # This file is to be included in the main nginx.conf configuration if HTTPS_HOST is set
-ssl_session_cache   shared:SSL:10m;
-ssl_session_timeout 10m;
+ssl_session_cache shared:SSL:50m;
+ssl_session_timeout 5m;
 
 # this is the actual HTTPS host
 server {
     listen              $HTTPS_PORT ssl;
     server_name         $HTTPS_HOST;
+    server_tokens off;
+    add_header Strict-Transport-Security "max-age=63072000" always;
     keepalive_timeout   70;
 
     ssl_certificate     /certificate_symlink/fullchain.pem;
     ssl_certificate_key /certificate_symlink/privkey.pem;
-    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
-    ssl_ciphers         HIGH:!aNULL:!MD5;
+    ssl_protocols       TLSv1.2;
+    ssl_ciphers         ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+    ssl_stapling on;
+    ssl_stapling_verify on;
 
     include sites-enabled/*.conf;
 }
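Review bot: `ssl_stapling on` and `ssl_stapling_verify on` need two companions this hunk does not add: a `resolver` directive, so nginx can look up the OCSP responder named in the certificate, and `ssl_trusted_certificate` pointing at the issuer chain, which `ssl_stapling_verify` requires; without them nginx logs an error and serves no stapled response, so the two lines gain nothing. `ssl_protocols TLSv1.2;` correctly drops TLSv1 and TLSv1.1, but it also leaves out TLSv1.3, which nginx supports with OpenSSL 1.1.1 or later; `ssl_protocols TLSv1.2 TLSv1.3;` keeps the hardening while letting modern clients use the newer handshake. One caveat on the HSTS line: `add_header` is not inherited into a block that declares its own `add_header`, so any location in `sites-enabled/*.conf` that adds headers will silently drop Strict-Transport-Security; worth verifying the header on a few real paths after the change.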
@@ -23,6 +27,7 @@ server {
 server {
     listen 80;
     server_name $HTTPS_HOST $HTTP_HOST; # TODO : once geoserver supports relative urls, we should allow access though both HTTP and HTTPS at the same time and hence remove HTTP_HOST from this line
+    server_tokens off;
     
     # Except for let's encrypt challenge
     location /.well-known {
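Review bot: with this hunk `server_tokens off;` has to be repeated in every server block; since this file is included from the main nginx.conf, setting it once in the http context would cover both servers (and nginx's own error pages) without being forgotten in a future vhost. Not adding the HSTS header to this port-80 server is correct: browsers ignore Strict-Transport-Security received over plain HTTP, so the header only belongs in the TLS server above.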
@gannebamm gannebamm added the enhancement New feature or request label Oct 20, 2023
@gannebamm gannebamm self-assigned this Oct 20, 2023
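As an added example (not code from geonode-docker or from the issue author), the following script audits an nginx server config for the weaknesses the proposed diff addresses, using the old and the proposed directives as constructed input; it also flags the stapling prerequisites the diff leaves out, and only reads config text, never contacting a server.

```python
# Added example, not code from geonode-docker: audit the TLS directives of an
# nginx server config. Both snippets are constructed from the diff in this
# issue; the script only reads config text and never contacts a server.
import re

# Constructed: what the diff removes (the old setup).
BEFORE_CONF = """
server {
    listen        $HTTPS_PORT ssl;
    server_name   $HTTPS_HOST;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;  # legacy versions still enabled
    ssl_ciphers   HIGH:!aNULL:!MD5;
}"""
# Constructed: what the diff adds (the proposed setup).
AFTER_CONF = """
server {
    listen        $HTTPS_PORT ssl;
    server_name   $HTTPS_HOST;
    server_tokens off;
    add_header Strict-Transport-Security "max-age=63072000" always;
    ssl_protocols TLSv1.2;
    ssl_stapling on;
    ssl_stapling_verify on;
}"""

def parse_directives(conf_text):
    """Yield (name, args) per ';'-terminated directive; comments and the
    block braces are dropped, which is enough for flat server{} configs."""
    text = re.sub(r"#[^\n]*", "", conf_text).replace("{", ";").replace("}", ";")
    for stmt in text.split(";"):
        tokens = stmt.split()
        if tokens:
            yield tokens[0], tokens[1:]

def audit_nginx_tls(conf_text):
    """Return sorted finding codes for the weaknesses the issue's diff targets."""
    directives = list(parse_directives(conf_text))
    args_of = lambda name: [a for n, a in directives if n == name]
    findings = set()
    if any(set(p) & {"SSLv3", "TLSv1", "TLSv1.1"} for p in args_of("ssl_protocols")):
        findings.add("legacy-tls-enabled")
    if ["off"] not in args_of("server_tokens"):
        findings.add("server-tokens-on")            # version leaks in headers/errors
    if not any(a[:1] == ["Strict-Transport-Security"] for a in args_of("add_header")):
        findings.add("hsts-missing")
    if ["on"] in args_of("ssl_stapling") and not args_of("resolver"):
        findings.add("stapling-without-resolver")   # OCSP responder can't be resolved
    if ["on"] in args_of("ssl_stapling_verify") and not args_of("ssl_trusted_certificate"):
        findings.add("stapling-verify-without-trusted-cert")
    return sorted(findings)
```

Running `audit_nginx_tls` on the old snippet reports the legacy protocols, the missing HSTS header and the server version leak; on the proposed snippet only the two stapling prerequisites remain.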
@giohappy (Contributor)

@gannebamm nothing against your changes, but from a test I did a few minutes ago I received an A rating from ssllabs

[image: screenshot attached to the comment]

@giohappy giohappy linked a pull request Apr 4, 2024 that will close this issue
@giohappy giohappy added this to the 4.3.0 milestone Apr 4, 2024