Tengine/Nginx SSL+SPDY Setup

OK, you've got your SSL certificate and you have tengine or nginx setup, but you need it secure. After all, you've heard of all the recent DH attacks, BEAST, CRIME, FREAK, Heartbleed and others, right? Is your system already secure? Test it! Check out The SSL Labs Test Site. I'm getting an A rating! The following assumes Tengine, but Nginx is exactly the same, just s/tengine/nginx/g

Need a certificate? OK - I highly recommend StartSSL. It's FREE! These guys will step you through the process by following the instructions on their site. If you have problems, the tech support via email is instantaneous and incredibly professional. My cert was the free variety, but if I ever upgrade, I will go to them because the support (to a non-paying customer no less) was so good.

Step 1 ... Make a file /etc/tengine/ssl.conf (or equiv for nginx):
#- Listen on SSL ports, IPv4 and v6 listen [::]:443 ssl spdy; listen 443 ssl spdy; #- Support current SSL standards and options only ssl_session_cache shared:SSL:10m; ssl_session_timeout 10m; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on; ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; ssl_session_tickets off; ssl_stapling on; ssl_stapling_verify on; #- And some security related headers add_header Strict-Transport-Security "max-age=63072000; preload"; add_header X-Content-Type-Options nosniff;

NOTE: If you have an SSL certificate that includes subdomains ("*.domain.com" or something), then add includeSubDomains; inside the quotes of the Strict-Transport-Security header right before the preload.

Step 2 ... Go into your sites-available and in the server{} configuration for the site you want to include SSL, add these lines:

include /etc/tengine/ssl.conf; ssl_dhparam /etc/ssl/tengine/dhparam4096; ssl_trusted_certificate /etc/ssl/tengine/startssl_trust_chain.crt; ssl_certificate /etc/ssl/tengine/ssl-unified.crt; ssl_certificate_key /etc/ssl/tengine/ssl.key;

Step 3 ... there are 4 files here for SSL in addition to the one we just included. Let's look at where they come from. First, you should have a certificate file (ssl.crt in the following), and a key for that file (private_ssl.key). The CRT begins with "-----BEGIN CERTIFICATE-----", but you will need to view this in vi, not less (less will try to decode many of these files). Your private key is password protected (the key is "-----BEGIN RSA PRIVATE KEY-----" followed by a line that says ENCRYPTED). Since you probably don't want to issue a password every time you start your server, let's fix that first.

openssl rsa -in private_ssl.key -out /etc/ssl/tengine/ssl.key

Easy enough? And we have one of our lines done. 3 to go!

Step 4 ... The next is to create a chain of certificates back to the root. For StartSSL, you download their cert:

wget https://www.startssl.com/certs/class1/sha2/pem/sub.class1.server.sha2.ca.pem

Then make the file you need with your cert and theirs. Here's your next 2 files!

cat ssl.crt sub.class1.server.sha2.ca.pem > /etc/ssl/tengine/ssl-unified.crt cp sub.class1.server.sha2.ca.pem /etc/ssl/tengine/startssl_trust_chain.crt

Now, the final command for the final file:

openssl dhparam -out /etc/ssl/tengine/dhparam4096 4096

4096 might be overkill, but 1024 is the minimum and you might as well go all out just in case 1024 gets broken next month!

Be sure all these files are secure!

chmod 0600 /etc/ssl/tengine/*

In future articles, I'll cover gzip compression and joomla configuration.

Note: I've rewritten this information into a more formal format for the Funtoo WebServer_SSL HowTo

Details
Category: Stupid Admin Tricks