Ssl optimizations and advanced configuration #69
Conversation
bartoszbetka
force-pushed
the
ssl-optimizations-and-advenced-configuration
branch
4 times, most recently
from
22fbabe
to
305ed52
Compare
cameel
changed the title
bartoszbetka
force-pushed
the
ssl-optimizations-and-advenced-configuration
branch
from
305ed52
to
69196a3
Compare
|
The two |
bartoszbetka
force-pushed
the
ssl-optimizations-and-advenced-configuration
branch
from
69196a3
to
e07bff7
Compare
bartoszbetka
force-pushed
the
ssl-optimizations-and-advenced-configuration
branch
from
a3c7b93
to
126f212
Compare
| ssl_stapling_verify on; | ||
|
|
||
| # Enable HSTS | ||
| add_header Strict-Transport-Security "max-age=63072000; includeSubdomains"; |
There was a problem hiding this comment.
This max-age has a significant gotcha. Once we switch dev or any other cluster to HTTPS, switching back to HTTP will require clearing client's cache.
Please at least add some explanations:
# HSTS tells the client to only access the site over HTTPS. This is mostly relevant to browsers
# but other types clients may implement it too as long as they have some persistent storage.
# See https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet
# Note that max-age here is 63072000 seconds (2 years) which means that once you start serving
# traffic over HTTPS, you won't be able to switch back to HTTP without clearing client cache.
There was a problem hiding this comment.
This may cause a problem when traffic with HTTP and HTTPS are allowed.
|
|
||
| # Enable server-side protection | ||
| ssl_prefer_server_ciphers on; | ||
| ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; |
There was a problem hiding this comment.
Please add some comments explaining why you chose those specific ciphers. Best if you can add a link to some authoritative recommendation.
There was a problem hiding this comment.
This generator from Mozilla can give you some good values: https://mozilla.github.io/server-side-tls/ssl-config-generator/
There was a problem hiding this comment.
There was a problem hiding this comment.
I use value from https://cipherli.st/
| ssl_certificate_key /etc/ssl/secrets/nginx-proxy-ssl.key; | ||
|
|
||
| # Add Diffie-Helman group | ||
| ssl_dhparam /etc/ssl/secrets/nginx-proxy-dhparam.pem; |
There was a problem hiding this comment.
How big is this file and how long does it take to generate it?
It would be best to generate it during container build.
There was a problem hiding this comment.
It's a small file which is generate fast. This solution requires additional script and causes generate new .pem file for new deployment.
There was a problem hiding this comment.
Are you sure we want to use it ?
There was a problem hiding this comment.
Why want to it? Ok, so I will do it.
There was a problem hiding this comment.
I checked, how much time need to generate this file and it's not deterministic and random on each execution. For generate 2048bit key, it's need sometimes 10s and sometimes 40s. The openssl inform that Generating DH parameters, 2048 bit long safe prime, generator 2 This is going to take a long time. We still want this solution ?
kubernetes/create-config-maps.sh.j2
Outdated
| kubectl create secret generic nginx-storage-secrets \ | ||
| --from-file=nginx-storage-ssl.crt=concent-secrets/nginx-storage-ssl.crt \ | ||
| --from-file=nginx-storage-ssl.key=concent-secrets/nginx-storage-ssl.key \ | ||
| --from-file=nginx-storage-dhparam.pem=concent-secrets/nginx-storage-dhparam.pem |
There was a problem hiding this comment.
Is nginx-storage-dhparam.pem really a secret?
There was a problem hiding this comment.
It's not a secret, according to https://security.stackexchange.com/questions/94390/whats-the-purpose-of-dh-parameters
| ssl_stapling_verify on; | ||
|
|
||
| # Enable HSTS | ||
| add_header Strict-Transport-Security "max-age=63072000; includeSubdomains"; |
There was a problem hiding this comment.
This form does not follow the RFC. Here's an alternative:
https://gist.github.com/plentz/6737338#gistcomment-1299170
There was a problem hiding this comment.
Are you read my comment in issue about preload option ?
bartoszbetka
force-pushed
the
ssl-optimizations-and-advenced-configuration
branch
from
126f212
to
f5c0ff6
Compare
Resolves #56