Nền tảng đa phương tiện game m88vin hàng đầu việt nam

You are not logged in.

#1 2020-08-23 22:59:20

From: Switzerland, Rossa
Registered: 2020-08-19
Posts: 6

You websites should also use SSL/TLS encryption

… on Ubuntu 18.04 or 20.04 In January 2020, SSL Labs started to downgrade ratings for websites still using TLS 1.0 and TLS 1.1 Protocols.

In this tutorial we will:  Disable TLSv1.0 and TLSv1.1 and enable TLSv1.3

Enable HTTP/2 if it still isn’t, Improve Nginx security.
These changes should not affect servers using Let’s Encrypt / Certbot.
Please BACKUP your server / websites now.
Disable TLS v1.0 and TLS v1.1, .

Enable TLS v1.3 Should you really disable TLS v1.0 and TLS v1.1

Disabling TLS 1.1 and 1.1 and improving cipher strength will cause problems for a small percentage of your audience: those using deprecated browsers / OS versions.

On this example I disabled TLSv1 & v1.1 and removed weak ciphers on a server

resulting in several audience “losses”:  As of November 29, 2019, most of the biggest Websites (Wikipedia, Google, Facebook) still support TLSv1.0 and TLSv1.1 as well as weaker cipher suites – maybe they have good reasons to do so.

Twitter has already removed TLS 1.0 and 1.1 support
If I disable TLS v1.0 and TLS v1.1

should I enable TLS v1.3.
Yes, .

You should definitely enable TLS v1.3 – even if you keep TLS 1.0 / 1.1
TLS 1.3 is faster than version 1.2

and it is already supported by most mainstream browsers (screenshot taken on November 29, 2019):  Use the following link to check the current browser support of TLS 1.3 on “Can I use”: Can I use TLS 1.3.
Disable TLS 1.0 / 1.1 and enable TLS 1.3 We are going to edit at least two different configuration files:  /etc/nginx/nginx.conf /etc/nginx/sites-available/example.com (or /default)  If you use Certbot / Let’s Encrypt, we may also edit this third configuration file:  /etc/letsencrypt/options-ssl-nginx.conf  Step 1: edit nginx.conf First, backup the nginx.conf configuration file: sudo cp /etc/nginx/nginx.conf /etc/nginx/nginx.backup-tls Then edit this configuration file, for example with Nano: sudo nano /etc/nginx/nginx.conf Look for the following line within a http { } block.
This line may (or may not) be commented after a hash as follows: ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, .

Ref: POODLE Simply remove TLSv1 TLSv1.1 from the line

Add TLSv1.3, the line now should look like this: ssl_protocols TLSv1.2 TLSv1.3; Save the file by typing Ctrl + O, then ⏎ Enter and finally Ctrl + X to exit.
Check if the Nginx configuration is valid: nginx -t Reload Nginx: sudo service nginx reload As a last step.

Check if TLS 1.0 and 1.1 are effectively disabled on your host

for example using the SSL Labs server testing service.
Step 1 may already be sufficient in some configurations.

What if TLS 1.0 and 1.1 are still NOT disabled

Go on with step 2.
Step 2: edit the server block configuration file Old SSL protocols may still be active in the server block configuration.
Find your server configuration file: cd /etc/nginx/sites-available/ ls -l Edit the server block configuration, for example: sudo nano /etc/nginx/sites-available/default OR sudo nano /etc/nginx/sites-available/example.com Again, look for the following line: ssl_protocols TLSv1 TLSv1.1 TLSv1.2; Remove the protocols marked in red, add TLSv1.3 to get the following line: ssl_protocols TLSv1.2 TLSv1.3; Save the file and exit nano ( Ctrl + O , ⏎ Enter , Ctrl + X ), test the configuration, reload Nginx, and test your Website.
nginx -t sudo service nginx reload What if you can’t find the ssl_protocols line in this file.
Go on with step 3.
Step 3: edit options-ssl-nginx.conf If you use Certbot to generate or renew Let’s Encrypt certificates, you probably won’t find the ssl_protocols line, but the following “include” command: include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot Exit nano without saving ( Ctrl + X ) and edit the Let’s Encrypt shared SSL settings: sudo nano /etc/letsencrypt/options-ssl-nginx.conf This configuration file is short: # This file contains important security parameters.
If you modify this file # manually, Certbot will be unable to automatically provide future security # updates.
Instead, Certbot will print and log an error message with a path to # the up-to-date file that you will need to refer to when manually updating # this file.
ssl_session_cache shared:le_nginx_SSL:1m; ssl_session_timeout 1440m;  ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on;  ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"; Again, remove TLSv1 and TLSv1.1 in the following line and add TLSv1.3: ssl_protocols TLSv1 TLSv1.1 TLSv1.2; The line should look like this: ssl_protocols TLSv1.2 TLSv1.3; Test the configuration, reload Nginx and test your Website.
nginx -t sudo service nginx reload Did these changes affect Certbot / Let’s Encrypt certifications renewals.
Check if renewal works using: sudo certbot renew --dry-run However, this check may be insufficient in our case.
Please BACKUP your website before forcing a cert renewal: certbot renew --force-renewal In my experience, .

There were no problems with Certbot after making TLS version changes

Enable HTTP/2 in Nginx This part is really easy.
First check your Nginx version: nginx -v To run HTTP/2, you must use Nginx version 1.9.5 or later – which should be no problem on Ubuntu 18.04 and later releases.
You websites should also use SSL/TLS encryption.
Edit the server block configuration, for example: sudo nano /etc/nginx/sites-available/default OR sudo nano /etc/nginx/sites-available/example.com Look for the following lines within the server { } block: # SSL configuration listen 443 ssl default_server; listen [::]:443 ssl default_server;  If you use Certbot, these lines will probably be at the end of the file and look like this: listen [::]:443 ssl ipv6only=on; # managed by Certbot listen 443 ssl; # managed by Certbot  Simply add http2 after 443 ssl on both lines.
In the second example (Certbot), it should now like like this: listen [::]:443 ssl http2 ipv6only=on; # managed by Certbot listen 443 ssl http2; # managed by Certbot  Save the file and exit nano ( Ctrl + O , ⏎ Enter , Ctrl + X ), test the Nginx configuration and reload Nginx: nginx -t sudo service nginx reload Test if HTTP/2 is active To test if HTTP/2 has been successfully enabled, you for example use KeyCDN’s (free) online tool: KeyCDN HTTP/2 Test Tool By the way, HTTP/3 is coming soon: it is currently being implemented in Nginx 1.17 and making its way to Chrome, Firefox and Cloudflare.
Improve Nginx security This part of the tutorial assumes you use Let’s Encrypt with Certbot.
Edit the Let’s Encrypt shared SSL settings (options-ssl-nginx.conf) Open the Let’s Encrypt shared SSL settings file: sudo nano /etc/letsencrypt/options-ssl-nginx.conf Improve SSL session cache, disable SSL session tickets SSL shared session cache is already active in the default Certbot configuration.
Modify the SSL session cache to increase cache and reduce timeout: ssl_session_cache shared:le_nginx_SSL:40m; # holds approx 40 x 4000 sessions ssl_session_timeout 2h; ssl_session_tickets off; Use a stronger cipher suite Replace the default cipher suite in the Let’s Encrypt shared SSL settings.
Even the “Old” cipher suite in Mozilla’s SSL Configuration Generator is stronger than Let’s Encrypt default cipher list.
Mozilla’s “Intermediate” list for TLS v1.2 could be a good choice: ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; 3.2.
Edit the server block configuration Edit the server block configuration, for example: sudo nano /etc/nginx/sites-available/default OR sudo nano /etc/nginx/sites-available/example.com (Give up) OCSP stapling Update.
OCSP stapling seems to be useless: SSL certificate revocation and how it is broken in practice Mozilla’s Web Security Cheat Sheet doesn’t even mention OCSP stapling anymore: Web Security Cheat Sheet Websites like Twitter, Facebook and Google don’t use OCSP stapling (but Wikipedia does).
If you still want to use OCSP stapling, edit the server block configuration, for example: sudo nano /etc/nginx/sites-available/example.com Adapt and add the following lines: # OCSP stapling ssl_stapling on; ssl_stapling_verify on; ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem; HTTP Strict Transport Security (HSTS) Inside the server {} block, add the following lines: # HSTS (63072000 seconds = 2 years) add_header Strict-Transport-Security "max-age=63072000; includeSubdomains;" always; or for one year: # HSTS (31536000 seconds = 1 year) add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;" always; Be careful with HSTS preloading.
“Be aware that once you set the STS header or submit your domains to the HSTS preload list, it is impossible to remove it.
It’s a one‑way decision to make your domains available over HTTPS.” Read more at:  HTTP Strict Transport Security (HSTS) and NGINX HSTS Preload list website  Activating HSTS preloading should be considered thoroughly.
In this guide we chose not to use HSTS preloading.
X-Content-Type-Options and X-Frame-Options Add the following lines to the server {} block: add_header X-Frame-Options SAMEORIGIN; add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "1; mode=block"; Useful SSL resources:  Mozilla’s SSL Configuration Generator: a fantastic tool to generate Nginx (and Apache) SSL configurations.
Follow this link for an example with Nginx Stable 1.16, .

OpenSSL 1.1.1 and only TLSv1.2 and TLSv1.3

Qualys SSL Labs / SSL Server Test Mozilla’s Web Security Cheat Sheet  By Johannes Eva, November 2019 – June 2020 The post How to remove TLSv1.0 / 1.1 and enable TLS 1.3 in Nginx … appeared first on libre-software.net.

my site fb88


Board footer

Powered by FluxBB