Siebrand has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/104218


Change subject: Update nginx configuration for improved security and SSL 
performance
......................................................................

Update nginx configuration for improved security and SSL performance

Change-Id: Iaae263230e251757b892709c90774f4d9257078f
---
M puppet/modules/nginx/files/nginx.conf
M puppet/modules/nginx/files/translatewiki.net
2 files changed, 53 insertions(+), 2 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/translatewiki 
refs/changes/18/104218/1

diff --git a/puppet/modules/nginx/files/nginx.conf 
b/puppet/modules/nginx/files/nginx.conf
index 713d1ff..318a5a0 100644
--- a/puppet/modules/nginx/files/nginx.conf
+++ b/puppet/modules/nginx/files/nginx.conf
@@ -4,6 +4,36 @@
 worker_processes 1;
 pid /var/run/nginx.pid;
 
+# Some settings thanks to https://gist.github.com/plentz/6737338
+# Blog post: http://tautt.com/best-nginx-configuration-for-security/
+
+#don't send the nginx version number in error pages and Server header
+server_tokens off;
+
+# config to enable HSTS(HTTP Strict Transport Security) 
https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
+# to avoid ssl stripping 
https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping
+add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
+
+# config to don't allow the browser to render the page inside an frame or 
iframe
+# and avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking
+# if you need to allow [i]frames, you can use SAMEORIGIN or even set an uri 
with ALLOW-FROM uri
+# https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
+add_header X-Frame-Options SAMEORIGIN;
+
+# when serving user-supplied content, include a X-Content-Type-Options: 
nosniff header along with the Content-Type: header,
+# to disable content-type sniffing on some browsers.
+# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
+# currently suppoorted in IE > 8 
http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx
+# http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx
+# 'soon' on Firefox https://bugzilla.mozilla.org/show_bug.cgi?id=471020
+add_header X-Content-Type-Options nosniff;
+
+# This header enables the Cross-site scripting (XSS) filter built into most 
recent web browsers.
+# It's usually enabled by default anyway, so the role of this header is to 
re-enable the filter for
+# this particular website if it was disabled by the user.
+# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
+add_header X-XSS-Protection "1; mode=block";
+
 events {
   worker_connections 2048;
 }
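Review bot: The added `server_tokens` and `add_header` directives are placed in the main context, between `pid` and `events {`, where nginx does not accept them (`add_header` is valid in http, server, location and `if` in location; `server_tokens` in http, server, location), so `nginx -t` will reject this file with a "directive is not allowed here" error and none of the hardening will take effect. They need to move inside the `http { … }` block, which lies outside this hunk. Note also that nginx only inherits `add_header` into a server or location that declares no `add_header` of its own, so any vhost that adds even one header of its own silently drops HSTS, X-Frame-Options, nosniff and X-XSS-Protection; a comment such as `# add_header is not inherited by any block that sets its own add_header; repeat these there` next to the moved lines would make that pitfall visible to the next editor.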
diff --git a/puppet/modules/nginx/files/translatewiki.net 
b/puppet/modules/nginx/files/translatewiki.net
index d291e1e..45f3b73 100644
--- a/puppet/modules/nginx/files/translatewiki.net
+++ b/puppet/modules/nginx/files/translatewiki.net
@@ -8,9 +8,30 @@
 
        ssl_certificate     /etc/ssl/private/translatewiki.net.pem;
        ssl_certificate_key /etc/ssl/private/translatewiki.net.key;
-       ssl_ciphers RC4:HIGH:!aNULL:!MD5;
+
+       # enable session resumption to improve https performance
+       # http://vincent.bernat.im/en/blog/2011-ssl-session-reuse-rfc5077.html
+       ssl_session_cache shared:SSL:50m;
+       ssl_session_timeout 5m;
+
+       # Diffie-Hellman parameter for DHE ciphersuites, 2048 bits
+       ssl_dhparam /etc/nginx/ssl/dhparam.pem;
+       ssl_session_timeout 5m;
+
+       # enables server-side protection from BEAST attacks
+       # http://blog.ivanristic.com/2013/09/is-beast-still-a-threat.html
        ssl_prefer_server_ciphers on;
-       ssl_session_cache shared:SSL:1m;
+       # disable SSLv3(enabled by default since nginx 0.8.19) since it's less 
secure then TLS http://en.wikipedia.org/wiki/Secure_Sockets_Layer#SSL_3.0
+       ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+       # ciphers chosen for forward secrecy and compatibility
+       # 
http://blog.ivanristic.com/2013/08/configuring-apache-nginx-and-openssl-for-forward-secrecy.html
+       ssl_ciphers 
'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK';
+
+       # enable ocsp stapling (mechanism by which a site can convey 
certificate revocation information to visitors in a privacy-preserving, 
scalable manner)
+       # http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
+       ssl_stapling on;
+       ssl_trusted_certificate /etc/nginx/ssl/star_forgott_com.crt;
+
        spdy_headers_comp 7;
 
        server_name translatewiki.net dev.translatewiki.net 
sandbox.translatewiki.net;
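Review bot: `ssl_session_timeout 5m;` appears twice in the same server block (once after `ssl_session_cache`, again after `ssl_dhparam`), and nginx treats a repeated simple directive in one context as a configuration error, so the second copy should be removed. `ssl_trusted_certificate /etc/nginx/ssl/star_forgott_com.crt;` appears to be copied unchanged from the referenced gist; for OCSP stapling it must name the issuer chain of the translatewiki.net certificate, e.g. `ssl_trusted_certificate /etc/nginx/ssl/<issuer-chain-for-translatewiki.net>.crt;` (placeholder), and without `ssl_stapling_verify on;` and a `resolver` directive nginx will not validate the stapled response and is unlikely to be able to resolve the OCSP responder hostname. `/etc/nginx/ssl/dhparam.pem` referenced by `ssl_dhparam` is not provisioned by this change, so the puppet module must ship it or nginx will fail to start. The server block edited here begins and ends outside the hunk.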

-- 
To view, visit https://gerrit.wikimedia.org/r/104218
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Iaae263230e251757b892709c90774f4d9257078f
Gerrit-PatchSet: 1
Gerrit-Project: translatewiki
Gerrit-Branch: master
Gerrit-Owner: Siebrand <[email protected]>
