Hi All,

I have been looking at the default security setup from the project template file in Mezzanine. This has come out of my investigation of using letsencrypt <https://letsencrypt.org/> certificates and switching the whole website over to https everywhere <https://www.eff.org/https-everywhere>, by default, which BTW I have working. If anybody is interested in that attempt I will detail it in another post. This post is to capture some bug fixes and improvements on the base system that I came across during that effort.
I love the default project setup and fabric deploy, however if I have a complaint it is: how does one track fixes after you've initially created that first default project? I don't have any good solution myself; I'd be curious to hear if anybody has a good technique. However, I found two bugs/fixes that need to go into the project/nginx.conf file that any existing website using Mezzanine should verify is actually in their deployed website on the server. I have submitted these changes into the git repository, and any future projects created with the default scripts should have these fixes from day one. However, existing websites may need to be hand edited; I feel what is detailed below will be enough for anybody to do that.

I have been using this website to do a security review of my default file: https://www.ssllabs.com/ssltest/analyze.html

It flagged the following warnings with the default project:

*Remove SSL3 support from nginx.conf.template* #1525 <https://github.com/stephenmcd/mezzanine/issues/1525>

It flagged that SSL3 was a major weakness due to the POODLE attack: https://blog.qualys.com/ssllabs/2014/10/15/ssl-3-is-dead-killed-by-the-poodle-attack and recommends disabling SSL3 in future installs.
This can be achieved by adding this line to nginx.conf (and also the template):

    %(ssl_disabled)s ssl_protocols TLSv1.2 TLSv1.1 TLSv1;

*Default settings are susceptible to weak DH/logjam attack on SSL* #1528 <https://github.com/stephenmcd/mezzanine/issues/1528>

I also got this warning: "This server supports weak Diffie-Hellman (DH) key exchange parameters". This is a result of weak keys being used for the DH key exchange and is what is responsible for the Logjam attack:
https://weakdh.org/
https://en.wikipedia.org/wiki/Logjam_(computer_security)

The details of the fix to a server are captured here: https://www.howtoforge.com/tutorial/how-to-protect-your-debian-and-ubuntu-server-against-the-logjam-attack/

For me I added this extra line to the nginx.conf file (and the template file):

    %(ssl_disabled)s ssl_dhparam /etc/ssl/private/dhparams.pem;

And added this extra task to the fabfile, and called the task out independently of install or deploy. This piece of code is to be merged into the location where the keys for the server are generated. The final upload_template_and_reload can probably be removed; it was just required as a function of the task, dh, being on its own.

    # Goes into the project's fabfile.py, which already provides task (fabric.api),
    # exists (fabric.contrib.files) and Mezzanine's own sudo, log_call,
    # get_templates and upload_template_and_reload helpers.
    @task
    @log_call
    def dh():
        # Directory nginx reads the DH parameters from (root-owned, not world readable)
        ssl_private = "/etc/ssl/private"
        if not exists(ssl_private):
            sudo("mkdir -p %s" % ssl_private)
            sudo("chmod 710 %s" % ssl_private)
        # Generate a 2048-bit DH group once and keep it readable by root only
        dh_file = ssl_private + "/dhparams.pem"
        if not exists(dh_file, use_sudo=True):
            sudo("openssl dhparam -out %s 2048" % dh_file)
            sudo("chmod 600 %s" % dh_file)
        # Re-render nginx.conf (now carrying the ssl_dhparam line) and reload nginx
        for name in get_templates():
            upload_template_and_reload(name)

This is the temporary fix required to help get existing websites up to date and playing well.
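Added example (not part of the post above and not Mezzanine's own code): a small Python check that an existing site can run against its nginx.conf or nginx.conf.template before deploying, to confirm that both fixes from the post are actually present. It renders only the %(ssl_disabled)s placeholder the way the fabfile's upload step does ("" keeps the SSL lines live, "#" comments them out), then looks for an ssl_protocols line that still lists SSLv3 and for a missing ssl_dhparam line. The two template snippets are constructed for the example; only %(ssl_disabled)s, ssl_protocols and ssl_dhparam come from the post, and the certificate paths are placeholders. The SSL Labs scan remains the authoritative external check; this just catches a hand-edit that never made it onto the server.

```python
import re
from typing import Dict, List

# Constructed sample: the relevant lines of a pre-fix template (SSLv3 still
# listed, no ssl_dhparam). The real Mezzanine template has many more directives.
WEAK_TEMPLATE = """\
server {
    listen 443 ssl;
    %(ssl_disabled)s ssl_certificate     /etc/ssl/PLACEHOLDER.crt;
    %(ssl_disabled)s ssl_certificate_key /etc/ssl/PLACEHOLDER.key;
    %(ssl_disabled)s ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;  # old setting
}
"""

# Constructed sample with both lines from the post applied.
FIXED_TEMPLATE = """\
server {
    listen 443 ssl;
    %(ssl_disabled)s ssl_certificate     /etc/ssl/PLACEHOLDER.crt;
    %(ssl_disabled)s ssl_certificate_key /etc/ssl/PLACEHOLDER.key;
    %(ssl_disabled)s ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    %(ssl_disabled)s ssl_dhparam /etc/ssl/private/dhparams.pem;
}
"""


def render(template: str, ssl_disabled: str = "") -> str:
    """Substitute only the %(ssl_disabled)s key, leaving any other %(...)s
    template keys untouched so a full template can be checked as well."""
    return template.replace("%(ssl_disabled)s", ssl_disabled)


# One ssl_* directive per line, value up to the terminating semicolon.
DIRECTIVE = re.compile(r"^\s*(ssl_\w+)\s+([^;]*);")


def ssl_directives(conf: str) -> Dict[str, List[str]]:
    """Collect the live ssl_* directives from a rendered config. Anything after
    a '#' is dropped first, so lines commented out by ssl_disabled do not count."""
    found: Dict[str, List[str]] = {}
    for line in conf.splitlines():
        line = line.split("#", 1)[0]
        match = DIRECTIVE.match(line)
        if match:
            found[match.group(1)] = match.group(2).split()
    return found


def audit(conf: str) -> List[str]:
    """Return findings for the two issues from the post (POODLE via SSLv3,
    Logjam via default DH parameters). An empty list means both fixes are in."""
    found = ssl_directives(conf)
    if not found:
        return ["no active ssl_* directives: TLS is not configured here (nothing to check)"]
    findings: List[str] = []
    protocols = found.get("ssl_protocols")
    if protocols is None:
        findings.append("ssl_protocols not set: nginx uses its built-in default, "
                        "which on older releases included SSLv3 (POODLE)")
    else:
        legacy = [p for p in protocols if p.upper().startswith("SSLV")]
        if legacy:
            findings.append("ssl_protocols still enables %s (POODLE)" % ", ".join(legacy))
    if "ssl_dhparam" not in found:
        findings.append("ssl_dhparam not set: DHE key exchange falls back to nginx's "
                        "built-in default parameters (Logjam)")
    return findings


if __name__ == "__main__":
    for label, template in (("weak", WEAK_TEMPLATE), ("fixed", FIXED_TEMPLATE)):
        print(label, audit(render(template)) or ["OK"])
    print("ssl disabled", audit(render(WEAK_TEMPLATE, "#")))
```

To check a deployed site, read /etc/nginx/sites-enabled/<project>.conf (already rendered, so call audit() on it directly) rather than the template; checking the template alone only proves what the next deploy would produce, which is exactly the gap the post describes for sites created before these fixes landed.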
