Nginx#

How To Build Nginx on Ubuntu 12.04#

#!/usr/bin/env bash
# Stop on the first failing command and echo each one as it runs
set -ex

export NGINX_VERSION=1.2.1
export PREFIX=/opt/nginx

# Build dependencies for the modules selected below (PCRE, OpenSSL, zlib, GeoIP)
sudo apt-get install -y build-essential libpcre3-dev libssl-dev zlib1g-dev libgeoip-dev

# nginx will drop privileges to this user at runtime; configure only records the name, it does not create the account
id nginx >/dev/null 2>&1 || sudo useradd --system --no-create-home --shell /usr/sbin/nologin nginx

# Fetch the tarball over HTTPS and check the detached signature nginx.org publishes next to it
# (the nginx signing key must already be in your GPG keyring)
curl -O https://nginx.org/download/nginx-$NGINX_VERSION.tar.gz || exit 1
curl -O https://nginx.org/download/nginx-$NGINX_VERSION.tar.gz.asc || exit 1
gpg --verify nginx-$NGINX_VERSION.tar.gz.asc nginx-$NGINX_VERSION.tar.gz
git clone https://github.com/yaoweibin/nginx_tcp_proxy_module.git
tar -xvzf nginx-$NGINX_VERSION.tar.gz
cd nginx-$NGINX_VERSION
# The TCP proxy module patches the nginx core before it can be added as a module
patch -p1 < ../nginx_tcp_proxy_module/tcp.patch
./configure --prefix=$PREFIX --user=nginx --group=nginx --with-http_ssl_module --with-http_geoip_module --with-http_flv_module --add-module=../nginx_tcp_proxy_module/
# Compile as the normal user; only the install into $PREFIX needs root
# (the original "sudo make && make install" ran the build as root and the install unprivileged)
make && sudo make install

build_nginx.sh

From: http://www.letseehere.com/reverse-proxy-web-sockets

Installing StartCOM SSL Certificates#

http://blurringexistence.net/index.php?url=archives/5-nginx-and-StartSSL.html

Note that StartCom's roots were distrusted by the major browsers in 2016/2017 and the CA has since shut down, so a StartSSL certificate no longer validates for visitors. The verification steps below work the same way for any CA's intermediate and root bundle.

Get all relevant certs:

mkdir capath
cd capath
wget http://www.startssl.com/certs/ca.pem
wget http://www.startssl.com/certs/sub.class1.server.ca.pem
wget http://www.startssl.com/certs/sub.class2.server.ca.pem

Generate certificate (ssl_cert_helper; the downloaded file is called ssl_cert_helper, so that is the name to make executable and run):

wget http://blag.felixhummel.de/_downloads/ssl_cert_helper
chmod +x ssl_cert_helper
./ssl_cert_helper

Verify locally. -CApath only finds certificates through hash-named symlinks, so run c_rehash capath/ (or openssl rehash capath/ with OpenSSL 1.1.0 and later) once after downloading the CA files, otherwise verify reports "unable to get local issuer certificate" even though the files are there:

openssl verify -CApath capath/ jacob-consulting.de/cert

Verify remotely. Send the host name as SNI and validate against the same directory; the output must end with "Verify return code: 0 (ok)" and the printed chain must include the StartCom intermediate (sub.class1.server.ca.pem or sub.class2.server.ca.pem), which nginx only sends if it is appended to the file named in ssl_certificate:

openssl s_client -connect example.org:443 -servername example.org -CApath capath/

Disabling SSLv3 against Poodle#

This must fail with a handshake error (or the server must simply close the connection) rather than print the page. One caveat: OpenSSL 1.1.0 and later are built without SSLv3 by default, so on a current client openssl s_client rejects the -ssl3 option itself, and that says nothing about the server:

echo 'GET /' | openssl s_client -quiet -connect $domain:443 -ssl3
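When the local OpenSSL cannot speak SSLv3 at all, the check above cannot be run as written. The following script, added here as an example and not code from the original page, does what openssl s_client -ssl3 does underneath: it sends a hand-built SSLv3 ClientHello and classifies the first record the server returns. A ServerHello with version 0x0300 means the server still accepts SSLv3 (POODLE applies); an alert or a closed connection means it does not. The cipher-suite list is a constructed minimal set, and the module name sslv3_probe.py is an assumption.

```python
import os
import socket
import struct
import sys

# SSLv3 wire version; TLS 1.0 is 0x0301. A ServerHello carrying 0x0300
# means the server agreed to speak SSLv3.
SSLV3_VERSION = b"\x03\x00"

# Constructed minimal list of RSA suites every SSLv3-era server knows:
# RC4-SHA, DES-CBC3-SHA, AES128-SHA, AES256-SHA.
SSLV3_CIPHER_SUITES = [0x0005, 0x000A, 0x002F, 0x0035]

ALERT_DESCRIPTIONS = {40: "handshake_failure", 46: "certificate_unknown", 70: "protocol_version"}


def build_sslv3_client_hello(client_random=None):
    """Return a complete SSLv3 ClientHello record as bytes."""
    if client_random is None:
        client_random = os.urandom(32)
    suites = b"".join(struct.pack("!H", s) for s in SSLV3_CIPHER_SUITES)
    body = (
        SSLV3_VERSION + client_random
        + b"\x00"                                   # session_id length 0
        + struct.pack("!H", len(suites)) + suites   # cipher_suites
        + b"\x01\x00"                               # one compression method: null
    )
    # handshake header: type 1 (client_hello) + 24-bit body length
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # record header: type 22 (handshake) + version + 16-bit length
    return b"\x16" + SSLV3_VERSION + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Classify the first record a server sent back to the SSLv3 ClientHello."""
    if not data:
        return "closed"                       # server hung up: SSLv3 rejected
    if len(data) < 5:
        return "unexpected"
    content_type = data[0]
    if content_type == 0x15 and len(data) >= 7:          # alert: level, description
        return "alert:" + ALERT_DESCRIPTIONS.get(data[6], str(data[6]))
    if content_type == 0x16 and len(data) >= 11 and data[5] == 0x02:   # ServerHello
        server_version = data[9:11]
        if server_version == SSLV3_VERSION:
            return "sslv3-accepted"
        return "other-version:%02x%02x" % (server_version[0], server_version[1])
    return "unexpected"


def probe_sslv3(host, port=443, timeout=5.0):
    """Connect to host:port, send the ClientHello, and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            data = sock.recv(4096)
        except (ConnectionResetError, socket.timeout):
            data = b""
    return classify_response(data)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "example.org"
    verdict = probe_sslv3(target)
    print(target, verdict)
    # Non-zero exit only when the server still accepts SSLv3
    sys.exit(1 if verdict == "sslv3-accepted" else 0)
```

Run it as python3 sslv3_probe.py $domain; the exit status is 1 only when the server answers with an SSLv3 ServerHello, so it can go straight into a monitoring check.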

And here is the config snippet for nginx:

# https://community.qualys.com/blogs/securitylabs/2013/08/05/configuring-apache-nginx-and-openssl-for-forward-secrecy
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";

This 2013 list removes SSLv3 but still keeps RC4 as a fallback (EECDH+aRSA+RC4 and the bare RC4 entry). RC4 has since been prohibited for TLS (RFC 7465) and TLS 1.0 and 1.1 deprecated (RFC 8996), so on a current deployment add !RC4 to the cipher string and restrict ssl_protocols to TLSv1.2 (plus TLSv1.3 where the OpenSSL build supports it). Run openssl ciphers -v '<string>' to see what a cipher string actually expands to on your build.
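To catch these settings across many vhosts without reading each one, here is a small checker, added as an example and not code from the page or from nginx, that pulls the ssl_protocols, ssl_prefer_server_ciphers and ssl_ciphers directives out of nginx config text and flags SSLv2/SSLv3, the deprecated TLS 1.0/1.1, a server cipher order that is off, and weak cipher keywords listed without a matching ! exclusion. The two server blocks are constructed samples (a weak one beside its hardened form); the third constant is the 2013 snippet from above, which the checker flags for RC4. It only inspects explicit keywords, so aliases such as HIGH or MEDIUM are not expanded; openssl ciphers -v does that.

```python
import re

# Constructed sample: still allows SSLv3 (POODLE), RC4, and lets the client pick the suite.
WEAK_NGINX_CONF = """\
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers off;
    ssl_ciphers "HIGH:MEDIUM:RC4:!aNULL";
}
"""

# Constructed sample: the hardened form of the same block.
HARDENED_NGINX_CONF = """\
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4";
}
"""

# The 2013 Qualys snippet quoted on this page, for comparison.
PAGE_2013_CONF = """\
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
"""

BANNED_PROTOCOLS = {"SSLv2", "SSLv3"}
DEPRECATED_PROTOCOLS = {"TLSv1", "TLSv1.1"}          # RFC 8996
# Cipher-string keywords that must only ever appear behind a "!"
WEAK_TOKENS = {"RC4", "3DES", "DES", "MD5", "EXP", "EXPORT", "LOW", "aNULL", "eNULL"}

DIRECTIVE_RE = re.compile(
    r"^\s*(ssl_protocols|ssl_ciphers|ssl_prefer_server_ciphers)\s+(.*?)\s*;\s*$",
    re.MULTILINE,
)


def parse_ssl_directives(conf):
    """Return {directive: value} for the TLS directives of interest (quotes stripped)."""
    return {m.group(1): m.group(2).strip("\"'") for m in DIRECTIVE_RE.finditer(conf)}


def cipher_entries(cipher_string):
    """Split an OpenSSL cipher string into (negated, keyword_set) pairs.

    Entries are separated by ':', ',' or whitespace. '!' removes an entry for good,
    while '+' and '-' only reorder or temporarily drop it, so only '!' counts as a
    real exclusion here. Keywords inside one entry are joined with '+'.
    """
    entries = []
    for raw in re.split(r"[:,\s]+", cipher_string.strip()):
        if not raw:
            continue
        negated = raw.startswith("!")
        entries.append((negated, set(raw.lstrip("!+-").split("+"))))
    return entries


def lint_tls_config(conf):
    """Return a list of findings; an empty list means the config passes."""
    findings = []
    directives = parse_ssl_directives(conf)

    protocols = directives.get("ssl_protocols")
    if protocols is None:
        findings.append("ssl_protocols not set (nginx before 1.9.1 then enables SSLv3 by default)")
    else:
        enabled_protocols = set(protocols.split())
        for proto in sorted(BANNED_PROTOCOLS & enabled_protocols):
            findings.append("ssl_protocols enables %s" % proto)
        for proto in sorted(DEPRECATED_PROTOCOLS & enabled_protocols):
            findings.append("ssl_protocols enables deprecated %s" % proto)

    if directives.get("ssl_prefer_server_ciphers", "off") != "on":
        findings.append("ssl_prefer_server_ciphers is not on")

    ciphers = directives.get("ssl_ciphers")
    if ciphers is not None:
        enabled, excluded = set(), set()
        for negated, keywords in cipher_entries(ciphers):
            (excluded if negated else enabled).update(keywords & WEAK_TOKENS)
        # A weak keyword is a finding only if no "!" entry takes it out again
        for token in sorted(enabled - excluded):
            findings.append("ssl_ciphers enables %s without a matching !%s" % (token, token))
    return findings


if __name__ == "__main__":
    for name, conf in [("weak", WEAK_NGINX_CONF), ("hardened", HARDENED_NGINX_CONF), ("page-2013", PAGE_2013_CONF)]:
        print(name, lint_tls_config(conf) or "OK")
```

Point it at a real tree with python3 -c 'import sys, tls_lint; print(tls_lint.lint_tls_config(sys.stdin.read()))' < /etc/nginx/nginx.conf (the module name tls_lint is an assumption); an empty list is the only acceptable result.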