Nginx
How To Build Nginx on Ubuntu 12.04
#!/usr/bin/env bash
# Build dependencies on Ubuntu 12.04: build-essential libpcre3-dev libssl-dev zlib1g-dev libgeoip-dev
set -ex

export NGINX_VERSION=1.2.1
export PREFIX=/opt/nginx

# Fetch the tarball and its detached PGP signature over HTTPS and verify it before
# building anything. This assumes the nginx release signing key is already in your keyring.
curl -O https://nginx.org/download/nginx-$NGINX_VERSION.tar.gz
curl -O https://nginx.org/download/nginx-$NGINX_VERSION.tar.gz.asc
gpg --verify nginx-$NGINX_VERSION.tar.gz.asc nginx-$NGINX_VERSION.tar.gz

git clone https://github.com/yaoweibin/nginx_tcp_proxy_module.git
tar -xvzf nginx-$NGINX_VERSION.tar.gz
cd nginx-$NGINX_VERSION
# The tcp proxy module needs its patch applied to the nginx source before configure
patch -p1 < ../nginx_tcp_proxy_module/tcp.patch
# --user/--group only set the worker user written into nginx.conf; the account has to exist
# (e.g. sudo adduser --system --no-create-home nginx) before nginx is started.
./configure --prefix=$PREFIX --user=nginx --group=nginx --with-http_ssl_module --with-http_geoip_module --with-http_flv_module --add-module=../nginx_tcp_proxy_module/
# Compile as the unprivileged user; only the install into $PREFIX needs root
make && sudo make install
Installing StartCOM SSL Certificates
http://blurringexistence.net/index.php?url=archives/5-nginx-and-StartSSL.html
Note: StartCom was distrusted by the major browser vendors in 2016/2017 and no longer issues certificates, so the CA-specific parts below are kept for reference only; the procedure (install the intermediate chain, verify locally, then verify remotely) applies to any CA.
Get all relevant certs. They are fetched over plain HTTP here, so compare the downloaded files against fingerprints obtained through a trusted channel before relying on them:
mkdir capath
cd capath
wget http://www.startssl.com/certs/ca.pem
wget http://www.startssl.com/certs/sub.class1.server.ca.pem
wget http://www.startssl.com/certs/sub.class2.server.ca.pem
Generate the certificate and key with ssl_cert_helper (the script is fetched over plain HTTP; read it before executing it):
wget http://blag.felixhummel.de/_downloads/ssl_cert_helper
chmod +x ssl_cert_helper
./ssl_cert_helper
Verify locally. -CApath expects the hashed-filename layout that c_rehash creates, so hash the directory first (or concatenate the three files and pass them with -CAfile instead):
c_rehash capath/
openssl verify -CApath capath/ jacob-consulting.de/cert
Verify remotely. The output should show the server certificate followed by the intermediates and end with "Verify return code: 0 (ok)"; nginx only sends the intermediates if they are appended (server certificate first) to the file named in ssl_certificate, and clients that do not already have them will otherwise fail to build the chain:
openssl s_client -connect example.org:443 -servername example.org -CApath capath/
Disabling SSLv3 against POODLE
With SSLv3 disabled, this must return a handshake error. The check only proves something if the local OpenSSL was built with SSLv3 support; current distribution builds have dropped it, in which case -ssl3 is rejected as an unknown option and the server has not been tested at all:
echo 'GET /' | openssl s_client -quiet -connect $domain:443 -ssl3
And here's the config snippet for nginx. SSLv3 is disabled simply by leaving it out of ssl_protocols. The cipher list is the 2013 Qualys forward-secrecy list: it still contains RC4 suites, which RFC 7465 has since prohibited, and TLSv1/TLSv1.1 have been deprecated by RFC 8996, so for a current deployment drop the RC4 entries and restrict ssl_protocols to TLSv1.2 and later:
# https://community.qualys.com/blogs/securitylabs/2013/08/05/configuring-apache-nginx-and-openssl-for-forward-secrecy
# SSLv3 is absent from this list, which is what actually closes POODLE
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
# Legacy 2013 list: the EECDH+aRSA+RC4 and RC4 entries should be removed today (RFC 7465)
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
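The openssl -ssl3 check above depends on a local OpenSSL that can still speak SSLv3. The following is an added example, not code from the original page: it sends a hand-built SSLv3 ClientHello over a raw socket and classifies the first record the server returns, so it works whatever the local OpenSSL build supports. An nginx with SSLv3 left out of ssl_protocols answers with an alert record; a server that still accepts SSLv3 answers with an SSLv3 ServerHello. The host name is taken from the command line, and the cipher-suite list is an assumed minimal set of suites an SSLv3 server would normally accept.

```python
"""Raw SSLv3 ClientHello probe (added example; assumes a reachable host on port 443)."""
import os
import socket
import struct
import sys

# Record-layer content types and handshake message types (SSL 3.0 / TLS)
CT_ALERT = 0x15
CT_HANDSHAKE = 0x16
HS_CLIENT_HELLO = 0x01
HS_SERVER_HELLO = 0x02
SSLV3 = b"\x03\x00"  # protocol version 3.0

# Assumed minimal set of cipher suites (IANA values) an SSLv3 server would accept
SSLV3_CIPHER_SUITES = [
    0x0035,  # TLS_RSA_WITH_AES_256_CBC_SHA
    0x002F,  # TLS_RSA_WITH_AES_128_CBC_SHA
    0x000A,  # TLS_RSA_WITH_3DES_EDE_CBC_SHA
    0x0005,  # TLS_RSA_WITH_RC4_128_SHA
    0x0004,  # TLS_RSA_WITH_RC4_128_MD5
]


def build_sslv3_client_hello(random_bytes=None):
    """Return one SSLv3 record carrying a ClientHello without extensions."""
    if random_bytes is None:
        random_bytes = os.urandom(32)
    if len(random_bytes) != 32:
        raise ValueError("ClientHello random must be 32 bytes")
    suites = b"".join(struct.pack("!H", s) for s in SSLV3_CIPHER_SUITES)
    body = (
        SSLV3                                        # client_version = 3.0
        + random_bytes                               # gmt_unix_time + random
        + b"\x00"                                    # session_id length 0
        + struct.pack("!H", len(suites)) + suites    # cipher_suites vector
        + b"\x01\x00"                                # one compression method: null
    )
    # Handshake header: type (1 byte) + length (3 bytes)
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    # Record header: content type (1) + version (2) + length (2)
    return bytes([CT_HANDSHAKE]) + SSLV3 + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Interpret the first record a server sends back to the SSLv3 ClientHello."""
    if len(data) < 5:
        return "no-response"          # connection closed or nothing readable
    content_type = data[0]
    payload = data[5:]
    if content_type == CT_HANDSHAKE and payload and payload[0] == HS_SERVER_HELLO:
        # ServerHello body starts at payload[4]: server_version (2 bytes) comes first
        if payload[4:6] == SSLV3:
            return "sslv3-accepted"   # the server negotiated SSL 3.0: POODLE-exposed
        return "other-version:%d.%d" % (payload[4], payload[5])
    if content_type == CT_ALERT and len(payload) >= 2:
        # payload[0] is the alert level, payload[1] the description
        # (40 = handshake_failure, 70 = protocol_version are the usual refusals)
        return "refused-alert:%d" % payload[1]
    return "unexpected:%02x" % content_type


def check_sslv3(host, port=443, timeout=5.0):
    """Connect, send the SSLv3 ClientHello and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            data = sock.recv(4096)
        except socket.timeout:
            data = b""
    return classify_response(data)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "example.org"
    print(target, check_sslv3(target))
```

Run it as `python3 sslv3_probe.py example.org`; a correctly configured nginx yields `refused-alert:40` or `refused-alert:70` depending on the OpenSSL version it was built against, while `sslv3-accepted` means ssl_protocols still permits SSLv3 and POODLE applies.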