Nginx

How To Build Nginx on Ubuntu 12.04

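#!/usr/bin/env bash
# Build nginx from source with the third-party TCP proxy module.
set -x

export NGINX_VERSION=1.2.1
export PREFIX=/opt/nginx

# Fetch the nginx source tarball and the TCP proxy module.
# The tarball comes over plain HTTP; check it against the PGP signature
# published on nginx.org before building.
curl -O "http://nginx.org/download/nginx-$NGINX_VERSION.tar.gz" || exit 1
git clone https://github.com/yaoweibin/nginx_tcp_proxy_module.git || exit 1
tar -xvzf "nginx-$NGINX_VERSION.tar.gz"
cd "nginx-$NGINX_VERSION" || exit 1

# The module ships a patch that must be applied to the nginx source tree.
patch -p1 < ../nginx_tcp_proxy_module/tcp.patch
#./configure --add-module=../nginx_tcp_proxy_module/
./configure --prefix="$PREFIX" --user=nginx --group=nginx --with-http_ssl_module --with-http_geoip_module --with-http_flv_module --add-module=../nginx_tcp_proxy_module/

# Compile as the current user; only the install step needs root.
make && sudo make install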

build_nginx.sh

From: http://www.letseehere.com/reverse-proxy-web-sockets

Installing StartCom SSL Certificates

http://blurringexistence.net/index.php?url=archives/5-nginx-and-StartSSL.html

Get all relevant certs:

mkdir capath
cd capath
wget http://www.startssl.com/certs/ca.pem
wget http://www.startssl.com/certs/sub.class1.server.ca.pem
wget http://www.startssl.com/certs/sub.class2.server.ca.pem

Generate certificate (ssl_cert_helper):

wget http://blag.felixhummel.de/_downloads/ssl_cert_helper
chmod +x ssl_cert_helper
./ssl_cert_helper

Verify locally:

openssl verify -CApath capath/ jacob-consulting.de/cert

Verify remotely:

openssl s_client -connect example.org:443

Disabling SSLv3 against POODLE

Once SSLv3 is disabled, this command must fail with a handshake error:

echo 'GET /' | openssl s_client -quiet -connect $domain:443 -ssl3

And here’s the config snippet for nginx:

# https://community.qualys.com/blogs/securitylabs/2013/08/05/configuring-apache-nginx-and-openssl-for-forward-secrecy
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
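
The handshake test above only covers the one host it is pointed at. As an added example (not part of the original notes), the following script audits nginx config files for the same problem: an ssl_protocols line that still lists SSLv2/SSLv3, or a TLS listener with no ssl_protocols at all, which matters for the 1.2.1 build above because nginx releases before 1.9.1 enable SSLv3 by default. The function name, file names and sample configs are constructed for illustration, and the check assumes each directive sits on a single line.

```shell
#!/bin/sh
# Added example: audit nginx config text for SSLv3 exposure (POODLE).
# Assumption: every directive sits on a single line.

# check_ssl_protocols FILE -> findings on stdout; exit 0 clean, 1 otherwise.
check_ssl_protocols() {
    awk '
        { sub(/#.*/, "") }                          # ignore comments
        /(^|[ \t;{])ssl_protocols[ \t]/ {
            seen = 1
            if ($0 ~ /SSLv[23]([ \t;]|$)/) {
                line = $0; gsub(/^[ \t]+|[ \t]+$/, "", line)
                printf "FAIL line %d: %s\n", NR, line
                bad = 1
            }
        }
        # TLS listener: "listen ... ssl" or the older "ssl on;"
        /(^|[ \t;{])listen[ \t][^;]*[ \t]ssl[ \t;]/ { tls = 1 }
        /(^|[ \t;{])ssl[ \t]+on[ \t]*;/ { tls = 1 }
        END {
            if (tls && !seen) {
                print "WARN: TLS listener without ssl_protocols (default applies)"
                bad = 1
            }
            exit bad + 0
        }
    ' "$1"
}

# Constructed sample configs, not taken from a real server.
demo_dir=$(mktemp -d)
printf 'server {\n  listen 443 ssl;\n  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n}\n' \
    > "$demo_dir/hardened.conf"
printf 'server {\n  listen 443 ssl;\n  ssl_protocols SSLv3 TLSv1;\n}\n' \
    > "$demo_dir/explicit.conf"
printf 'server {\n  listen 443;\n  ssl on;\n  # ssl_protocols TLSv1;\n}\n' \
    > "$demo_dir/default.conf"

for name in hardened explicit default; do
    if check_ssl_protocols "$demo_dir/$name.conf"; then
        echo "$name: ok"
    else
        echo "$name: SSLv3 may be negotiable"
    fi
done
```

A clean result here does not replace the live handshake test, since an included file or a different server block can still override the setting.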