[How-To] ownCloud using NGINX, PHP-FPM, and MySQL

Joshua Parker Ruehlig

Hall of Famer
Joined
Dec 5, 2011
Messages
5,949
Here is the ssllabs test result after final build/install. Any comments? Seems pretty poor lol.
I use HAProxy for my SSL on my pfsense router, so my settings would be different.

I get an A+ by limiting myself to only 2 ciphers with "ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA no-sslv3"
 

jag131990

Explorer
Joined
Dec 2, 2016
Messages
68
I use HAProxy for my SSL on my pfsense router, so my settings would be different.

I get an A+ by limiting myself to only 2 ciphers with "ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA no-sslv3"

Thanks. I'll maybe look into that one day.. watched your vid a few months ago and remember your closet with the dedicated router machines.

For me that is over the top looking for a simple way to get this hardened ready to place on the internet for basic family use.

Any suggestions how to harden for the rest of us?
 

Joshua Parker Ruehlig

Hall of Famer
Joined
Dec 5, 2011
Messages
5,949
Thanks. I'll maybe look into that one day.. watched your vid a few months ago and remember your closet with the dedicated router machines.

For me that is over the top looking for a simple way to get this hardened ready to place on the internet for basic family use.

Any suggestions how to harden for the rest of us?
You could replicate my cipher choices on nginx, I just don't know anything about configuring SSL on nginx.
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
You can achieve an A+ by enabling forward secrecy and HTTP strict transport security.

Whatever you do DO NOT enable public key pinning, you can brick your domain if you get it wrong. Not brick your site, brick your domain.......
 

jag131990

Explorer
Joined
Dec 2, 2016
Messages
68
I had found that site earlier but didn't have any luck going from B with an RC4 error. After your post I tried again. Adding to my nginx.conf
Code:
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
ssl_dhparam /usr/local/etc/nginx/ssl/dhparam.pem;


cd /usr/local/etc/nginx/ssl
openssl dhparam -out dhparam.pem 4096

Now I'm getting an A

What does that last bit do?

I love this forum.
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
Here is the ssllabs test result after final build/install. Any comments? Seems pretty poor lol.
Well it looks like the base openssl version in FreeBSD 10.3 is vulnerable. According to the openssl site:
The OpenSSL 1.0.1 series of releases are now out of support. Please upgrade to 1.1.0 or 1.0.2.
So it looks like for anything internet facing we are back to installing the ports version of openssl which also means installing the ports version of nginx too so it uses the ports version of openssl.

Sigh......
 

NasKar

Guru
Joined
Jan 8, 2016
Messages
739
What does that last bit do?

I love this forum.
I couldn't explain it but you can read that section of the web site. The last part generates a 4096-bit Diffie-Hellman key.

You can achieve an A+ by enabling forward secrecy and HTTP strict transport security.

Code:
add_header Strict-Transport-Security "max-age=0; includeSubDomains; preload;";
I've added this already but don't see any command for the nginx.conf to add forward secrecy.
I used max-age=0 so I could get to my other http stuff on my other servers. With a larger number it would give a 403 error and insist on using https.
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
With a larger number it would give a 403 error and insist on using https.
Yeah that's what Strict Transport Security does. It will only allow you to connect to your site via https after the initial visit. Setting that to 0 effectively disables it.
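As an added example (not code from the thread, nginx or ownCloud), this Python checks a Strict-Transport-Security header value the way a browser and the hstspreload.org list would, which is why the `max-age=0` header posted above gives no protection; `HARDENED_HSTS` is a constructed value for comparison.

```python
"""Judge a Strict-Transport-Security header value before shipping it in nginx.
Added example (not from the thread, nginx or ownCloud): it applies the browser
rules of RFC 6797 and the stricter hstspreload.org submission requirements."""
from dataclasses import dataclass, field
from typing import List, Optional
ONE_YEAR = 31536000  # seconds; smallest max-age the preload list accepts
# Constructed hardened value. Send 'preload' only if you intend to submit the
# domain to the preload list; once listed, the policy is very hard to undo.
HARDENED_HSTS = "max-age=31536000; includeSubDomains; preload"


@dataclass
class HstsReport:
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    problems: List[str] = field(default_factory=list)

    @property
    def effective(self) -> bool:  # browsers force HTTPS only while max-age > 0
        return self.max_age is not None and self.max_age > 0

    @property
    def preload_eligible(self) -> bool:  # meets hstspreload.org requirements
        return self.preload and not self.problems


def evaluate_hsts(value: str) -> HstsReport:
    report = HstsReport()
    # Directives are ';'-separated; a trailing ';' as in the thread is tolerated.
    for item in filter(None, (part.strip() for part in value.split(";"))):
        name, _, val = item.partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "max-age" and val.isdigit():
            report.max_age = int(val)
        elif name == "max-age":
            report.problems.append(f"max-age must be a non-negative integer, got {val!r}")
        elif name == "includesubdomains":
            report.include_subdomains = True
        elif name == "preload":
            report.preload = True
        else:
            report.problems.append(f"unknown directive {name!r} is ignored by browsers")
    if report.max_age is None:
        report.problems.append("max-age is required; without it browsers ignore the header")
    elif report.max_age == 0:
        report.problems.append("max-age=0 tells browsers to drop the policy: HSTS is off")
    if report.preload:  # preload-list rules are stricter than what browsers need
        if report.max_age is not None and report.max_age < ONE_YEAR:
            report.problems.append("preload needs a max-age of at least one year")
        if not report.include_subdomains:
            report.problems.append("preload needs includeSubDomains")
    return report
```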
 

Joshua Parker Ruehlig

Hall of Famer
Joined
Dec 5, 2011
Messages
5,949
Well it looks like the base openssl version in FreeBSD 10.3 is vulnerable. According to the openssl site: So it looks like for anything internet facing we are back to installing the ports version of openssl which also means installing the ports version of nginx too so it uses the ports version of openssl.

Sigh......
I bet FreeBSD backports fixes to keep even non-supported versions of openssl from being vulnerable for versions of FreeBSD they still support.

There is a command to check for vulnerable packages, maybe this would give insight.
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
Well I guess I could install the openssl port in my proxy jail and see if the package nginx picks it up. A quick test at ssl labs would show whether it does or not.

Stay tuned, I'll report back shortly.....
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
Well as I expected, no dice. I had to install openssl and nginx from ports to get rid of the vulnerability. I'm back to an A+ now at SSL labs server test.
 

jag131990

Explorer
Joined
Dec 2, 2016
Messages
68
Well as I expected, no dice. I had to install openssl and nginx from ports to get rid of the vulnerability. I'm back to an A+ now at SSL labs server test.

Hey Jailer,

Can you detail out the steps here?
Can you provide the relevant section in your conf file also?

Interested to make these same changes. I am guessing we must be wary of pkg update and, if we do update, then remember to uninstall and reinstall from ports?

Thanks!
 

jag131990

Explorer
Joined
Dec 2, 2016
Messages
68
Well as I expected, no dice. I had to install openssl and nginx from ports to get rid of the vulnerability. I'm back to an A+ now at SSL labs server test.

So I just removed nginx and openssl and set in my make.conf file
DEFAULT_VERSIONS+=ssl=openssl

Then I installed from ports the nginx and OpenSSL and reran the test. Exact same output, still vulnerable. Weird thing was after I pkg removed the openssl I typed 'openssl' and it knew the command like it maybe never removed fully.

Going to need your help

Code:

root@nextcloud_cb:/usr/ports/www/nginx # openssl version -a
OpenSSL 1.0.1s-freebsd  1 Mar 2016
built on: date not available
platform: FreeBSD-amd64
options:  bn(64,64) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: clang
OPENSSLDIR: "/etc/ssl"
 

jag131990

Explorer
Joined
Dec 2, 2016
Messages
68
Wow weird, the port install was 1.0.2 so I removed it again and ran openssl version -a, still shows as freebsd 1.0.1. Not removing for some reason.

pkg remove openssl shows no match
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
Hey Jailer,

Can you detail out the steps here?
Can you provide the relevant section in your conf file also?

Interested to make these same changes. I am guessing we must be wary of pkg update and, if we do update, then remember to uninstall and reinstall from ports?

Thanks!
Later today after work I'll do a quick write-up.
 