Typical nginx config with https and hypnotoad?


pie...@couderc.eu

Nov 21, 2015, 6:11:40 AM
to Mojolicious
Is there an example of nginx config for hypnotoad and https?

Thank you
PC

Luc didry

Nov 21, 2015, 8:59:25 AM
to mojol...@googlegroups.com, pie...@couderc.eu
I give an nginx configuration snippet on Lutim's wiki: https://git.framasoft.org/luc/lutim/wikis/installation

It's working, but I can't tell you it's the ultimate configuration file
for hypnotoad. Don't forget to set the proxy option of hypnotoad if
you're using nginx: that prevents some headaches
(http://mojolicio.us/perldoc/Mojo/Server/Hypnotoad#proxy).
--
Luc
https://fiat-tux.fr/
The Internet is not complicated, the Internet is what you make of it.

Rob Willett

Nov 21, 2015, 10:16:28 AM
to Mojolicious
Pierre,

Since I normally cannot help on Mojolicious stuff, I'm pleased I can help on this.

Here's our actual Nginx config for a production server that we run. I have changed the domain names over to protect the innocent, me!

It provides an https connection to a Hypnotoad backend. Users connect from either an Apple or Google phone on port 3000 over an https connection. Nginx makes the connection to Hypnotoad over http on port 3001 on the same server.

The rest of the stuff is changes to the security configuration to remove less secure encryption, which may or may not interest you. It is left in for completeness. 

We run 16 workers under Hypnotoad and so far performance is OK. However we are still ramping users up.

server {
        listen 3000;
        server_name XXX.YYYY.com;

        # TLS is terminated here; the Hypnotoad backend only speaks plain http.
        ssl on;
        ssl_certificate /etc/ssl/certs/SSL.crt;
        ssl_certificate_key /etc/ssl/private/server.key;

        ssl_session_timeout 5m;

        # Only TLS versions are listed, so SSLv2/SSLv3 are not offered.
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

        ssl_prefer_server_ciphers on;
        ssl_dhparam /etc/ssl/private/dhparams.pem;

        location / {
                # Pass the original host, client address and scheme on to Hypnotoad;
                # it reads these headers when its proxy option is enabled.
                proxy_set_header        Host $host;
                proxy_set_header        X-Real-IP $remote_addr;
                proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header        X-Forwarded-Proto $scheme;

                # Fix the "It appears that your reverse proxy set up is broken" error.
                proxy_pass          http://127.0.0.1:3001;
                proxy_read_timeout  90;

                # Rewrite Location headers that the backend emits with its own address.
                proxy_redirect      http://127.0.0.1:3001 https://XXX.YYYY.com;
        }
}

Hope this is of use,

Rob
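As an added example (not code from the thread or from the Mojolicious project), here is the application side of the setup Luc and Rob describe: a Mojolicious::Lite app whose hypnotoad config enables the proxy option and listens on 127.0.0.1:3001 behind the nginx block above, plus a diagnostic route showing which values the forwarded headers supply. The /whoami route and the https-only guard are my own invention.

```perl
#!/usr/bin/env perl
use Mojolicious::Lite;

# Hypnotoad settings for the backend that nginx proxies to on 127.0.0.1:3001.
# proxy => 1 makes Mojolicious trust X-Forwarded-For and X-Forwarded-Proto
# from the reverse proxy (the "proxy option" Luc mentions); without it every
# request looks like plain http from 127.0.0.1. Sixteen workers, as in Rob's setup.
app->config(hypnotoad => {
  listen  => ['http://127.0.0.1:3001'],
  proxy   => 1,
  workers => 16,
});

# Constructed diagnostic route (hypothetical, not part of any real app):
# reports what the app sees once the forwarded headers have been applied.
get '/whoami' => sub {
  my $c = shift;
  $c->render(json => {
    secure       => $c->req->is_secure ? \1 : \0,      # from X-Forwarded-Proto
    client       => $c->tx->remote_address,            # from X-Forwarded-For
    proxy        => $c->tx->original_remote_address,   # the TCP peer, i.e. nginx
    absolute_url => $c->req->url->to_abs->to_string,   # https://XXX.YYYY.com/...
  });
};

# Every route defined after this guard is refused unless the request was
# forwarded as https, so a proxy misconfiguration or a direct hit on port 3001
# cannot serve the application over plain http.
under sub {
  my $c = shift;
  return 1 if $c->req->is_secure;
  $c->render(text => 'https required', status => 403);
  return undef;
};

get '/' => sub { shift->render(text => 'hello over https') };

app->start;
```

Start it with `hypnotoad ./myapp.pl` (file name assumed); a request through nginx to /whoami should report secure = true and the phone's address as client, while the same request made directly to port 3001 reports the raw socket values.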


pie...@couderc.eu

Nov 24, 2015, 3:16:33 PM
to Mojolicious

Thank you very much, Rob, it is exactly what I was looking for!

pie...@couderc.eu

Dec 1, 2015, 5:24:05 AM
to Mojolicious
Thank you very much for your config file, which I am testing now.
I have worked on your sophisticated ssl parameters and implemented them.
Then I submitted my site to https://www.ssllabs.com/ssltest/analyze.html
and I was surprised to see that it passes the tests very well, except for ssl3:
"This server is vulnerable to the POODLE attack. If possible, disable SSL 3 to mitigate. Grade capped to C".

I do not understand this failure, as it seems to me that ssl3 is not enabled...
What do you think of that?

Luc didry

Dec 1, 2015, 5:38:50 AM
to mojol...@googlegroups.com, pie...@couderc.eu
That is kind of outside the subject of this list (i.e. Mojolicious, while
here you talk about your TLS nginx configuration), but have a look at the
https://bettercrypto.org/ recommendations, you'll get the best advice
ever.

Here's why you can be subject to POODLE, even without SSLv3:
https://community.qualys.com/blogs/securitylabs/2014/12/08/poodle-bites-tls