Zeitgemäße Webserver-Konfiguration. Ein Serviervorschlag



Similar documents
AppSec USA 2014 Denver, Colorado Security Header Injection Module (SHIM)

of HTTP Headers Dirk Licence:

Web Application Security

APACHE HTTP SERVER 2.2.8

Outline Definition of Webserver HTTP Static is no fun Software SSL. Webserver. in a nutshell. Sebastian Hollizeck. June, the 4 th 2013

GlobalSign Solutions

Apache SSL Certificate Deployment Guide

CloudOYE CDN USER MANUAL

Exercises: FreeBSD: Apache and SSL: pre SANOG VI Workshop

ASV Scan Report Vulnerability Details. UserVoice Inc.

User s guide. APACHE SSL Linux. Using non-qualified certificates with APACHE SSL Linux. version 1.3 UNIZETO TECHNOLOGIES S.A.

No. Time Source Destination Protocol Info HTTP GET /ethereal-labs/http-ethereal-file1.html HTTP/1.

CDN Operation Manual

Automated Vulnerability Scan Results

Hypertext for Hyper Techs

Name-based SSL virtual hosts: how to tackle the problem

Security-Assessment.com White Paper Leveraging XSRF with Apache Web Server Compatibility with older browser feature and Java Applet

The Hyper-Text Transfer Protocol (HTTP)

esync - Receiving data over HTTPS

Weird New Tricks for Browser Fingerprinting. yan ToorCon 2015

Nginx Tricks for PHP Developers. Ilia

Exercises: FreeBSD: Apache and SSL: SANOG VI IP Services Workshop

Implementing HTTPS in CONTENTdm 6 September 5, 2012

Cache All The Things

quick documentation Die Parameter der Installation sind in diesem Artikel zu finden:

i2b2: Security Baseline

TCP/IP Networking An Example

Administering mod_jk. To Enable mod_jk

HTTP Fingerprinting and Advanced Assessment Techniques

ViMP 3.0. SSL Configuration in Apache 2.2. Author: ViMP GmbH

APACHE WEB SERVER. Andri Mirzal, PhD N

To enable https for appliance

Fast, Scalable And Secure Web Hosting For Entrepreneurs

ASV Scan Report Vulnerability Details PRESTO BIZ

Installing an SSL certificate on the InfoVaultz Cloud Appliance

TYPO3 Security. Jochen Weiland CertiFUNcation 2016

SecuritySpy Setting Up SecuritySpy Over SSL

Project #2. CSE 123b Communications Software. HTTP Messages. HTTP Basics. HTTP Request. HTTP Request. Spring Four parts

A Study of What Really Breaks SSL HITB Amsterdam 2011

Enterprise SSL Support

SSL Report: ebfl.srpskabanka.rs ( )

Chapter 27 Hypertext Transfer Protocol

Product Documentation. Preliminary Evaluation of the OpenSSL Security Advisory (0.9.8 and 1.0.1)

Department of Computing Imperial College London. BrowserAudit. A web application that tests the security of browser implementations

Module 45 (More Web Hacking)

SSL GOOD PRACTICE GUIDE

Creating X.509 Certificates With OpenSSL

Real World Java Web Security

What is Distributed Annotation System?

1. When will an IP process drop a datagram? 2. When will an IP process fragment a datagram? 3. When will a TCP process drop a segment?

DoD Public Key Enablement (PKE) Quick Reference Guide. Securing Apache HTTP with mod_ssl for Linux

Internet Technologies Internet Protocols and Services

GET /FB/index.html HTTP/1.1 Host: lmi32.cnam.fr

Recent Advances in Web Application Security

Security Workshop. Apache + SSL exercises in Ubuntu. 1 Install apache2 and enable SSL 2. 2 Generate a Local Certificate 2

Table of Contents GEEK GUIDE APACHE WEB SERVERS AND SSL AUTHENTICATION

Ethical Hacking as a Professional Penetration Testing Technique

Nginx "how to" - Fast and Secure Web Server

CS640: Introduction to Computer Networks. Applications FTP: The File Transfer Protocol

HTTP Authentifizierung

SSL GOOD PRACTICE GUIDE

Architecture of So-ware Systems HTTP Protocol. Mar8n Rehák

Parallels Panel. Administrator's Guide to Configuring Apache on Servers Running Parallels Plesk Panel 10. Revision 1.0

Protecting Web Applications and Users

Technical specification

LAB :: Secure HTTP traffic using Secure Sockets Layer (SSL) Certificate

Best Practices in Hardening Apache Services under Linux

Protect your CollabNet TeamForge site

HTTP Protocol. Bartosz Walter

The Application Layer. CS158a Chris Pollett May 9, 2007.

INVESTIGATION OF DIGITAL CERTIFICATES Creation of self-signed certificate on Windows 8

Securing the OpenAdmin Tool for Informix web server with HTTPS

Hack Yourself First. Troy troyhunt.com

Modern Web Development From Angle Brackets to Web Sockets

Open Source Apache <WAF> Web Application Firewall

Building a Secure RedHat Apache Server HOWTO

Cookbook Secure Failover for Tomcat Application Server Use Apache, mod_proxy, mod_security, mod_ssl to offer secure application delivery

How to setup HTTP & HTTPS Load balancer for Mediator

Internet Technologies. World Wide Web (WWW) Proxy Server Network Address Translator (NAT)

Apache web server magic on IBM i. Alan Seiden Consulting alanseiden.com

Puppet CA: Certificates explained. Thomas Gelf - PuppetCamp Düsseldorf 2014

This section describes how to use SSL Certificates with SOA Gateway running on Linux.

GlobalSign Enterprise Solutions Google Apps Authentication User Guide

International Journal of Engineering & Technology IJET-IJENS Vol:14 No:06 44

HTTP. Internet Engineering. Fall Bahador Bakhshi CE & IT Department, Amirkabir University of Technology

World Wide Web. Before WWW

Maximizing Performance with SPDY & SSL. Billy Hoffman

Payius. Guide to SSL certicates in ecommerce

owncloud 8 and DigitalOcean Matthew Davidson Bluegrass Linux User Group 03/09/2015

CIA Lab Assignment: Web Servers

Configuring Remote HANA System Connection for SAP Cloud for Analytics via Apache HTTP Server as Reverse Proxy

Installing Apache as an HTTP Proxy to the local port of the Secure Agent s Process Server

SSL Certificates in IPBrick

Varnish Tips & Tricks, 2015 edition

Transcription:

Zeitgemäße Webserver-Konfiguration Ein Serviervorschlag

Protokolle

HTTP Seit 1991

TLS 1.0 1999

TLS 1.1 2006

TLS 1.2 2008

HTTP/S

SPDY 2009

HTTP/2 2012.. 2015

HTTP/2 2012.. 2015

Motivation

2016

Szenarien

Status Quo

SSLLabs https://www.ssllabs.com/

Die TLS Ampel TLS 1.3 TLS 1.2 TLS 1.1 TLS 1.0 SSLv3 SSLv2

HTTP Response Header

Security Headers https://securityheaders.io

a

X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1;mode=block

# CSP Content-Security-Policy "default-src 'self'; upgradeinsecure-requests";

HTTPS only # HSTS strict-transport-security "max-age=31104000"; includesubdomains; preload; # HPKP Public-Key-Pins "pin-sha256=\"your_hash=\"; pin-sha256= \"YOUR_BACKUP_HASH=\"; max-age=7776000; report-uri=\"https:// YOUR.REPORT.URL\""

curl -I https://maclemon.at/ [-4-6]

$ curl -I https://maclemon.at/ HTTP/2.0 200 server:nginx date:sun, 27 Mar 2016 12:50:15 GMT content-type:text/html; charset=utf-8 content-length:134619 last-modified:fri, 15 Jan 2016 12:15:53 GMT vary:accept-encoding etag:"5698e2f9-20ddb" x-frame-options:deny x-content-type-options:nosniff x-xss-protection:1; mode=block strict-transport-security:max-age=31104000; includesubdomains; preload public-key-pins:max-age=2592000; pinsha256="rffvg6dixgdwhy4qfcvendkofj2xg3szxqheearv9g8=";pin-sha256="gxaqqxaar +AjznLZGRlBAYOabhv/II5Bc+CL9e7Kpmg=";pin-sha256="5noWBr53rhdxeVxcQagM3hqYu +Cw0m34VjrBo1Cu5Ag=" content-security-policy:upgrade-insecure-requests accept-ranges:bytes

wget -S -O/dev/null https://maclemon.at/ [-4-6]

$ wget -S -O/dev/null https://maclemon.at/ --2016-03-27 14:49:46-- https://maclemon.at/ Resolving maclemon.at (maclemon.at)... 86.59.70.21, 2001:470:6f:4ca:9a26:fb93:ba1c:e29a Connecting to maclemon.at (maclemon.at) 86.59.70.21 :443... connected. HTTP request sent, awaiting response... HTTP/1.1 200 OK Server: nginx Date: Sun, 27 Mar 2016 12:49:46 GMT Content-Type: text/html; charset=utf-8 Content-Length: 134619 Last-Modified: Fri, 15 Jan 2016 12:15:53 GMT Connection: keep-alive Vary: Accept-Encoding ETag: "5698e2f9-20ddb" X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block strict-transport-security: max-age=31104000; includesubdomains; preload Public-Key-Pins: max-age=2592000; pin-sha256="rffvg6dixgdwhy4qfcvendkofj2xg3szxqheearv9g8=";pin-sha256="gxaqqxaar +AjznLZGRlBAYOabhv/II5Bc+CL9e7Kpmg=";pin-sha256="5noWBr53rhdxeVxcQagM3hqYu+Cw0m34VjrBo1Cu5Ag=" Content-Security-Policy: upgrade-insecure-requests Accept-Ranges: bytes Length: 134619 (131K) [text/html] Saving to: /dev/null /dev/null 100% [=============================================================================>] 131.46K 509KB/s in 0.3s 2016-03-27 14:49:47 (509 KB/s) - /dev/null saved [134619/134619]

High Tech Bridge https://www.htbridge.com/websec/

Browser

Qualys SSLLabs https://www.ssllabs.com/ssltest/viewmyclient.html

RC4 Test https://rc4.io/

Uni-Hannover https://cc.dcsec.uni-hannover.de/

about:config

chrome://net-internals/

Webserver Konfiguration

https://bettercrypto.org/

BetterCrypto Arbeitstreffen 2016-05-23, 18:00 MESZ, CERT.at

httpd 2.4

mod_ssl mod_header

mod_h2 HTTP/2

/etc/apache2/httpd.conf NameVirtualHost *:443 # Linux / Windows # AcceptFilter http data AcceptFilter https data # FreeBSD # AcceptFilter http httpready # AcceptFilter https dataready /etc/apache2/ports.conf Listen 443

<VirtualHost *:443> ServerName www.yoursite.com DocumentRoot /var/www/site SSLEngine on Protocols h2 http/1.1 SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt SSLProtocol All -SSLv2 -SSLv3 SSLCipherSuite 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH +arsa+sha384:eecdh+arsa+sha256:eecdh: +CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:! LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256- SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA'

SSLHonorCipherOrder On SSLCompression off # TLS_DHE_ SSLDHParametersFile /etc/ssl/dh4096.pem </VirtualHost>

Security Header

# For HTTPS only # HSTS Header always set strict-transport-security "maxage=15768000" # HPKP Header always set Public-Key-Pins "pin-sha256=\"your_hash= \"; pin-sha256=\"your_backup_hash=\"; max-age=7776000; report-uri=\"https://your.report.url\""

# For HTTPS and HTTP Header always set X-Frame-Options DENY Header always set X-Content-Type-Options "nosniff" Header always set X-XSS-Protection "1; mode=block" # CSP Header always set Content-Security-Policy "default-src https: data: 'unsafe-inline' 'unsafe-eval'" always; upgradeinsecure-requests"

HTTP " HTTPS 301

# mod_rewrite syntax <VirtualHost cert.at:80> RewriteRule ^/?(.*) https://%{server_name}/$1 [R,L] </VirtualHost> # mod_alias syntax <VirtualHost cert.at:80> Redirect permanent / https://%{server_name}/ </VirtualHost>

ServerTokens Prod[uctOnly] Server: Apache

nginx 1.10 stable / 1.11 mainline

--with-http_ssl_module

--with-http_v2_module HTTP/2

server { # listen [2001:470:6f:4ca:9a26:fb93:ba1c:e29a]:443 ssl http2 deferred; # Tux listen [2001:470:6f:4ca:9a26:fb93:ba1c:e29a]:443 ssl http2 accept_filter=dataready; # FreeBSD server_name maclemon.at; ssl_certificate_key /etc/nginx/certificates/maclemon.at.key; ssl_certificate /etc/nginx/certificates/maclemon.at_chained.pem; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA +SHA384:EECDH+aRSA+SHA256:EECDH: +CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:! LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!

ssl_prefer_server_ciphers on; # TLS_DHE_ ssl_dhparam /etc/nginx/dhparam/dh4096.pem; # TLS compression is automatically turned OFF in # nginx 1.1.6+/1.0.9+ (if OpenSSL 1.0.0+ used) # nginx 1.3.2+/1.2.2+ (if older OpenSSL). # spdy_headers_comp 0; # SPDY Header Compression off ssl_ecdh_curve secp384r1; # Speed improvements to first byte for smaller files. ssl_buffer_size 4k; }

Security Header

# For HTTPS only # HSTS add_header strict-transport-security "max-age=31104000; includesubdomains; preload" always; # HPKP add_header Public-Key-Pins 'max-age=2592000; pinsha256="rffvg6dixgdwhy4qfcvendkofj2xg3szxqheearv9g8=";pinsha256="gxaqqxaar+ajznlzgrlbayoabhv/ii5bc+cl9e7kpmg=";pinsha256="5nowbr53rhdxevxcqagm3hqyu+cw0m34vjrbo1cu5ag="' always;

# For HTTPS and HTTP add_header X-Frame-Options DENY always; add_header X-Content-Type-Options "nosniff" always; add_header X-XSS-Protection "1; mode=block" always; # CSP add_header Content-Security-Policy "default-src https: data: 'unsafe-inline' 'unsafe-eval' upgrade-insecure-requests" always;

HTTP " HTTPS 301

server { listen [2001:470:6f:4ca:9a26:fb93:ba1c:e29a]:80; server_name maclemon.at; server_name www.maclemon.at; server_name [2001:470:6f:4ca:9a26:fb93:ba1c:e29a]; } return 301 https://maclemon.at$request_uri; # return 301 https://$server_name$request_uri;

server_tokens off; Server: nginx

Handlungsbedar F

A

Fragen?

Zeitgemäße Webserver-Konfiguration https://media.ccc.de/c/eh16 https://maclemon.at/talks @leyrer @MacLemon

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information