Improve SSL: Use Mozilla SSL Intermediate Config / Enable Reuseport / Extend HSTS


(RoldanLT) #1

With the recent Discourse version.
I’m using this config: Generate Mozilla Security Recommended Web Server Configuration Files

nano templates/web.ssl.template.yml

Modify the ssl config to:

       listen 443 ssl http2 reuseport;
       ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
       ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
       ssl_prefer_server_ciphers on;
       ssl_ecdh_curve secp384r1;

       ssl_certificate /shared/ssl/ssl.crt;
       ssl_certificate_key /shared/ssl/ssl.key;

       ssl_session_tickets off;
       ssl_session_timeout 1d;
       ssl_session_cache shared:SSL:50m;

       gzip on;

       add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';

nano templates/web.letsencrypt.ssl.template.yml

Modify the very bottom config to:

add_header Strict-Transport-Security 'max-age=63072000; includeSubDomains; preload';

Then:

./launcher rebuild app

I hope I posted on the right category.
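An audit of the directives in the post above, as an added example that is not part of the original thread or of Discourse's own code: it lists which enabled protocols and ciphers are legacy and checks both HSTS values against the preload list's requirements. The function names and the shortened sample config are constructed for this illustration.

```python
import re

# Constructed input: directives from the post above, cipher list shortened.
SAMPLE_CONF = """
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:DES-CBC3-SHA:!DSS';
add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
add_header Strict-Transport-Security 'max-age=63072000; includeSubDomains; preload';
"""
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
PRELOAD_MIN_AGE = 31536000  # one year, the minimum the HSTS preload list accepts
ARGS = r"((?:'[^']*'|\"[^\"]*\"|[^;'\"])+);"  # quoted values may contain ';'

def directive_args(conf, name):
    """Raw argument string of every `name <args>;` directive in conf."""
    return [m.group(1).strip() for m in re.finditer(rf"^\s*{re.escape(name)}\s+{ARGS}", conf, re.M)]

def classify_cipher(name):
    """Reasons an OpenSSL cipher name is legacy; empty list means AEAD with forward secrecy."""
    tags = [] if name.startswith(("ECDHE-", "DHE-", "EDH-")) else ["no-forward-secrecy"]
    if "DES-CBC3" in name:
        tags.append("3des")
    elif not any(aead in name for aead in ("GCM", "CHACHA20", "CCM")):
        tags.append("cbc")
    return tags

def parse_hsts(value):
    """Return (max_age, include_subdomains, preload) from an HSTS header value."""
    parts = [p.strip().lower() for p in value.split(";") if p.strip()]
    ages = [int(p.split("=", 1)[1]) for p in parts if p.startswith("max-age=")]
    return (ages[0] if ages else None), "includesubdomains" in parts, "preload" in parts

def audit(conf):
    """Summarise legacy TLS settings and HSTS policy found in an nginx config string."""
    enabled = set(" ".join(directive_args(conf, "ssl_protocols")).split())
    ciphers = [c for arg in directive_args(conf, "ssl_ciphers")
               for c in arg.strip("'\"").split(":") if c and not c.startswith("!")]
    hsts = [parse_hsts(a.partition(" ")[2].strip(" '\"")) for a in directive_args(conf, "add_header")
            if a.lower().startswith("strict-transport-security")]
    return {
        "legacy_protocols": sorted(enabled & LEGACY_PROTOCOLS),
        "legacy_ciphers": {c: classify_cipher(c) for c in ciphers if classify_cipher(c)},
        "hsts_max_ages": sorted({age for age, _, _ in hsts if age is not None}),
        "preload_ready": bool(hsts) and all(
            age is not None and age >= PRELOAD_MIN_AGE and sub and pre for age, sub, pre in hsts),
    }

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```

More than one entry in `hsts_max_ages` means the two templates announce different policy lifetimes, which is worth reconciling before submitting a domain for preloading.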


(RoldanLT) #2

Result:


(Robby O'Connor) #3

Why not make a PR :wink:


(RoldanLT) #4

I’ll try.
Haven’t tried a GitHub pull request yet :D.


(RoldanLT) #5

I hope I did it right:



(Sam Saffron) #6

@mpalmer you have been summoned to this topic :walking:


(Robby O'Connor) #7

Why so many PRs? You could have done this in one…


(Sam Saffron) #8

I asked for more PRs, 1 PR per functional change.


(Robby O'Connor) #9

Oh, that makes sense.


(Matt Palmer) #10

You’ve got to say my name three times. Preferably into a mirror at midnight.


(Robby O'Connor) #11

Careful – this could get scary if you accidentally say Beetlejuice or Bloody Mary…jus sayin.


(Sam Saffron) #12

I don’t see this screenshot as any progress over what we have today:

IE8 XP support, Android 2.3.7 support … I do not particularly care about them at all.


(RoldanLT) #13

Lucky you having site users with updated systems and browsers.

Sadly I still have 10% of my total visitors using Windows XP and some IE8 and even old Android.

StackExchange sites also use that whole cipher suite.


(Sam Saffron) #14

Well, they cannot use Discourse anyway, so I don’t see the point in allowing them access to a page that simply shows “your browser is too old”.


(Jeff Atwood) #15

Discourse has always had unapologetically and extremely high browser requirements. We barely work on IE11 these days… will probably drop IE11 support in 2018 as well.


(Simon Clausen) #16

From a user experience point of view, that message would be better than a timeout or TLS error and maybe prompt the person visiting to get a proper browser :slight_smile:


(Sam Saffron) #17

Sure, if that is a requirement for your users feel free to amend your SSL config in NGINX. The global market share of IE8/6 on Windows XP is not big enough for me to feel it is justified to cannibalise our default config for users that can probably be owned anyway after 5 minutes of browsing the modern web.