> Also it's worth to look at the recent nginx blog post regarding heartbleed:
>
> http://nginx.com/blog/nginx-and-the-heartbleed-vulnerability/

thanx for the link maxim, has been incorporated

regards, mex

by mex - Nginx Mailing List - English

Guide to Nginx + SSL + SPDY has been updated with some info, links and tests regarding heartbleed:
https://www.mare-system.de/guide-to-nginx-ssl-spdy-hsts/#heartbleed

regards, mex

A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server.

https://www.openssl.org/news/secadv_20140407.txt
http://heartbleed.com/
http://www.reddit.com/r/netsec/comments/22gym6/diagnosis_of_the_openssl_heartbleed_bug/
http://security.stackexchange.com/search?q=heartbleed

regards, mex

thanx, nice tool! i integrated this into our ssl-guide:
https://www.mare-system.de/guide-to-nginx-ssl-spdy-hsts/#testing-ssl-setups

web: https://testssl.sh/
repo: https://bitbucket.org/nginx-goodies/testssl.sh

testssl.sh is a free Unix command line tool which checks a server's service on any port for the support of TLS/SSL ciphers, protocols as well as some cryptographic flaws. It's designed to provide clear output for an "is this good or bad" decision. It is working on every Linux distribution which h

Hi List,

i'm proud to announce the comeback of the nginx-sticky-module. i included a patch by markus linnala to mark route-cookies httponly/secure and put the modified version online:
https://bitbucket.org/nginx-goodies/nginx-sticky-module-ng

i'll keep care of this module and test for compatibility with future releases of nginx. feel free to contact me if you have requirements fo

hi coderman,

increasing the header_size is not a solution, since i look for a generic solution to circumvent the outcome of those malicious requests. a possible way to handle this is a lightweight WAF-solution, lua comes to my mind :)

regards, mex

p.s. we're working on a lightweight lua-based waf as addition to naxsi; but this is very early alpha atm, more on this later.

very interesting read:
http://homakov.blogspot.de/2014/01/cookie-bomb-or-lets-break-internet.html

from the blogpost:

"TL;DR I can craft a page "polluting" CDNs, blogging platforms and other major networks with my cookies. Your browser will keep sending those cookies and servers will reject the requests, because Cookie header will be very long. The entire Internet will look down

Hi List,

i have a strange performance-issue on a server that serves static files only (http + https), if files are bigger than 5k:

- rps drops from 6500 rps (empty file) to 13 rps when requesting a file > 5k
- perftest with location /perftest/ is at 8000 rps (https) / 15000 rps (http)
- perftest with empty.html is 6500 rps (https) / 13000 rps (http)
- perftest with 5k script.js is 150

hi darren,

your ciphers look very good! i included your suggestion in my ssl-guide, looking forward to perftest those cipher_suites.

regards, mex

Hi List,

for those of you who have to deal with SSL there is a goodie, released by Ivan Ristic; see
http://blog.ivanristic.com/2013/10/openssl-cookbook-v1.1-released.html

from the Blog: OpenSSL Cookbook is a free ebook based around one chapter of my in-progress book Bulletproof SSL/TLS and PKI. The appendix contains the SSL/TLS Deployment Best Practices document (re-published wit

hi agentzh,

your points are valid, but i talk about heisenbugs and the ability to monitor a certain ip; you know, there's WTF??? - errors :)

please note, on the infrastructure i talk about we usually have debug-logs disabled, and the bottleneck is usually the app-servers.

but thanx for your answer, i'll invest some time and check your toolchains, especially systemtap. is systemtap

hi maxim,

thanx, that's what i expected. i installed the --with-debug enabled version on a site with ~ 2000 rp/s during daytime, nothing to see so far.

thanx for checking!

regards, mex

did you try to turn it off and on again? sorry, but from your description no one would be able to help you.

regards, mex

maybe you should ask the person who creates the packages how nginx was built, which openssl-version applies etc. pp.

can you execute "openssl version" on the server nginx runs on?

how did you compile nginx, with openssl-sources via --with-openssl=/path/to/sources ? i could imagine that, if not, your (outdated) distro's openssl-dev might be used. i have this issue when compiling nginx on debian; i have to download openssl and point nginx to where to find the sources.

but since openssl recognizes openssl 1.0.1e ... this seems fishy somehow, as if you are potentially cap

hmm, looks like some mismatch: in your config you define ECDH, but in your screenshot i see DH configured (please compare your screenshot with the ssllabs-link i provided, esp. the cipher-suites/handshake part).

should be:
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH 256 bits (eq. 3072 bits RSA) FS

is:
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) DH 4096 bits

y

btw, check the following for a reference for PFS-setup:
https://www.ssllabs.com/ssltest/analyze.html?d=makepw.com

ssl-settings are:

ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD

Hi justin,

> even though I am using all the recommend settings.

which recommended settings? recommended by whom?

i learned that, from ssllabs-view, only the cipher-suites recommended by ivan ristic seem to work:
http://www.mare-system.de/guide-to-nginx-ssl-spdy-hsts/#perfect-forward-secrecy

all other cipher-suites i found "somewhere" that should enable PFS don't seem to wor

what is your problem then?

i have a question regarding the --with-debug option; do i have to expect much overhead when compiling nginx with that option, but having it disabled per default? i'd like to have it at hand for debugging certain issues every now and then.

regards, mex

Hi,

what you are looking for is the "include" statement, see here:
http://nginx.org/en/docs/ngx_core_module.html#include

regards, mex

Hello FoxBin,

can you please post your whole proxy_* config?

since your footer.html gets included and displayed via 1/2/3.html, this file itself will never get cached, and thus can never be purged, because it becomes part of the output of 1/2/3.html. "simple" caching is done based on URLs.

regards, mex

Hi Valentin,

> In your section about BREACH requirements:

correct(ed)

thanx mex

Updates:

- SSL Client Authentication
- BREACH
- incorporated suggestions from the list

http://www.mare-system.de/guide-to-nginx-ssl-spdy-hsts/

regards, mex

hi,

thanx everybody for comments. a guide on how to do nginx + authorization via client certs will be included in the next version of this document.

i'll investigate that gzip-comment, but from what i read so far: http-compression even in https is ok, while ssl/tls-compression is not; i'll include any findings and solutions, but i'm not finished with that yet.

regards, mex

> rewrite ^/index\.php?title=(.*)$ http://www.mysite.com/$1 redirect;

this doesn't work? what is $1 then in the redirected request?

hi list,

i recently had to dig deeper into nginx + ssl-setup and came up with a short documentation on how to set up and run nginx as SSL-Gateway/Offload, including SPDY. besides basic configuration this guide covers HSTS-Headers, Perfect Forward Secrecy (PFS) and the latest and greatest ssl-based attacks like CRIME, BEAST, and Lucky Thirteen.

Link: http://www.mare-system.de/blog/page/

the answer is yes: http://wiki.nginx.org

how do you execute your php? if you are reverse proxying to an apache you might use suphp, as usual:
http://www.suphp.org/Home.html

php-fpm has a similar option, as alex mentioned.

if you really need to define workers for each server, run an nginx-instance for each of your websites; you can define its own user for each instance.