SecNginX is a toolbox which helps to:
- Build the latest stable NginX with selected modules from source
- Setup a basic file structure (Based on server-configs-nginx)
- Apply best practice Security Headers and TLS-Config
- Provide hybrid RSA/ECDSA certificates
- Submit RSA/ECDSA certificates to all Certificate Transparency Logs currently active in Chrome
The aim of this project is to provide a fast solution to set up a secure, efficient and minimal NginX server. If you are looking for a more customizable nginx build tool, take a look at nginx-build.
- Download and extract the latest release
- Make it executable: `chmod +x secnginx`
- Edit `config.toml` to your needs (especially check for the most recent OpenSSL and NginX versions)
- (Debian 10 only) Install automake-1.16: `wget https://ftp.gnu.org/gnu/automake/automake-1.16.tar.gz && tar xfvz automake-1.16.tar.gz && cd automake-1.16 && ./configure && make && make install`
- Start the NginX installation: `./secnginx install`
- Check the optional parameters with `./secnginx help install`
- OpenSSL 1.1.1-pre (TLS 1.3); the version is configurable
- Dynamic TLS Records patch to optimize latency
- Dynamic CORS rules
- Brotli compression algorithm
- Nginx-CT for using the Certificate Transparency TLS extension. Important note: CT signature validation is currently not supported in TLSv1.3
- Headers-More for advanced output headers
- Cookie Flags to set cookie flags in NginX; `HttpOnly` is preset for all cookies in the delivered NginX config
- Up to date SSL and cipher list configuration
- Generate strong 4096-bit Diffie-Hellman parameters
- Request RSA and ECDSA certificates from Let's Encrypt and set up HSTS preload. Example commands using lego:
  `./lego -a -m [email protected] -d example.com --webroot /var/www/ --path /etc/nginx/ssl/ecdsa -k ec384 run` for an EC384 certificate
  `./lego -a -m [email protected] -d example.com --webroot /var/www/ --path /etc/nginx/ssl/rsa -k rsa4096 run` for an RSA4096 certificate
- Submit your received certificates to various CT Logs using `secnginx submit-ct --input <path to public key> -output <path to output folder>`
- Please note that Let's Encrypt submits your certificates to some CT Logs by default.
- Set up a CAA DNS record
- Create website-specific Content-Security-Policy headers
- Check the existing `ssl_basic.conf` settings (especially the headers!)
- Set up AAAA DNS records to use IPv6
- Check your Security Headers
- Check your overall SSL deployment: SSL Labs
- Check the Nginx Admin Handbook for further hardening & best practices
Please don't forget to set up DNSSEC before using TLSA/DANE!
When using short-lived certificates, like those issued by Let's Encrypt, you probably want to create your own Certificate Signing Request (CSR), because ACME clients like lego generate a new private key for every renewal. As a consequence your certificate's public key changes, which means your DANE DNS records would have to be changed on every certificate renewal.
If you want to deploy hybrid ECDSA/RSA certificates, follow these steps:
- Create secure RSA and ECDSA private keys. Don't forget to store them somewhere safe!
  `openssl genrsa -out rsa_privkey.pem 4096`
  `openssl ecparam -name secp384r1 -genkey -out ecdsa_privkey.pem`
- Create CSRs based on your private keys; don't specify a challenge password!
  `openssl req -out rsa_csr.csr -key rsa_privkey.pem -new`
  `openssl req -out ecdsa_csr.csr -key ecdsa_privkey.pem -new`
- Submit your generated CSRs to lego or another ACME client
  `./lego -m [email protected] -a --csr="ecdsa_csr.csr" --webroot /var/www/ --path /etc/nginx/ssl/ecdsa run`
  `./lego -m [email protected] -a --csr="rsa_csr.csr" --webroot /var/www/ --path /etc/nginx/ssl/rsa run`
- Generate the required DNS records using the SSL-Tools TLSA Record Generator and publish them
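As an added example (not part of SecNginX), the following Python computes the TLSA record for a reused public key, which is what keeps the DANE record stable across renewals with a fixed CSR, and checks a presented key against a published record; it goes beyond the `3 1 1` case by also handling selector 0 and matching types 0 and 2. The PEM sample is constructed, and the `openssl` commands mentioned in the comments are the assumed source of the real DER input.

```python
import base64
import hashlib
import re

# Digest applied to the selected data, keyed by TLSA matching type
# (RFC 6698: 0 = full DER data, 1 = SHA-256, 2 = SHA-512).
_MATCHING = {
    0: lambda d: d,
    1: lambda d: hashlib.sha256(d).digest(),
    2: lambda d: hashlib.sha512(d).digest(),
}


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and return the DER bytes it encloses."""
    body = re.sub(r"-----(BEGIN|END)[^-]*-----", "", pem)
    return base64.b64decode("".join(body.split()))


def tlsa_rdata(der: bytes, usage: int = 3, selector: int = 1, mtype: int = 1) -> str:
    """RDATA of a TLSA record. For selector 1 pass the DER SubjectPublicKeyInfo
    (`openssl pkey -in ecdsa_privkey.pem -pubout -outform DER`); for selector 0
    pass the DER of the whole certificate."""
    if mtype not in _MATCHING:
        raise ValueError(f"unsupported matching type {mtype}")
    return f"{usage} {selector} {mtype} {_MATCHING[mtype](der).hex()}"


def tlsa_record(host: str, der: bytes, port: int = 443, proto: str = "tcp", **kw) -> str:
    """Presentation-format record ready for a zone file."""
    return f"_{port}._{proto}.{host}. IN TLSA {tlsa_rdata(der, **kw)}"


def tlsa_matches(der: bytes, rdata: str) -> bool:
    """Does the DER data presented by the server match the published RDATA?"""
    _usage, _selector, mtype, data = rdata.split()
    return _MATCHING[int(mtype)](der).hex() == data.lower()


# Constructed stand-in for a PEM public key (its DER body is just b"abc");
# a real one comes from `openssl pkey -in ecdsa_privkey.pem -pubout`.
SAMPLE_PUBKEY_PEM = "-----BEGIN PUBLIC KEY-----\nYWJj\n-----END PUBLIC KEY-----\n"

if __name__ == "__main__":
    spki = pem_to_der(SAMPLE_PUBKEY_PEM)
    print(tlsa_record("example.com", spki))
    # A renewal that reuses the CSR keeps the key, so the record still matches.
    print("same key after renewal:", tlsa_matches(spki, tlsa_rdata(spki)))
    # A renewal with a fresh key (constructed here as different bytes) does not.
    print("fresh key after renewal:", tlsa_matches(b"abd", tlsa_rdata(spki)))
```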
- No support for DHE key exchange
- No hybrid RSA/ECDSA certificates
- No OCSP stapling
- No support for Certificate Transparency Timestamps