Setting up HTTPS: the quest for a solid security config

Apr 30, 2016

I bought a shared hosting plan that lasted me almost a year before I decided to get something more powerful. Today I’ll tell you what I did to get a respectable HTTPS configuration in my recently deployed cloud server.

Motivation

Having a shared hosting plan is great. You log in to cPanel and you have tons of menu options, a search bar to look for settings and you can call yourself a certified system administrator from day 1… On the other side you can only have static content, a bundle of common software options and your performance will depend on the server you’re hosted in: if it has poor specs (or too many clients in it), you’d see your blog, forum or e-commerce store drag with lag beyond what any user would bare. Besides my static content, I had my own little blog, but even that was too much to ask. I was accessing my blog’s admin page via HTTP, sending my (weakest) password in clear text over the wire. I wanted to add security and only serve content via HTTPS. To do that, my monthly fee would rise from 2€/month to 6€/month , with no added performance benefits. This was the final nail in the coffin for my would-be server. I needed a real server, no shackles included. Fast forward a couple of weeks and I’m currently very happy using DigitalOcean’s cheapest droplet.

Planning ahead for the move

In the last months I had increasing interest for NodeJS. I wanted to build a website with it, and I knew I wouldn’t stop thinking about it until I actually had it. Suffice to say that well before my move to a cloud server, I already knew what backend would serve my content. But there were other concerns! What about speed? Node is all about speed, but there’s no built-in cache module. No listening on port 80 or 443 out of the box, not without running it as root. I searched for a better way and found that I could and should leverage on a bulletproof, battle-hardened web-server like Apache or NGINX to have requests cached and even handle SSL for me. In turn, this would make my actual server code ever so simple. But which one to choose? I had worked with Apache before, but I had heard of NGINX as a more scalable option, with excellent caching capabilities. Having searched for configuration files, I found them to be intuitive enough, and the choice was made. As soon as I got my Droplet and a server certificate I could start working on making everything stick together.

More on the case of NGINX

Node has a HTTPS module. There are ways to run a Node server on port 443. But does it really make sense to do so? This is my first server, and I might/will use it for more than one project. So how would I ever run multiple servers on standard web-server ports? And what about cache? If I had 10 node servers running, I’d have some serious code plumbing work in order to cache requests for all servers. Don’t even get me started on SSL handling. I think you get my point. Just Node is probably not the best way to deploy things: NGINX can act as a reverse proxy. Think about it. SSL settings and cache are all handled for me. I start my node server(s), and set them up in user available ports. I then set config files for my website and redirect all requests to the port on which the node server is running. This way I can have multiple sites configured, and multiple servers per site (e.g. requests to goncalotomas.com/api-for-a-random-project might get redirected to the node server running on port 9090).

NGINX setup

So here we are, setting up website configuration files with a server certificate in hand. Let’s see what an initial version would look like:

server {
  # HTTP B gone
  listen 80;
  redirect 301 https://$host$request_uri
}

server {
  # SSL settings
  listen 443 ssl;
  server_name goncalotomas.com;
  ssl_certificate /path/to/your/ca-bundle/file
  ssl_certificate_key /path/to/your/private/key

  location / {
    proxy_pass http://localhost:9090;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection 'upgrade';
    proxy_set_header Host $host;
    proxy_cache_bypass $http_upgrade;
  }
}

Remember kids: HTTPS only. It’s the safest way to go. That’s what the first server entry is doing there: redirecting all standard HTTP requests to HTTPS. Note that this is a simple config file I copied from the NGINX docs. That doesn’t necessarily mean you get the best HTTPS config just using these settings. In fact, if you were to visit securityheaders.io with our current configuration, you’d see a big fat F… because we still don’t have any security headers. But as with any security topic: one should not fiddle with what one does not understand. So I will give you a one-liner definition for the security headers we will be using:

Content Security Policy (CSP): Basically a way of whitelisting content sources, including images, scripts and styles. Anything you add to your pages that comes form a source not listed in the CSP will not be executed/displayed.
HTTP Strict-Transport-Security (HSTS): A way to tell browsers to keep using HTTPS connections to speak with your server.
X-XSS-Protection: Force enabling a browser’s XSS filter, just in case a user might have disabled it.
X-Content-Type-Options: Making sure that MIME types are not inferred through their content. If the MIME content-type is “text/html”, it will always be displayed as “text/html”.
X-Frame-Options: Whitelist of sources where your content can be iframed in, essentially offering protection against clickjacking.
HTTP Public Key Pinning (HPKP): List of hashes containing public keys used in your certificates. Useful for protecting against rogue certificate attacks.

I need to warn you about HPKP. The current specification document strongly recommends having a backup key and listing that public key as well. If your certificate gets compromised, you still have your backup. It is also recommended to keep the backup key offsite and offline, because if you keep both in the same server and if an attacker is able to compromise one key, he will find the backup key in no time. I’m warning you because if you keep your backup in the same place or if you don’t have a backup and your certificate key is compromised, then adding a new cert might make your visitors see nasty warnings in their browser, since you did not pin the new key in the header. That’s the last thing you want!

I could list all values for each individual header, but this post is already huge. When you’re querying your own website at securityheaders.io, it tells you what you should have in your missing server headers. It shouldn’t take you more than 30 minutes to set them up. 🙂

But wait… There’s more!

There are more things you should keep track of. Firstly, read this wonderful article. And this one. They tell you just how security headers are nothing but a bunch of bullshit if you don’t watch out for your other settings. A successful attacker seldom uses complex attack vectors — he/she will choose the easiest path. If you’re going to work or be responsible for security, you need to put in some extra effort. Enter the infamous SSL settings.

I have found two main issues with SSL settings: Diffie-Hellman protocol parameters and the ciphersuites that your server can work with. Let’s talk about both:

Diffie-Hellman parameters

There’s a reasonable chance that this website explains this issue way better than I do. But I’ll try anyways because I’m that guy that tries to explain everything. In short, there are several groups of 1024-bit prime numbers that are used in the Diffie-Hellman key exchange protocol by millions. Would anything tempt the NSA more than precomputing and brute force these numbers so they could be able to eavesdrop communications that everyone thought were safe? What you can do to solve this issue is to use a stronger, out of the mainstream group of Diffie-Hellman parameters in order to make sure your server’s key exchange protocol is as safe as can be. I trust your Googling skills to find how to make it work.

Accepted ciphersuites

This one is a tricky one because people tend to overlook important security news. Security vulnerabilities get discovered now and then, and it’s your job to make sure that no vulnerable configuration is accepted by your server. That is done by maintaining an updated list of accepted ciphersuites. At the time of writing this, here is my “ciphersuite string”:

ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

Again, it is your job to keep this list updated: allow for newer protocols to come and block old or vulnerable ones. Do it right and it will save your bacon. I like bacon, so I’m going to keep my list updated.

Outcome

After this unbelievably long post and all these complicated notions and settings, what you should get is a top grade in both securityheaders.io and in ssltest. This means that you have put a good effort in protecting your users’ data across the wire. Some users, especially developers, value this very much. If you’re selling a service or product and you have not done this work, one might think where else you might have saved time and money… 🤔

Bonus: migration headaches

In the beginning I said I had a shared hosting and how it was so easy to create and manage email accounts, add DNS settings, mess with databases, etc… Big boys have to do everything by hand I guess.. And for your pleasure and amusement, here I am writing about the nightmare that was understanding and migrating everything correctly.

Firstly, the email. My hosting had 2GB disk space, for website files and email (freaking scrooges!). After a long session of Googling I found my lord and saviour, Zoho. They have a free hosted email package with 5GB, and all you have to do is follow a migration wizard that basically clones your old email boxes so you don’t lose anything, and it gives you precise and intuitive instructions on how to change the DNS settings in order to make for a smoother journey. If it took me 10 days to find the courage to start, it took me an hour to completely migrate every account. They are awesome.

Then came the DNS settings. I had already deployed NGINX, set up shop with my Node server and it was just a matter of switching the A address to my new server’s IP address. I don’t really know if this is standard procedure, but my website’s DNS server was on the cPanel service I wanted to cancel. I had to go to my domain settings (this time out of cPanel) and set the domain DNS server to be my host’s primary DNS server (different from the cPanel server). After that was done, several agonising hours passed until DNS magic happened and goncalotomas.com pointed to its new address.

There is still much to be done. Performance optimisations, custom 404 pages, add true Material Design looks, and there’s a good chance I’ll never be happy with what I have. But I’m glad I had the will and patience to learn about these security settings. 😴

Thanks for sticking with me ‘till the end. You’re either a loyal friend or clearly someone with nothing better to do. Either way, you’re awesome. Subscribe the RSS feed so you get notifications!


Categories:
Security
Tags:
Security

Open-source web-apps: should code be readily available? Open-source web-apps: should code be readily available? Open-source web-apps: should code be readily... Open-source web-apps: should code be...

Oldest