The default is 1024 bits, which is too low.
https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
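# Generate 4096-bit DH parameters in the directory nginx is pointed at below.
# The two commands were collapsed onto one line in the original, which makes
# `cd` fail with "too many arguments"; `&&` also stops the run if the cd fails
# so the file is not written into the wrong directory. Expect this to take a
# long time (minutes) at 4096 bits.
cd /etc/ssl/certs && openssl dhparam -out dhparam.pem 4096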
Add this to your nginx.conf:
# Use the 4096-bit DH parameters generated above for DHE key exchange
# instead of nginx's built-in default that the note above calls too low.
ssl_dhparam /etc/ssl/certs/dhparam.pem;
The default is 1024 bits, which is too low.
https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
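# Generate 4096-bit DH parameters in the directory nginx is pointed at below.
# The two commands were collapsed onto one line in the original, which makes
# `cd` fail with "too many arguments"; `&&` also stops the run if the cd fails
# so the file is not written into the wrong directory. Expect this to take a
# long time (minutes) at 4096 bits.
cd /etc/ssl/certs && openssl dhparam -out dhparam.pem 4096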
Add this to your nginx.conf:
# Use the 4096-bit DH parameters generated above for DHE key exchange
# instead of nginx's built-in default that the note above calls too low.
ssl_dhparam /etc/ssl/certs/dhparam.pem;
You can use HAProxy as an SSL frontend,
with a redirect from port 80 to 443.
Here is a sample haproxy.cfg:
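global
    log 127.0.0.1 local0
    log 127.0.0.1 local1 notice
    user haproxy
    group haproxy
    daemon
    # "level admin" lets anyone who can open the socket disable servers;
    # restrict the socket's file mode so only root/haproxy can reach it.
    stats socket /etc/haproxy/haproxysock level admin mode 600
    maxconn 16384
    # DH parameters for DHE cipher suites; 4096 matches the nginx dhparam above.
    tune.ssl.default-dh-param 4096

defaults
    log global
    balance roundrobin
    mode http
    retries 3
    option httplog
    option dontlognull
    maxconn 10240
    timeout connect 5s
    timeout client 15s
    timeout server 60s
    # Bound how long a client may take to send the full request headers,
    # so slow-header clients cannot hold connections open indefinitely.
    timeout http-request 10s

backend my_frontend_pool
    option forwardfor
    server mylocalserver1.example.com 10.10.18.30:8080 weight 1 maxconn 512 check
    server mylocalserver2.example.com 10.10.18.40:8080 weight 1 maxconn 512 check
    server mylocalserver3.example.com 10.10.18.50:8080 weight 1 maxconn 512 check

frontend mylocalfrontend.example.com
    # Plain-HTTP listener; it exists only so the redirect below can run.
    # The original text promised an 80 -> 443 redirect but never bound :80.
    bind 10.241.18.20:80
    # RC4 suites (ECDHE+aRSA+RC4+SHA, RC4+SHA) were removed from the list and
    # !RC4 appended; TLS 1.0/1.1 are refused alongside SSLv3.
    bind 10.241.18.20:443 ssl crt /etc/ssl/myserver/wild.pem ciphers ECDHE+aRSA+AES256+GCM+SHA384:ECDHE+aRSA+AES128+GCM+SHA256:ECDHE+aRSA+AES256+SHA384:ECDHE+aRSA+AES128+SHA256:ECDHE+aRSA+AES256+SHA:ECDHE+aRSA+AES128+SHA:AES256+GCM+SHA384:AES128+GCM+SHA256:AES128+SHA256:AES256+SHA256:DHE+aRSA+AES128+SHA:HIGH:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4 no-sslv3 no-tlsv10 no-tlsv11
    acl clear dst_port 80
    acl secure dst_port 443
    # Send every plain-HTTP request to the HTTPS listener.
    redirect scheme https code 301 if clear
    # reqadd is deprecated (removed in HAProxy 2.1); http-request add-header
    # is the supported equivalent and exists in 1.5+, which this config
    # already requires for tune.ssl.default-dh-param.
    http-request add-header X-Forwarded-Proto https if secure
    http-request add-header FRONT_END_HTTPS on if secure
    default_backend my_frontend_pool

# The stats page reveals backend addresses and health; the original served it
# on every interface with no authentication. Credentials below are a
# placeholder — change them, and prefer binding to a management address.
listen my_statistics :60099
    stats enable
    stats uri /
    stats refresh 15s
    stats auth STATS_USER:CHANGE_ME_PASSWORD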
This is for Varnish 4; I think it also works on Varnish 5.
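# Marker to tell the VCL compiler that this VCL has been adapted to the
# new 4.0 format.
vcl 4.0;

# Default backend definition. Set this to point to your content server.
backend default {
    .host = "127.0.0.1";
    .port = "8080";
}

# Addresses allowed to issue PURGE. The ACL is matched against client.ip,
# i.e. the directly connected peer; when a proxy (such as the HAProxy
# frontend above) sits in front of Varnish, every request carries the
# proxy's address here, not the end user's.
acl purge {
    "localhost";
    "10.0.0.0"/8;
}

sub vcl_recv {
    # Happens before we check if we have this in cache already.
    #
    # Typically you clean up the request here, removing cookies you don't need,
    # rewriting the request, etc.
    if (req.restarts == 0) {
        if (req.http.X-Forwarded-For) {
            set req.http.X-Forwarded-For = req.http.X-Forwarded-For + ", " + client.ip;
        } else {
            set req.http.X-Forwarded-For = client.ip;
        }
    }

    if (req.method == "PURGE") {
        if (!client.ip ~ purge) {
            return(synth(405,"Request method not allowed."));
        }
        return (purge);
    }

    ## pass a url not in cache
    if (req.url ~ "^/admin/") {
        return(pass);
    }

    # Unknown methods are piped straight through, as in the built-in VCL.
    if (req.method != "GET" && req.method != "HEAD" && req.method != "PUT" && req.method != "POST" && req.method != "TRACE" && req.method != "OPTIONS" && req.method != "PATCH" && req.method != "DELETE") {
        return (pipe);
    }

    # Non-GET/HEAD requests bypass the cache. This check now runs BEFORE the
    # cookie is removed: in the original order the cookie was unset first,
    # so POST requests reached the backend with their session cookies stripped.
    if (req.method != "GET" && req.method != "HEAD") {
        return (pass);
    }

    # Requests that may be served from cache are normalised by dropping the
    # cookie, so one cached object is shared by all clients.
    unset req.http.cookie;

    # Normalise Accept-Encoding so equivalent requests hash to one object;
    # already-compressed formats are fetched without encoding.
    if (req.http.Accept-Encoding) {
        if (req.url ~ "\.(jpg|png|gif|gz|tgz|bz2|tbz|mp3|ogg)$") {
            unset req.http.Accept-Encoding;
        } elsif (req.http.Accept-Encoding ~ "gzip") {
            set req.http.Accept-Encoding = "gzip";
        } elsif (req.http.Accept-Encoding ~ "deflate") {
            set req.http.Accept-Encoding = "deflate";
        } else {
            unset req.http.Accept-Encoding;
        }
    }

    return(hash);
}

sub vcl_hash {
    hash_data(req.url);
    if (req.http.host) {
        hash_data(req.http.host);
    } else {
        hash_data(server.ip);
    }
    if (req.http.accept-language) {
        hash_data(req.http.accept-language);
    }
    # Cannot fire today: vcl_recv removes the cookie before hashing. Kept so
    # the hash stays correct if that unset is ever relaxed.
    if (req.http.Cookie) {
        hash_data(req.http.Cookie);
    }
}

sub vcl_miss {
    return(fetch);
}

sub vcl_backend_response {
    # Happens after we have read the response headers from the backend.
    #
    # Here you clean the response headers, removing silly Set-Cookie headers
    # and other mistakes your backend does.

    # Responses to passed requests (POST, /admin/, ...) are never stored, so
    # leave their Set-Cookie and Cache-Control alone; the original stripped
    # Set-Cookie from these too, which breaks login responses.
    if (bereq.uncacheable) {
        return (deliver);
    }

    # The original forced a one-day TTL on anything with a shorter TTL, which
    # included backend error pages. Mark 5xx uncacheable instead (short
    # hit-for-pass, as the built-in VCL does) so an outage is not cached.
    if (beresp.status >= 500) {
        set beresp.ttl = 120s;
        set beresp.uncacheable = true;
        return (deliver);
    }

    unset beresp.http.set-cookie;

    ### set varnish cache time ttl
    # The original also tested beresp.http.Set-Cookie here, but the header had
    # just been removed, so that test never fired and the condition has always
    # reduced to the TTL check.
    if (beresp.ttl < 1d) {
        set beresp.ttl = 1d;
        unset beresp.http.Cache-Control;
        return (deliver);
    }
    set beresp.grace = 1d;
    return (deliver);
}

sub vcl_deliver {
    # Happens when we have all the pieces we need, and are about to send the
    # response to the client.
    #
    # You can do accounting or modifying the final object here.
    # Strip headers that reveal the backend stack and the cache layer.
    unset resp.http.X-Powered-By;
    unset resp.http.Server;
    unset resp.http.X-Drupal-Cache;
    unset resp.http.X-Varnish;
    unset resp.http.Via;
    unset resp.http.Link;
    return (deliver);
}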