Hello,
I’ve been doing some reading on securing Nginx servers and thought I’d share it with the community. I noticed several weaknesses in the suggested configuration: the SSL Labs test gave me a low score. The following config gets an A+ on the SSL Labs test and no findings from gixy. I’m using nginx v1.14.2 on Debian 10.
I’m using Collabora CODE instead of the Docker image, and I added it to the config on the same domain so that I only need one certificate. I enabled SSL termination in Collabora’s loolwsd.xml config file.
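# HTTPS vhost for Pydio Cells with Collabora CODE on the same host name.
# Cells is reached over HTTPS on localhost:8080, CODE (loolwsd) over HTTP on
# localhost:9980 (CODE's own TLS termination is handled in loolwsd.xml).
server {
    listen [::]:443 ssl;
    listen 443 ssl;
    server_name cells.mydomain.com;

    # Do not advertise the nginx version in the Server header or error pages.
    server_tokens off;
    # Upload limit for Cells (and CODE image/presentation uploads).
    client_max_body_size 200M;

    # Security headers. "always" also sends them on 4xx/5xx responses, which
    # nginx otherwise skips. add_header is only inherited by locations that set
    # no add_header of their own, so keep all of them here at server level.
    # Clickjacking: the CODE editor is embedded by Cells from this same origin,
    # so SAMEORIGIN is sufficient.
    add_header X-Frame-Options "SAMEORIGIN" always;
    # HSTS. "preload" is a long-term commitment for this host and every
    # subdomain; drop it if any subdomain must stay reachable over plain HTTP.
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload" always;
    # Stop browsers from content-sniffing uploaded/downloaded files.
    add_header X-Content-Type-Options "nosniff" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;

    # Cells web UI / REST API.
    location / {
        proxy_buffering off;
        proxy_pass https://localhost:8080$request_uri;
        proxy_pass_request_headers on;
        #proxy_set_header Host $host;
        # Client address information for Cells' logs and access rules.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Cells websocket. Upgrade/Connection are hop-by-hop and must be set
    # explicitly; HTTP/1.1 to the backend is required for the upgrade.
    location /ws {
        proxy_buffering off;
        proxy_pass https://localhost:8080;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_read_timeout 86400;
    }

    # --- Collabora CODE (loolwsd) --------------------------------------------

    # static files
    location ^~ /loleaflet {
        proxy_pass http://localhost:9980;
        proxy_set_header Host $host;
    }

    # WOPI discovery URL
    location ^~ /hosting/discovery {
        proxy_pass http://localhost:9980;
        proxy_set_header Host $host;
    }

    # Capabilities
    location ^~ /hosting/capabilities {
        proxy_pass http://localhost:9980;
        proxy_set_header Host $host;
    }

    # main websocket
    location ~ ^/lool/(.*)/ws$ {
        proxy_pass http://localhost:9980;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $host;
        proxy_read_timeout 36000s;
    }

    # download, presentation and image upload
    location ~ ^/lool {
        proxy_pass http://localhost:9980;
        proxy_set_header Host $host;
    }

    # Admin Console websocket. The "^~" prefix match wins over the regex
    # locations above. This is reachable from anywhere; the admin credentials in
    # loolwsd.xml are the only gate, so consider an allow/deny list here if the
    # console is only used from known addresses.
    location ^~ /lool/adminws {
        proxy_pass http://localhost:9980;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $host;
        proxy_read_timeout 36000s;
    }

    error_log /var/log/nginx/cells-proxy-error.log;
    access_log /var/log/nginx/cells-proxy-access.log;

    # --- TLS -----------------------------------------------------------------
    ssl_certificate /etc/letsencrypt/live/cells.mydomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/cells.mydomain.com/privkey.pem;
    # TLS 1.3 is available with the OpenSSL 1.1.1 that Debian 10's nginx links
    # against (nginx >= 1.13.0 accepts the TLSv1.3 parameter).
    ssl_protocols TLSv1.2 TLSv1.3;
    # Forward-secret AEAD suites only. The previous HIGH:!aNULL:!MD5 still
    # allowed RSA key exchange (no forward secrecy) and CBC suites.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    # Every suite offered is acceptable, so let the client choose (e.g. prefer
    # ChaCha20 on devices without AES acceleration).
    ssl_prefer_server_ciphers off;
    # Resume sessions via a shared server-side cache rather than tickets:
    # nginx's auto-generated ticket key is only rotated on restart, which
    # weakens forward secrecy for resumed sessions.
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    #Generated using openssl dhparam -out dhparam.pem 4096
    #Fixes weak Diffie-Hellman keys (needed for the DHE suites above)
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
}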
# Plain-HTTP listener: redirect the expected host name to HTTPS, answer
# anything else with 404.
server {
    listen 80;
    listen [::]:80;
    server_name cells.mydomain.com;

    # Only the expected Host header is redirected; requests for other names
    # that land here (if this becomes the default server) get a 404 instead of
    # being bounced to the HTTPS vhost.
    if ($host = cells.mydomain.com) {
        return 301 https://$host$request_uri;
    }

    return 404;
}
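# TLS-terminating proxy for the Cells gRPC endpoint (HTTP/2).
# NOTE(review): "listen 33060" binds all interfaces on the same port that
# grpc_pass targets on localhost; presumably the Cells gRPC service is bound to
# a different address, otherwise this would proxy to itself — confirm.
server {
    listen 33060 ssl http2;
    listen [::]:33060 ssl http2;
    server_tokens off;

    # --- TLS (kept identical to the 443 vhost) -------------------------------
    ssl_certificate /etc/letsencrypt/live/cells.mydomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/cells.mydomain.com/privkey.pem;
    # TLS 1.3 is available with the OpenSSL 1.1.1 that Debian 10's nginx links
    # against.
    ssl_protocols TLSv1.2 TLSv1.3;
    # Forward-secret AEAD suites only; HIGH:!aNULL:!MD5 still allowed RSA key
    # exchange and CBC suites.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
    # Shared session cache instead of tickets (nginx's auto-generated ticket
    # key is only rotated on restart).
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    # Same parameters as the 443 vhost; without ssl_dhparam the DHE suites
    # above are not offered at all.
    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    # Long-lived gRPC streams.
    keepalive_timeout 600s;

    location / {
        grpc_pass grpcs://localhost:33060;
    }

    error_log /var/log/nginx/proxy-grpc-error.log;
    access_log /var/log/nginx/proxy-grpc-access.log;
}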
I followed quite a few articles and guides, so I can’t credit them all; fortunately, Collabora has a useful page about configuring nginx.
I hope it’ll be useful for someone.