Don't use the $host variable in NGINX; it is user-supplied data (HOST header)
authorChristian Mehlmauer <firefart@gmail.com>
Mon, 30 Mar 2015 15:12:23 +0000 (17:12 +0200)
committerChristian Mehlmauer <firefart@gmail.com>
Mon, 30 Mar 2015 15:12:23 +0000 (17:12 +0200)
src/configuration/Webservers/nginx/default-hsts
src/practical_settings/webserver.tex

index a50136c..befa886 100644 (file)
@@ -26,7 +26,7 @@ server {
 
        # Make site accessible from http://localhost/
        server_name localhost;
-       return 301 https://$host$request_uri;
+       return 301 https://www.domain.com$request_uri;
 }
 
 
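Review bot: The hard-coded redirect target on the new line 29 no longer matches `server_name localhost;` two lines above it, so the listing as shipped redirects localhost traffic to www.domain.com; the `server_name` directive should carry the same name so the block is self-consistent, especially since the guide only shows line 29 via `\configfile{default-hsts}{29-29}`. The reason for dropping `$host` (it is populated from the client's Host header, so a redirect built from it reflects whatever name the client sent) lives only in the commit message; a comment above the return would keep it with the config, e.g. `# Do not use $host here: it is taken from the client-supplied Host header`. If a literal is undesirable, nginx's `$server_name` is derived from the server_name directive rather than the request, but with `server_name localhost;` it would resolve to localhost, so the directive still needs the real name. The enclosing `server { … }` block opens before this hunk.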
index 1f6494f..2449577 100644 (file)
@@ -1,4 +1,4 @@
-%%---------------------------------------------------------------------- 
+%%----------------------------------------------------------------------
 \subsection{Apache}
 
 Note that any cipher suite starting with EECDH can be omitted, if in doubt.
@@ -34,7 +34,7 @@ you can do this with the following setting inside of a VirtualHost environment:
 See appendix \ref{cha:tools}
 
 
-%%---------------------------------------------------------------------- 
+%%----------------------------------------------------------------------
 \subsection{lighttpd}
 
 \subsubsection{Tested with Versions}
@@ -64,7 +64,7 @@ that HTTPS is in use.
 
 \configfile{11-hsts.conf}{}{https auto-redirect configuration}
 
-\subsubsection{Additional information} 
+\subsubsection{Additional information}
 The config option \emph{honor-cipher-order} is available since 1.4.30, the
 supported ciphers depend on the used OpenSSL-version (at runtime). ECDHE has to
 be available in OpenSSL at compile-time, which should be default. SSL
@@ -75,7 +75,7 @@ Support for other SSL-libraries like GnuTLS will be available in the upcoming
 2.x branch, which is currently under development.
 
 
-\subsubsection{References} 
+\subsubsection{References}
 \begin{itemize*}
   \item HTTPS redirection: \url{http://redmine.lighttpd.net/projects/1/wiki/HowToRedirectHttpToHttps}
   \item Lighttpd Docs SSL: \url{http://redmine.lighttpd.net/projects/lighttpd/wiki/Docs\_SSL}
@@ -84,19 +84,20 @@ Support for other SSL-libraries like GnuTLS will be available in the upcoming
 \end{itemize*}
 
 
-\subsubsection{How to test} 
+\subsubsection{How to test}
 See appendix \ref{cha:tools}
 
 
-%%---------------------------------------------------------------------- 
+%%----------------------------------------------------------------------
 \subsection{nginx}
 
-\subsubsection{Tested with Version} 
+\subsubsection{Tested with Version}
 \begin{itemize*}
   \item 1.4.4 with OpenSSL 1.0.1e on OS X Server 10.8.5
   \item 1.2.1-2.2+wheezy2 with OpenSSL 1.0.1e on Debian Wheezy
   \item 1.4.4 with OpenSSL 1.0.1e on Debian Wheezy
   \item 1.2.1-2.2~bpo60+2 with OpenSSL 0.9.8o on Debian Squeeze (note that TLSv1.2 does not work in openssl 0.9.8 thus not all ciphers actually work)
+  \item 1.4.6 with OpenSSL 1.0.1f on Ubuntu 14.04.2 LTS
 \end{itemize*}
 
 
@@ -115,11 +116,11 @@ If you decide to trust NIST's ECC curve recommendation, you can add the followin
 
 \configfile{default-ec}{119-119}{SSL EC/DH settings for nginx}
 
-You might want to redirect everything to \emph{https://} if possible. In Nginx you can do this with the following setting:
+You might want to redirect everything to \emph{https://} if possible. In Nginx you can do this with the following setting (replace www.domain.com with your domain):
 
 \configfile{default-hsts}{29-29}{https auto-redirect in nginx}
 
-\subsubsection{References} 
+\subsubsection{References}
 \begin{itemize*}
   \item \url{http://nginx.org/en/docs/http/ngx_http_ssl_module.html}
   \item \url{http://wiki.nginx.org/HttpSslModule}
@@ -129,7 +130,7 @@ You might want to redirect everything to \emph{https://} if possible. In Nginx y
 See appendix \ref{cha:tools}
 
 
-%%---------------------------------------------------------------------- 
+%%----------------------------------------------------------------------
 \subsection{Cherokee}
 
 \subsubsection{Tested with Version}
@@ -220,15 +221,15 @@ Server 2008 R2, Windows Server 2012 and Windows Server 2012 R2). For detailed
 information about the older versions see the Microsoft knowledgebase
 article. \footnote{\url{http://support.microsoft.com/kb/245030/en-us}}
 \begin{lstlisting}[breaklines]
-  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel] 
-  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Ciphers] 
-  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\CipherSuites] 
-  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Hashes] 
-  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\KeyExchangeAlgorithms] 
-  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols] 
+  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel]
+  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Ciphers]
+  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\CipherSuites]
+  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Hashes]
+  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\KeyExchangeAlgorithms]
+  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols]
 \end{lstlisting}
 
-\subsubsection{Tested with Version} 
+\subsubsection{Tested with Version}
 \begin{itemize*}
   \item Windows Server 2008
   \item Windows Server 2008 R2
@@ -262,7 +263,7 @@ of the following ways:
   \item Group Policy \footnote{\url{http://msdn.microsoft.com/en-us/library/windows/desktop/bb870930(v=vs.85).aspx}}
   \item Registry  \footnote{\url{http://support.microsoft.com/kb/245030 }}
   \item IIS Crypto~\footnote{\url{https://www.nartac.com/Products/IISCrypto/}}
-  \item Powershell 
+  \item Powershell
 \end{enumerate}
 
 
@@ -309,7 +310,7 @@ Clients not supported:
 
 \subsubsection{Additional settings}
 %Here you can add additional settings
-It's recommended to use Strict-Transport-Security: max-age=15768000 
+It's recommended to use Strict-Transport-Security: max-age=15768000
 for detailed information visit the
 \footnote{\url{http://www.iis.net/configreference/system.webserver/httpprotocol/customheaders}}
 Microsoft knowledgebase.
@@ -338,9 +339,9 @@ Set-WebConfiguration -Location "$WebSiteName/$WebApplicationName" `
 \subsubsection{How to test}
 See appendix \ref{cha:tools}
 
-%%---------------------------------------------------------------------- 
+%%----------------------------------------------------------------------
 
-%%% Local Variables: 
+%%% Local Variables:
 %%% mode: latex
 %%% TeX-master: "../applied-crypto-hardening"
-%%% End: 
+%%% End: