Versions Compared

Version Old Version 4 New Version 5
Changes made by

Anthony Lau (Unlicensed)

Samuel Kirby

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Installing NGINX mainline

  1. Run sudo apt remove nginx to remove the current installation of NGINX while preserving the configuration files.Run sudo apt install curl gnupg2 ca-certificates lsb-release to install the prerequisites.

  2. Run the following to set up the repository for mainline packages:

    Code Block
    echo "deb http://nginx.org/packages/mainline/ubuntu `lsb_release -cs` nginx" | sudo tee /etc/apt/sources.list.d/nginx.list

  3. Run curl -fsSL https://nginx.org/keys/nginx_signing.key | sudo apt-key add - to import an official NGINX signing key so apt can verify the package's authenticity.

  4. Run sudo apt-key fingerprint ABF5BD827BD9BF62 to verify you have the proper key.

  5. The output should contain the full fingerprint 573B FD6B 3D8F BC64 1079 A6AB ABF5 BD82 7BD9 BF62.

  6. Run sudo apt update and sudo apt install nginx.

  7. Run sudo rm /etc/nginx/conf.d/default.conf to remove the default configuration.

  8. Run sudo vim /etc/nginx/nginx.conf and add include /etc/nginx/sites-enabled/*; below the line include /etc/nginx/conf.d/*.conf;.conf.d/phixflow.conf and paste in the following, replacing [subdomain] with the appropriate subdomain of the server:

    Code Block
    server {
    listen 443 ssl;
    listen [::]:443 ssl ipv6only=on;

    server_name [subdomain].phixflow.com;

    location / {
        proxy_pass http://127.0.0.1:8080;
    }

    ssl_certificate /etc/letsencrypt/live/[subdomain].phixflow.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/[subdomain].phixflow.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    client_max_body_size 40M;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
}

  9. Run sudo nginx -s reload.

  10. Run sudo service nginx stop.

  11. Run sudo service nginx start.

  12. Run netstat -tln to check the server is listening on port 443 rather than 80.

  13. Check the PhixFlow application loads in the browser. Check the security settings in the browser console.

  14. Run nginx -V to check the version.

...

  1. .

Configure SSL Cipher Restriction

This is based on recommendations given at: https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations . Note that there is a scheduled audit to review these on a regular basis and update our build instructions to continue to comply with the recommendations.

Open the file at /etc/letsencrypt/options-ssl-nginx.conf. It should look similar to the following:

Code Block
ssl_session_cache shared:le_nginx_SSL:1m;
ssl_session_timeout 1440m;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;

ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";

Edit the ssl_protocols parameter to be:

Code Block
ssl_protocols TLSv1.3;

Edit the ssl_ciphers parameter to be:

Code Block
ssl_ciphers "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256";

Close and save the file.

Run the following to reload the NGINX configuration:

Code Block
sudo nginx -s reload

Restart the NGINX service:

Code Block
sudo service nginx restart

Switching NGINX from stable branch to mainline

Info

This section should no longer be used, but has been retained for reference

  1. Run sudo apt remove nginx to remove the current installation of NGINX while preserving the configuration files.

  2. Run sudo apt install curl gnupg2 ca-certificates lsb-release to install the prerequisites.

  3. Run the following to set up the repository for mainline packages:

    Code Block
    echo "deb http://nginx.org/packages/mainline/ubuntu `lsb_release -cs` nginx" | sudo tee /etc/apt/sources.list.d/nginx.list

  4. Run curl -fsSL https://nginx.org/keys/nginx_signing.key | sudo apt-key add - to import an official NGINX signing key so apt can verify the package's authenticity.

  5. Run sudo apt-key fingerprint ABF5BD827BD9BF62 to verify you have the proper key.

  6. The output should contain the full fingerprint 573B FD6B 3D8F BC64 1079 A6AB ABF5 BD82 7BD9 BF62.

  7. Run sudo apt update and sudo apt install nginx.

  8. Run sudo rm /etc/nginx/conf.d/default.conf to remove the default configuration.

  9. _header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"; }

    Run sudo vim /etc/nginx/confnginx.d/phixflow.conf and paste in the following, replacing [subdomain] with the appropriate subdomain of the server:

    Code Blockserver { listen 443 ssl; listen [::]:443 ssl ipv6only=on; server_name [subdomain].phixflow.com; location / { proxy_pass http://127.0.0.1:8080; } ssl_certificate /etc/letsencrypt/live/[subdomain].phixflow.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/[subdomain].phixflow.com/privkey.pem; include /etc/letsencrypt/options-ssl-nginx.conf; ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; client_max_body_size 40M; add

    conf and add include /etc/nginx/sites-enabled/*; below the line include /etc/nginx/conf.d/*.conf;.

  10. Run sudo nginx -s reload.

  11. Run sudo service nginx stop.

  12. Run sudo service nginx start.

  13. Run netstat -tln to check the server is listening on port 443 rather than 80.

  14. Check the PhixFlow application loads in the browser. Check the security settings in the browser console.

  15. Run nginx -V to check the version.

...