
Ubuntu/Nginx SSL configuration Simple guidance, Estonian EID view

RIA EID Guidances https://www.ria.ee Page 1/18

Configuring two-way SSL using Estonian EID smartcards in Ubuntu Nginx webserver

Document information

Creation time 08.02.2019

Client RIA

Author Urmas Vanem, OctoX

Version 19.12/1

Version information

Date Version Changes/Notes

08.02.2019 19.02/1 Public version.

28.02.2019 19.02/2 Notes about client certificate revocation check. Default webpage removal. Changed by Urmas Vanem.

12.12.2019 19.12/1 Added recommendations for securing NGINX. Changed by Urmas Vanem.

Intro

In this guide we describe:

• How to install and configure the Nginx webserver in Ubuntu 18.04.

• How to configure one-way SSL in Nginx.

• How to configure two-way SSL using Estonian EID cards.

In addition, we configure HTTP -> HTTPS redirection.

Nginx installation and configuration

Installation

1. Refresh the Ubuntu package data: in terminal run „sudo apt update“.

Picture 1 – renew Ubuntu packages data

2. Install the Nginx server with the command „sudo apt install nginx“.

Picture 2 - Nginx installation

Configuring server block with one-way SSL

Certificates configuration

Now we create the certificate signing request and the private key, in terminal run „openssl req -newkey rsa:2048 -keyout OctoXPrivKey11.key -sha256 -subj "/CN=Nginx1.kaheksa.xi" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:Nginx1.kaheksa.xi,DNS:Nginx2.kaheksa.xi")) -out OctoX11.csr -nodes“.

Picture 3 - generating private key and certificate signing request

Notes about variables with yellow background:

1. OctoXPrivKey11.key is the certificate private key.

2. OctoX11.csr is the certificate signing request.

3. Nginx1.kaheksa.xi is the subject name of the certificate.

4. Nginx1.kaheksa.xi and Nginx2.kaheksa.xi are the certificate SAN DNS names. These names must correspond to the real website names1. And naturally the names must be resolvable in name services.

The contents of the certificate signing request file can be viewed by running „openssl req -in OctoX11.csr -noout -text“ in terminal.

1 For example Google Chrome does not trust sites where at least one SAN DNS name is not equal to website DNS name.

Picture 4 - certificate signing request includes request for two SAN DNS names

The certificate signing request file OctoX11.csr should be sent to the certificate signer (in our demo environment it is just one test CA). As a response we get the signed certificate in Base-64 encoded format, which should look like the following picture:

Picture 5 - signed certificate in text editor

In Ubuntu the certificate looks like the following picture:

Picture 6 - certificate in Ubuntu

The certificate also includes alternative SAN DNS names:

Picture 7 - SAN DNS names

Save the new certificate to the user home folder in Ubuntu as OctoX11.pem.

As we can see, the certificate issuer is „OctoX Root CA“. Now we must get our issuer CA certificate in Base-64 encoded format and save it to the user home folder in Ubuntu as OctoX_RCA.pem.

Nginx has no separate option for chain certificates; all necessary certificates must be consolidated into one file. The first certificate in the file must correspond to our private key, which is the web server SSL certificate in our case; the issuing CA certificate(s) follow it. So let's put together the certificates OctoX11.pem and „OctoX Root CA“ and save the file as Bundle1.pem. We can use any text editor to do it or run in terminal „cat OctoX11.pem OctoX_Root.pem > Bundle1.pem“.

Picture 8 – consolidating certificates to file Bundle1.pem

In Ubuntu the file looks like the following picture:

Picture 9 – certificates are consolidated to Bundle1.pem

Let's put the bundled file into the correct location by running „sudo cp Bundle1.pem /etc/ssl/certs/Bundle1.pem“ in terminal.

Picture 10 - copying bundled file to certificates container

In addition, we must install the private key correctly. The private key must be in the folder /etc/ssl/private.

Picture 11 – copying private key

Now we have correctly installed all certificates and private key needed by Nginx for one-way SSL.

Creating server block (virtual website)

For the SSL configuration demonstration we create a separate virtual website (or server block, as it is named in Nginx). At first, we create the home folder for our website, /var/www/Nginx1.

Picture 12 – creating root folder for website

Then, for testing purposes, we put a simple webpage named index.html in the folder. In our example the file /var/www/html/index.nginx-debian.html is copied to our new folder as index.html. Then minor modifications are made to its heading or title so that we can later recognize it as our website. In our case we change the title and heading.

Then we prepare the virtual site configuration file, in terminal run „sudo nano /etc/nginx/sites-available/Nginx1.conf“.

Picture 13 – creating new virtual website configuration file

Now we paste the following configuration in it:

    # Beginning of file
    server {
        listen 80;
        listen [::]:80;
        server_name nginx1.kaheksa.xi;
        # Redirect plain HTTP to HTTPS (the request path is not preserved)
        return 301 https://nginx1.kaheksa.xi;
    }

    server {
        listen 80;
        listen [::]:80;
        server_name nginx2.kaheksa.xi;
        return 301 https://nginx2.kaheksa.xi;
    }

    server {
        # SSL configuration
        listen 443 ssl;
        listen [::]:443 ssl;
        root /var/www/Nginx1;
        index index.html;
        server_name nginx1.kaheksa.xi nginx2.kaheksa.xi;

        # Certificates: the bundle (server certificate first, then its chain) and the matching private key
        ssl_certificate /etc/ssl/certs/Bundle1.pem;
        ssl_certificate_key /etc/ssl/private/OctoXPrivKey11.key;

        location / {
            try_files $uri $uri/ =404;
        }
    }
    # End of file

The new configuration should be activated by running „sudo ln -s /etc/nginx/sites-available/Nginx1.conf /etc/nginx/sites-enabled/“ in terminal. Then restart the Nginx service.

Picture 14 - activating new server block and restarting Nginx

Result

Now we have configured our new website to use one-way SSL, and all HTTP requests to our site are redirected to HTTPS. The address http://Nginx1.kaheksa.xi will be redirected to https://Nginx1.kaheksa.xi and the address http://Nginx2.kaheksa.xi will be redirected to https://Nginx2.kaheksa.xi.

Picture 15 - Nginx web server is working and using one-way SSL!

Note. We can create multiple similar websites on the Nginx server.

Requiring two-way SSL

If we want to require strong Estonian EID client certificate-based authentication, we must update our configuration by adding the following lines to our site configuration file Nginx1.conf:

• ssl_client_certificate /etc/ssl/certs/EID_Bundle.pem;

• ssl_verify_client on;

• ssl_verify_depth 2;

Picture 16 - updated configuration file, SSL section

Now we create a new text file named EID_Bundle.pem, which includes all active Estonian EID root and intermediate certificates (EE-GovCA2018, ESTEID2018, EE Certification Centre Root CA, ESTEID-SK 2015) in Base-64 encoded format. With this file we restrict the client certificates accepted by the Nginx web services (in other words, on the client side only those client certificates are offered which are issued by the CAs/chains listed in our file). The file contents in a text editor should look like the following text block, one Base-64 block per certificate between „-----BEGIN CERTIFICATE-----“ and „-----END CERTIFICATE-----“ lines:


Copy the file EID_Bundle.pem to the folder /etc/ssl/certs and restart the Nginx webserver, in terminal run „sudo systemctl restart nginx.service“.

After accessing the website Nginx1.kaheksa.xi or Nginx2.kaheksa.xi now, a client certificate is required.
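An added check (not part of the RIA guide) for the two bundle files built above: Bundle1.pem must carry the server certificate first, followed by its issuer, and EID_Bundle.pem must contain a chain that a client certificate can walk up to a self-signed root, which is what ssl_verify_depth has to allow for. The script decodes only issuer and subject from each certificate's DER and verifies no signatures; the certificates it runs on are constructed, unsigned stand-ins, and the OctoX and DEMO-* names are placeholders.

```python
import base64
import re

# Matches one PEM certificate block; the group holds the Base-64 body (whitespace included).
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def split_pem(text):
    """DER bytes of every certificate in a PEM bundle, in file order."""
    return [base64.b64decode("".join(b.split())) for b in PEM_RE.findall(text)]


def _tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def names(cert_der):
    """(subject, issuer) as raw DER Name contents of an X.509 Certificate; nothing is verified."""
    _, cert, _ = _tlv(cert_der, 0)          # Certificate ::= SEQUENCE { tbsCertificate, alg, sig }
    _, tbs, _ = _tlv(cert, 0)               # TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, ... }
    tag, _, after = _tlv(tbs, 0)
    pos = after if tag == 0xA0 else 0       # the explicit [0] version is optional; skip it when present
    _, _, pos = _tlv(tbs, pos)              # serialNumber
    _, _, pos = _tlv(tbs, pos)              # signature AlgorithmIdentifier
    _, issuer, pos = _tlv(tbs, pos)         # issuer Name
    _, _, pos = _tlv(tbs, pos)              # validity
    _, subject, _ = _tlv(tbs, pos)          # subject Name
    return subject, issuer


def check_server_bundle(pem_text):
    """Order check for Bundle1.pem: certificate i+1 must be the issuer of certificate i, so the
    server certificate that matches ssl_certificate_key sits first. Returns a list of problems."""
    chain = [names(d) for d in split_pem(pem_text)]
    if not chain:
        return ["no certificates found"]
    return [f"certificate {i + 1} is not the issuer of certificate {i}"
            for i in range(len(chain) - 1) if chain[i][1] != chain[i + 1][0]]


def chain_depth(client_der, ca_pem_text):
    """Walk from a client certificate up through the CAs in EID_Bundle.pem. Returns how many CA
    certificates (intermediates plus root) the path uses, or None when no self-signed root in the
    bundle terminates it. ssl_verify_depth must allow at least this chain."""
    issuer_of = dict(names(d) for d in split_pem(ca_pem_text))   # subject -> issuer
    _, issuer = names(client_der)
    depth = 0
    while issuer in issuer_of and depth < len(issuer_of):        # bound guards against loops
        depth += 1
        if issuer_of[issuer] == issuer:                          # self-signed root reached
            return depth
        issuer = issuer_of[issuer]
    return None


# ---- constructed, UNSIGNED stand-in certificates: only the fields names() reads are real ----
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _name(cn):                              # Name ::= SEQUENCE { SET { { id-at-commonName, UTF8String } } }
    atv = _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))
    return _der(0x30, _der(0x31, atv))


def fake_cert_pem(subject_cn, issuer_cn):
    """Constructed test certificate (no key, no signature); never usable with nginx."""
    when = _der(0x18, b"20190101000000Z")
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
           + _name(issuer_cn) + _der(0x30, when + when) + _name(subject_cn) + _der(0x30, b""))
    cert = _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))
    b64 = base64.b64encode(cert).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


SERVER = fake_cert_pem("Nginx1.kaheksa.xi", "OctoX Root CA")   # stands in for OctoX11.pem
ROOT = fake_cert_pem("OctoX Root CA", "OctoX Root CA")         # stands in for the issuer CA file
ID_ROOT = fake_cert_pem("DEMO-GovCA", "DEMO-GovCA")            # EID-like root (constructed)
ID_INTER = fake_cert_pem("DEMO-ID-Issuing", "DEMO-GovCA")      # EID-like intermediate (constructed)
CLIENT = split_pem(fake_cert_pem("DEMO,USER,00000000000", "DEMO-ID-Issuing"))[0]
```

Running check_server_bundle(SERVER + ROOT) returns an empty list while the reversed order reports one problem, and chain_depth(CLIENT, ID_ROOT + ID_INTER) returns 2, the intermediate plus the root, which the guide's ssl_verify_depth 2 covers.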

Picture 17 - client certificate request

After confirming the certificate and entering the PIN we can access the website! Two-way SSL works. Good luck!

Additional configuration options

The purpose of this document is not to give exact guidance on how to optimize or protect websites. The main purpose is to show how it is possible to configure two-way SSL and use Estonian EID cards for authentication. However, in the following section we draw attention to some options which can be useful.

Firewall rules, on demand

By default, the firewall is switched off on Ubuntu. But if it is on, we need to create some rules for accessing the websites on the server. There are three options:

1. Nginx Full - enables ports 80 and 443

2. Nginx HTTP – enables port 80

3. Nginx HTTPS – enables port 443

For creating a firewall rule, run in terminal „sudo ufw allow ’RULE’“. For example, to enable HTTPS traffic only, run „sudo ufw allow ’Nginx HTTPS’“.

Picture 18 - Creating Nginx https rules

If the firewall is active, running the command „sudo ufw status“ in terminal shows us the active rules.

Picture 19 – firewall is active and HTTPS is enabled

Client certificate revocation check

By default, the configuration described above allows access to the Nginx website for all users whose certificates are valid at the time of access. The certificate revocation status is not checked! Unfortunately, Nginx does not support client certificate revocation checking against OCSP. It is possible to use CRLs for client certificate revocation checking:

• Download all related CRLs;

• Convert the downloaded CRLs to Base-64 encoded format;

• Create a bundled file from all CRLs and related certificates;

• Define the bundled file as the value of the ssl_crl setting in the Nginx configuration.

Please remember here that the CRL renewal period for EID cards is 12 hours, so it is not very simple to keep those CRLs up to date all the time!2

Using CRLs is not the preferred method today, and that's the reason we don't go into this configuration deeply. If a certificate revocation check is needed, it should be done inside the web application against the OCSP service if possible.

Default webpage removal

After the Nginx installation we also have the default website installed. To remove the default website, run the command „sudo rm /etc/nginx/sites-enabled/default“ in terminal.

Picture 20 - default website removal

Then reload the Nginx service with the command „systemctl reload nginx“ in terminal.

2 Of course, we can create a scheduled script to do it all, but it still looks like a workaround that needs monitoring, maintenance etc.

Recommended security settings for NGINX

SSL/TLS

In NGINX version 1.14.0 TLS versions 1.0, 1.1 and 1.2 are enabled by default. Older SSL versions are disabled.

Nowadays there is probably no need to use SSL/TLS protocol versions lower than TLS 1.2 anymore. TLS 1.2 should be the lowest version; it is widely used and very stable! But TLS 1.3 can also be enabled to allow optimized and modern TLS traffic.

To configure Nginx to support only TLS protocol versions 1.2 and 1.3, we must add the following line to the Nginx configuration file: “ssl_protocols TLSv1.2 TLSv1.3;”

Picture 21 – determine available TLS versions in NGINX configuration file

If we want to make the change on the server level, we must modify the parameter ssl_protocols in the file /etc/nginx/nginx.conf.

Cipher suites

There are many different TLS 1.2 cipher suites available with Nginx version 1.14.0.3 We can list the available cipher suites with the command „openssl ciphers -v“.

By default, all available cipher suites are enabled; nothing is filtered out using the configuration files. The default configuration can be good enough, as it does not contain non-secure cipher suites. There are some published cipher suites marked as WEAK, but we probably need some of those ciphers to support older clients.

But if we want to configure cipher suites for any reason, we can use the directive ssl_ciphers in the Nginx configuration file. Here we can use predefined aliases or exact cipher suite names.

It is impossible to give an exact recommendation for configuring cipher suites because different environments have different requirements. And requirements and possibilities change over time. The only recommendation we can give here is to remove non-secure ciphers from the list if any exist.

Examples:

• Using the following line in the configuration file: ‘ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256;’ – we allow only two safe cipher suites. Some older clients may not be compatible with this configuration.

• Using the following line in the configuration file: ’ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!CAMELLIA256:!CAMELLIA128;’ – we create another configuration with a pretty limited set of cipher suites, which probably supports most clients.

3 We handle only TLS 1.2 ciphers in this chapter, because lower protocols should be disabled and everything is OK with TLS version 1.3 today.

Please do not take the samples above as a recommendation. They are just examples! Configure cipher suites only when you are sure what you are doing. Goals can be: disabling non-secure cipher suites, optimizing the configuration by moving faster secure ciphers to the top of the list, or any other.

You can also configure cipher suites on the server level by modifying the parameter ssl_ciphers in the file /etc/nginx/nginx.conf.

More information about the different options for configuring cipher suites can be found in the article https://www.openssl.org/docs/man1.0.2/man1/ciphers.html

ssl_prefer_server_ciphers

Preferring server ciphers over client ciphers is enabled by default on the server level in Nginx; the parameter ssl_prefer_server_ciphers is ON in the default configuration file /etc/nginx/nginx.conf.
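A small check over the settings discussed in this chapter, as an added example (not part of the RIA guide): it pulls ssl_protocols, ssl_ciphers and ssl_prefer_server_ciphers out of a server block and reports the cases the text warns about (TLS below 1.2, weak ciphers left in the list, server cipher order switched off). The sample blocks are constructed from the guide's own directives; the weak-cipher test is a substring match on individual cipher-list tokens and does not expand OpenSSL aliases, so it is a first pass, not a replacement for „openssl ciphers -v“.

```python
import re

OLD_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Substrings of OpenSSL cipher-list tokens that name ciphers the guide treats as non-secure.
WEAK_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXP")


def directives(conf):
    """Map each one-line ssl_* directive in a server block to its argument string."""
    found = {}
    for m in re.finditer(r"^\s*(ssl_\w+)\s+(.*?)\s*;", conf, re.M):
        found[m.group(1)] = m.group(2).strip("'\"")
    return found


def lint_tls(conf):
    """Return a list of findings for the TLS settings of one nginx server block."""
    d = directives(conf)
    findings = []
    # ssl_protocols: the guide recommends "TLSv1.2 TLSv1.3"; nginx 1.14.0 defaults to TLSv1 TLSv1.1 TLSv1.2
    protos = d.get("ssl_protocols")
    source = "configured" if protos else "nginx 1.14.0 default"
    for p in (protos or "TLSv1 TLSv1.1 TLSv1.2").split():
        if p in OLD_PROTOCOLS:
            findings.append(f"{source} ssl_protocols enables {p}; TLSv1.2 should be the lowest version")
    # ssl_ciphers: tokens are ':'-separated; a leading '!' removes that cipher from the list for good
    for token in d.get("ssl_ciphers", "").split(":"):
        token = token.strip()
        if token and not token.startswith("!") and any(w in token.upper() for w in WEAK_MARKERS):
            findings.append(f"ssl_ciphers keeps weak cipher token '{token}'")
    # ssl_prefer_server_ciphers: absent means inherited from nginx.conf (ON in the default file)
    if d.get("ssl_prefer_server_ciphers", "on").lower() != "on":
        findings.append("ssl_prefer_server_ciphers is off; the server's cipher order is not enforced")
    return findings


# Constructed sample: the guide's two-way SSL server block with its second ssl_ciphers example
# and no ssl_protocols line, so the nginx 1.14.0 defaults apply.
AS_IN_GUIDE = """
server {
    listen 443 ssl;
    server_name nginx1.kaheksa.xi nginx2.kaheksa.xi;
    ssl_certificate /etc/ssl/certs/Bundle1.pem;
    ssl_certificate_key /etc/ssl/private/OctoXPrivKey11.key;
    ssl_client_certificate /etc/ssl/certs/EID_Bundle.pem;
    ssl_verify_client on;
    ssl_verify_depth 2;
    ssl_ciphers 'EECDH+ECDSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!CAMELLIA256:!CAMELLIA128';
}
"""

# Constructed sample: the guide's recommended protocol line plus its first (two-suite) cipher example.
HARDENED = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256;
}
"""
```

lint_tls(AS_IN_GUIDE) reports the default TLSv1 and TLSv1.1 plus the RC4 token that the second example leaves in, while lint_tls(HARDENED) returns an empty list.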

Additional possibilities

In addition to TLS and cipher suite configuration there are many other things we can do to secure our server:

• Keep operating system up to date.

• Keep Apache up to date.

• Disable presenting server information.

• Disable HTTP requests.

• Install and Configure Naxsi.

• Monitoring with Monit.

• Enable X-XSS Protection.

• …

Please take the list above as a short demo recommendations list. Of course, it makes sense to follow the recommendations, but there is much more you can do to secure your server: https://www.google.com/search?q=how+to+secure+nginx+server.
