
@clemlatz
Last active December 23, 2022 10:43

Revisions

  1. clemlatz revised this gist Apr 14, 2016. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion setup.sh
    @@ -16,7 +16,7 @@ sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
    sudo /opt/letsencrypt/letsencrypt-auto --help all

    # Stop nginx (port 80 needed by letsencrypt)
    sudo nginx service stop
    sudo service nginx stop

    # Generate certificate
    sudo /opt/letsencrypt/letsencrypt-auto certonly --rsa-key-size 4096
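Review bot: The corrected `sudo service nginx stop` is still unchecked, so if it fails port 80 stays bound and the `certonly` request on the last line of the hunk fails with a less obvious error; since nothing visible sets `set -e`, write `sudo service nginx stop || exit 1`. The script starts and continues outside the hunk.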
  2. clemlatz revised this gist Apr 7, 2016. 1 changed file with 2 additions and 2 deletions.
    4 changes: 2 additions & 2 deletions setup.sh
    @@ -13,13 +13,13 @@ sudo apt-get install git -y
    sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt

    # Install letsencrypt dependencies
    sudo /opt/letsencrypt-auto --help all
    sudo /opt/letsencrypt/letsencrypt-auto --help all

    # Stop nginx (port 80 needed by letsencrypt)
    sudo nginx service stop

    # Generate certificate
    sudo /opt/letsencrypt-auto certonly --rsa-key-size 4096
    sudo /opt/letsencrypt/letsencrypt-auto certonly --rsa-key-size 4096

    # Generate a strong Diffie-Hellman (2048-bit) group
    sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
  3. clemlatz revised this gist Mar 26, 2016. 2 changed files with 11 additions and 45 deletions.
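--- a/iptables.rules
+++ b/iptables.rules
@@ -1,40 +0,0 @@
-# https://wiki.debian.org/iptables
-
-*filter
-
-# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
--A INPUT -i lo -j ACCEPT
--A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
-
-# Accepts all established inbound connections
--A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-
-# Allows all outbound traffic
-# You could modify this to only allow certain traffic
--A OUTPUT -j ACCEPT
-
-# Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
--A INPUT -p tcp --dport 80 -j ACCEPT
--A INPUT -p tcp --dport 443 -j ACCEPT
-
-# Allows SSH connections
-# The --dport number is the same as in /etc/ssh/sshd_config
--A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
-
-# Now you should read up on iptables rules and consider whether ssh access
-# for everyone is really desired. Most likely you will only allow access from certain IPs.
-
-# Allow ping
-# note that blocking other types of icmp packets is considered a bad idea by some
-# remove -m icmp --icmp-type 8 from this line to allow all kinds of icmp:
-# https://security.stackexchange.com/questions/22711
--A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-
-# log iptables denied calls (access via 'dmesg' command)
--A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-
-# Reject all other inbound - default deny unless explicitly allowed policy:
--A INPUT -j REJECT
--A FORWARD -j REJECT
-
-COMMIT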
    16 changes: 11 additions & 5 deletions setup.sh
    @@ -33,11 +33,17 @@ sudo service nginx start

    # Test SSL config with https://www.ssllabs.com/ssltest/

    # Configure iptables (see iptables.rules) & persist rules
    sudo vim /etc/iptables.test.rules
    sudo iptables-restore < /etc/iptables.test.rules
    sudo iptables -L
    sudo apt-get install iptables-persistent -y
    # Install firewall (ufw)
    sudo apt-get install ufw -y

    # Open SSH, HTTP & HTTPS ports
    sudo ufw allow ssh
    sudo ufw allow http
    sudo ufw allow https

    # Enable ufw
    sudo ufw enable
    sudo ufw status

    # Configure SSL certificate renew with letsencrypt & cron
    # /opt/letsencrypt/letsencrypt-auto renew
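Review bot: `sudo ufw allow ssh` opens port 22 to every source address, which drops the restriction the deleted iptables.rules comment explicitly recommended; if the administrative networks are known, use `sudo ufw allow from <ADMIN_CIDR> to any port 22 proto tcp` instead (placeholder for the real range). `sudo ufw enable` may also stop at an interactive confirmation when run over an SSH session, so this step is not unattended as written; `sudo ufw --force enable` skips the prompt, which is acceptable here only because the SSH rule precedes it. The script continues outside the hunk.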
  4. clemlatz revised this gist Mar 26, 2016. 1 changed file with 2 additions and 1 deletion.
    3 changes: 2 additions & 1 deletion setup.sh
    @@ -25,7 +25,8 @@ sudo /opt/letsencrypt-auto certonly --rsa-key-size 4096
    sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

    # Config nginx to use certificate (see nginx-config.conf)
    sudo vim /etc/nginx/sites-available/default
    sudo vim /etc/nginx/sites-available/secure.example.com
    sudo ln -s /etc/nginx/sites-available/secure.example.com /etc/nginx/sites-enabled/secure.example.com

    # Restart nginx
    sudo service nginx start
  5. clemlatz revised this gist Mar 23, 2016. No changes.
  6. clemlatz revised this gist Mar 22, 2016. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion nginx-config.conf
    @@ -2,7 +2,7 @@
    server {
    listen 443 ssl;

    server_name secure.axys.me;
    server_name secure.example.com;

    ssl_certificate /etc/letsencrypt/live/secure.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/secure.example.com/privkey.pem;
  7. clemlatz revised this gist Mar 22, 2016. 1 changed file with 12 additions and 2 deletions.
    14 changes: 12 additions & 2 deletions setup.sh
    @@ -32,10 +32,20 @@ sudo service nginx start

    # Test SSL config with https://www.ssllabs.com/ssltest/

    # Configure iptables (see iptables.rules)
    # Configure iptables (see iptables.rules) & persist rules
    sudo vim /etc/iptables.test.rules
    sudo iptables-restore < /etc/iptables.test.rules
    sudo iptables -L
    sudo apt-get install iptables-persistent -y

    # TODO auto renew
    # Configure SSL certificate renew with letsencrypt & cron
    # /opt/letsencrypt/letsencrypt-auto renew
    sudo crontab -e

    # Add to crontab (to auto renew certs every monday)
    # 30 2 * * 1 /opt/letsencrypt/letsencrypt-auto renew >> /var/log/le-renew.log
    # 35 2 * * 1 /etc/init.d/nginx reload

    # Sources
    # - https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-14-04
    # - https://www.digitalocean.com/community/tutorials/how-to-configure-nginx-with-ssl-as-a-reverse-proxy-for-jenkins
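Review bot: The suggested crontab entry `30 2 * * 1 /opt/letsencrypt/letsencrypt-auto renew >> /var/log/le-renew.log` redirects only stdout, so the error output of a failed renewal never reaches the log (it goes to cron mail, if that is configured at all); append `2>&1`. The companion `35 2 * * 1 /etc/init.d/nginx reload` entry reloads unconditionally five minutes later, which hides the case where the renewal failed or is still running; if the installed letsencrypt-auto supports a post-renewal hook, reloading only after a successful renewal is preferable. These entries are commented examples, so nothing in the script installs them automatically.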
  8. clemlatz revised this gist Mar 22, 2016. 2 changed files with 3 additions and 0 deletions.
    2 changes: 2 additions & 0 deletions iptables.rules
    @@ -1,3 +1,5 @@
    # https://wiki.debian.org/iptables

    *filter

    # Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
    1 change: 1 addition & 0 deletions setup.sh
    @@ -36,5 +36,6 @@ sudo service nginx start
    sudo vim /etc/iptables.test.rules
    sudo iptables-restore < /etc/iptables.test.rules
    sudo iptables -L
    sudo apt-get install iptables-persistent -y

    # TODO auto renew
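Review bot: Installing `iptables-persistent` after `iptables-restore` only keeps the rules across reboots if they are saved where the package loads them at boot (on Debian/Ubuntu its IPv4 rules file is `/etc/iptables/rules.v4`); the installer may offer to save the currently active ruleset, but nothing in the hunk states that, so a reader who answers the prompt differently ends up with an unfiltered host after the next reboot. Add a comment such as `# Save the active ruleset so iptables-persistent reloads it at boot` and the explicit save step rather than relying on the package prompt. The script continues outside the hunk.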
  9. clemlatz revised this gist Mar 22, 2016. 2 changed files with 52 additions and 6 deletions.
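--- a/iptables.rules
+++ b/iptables.rules
@@ -0,0 +1,38 @@
+*filter
+
+# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
+-A INPUT -i lo -j ACCEPT
+-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
+
+# Accepts all established inbound connections
+-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+# Allows all outbound traffic
+# You could modify this to only allow certain traffic
+-A OUTPUT -j ACCEPT
+
+# Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
+-A INPUT -p tcp --dport 80 -j ACCEPT
+-A INPUT -p tcp --dport 443 -j ACCEPT
+
+# Allows SSH connections
+# The --dport number is the same as in /etc/ssh/sshd_config
+-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
+
+# Now you should read up on iptables rules and consider whether ssh access
+# for everyone is really desired. Most likely you will only allow access from certain IPs.
+
+# Allow ping
+# note that blocking other types of icmp packets is considered a bad idea by some
+# remove -m icmp --icmp-type 8 from this line to allow all kinds of icmp:
+# https://security.stackexchange.com/questions/22711
+-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
+
+# log iptables denied calls (access via 'dmesg' command)
+-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
+
+# Reject all other inbound - default deny unless explicitly allowed policy:
+-A INPUT -j REJECT
+-A FORWARD -j REJECT
+
+COMMIT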
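Review bot: This ruleset is IPv4-only: `iptables-restore` loads it into the IPv4 tables, so on a host with a routable IPv6 address nothing filters inbound IPv6 to sshd or nginx and an equivalent ip6tables ruleset is needed. The `*filter` header also declares no chain policies, so the defaults stay ACCEPT and the deny-by-default promised by the comment rests entirely on the trailing `-A INPUT -j REJECT`; adding `:INPUT DROP [0:0]` and `:FORWARD DROP [0:0]` under `*filter` makes that explicit and survives a later rule being appended after the REJECT. The `--state NEW --dport 22` rule still admits SSH from any source, as the file's own comment acknowledges.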
    20 changes: 14 additions & 6 deletions setup.sh
    @@ -10,23 +10,31 @@ sudo service nginx start
    sudo apt-get install git -y

    # Install letsencrypt
    git clone https://github.com/letsencrypt/letsencrypt
    cd letsencrypt
    sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt

    # Install letsencrypt dependencies
    ./letsencrypt-auto --help all
    sudo /opt/letsencrypt-auto --help all

    # Stop nginx (port 80 needed by letsencrypt)
    sudo nginx service stop

    # Generate certificate
    ./letsencrypt-auto certonly --rsa-key-size 4096
    sudo /opt/letsencrypt-auto certonly --rsa-key-size 4096

    # Generate a strong Diffie-Hellman (2048-bit) group
    sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

    # Config nginx to use certificate (see nginx-config.conf)
    sudo vim /etc/nginx/sites-available/default

    # Reload nginx
    sudo service nginx reload
    # Restart nginx
    sudo service nginx start

    # Test SSL config with https://www.ssllabs.com/ssltest/

    # Configure iptables (see iptables.rules)
    sudo vim /etc/iptables.test.rules
    sudo iptables-restore < /etc/iptables.test.rules
    sudo iptables -L

    # TODO auto renew
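Review bot: The new comment `# Restart nginx` above `sudo service nginx start` describes a restart, but the command starts the service that the `sudo nginx service stop` step earlier in the hunk stopped for the certificate request; write `# Start nginx again (stopped above for letsencrypt)` so the intent matches the command. Separately, `sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt` fetches whatever the default branch holds at clone time and the following lines run it as root; pinning the clone with `--branch <RELEASE_TAG>` (placeholder for a verified release) keeps the installed tool reproducible. The script continues outside the hunk.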
  10. clemlatz revised this gist Mar 22, 2016. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion nginx-config.conf
    @@ -2,7 +2,7 @@
    server {
    listen 443 ssl;

    server_name secure.example.com;
    server_name secure.axys.me;

    ssl_certificate /etc/letsencrypt/live/secure.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/secure.example.com/privkey.pem;
  11. clemlatz revised this gist Mar 22, 2016. 1 changed file with 1 addition and 9 deletions.
    10 changes: 1 addition & 9 deletions nginx-config.conf
    @@ -1,12 +1,5 @@
    # #
    # SSL server config
    server {

    # Comment the following lines to disable http
    #listen 80 default_server;
    #listen [::]:80 default_server ipv6only=on;

    # SSL config

    listen 443 ssl;

    server_name secure.example.com;
    @@ -42,4 +35,3 @@ server {
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
    }

  12. clemlatz revised this gist Mar 22, 2016. 1 changed file with 14 additions and 3 deletions.
    17 changes: 14 additions & 3 deletions nginx-config.conf
    @@ -9,10 +9,10 @@ server {

    listen 443 ssl;

    server_name example.com www.example.com;
    server_name secure.example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_certificate /etc/letsencrypt/live/secure.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/secure.example.com/privkey.pem;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    @@ -23,6 +23,17 @@ server {
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security max-age=15768000;

    location / {

    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    proxy_pass http://example.com;
    proxy_read_timeout 90;
    }
    }

    # Redirect http to https
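Review bot: The new `location /` block forwards every request to `proxy_pass http://example.com;` in plaintext, and nothing in the hunk constrains that upstream to the local machine, so if the backend lives on another host the traffic decrypted by this server crosses the network unencrypted; point `proxy_pass` at a loopback address and port (e.g. `http://127.0.0.1:<BACKEND_PORT>`, placeholder) or use an `https://` upstream. The `X-Forwarded-For` and `X-Forwarded-Proto` headers set here are only trustworthy if the backend accepts them solely from this proxy, which is worth stating in a comment on the block. The enclosing `server` block starts outside the hunk.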
  13. clemlatz revised this gist Mar 22, 2016. 2 changed files with 24 additions and 3 deletions.
    19 changes: 17 additions & 2 deletions nginx-config → nginx-config.conf
    @@ -1,5 +1,12 @@
    # sudo vim /etc/nginx/sites-available/default
    # #
    server {

    # Comment the following lines to disable http
    #listen 80 default_server;
    #listen [::]:80 default_server ipv6only=on;

    # SSL config

    listen 443 ssl;

    server_name example.com www.example.com;
    @@ -16,4 +23,12 @@ server {
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security max-age=15768000;
    }
    }

    # Redirect http to https
    server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
    }

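Review bot: The comment `# Comment the following lines to disable http` sits above two lines that are already commented out, so the instruction is inverted; write `# Uncomment the following lines to also accept plain HTTP on this server block`. The new redirect `server` has only `listen 80;` while the commented lines show an IPv6 listener, so IPv6 clients get no HTTP-to-HTTPS redirect unless `listen [::]:80;` is added to that block as well.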
    8 changes: 7 additions & 1 deletion setup.sh
    @@ -23,4 +23,10 @@ sudo nginx service stop
    ./letsencrypt-auto certonly --rsa-key-size 4096

    # Generate a strong Diffie-Hellman (2048-bit) group
    sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
    sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

    # Config nginx to use certificate (see nginx-config.conf)
    sudo vim /etc/nginx/sites-available/default

    # Reload nginx
    sudo service nginx reload
  14. clemlatz revised this gist Mar 22, 2016. 1 changed file with 19 additions and 0 deletions.
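--- a/nginx-config
+++ b/nginx-config
@@ -0,0 +1,19 @@
+# sudo vim /etc/nginx/sites-available/default
+server {
+listen 443 ssl;
+
+server_name example.com www.example.com;
+
+ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
+ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
+
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_prefer_server_ciphers on;
+ssl_dhparam /etc/ssl/certs/dhparam.pem;
+ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
+ssl_session_timeout 1d;
+ssl_session_cache shared:SSL:50m;
+ssl_stapling on;
+ssl_stapling_verify on;
+add_header Strict-Transport-Security max-age=15768000;
+}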
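Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` keeps TLS 1.0 and 1.1 enabled, and the cipher string ends with the broad `AES:CAMELLIA:DES-CBC3-SHA` entries that admit 3DES and non-forward-secret suites; restrict to `ssl_protocols TLSv1.2;` (adding TLSv1.3 once the installed nginx/OpenSSL support it) and drop the trailing catch-alls unless a specific legacy client requires them. `ssl_stapling_verify on;` also needs an `ssl_trusted_certificate` pointing at the issuer chain and a `resolver` directive so nginx can fetch and verify OCSP responses; without them stapling may be silently disabled, which `ssllabs` (referenced elsewhere in the gist) would show as "no stapling". The HSTS header `add_header Strict-Transport-Security max-age=15768000;` is correctly confined to the 443 block; add `includeSubDomains` only if every subdomain serves HTTPS.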
  15. clemlatz revised this gist Mar 22, 2016. 1 changed file with 23 additions and 3 deletions.
    26 changes: 23 additions & 3 deletions setup.sh
    @@ -1,6 +1,26 @@
    # Update
    # Update & upgrade
    sudo apt-get update
    sudo apt-get upgrade

    # Install nginx
    sudo apt-get install nginx
    # Install & start nginx
    sudo apt-get install nginx -y
    sudo service nginx start

    # Install git
    sudo apt-get install git -y

    # Install letsencrypt
    git clone https://github.com/letsencrypt/letsencrypt
    cd letsencrypt

    # Install letsencrypt dependencies
    ./letsencrypt-auto --help all

    # Stop nginx (port 80 needed by letsencrypt)
    sudo nginx service stop

    # Generate certificate
    ./letsencrypt-auto certonly --rsa-key-size 4096

    # Generate a strong Diffie-Hellman (2048-bit) group
    sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
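Review bot: `cd letsencrypt` is not checked, so if the preceding `git clone` fails the two `./letsencrypt-auto` invocations run from the previous directory with a misleading "no such file" error; use `cd letsencrypt || exit 1`. `sudo apt-get upgrade` also lacks the `-y` the later installs use, so the walkthrough stops at an interactive prompt. Because the hunk starts at line 1, it is visible that the file has no shebang and no `set -euo pipefail`; if it is meant to run as a script rather than be read step by step, add both at the top.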
  16. clemlatz revised this gist Mar 22, 2016. 1 changed file with 2 additions and 0 deletions.
    2 changes: 2 additions & 0 deletions setup.sh
    @@ -2,3 +2,5 @@
    sudo apt-get update
    sudo apt-get upgrade

    # Install nginx
    sudo apt-get install nginx
  17. clemlatz created this gist Mar 22, 2016.
    4 changes: 4 additions & 0 deletions setup.sh
    @@ -0,0 +1,4 @@
    # Update
    sudo apt-get update
    sudo apt-get upgrade