Last active
December 23, 2022 10:43
Revisions
clemlatz revised this gist
Apr 14, 2016. 1 changed file with 1 addition and 1 deletion.
@@ -16,7 +16,7 @@ sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt sudo /opt/letsencrypt/letsencrypt-auto --help all # Stop nginx (port 80 needed by letsencrypt) sudo service nginx stop # Generate certificate sudo /opt/letsencrypt/letsencrypt-auto certonly --rsa-key-size 4096
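Review bot: `certonly --rsa-key-size 4096` still names no authenticator, so the client prompts interactively for one; since nginx is stopped to free port 80, the intended plugin is the standalone one, and adding `--standalone` to that line makes the step non-interactive and documents why the stop is needed. The corrected `sudo service nginx stop` now matches the `sudo service nginx start` used earlier in the file.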
clemlatz revised this gist
Apr 7, 2016. 1 changed file with 2 additions and 2 deletions.
@@ -13,13 +13,13 @@ sudo apt-get install git -y sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt # Install letsencrypt dependencies sudo /opt/letsencrypt/letsencrypt-auto --help all # Stop nginx (port 80 needed by letsencrypt) sudo nginx service stop # Generate certificate sudo /opt/letsencrypt/letsencrypt-auto certonly --rsa-key-size 4096 # Generate a strong Diffie-Hellman (2048-bit) group sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
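Review bot: `sudo nginx service stop` in this hunk has its arguments reversed and will fail (`nginx` takes no `service` argument), so port 80 stays bound when `certonly` runs; it should read `sudo service nginx stop`, consistent with `sudo service nginx start` earlier in the file. The path correction to `/opt/letsencrypt/letsencrypt-auto` is right, since the clone lands in `/opt/letsencrypt`.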
clemlatz revised this gist
Mar 26, 2016. 2 changed files with 11 additions and 45 deletions.
@@ -1,40 +0,0 @@
@@ -33,11 +33,17 @@ sudo service nginx start # Test SSL config with https://www.ssllabs.com/ssltest/ # Install firewall (ufw) sudo apt-get install ufw -y # Open SSH, HTTP & HTTPS ports sudo ufw allow ssh sudo ufw allow http sudo ufw allow https # Enable ufw sudo ufw enable sudo ufw status # Configure SSL certificate renew with letsencrypt & cron # /opt/letsencrypt/letsencrypt-auto renew
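Review bot: deleting the iptables rules file (the `-1,40 +0,0` hunk) removes the ruleset that the earlier `iptables-restore` and `iptables-persistent` steps loaded and saved, but not the saved copy on a host that already ran those steps; purge `iptables-persistent` (or flush its saved rules) before `ufw enable`, otherwise two rule sets manage the same chains.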
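Review bot: `sudo ufw allow ssh` opens port 22 to every source, which the deleted iptables file explicitly warned against ("Most likely you will only allow access from certain IPs"); prefer `sudo ufw allow from <admin-ip> to any port 22` (placeholder) or at least `sudo ufw limit ssh` to rate-limit connection attempts. The ordering is otherwise right: the `allow ssh` rule precedes `ufw enable`, which is what keeps a remote session alive.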
clemlatz revised this gist
Mar 26, 2016. 1 changed file with 2 additions and 1 deletion.
@@ -25,7 +25,8 @@ sudo /opt/letsencrypt-auto certonly --rsa-key-size 4096 sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048 # Config nginx to use certificate (see nginx-config.conf) sudo vim /etc/nginx/sites-available/secure.example.com sudo ln -s /etc/nginx/sites-available/secure.example.com /etc/nginx/sites-enabled/secure.example.com # Restart nginx sudo service nginx start
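Review bot: the new symlink into `sites-enabled` leaves the `default` site (the file edited in an earlier revision) enabled as well, so two server blocks can end up claiming port 443; remove `/etc/nginx/sites-enabled/default` or make sure only one block carries the hostname. Also run `sudo nginx -t` before `sudo service nginx start` so a config error surfaces before nginx is left down.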
clemlatz revised this gist
Mar 23, 2016. No changes.
clemlatz revised this gist
Mar 22, 2016. 1 changed file with 1 addition and 1 deletion.
@@ -2,7 +2,7 @@ server { listen 443 ssl; server_name secure.example.com; ssl_certificate /etc/letsencrypt/live/secure.example.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/secure.example.com/privkey.pem;
clemlatz revised this gist
Mar 22, 2016. 1 changed file with 12 additions and 2 deletions.
@@ -32,10 +32,20 @@ sudo service nginx start # Test SSL config with https://www.ssllabs.com/ssltest/ # Configure iptables (see iptables.rules) & persist rules sudo vim /etc/iptables.test.rules sudo iptables-restore < /etc/iptables.test.rules sudo iptables -L sudo apt-get install iptables-persistent -y # Configure SSL certificate renew with letsencrypt & cron # /opt/letsencrypt/letsencrypt-auto renew sudo crontab -e # Add to crontab (to auto renew certs every monday) # 30 2 * * 1 /opt/letsencrypt/letsencrypt-auto renew >> /var/log/le-renew.log # 35 2 * * 1 /etc/init.d/nginx reload # Sources # - https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-14-04 # - https://www.digitalocean.com/community/tutorials/how-to-configure-nginx-with-ssl-as-a-reverse-proxy-for-jenkins
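Review bot: the renewal entry `30 2 * * 1 /opt/letsencrypt/letsencrypt-auto renew` runs while nginx is up, yet the certificate was issued with nginx stopped because the standalone authenticator needs port 80; renewal reuses the same authenticator, cannot bind the port, and the `35 2 * * 1 /etc/init.d/nginx reload` five minutes later reloads regardless of the outcome. Either stop and start nginx around the renew in the same cron line, or issue the certificate with the webroot plugin so renewal needs no port. The `iptables-restore` before `apt-get install iptables-persistent` is the right order, since the package saves the rules currently loaded at install time; say so in the comment so the order is not reshuffled later.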
clemlatz revised this gist
Mar 22, 2016. 2 changed files with 3 additions and 0 deletions.
@@ -1,3 +1,5 @@ # https://wiki.debian.org/iptables *filter # Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
@@ -36,5 +36,6 @@ sudo service nginx start sudo vim /etc/iptables.test.rules sudo iptables-restore < /etc/iptables.test.rules sudo iptables -L sudo apt-get install iptables-persistent -y # TODO auto renew
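Review bot: `iptables-persistent` in the second hunk only persists what `iptables-restore` loaded into the IPv4 tables; nothing in the file touches `ip6tables`, so on a host with an IPv6 address the v6 side stays wide open while v4 is default-deny. Add an equivalent v6 ruleset (or reject inbound v6 outright) and persist it as well.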
clemlatz revised this gist
Mar 22, 2016. 2 changed files with 52 additions and 6 deletions.
@@ -0,0 +1,38 @@ *filter # Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0 -A INPUT -i lo -j ACCEPT -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT # Accepts all established inbound connections -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # Allows all outbound traffic # You could modify this to only allow certain traffic -A OUTPUT -j ACCEPT # Allows HTTP and HTTPS connections from anywhere (the normal ports for websites) -A INPUT -p tcp --dport 80 -j ACCEPT -A INPUT -p tcp --dport 443 -j ACCEPT # Allows SSH connections # The --dport number is the same as in /etc/ssh/sshd_config -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT # Now you should read up on iptables rules and consider whether ssh access # for everyone is really desired. Most likely you will only allow access from certain IPs. # Allow ping # note that blocking other types of icmp packets is considered a bad idea by some # remove -m icmp --icmp-type 8 from this line to allow all kinds of icmp: # https://security.stackexchange.com/questions/22711 -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT # log iptables denied calls (access via 'dmesg' command) -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7 # Reject all other inbound - default deny unless explicitly allowed policy: -A INPUT -j REJECT -A FORWARD -j REJECT COMMIT
@@ -10,23 +10,31 @@ sudo service nginx start sudo apt-get install git -y # Install letsencrypt sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt # Install letsencrypt dependencies sudo /opt/letsencrypt-auto --help all # Stop nginx (port 80 needed by letsencrypt) sudo nginx service stop # Generate certificate sudo /opt/letsencrypt-auto certonly --rsa-key-size 4096 # Generate a strong Diffie-Hellman (2048-bit) group sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048 # Config nginx to use certificate (see nginx-config.conf) sudo vim /etc/nginx/sites-available/default # Restart nginx sudo service nginx start # Test SSL config with https://www.ssllabs.com/ssltest/ # Configure iptables (see iptables.rules) sudo vim /etc/iptables.test.rules sudo iptables-restore < /etc/iptables.test.rules sudo iptables -L # TODO auto renew
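Review bot: in the rules file, `-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT` admits SSH from any source, and the file's own comment says that is rarely what is wanted; narrow it with `-s <admin-cidr>` (placeholder) or at least pair it with a `-m limit` rule as the LOG line already does. The `LOG` rule ahead of the final `REJECT` is a sound default-deny pattern, but `--log-level 7` is debug, so confirm the host's syslog configuration actually retains those entries rather than relying on `dmesg` alone. `-m state` still works as a legacy alias; `-m conntrack --ctstate` is the current match.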
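Review bot: two commands in the setup hunk do not run as written: `sudo /opt/letsencrypt-auto --help all` and `sudo /opt/letsencrypt-auto certonly ...` point one directory too high (the clone is in `/opt/letsencrypt`, so the script is `/opt/letsencrypt/letsencrypt-auto`), and `sudo nginx service stop` has its arguments reversed (`sudo service nginx stop`). Both are fixed in later revisions, but anyone pasting this revision stalls on the first of them.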
clemlatz revised this gist
Mar 22, 2016. 1 changed file with 1 addition and 1 deletion.
@@ -2,7 +2,7 @@ server { listen 443 ssl; server_name secure.axys.me; ssl_certificate /etc/letsencrypt/live/secure.example.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/secure.example.com/privkey.pem;
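Review bot: `server_name secure.axys.me` does not match the certificate paths under `/etc/letsencrypt/live/secure.example.com/`, so either a real hostname has been left in a public gist or the certificate directory is wrong; use the same placeholder in both places, as the later revision does.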
clemlatz revised this gist
Mar 22, 2016. 1 changed file with 1 addition and 9 deletions.
@@ -1,12 +1,5 @@ # SSL server config server { listen 443 ssl; server_name secure.example.com; @@ -42,4 +35,3 @@ server { server_name example.com www.example.com; return 301 https://$host$request_uri; }
clemlatz revised this gist
Mar 22, 2016. 1 changed file with 14 additions and 3 deletions.
@@ -9,10 +9,10 @@ server { listen 443 ssl; server_name secure.example.com; ssl_certificate /etc/letsencrypt/live/secure.example.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/secure.example.com/privkey.pem; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on; @@ -23,6 +23,17 @@ server { ssl_stapling on; ssl_stapling_verify on; add_header Strict-Transport-Security max-age=15768000; location / { proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_pass http://example.com; proxy_read_timeout 90; } } # Redirect http to https
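Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` in the first hunk keeps TLS 1.0 and 1.1 enabled; unless a specific legacy client needs them, restrict the line to `TLSv1.2`.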
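Review bot: `proxy_pass http://example.com;` in the second hunk forwards the decrypted traffic to the backend over plain HTTP, and nginx resolves that hostname once at startup; if the upstream is on the same host, point it at `127.0.0.1:<port>` (placeholder) so the plaintext hop never leaves the box, and if it is remote, proxy to `https://` and set `proxy_ssl_verify on`. `proxy_set_header X-Forwarded-Proto $scheme` is the right way to tell the backend the original request was HTTPS.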
clemlatz revised this gist
Mar 22, 2016. 2 changed files with 24 additions and 3 deletions.
@@ -1,5 +1,12 @@ # # server { # Comment the following lines to disable http #listen 80 default_server; #listen [::]:80 default_server ipv6only=on; # SSL config listen 443 ssl; server_name example.com www.example.com; @@ -16,4 +23,12 @@ server { ssl_stapling on; ssl_stapling_verify on; add_header Strict-Transport-Security max-age=15768000; } # Redirect http to https server { listen 80; server_name example.com www.example.com; return 301 https://$host$request_uri; }
@@ -23,4 +23,10 @@ sudo nginx service stop ./letsencrypt-auto certonly --rsa-key-size 4096 # Generate a strong Diffie-Hellman (2048-bit) group sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048 # Config nginx to use certificate (see nginx-config.conf) sudo vim /etc/nginx/sites-available/default # Reload nginx sudo service nginx reload
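Review bot: the commented-out `#listen [::]:80 default_server ipv6only=on;` in the first hunk is the only IPv6 listener in the file, and the TLS block has only `listen 443 ssl;`, so IPv6 clients cannot reach the HTTPS site at all; add `listen [::]:443 ssl;` beside it.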
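Review bot: `sudo service nginx reload` at the end of the setup hunk follows `sudo nginx service stop` (itself mis-ordered) a few lines up; `reload` signals a running master process and fails when nginx is stopped, so this step needs `start`, as a later revision changes it.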
clemlatz revised this gist
Mar 22, 2016. 1 changed file with 19 additions and 0 deletions.
@@ -0,0 +1,19 @@ # sudo vim /etc/nginx/sites-available/default server { listen 443 ssl; server_name example.com www.example.com; ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on; ssl_dhparam /etc/ssl/certs/dhparam.pem; ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; ssl_session_timeout 1d; ssl_session_cache shared:SSL:50m; ssl_stapling on; ssl_stapling_verify on; add_header Strict-Transport-Security max-age=15768000; }
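Review bot: `ssl_stapling on;` and `ssl_stapling_verify on;` need a `resolver` directive so nginx can look up the OCSP responder host, and `ssl_stapling_verify` needs `ssl_trusted_certificate` pointing at the issuer chain (Let's Encrypt writes `chain.pem` next to `fullchain.pem`); without them nginx logs a warning and serves no stapled response, which the SSL Labs check in the setup script will show. The `ssl_ciphers` string also ends with the catch-alls `AES:CAMELLIA:DES-CBC3-SHA`, which admit non-forward-secret and 3DES suites behind the ECDHE/DHE entries; `ssl_prefer_server_ciphers on` means they are only negotiated by clients that support nothing better, but drop them (together with `TLSv1 TLSv1.1`) if no such client is expected.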
clemlatz revised this gist
Mar 22, 2016. 1 changed file with 23 additions and 3 deletions.
@@ -1,6 +1,26 @@ # Update & upgrade sudo apt-get update sudo apt-get upgrade # Install & start nginx sudo apt-get install nginx -y sudo service nginx start # Install git sudo apt-get install git -y # Install letsencrypt git clone https://github.com/letsencrypt/letsencrypt cd letsencrypt # Install letsencrypt dependencies ./letsencrypt-auto --help all # Stop nginx (port 80 needed by letsencrypt) sudo nginx service stop # Generate certificate ./letsencrypt-auto certonly --rsa-key-size 4096 # Generate a strong Diffie-Hellman (2048-bit) group sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
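Review bot: `sudo nginx service stop` has its arguments reversed and exits with an error instead of stopping nginx, so the following `./letsencrypt-auto certonly` finds port 80 still bound; use `sudo service nginx stop`. The `git clone` and `cd letsencrypt` also run relative to whatever the current directory happens to be, so the `./letsencrypt-auto` calls depend on the shell staying there; the fixed `/opt/letsencrypt` location used in later revisions is the more reproducible choice.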
clemlatz revised this gist
Mar 22, 2016. 1 changed file with 2 additions and 0 deletions.
@@ -2,3 +2,5 @@ sudo apt-get update sudo apt-get upgrade # Install nginx sudo apt-get install nginx
clemlatz created this gist
Mar 22, 2016.
@@ -0,0 +1,4 @@ # Update sudo apt-get update sudo apt-get upgrade