Google’s Chrome 39 Sunsetting SHA-1

Google has announced that they are sunsetting SHA-1 (as used in certificate signatures for HTTPS) with Chrome 39 in November 2014. SHA-1 root certificates are not affected by this plan.

Most providers are offering free upgrades to SHA-2 certificates so be sure to contact yours to see if you qualify.

More info can be found on Google’s security blog.

SHA-1 vs. SHA-2 SSL Certificates

If you’re thinking about moving to a SHA-2 hashing algorithm for your SSL certificate, remember that it will break in IE6 and all versions of IE on Windows XP prior to SP3. So if you’re supporting users on older machines / browsers, you’ll need to stick with SHA-1.

More information is available here.

Load Balancing a Reverse Proxy with Nginx, PHP5-FPM & SSL

Continuing with our migration to Nginx (see previous posts here and here), the next set of servers to move were a load balanced group of PHP servers. Each server consists of an http server on port 80, an https server on port 443 and an upstream PHP server on port 8000.

  • 1 to n upstream PHP servers can be configured, either local or remote
  • configuration supports both http (80) and https (443)
  • SSL is terminated before being passed to the upstream server
  • PHP upstream server uses PHP5-FPM via a local socket
  • static files are served directly via Nginx and are set to max expires

There are also some future optimizations I’m currently looking at:

# round robin load balance pool
# servers can be local or remote
upstream lbpool {
ip_hash;
server 10.10.10.1:8000 max_fails=3 fail_timeout=120;
server 10.10.10.2:8000 max_fails=3 fail_timeout=120;
# additional servers
}
# http server
server {
listen 80;
server_name example.com;
access_log /var/log/nginx/example.com.80.access.log main;
error_log /var/log/nginx/example.com.80.error.log;
# proxy requests to the pool
# ensure ips are passed correctly
location / {
proxy_pass http://lbpool;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
port_in_redirect off;
}
}
# https server
# terminates SSL before passing the request to the proxy
server {
listen 443 ssl;
server_name example.com;
access_log /var/log/nginx/example.com.443.access.log main;
error_log /var/log/nginx/example.com.443.error.log;
ssl_certificate /etc/nginx/ssl/example.com.crt; # or .pem
ssl_certificate_key /etc/nginx/ssl/example.com.key;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
# https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
# proxy requests to the pool
# ensure ips are passed correctly
location / {
proxy_pass http://lbpool;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
port_in_redirect off;
}
}
# upstream php server
server {
listen 8000;
server_name example.com;
root /home/webapps/example.com;
access_log /var/log/nginx/example.com.8000.access.log main;
error_log /var/log/nginx/example.com.8000.error.log;
location / {
index index.php;
# pass php requests to the front controller (http://wiki.nginx.org/Pitfalls#Front_Controller_Pattern_based_packages)
# but don't proxy everything (http://wiki.nginx.org/Pitfalls#Proxy_Everything)
try_files $uri $uri/ /index.php;
}
location ~ \.php$ {
try_files $uri =404;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
# deny access to .htaccess files,
# git & svn repositories, etc
location ~ /\.(?:ht|git|svn) {
deny all;
}
# redirect server error pages to the static page /50x.html
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
# caching
location ~* \.(pdf|css|js|png|gif|jpg|jpeg|ico|swf|mov|doc|pdf|xls|ppt|docx|pptx|xlsx)$ {
expires max;
log_not_found off;
access_log off;
}
}

view raw
nginx.conf
hosted with ❤ by GitHub

AWS Now Supports SSL and Wildcard CNAMEs

Back in June Amazon announced support for custom SSL certificates with CloudFront, meaning you can now use your own domain name to serve content via https rather than their pesky CloudFront URLs (i.e. https://d6zo052ygi9mi.cloudfront.net).

The only downside was the price… $600 per month per certificate. If you needed a couple of different domains (i.e. http://www.mysite.com, images.mysite.com, vidoes.mysite.com), this could get expensive quickly.

Well now you can simply purchase a wildcard certificate and secure all of those domains with a single certificate.

More info can be found here and here.