Server security update

Since security is a process, not a single task, I updated my server config.

I noticed that I was missing a good dhparam. This is a follow-up post to last year's "CAA, site configuration, security and HTTP2" post.

Generate the prime

Tell nginx which curve to prefer for ECDHE and where the generated Diffie-Hellman parameters live (the file itself is produced by the cron job further down):

    ssl_ecdh_curve secp384r1;
    ssl_dhparam /etc/nginx/dhparam.pem;

Disable prime256v1 aka NIST P-256

After some searching on the internet I found some evidence that it is insecure; the curve is also known as "NIST P-256". If you prefer a discussion, read the node.js tracker.

Going for the stronger curve should have a minimal impact on performance.

Regenerate the dhparam

Regenerating keys is a good idea in general. In 2016 some stackexchange user said no.

Automating it every week or so still seems like a good idea so we add this cron job with sudo crontab -e:

    # m h  dom mon dow   command
    14  3  *   *   1     /usr/bin/openssl dhparam -out /etc/nginx/dhparam.pem 4096 && /bin/chmod 600 /etc/nginx/dhparam.pem && /bin/systemctl restart nginx.service

Note: cron runs with a minimal PATH, so we have to use absolute paths. You can get the absolute path of a binary with this command: which ${binary}

See the crontab man page.
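As an added example (not the original post's cron job or script), here is a more careful version of that one-liner as a small POSIX shell script: it generates the new parameters into a temporary file next to the target, runs openssl's own `-check` on them, sets the permissions, renames the file into place (an atomic operation on one filesystem, so an interrupted run never leaves a truncated dhparam.pem), and then tests and reloads nginx instead of restarting it. The paths /usr/bin/openssl and /usr/sbin/nginx and the script name regen-dhparam.sh are assumptions for a Debian-style layout; the target path and prime size are the ones from the post and can be overridden with the DHPARAM and BITS environment variables.

```shell
#!/bin/sh
# Added example, not the original post's cron job: regenerate nginx's dhparam
# safely. Assumed paths: /usr/bin/openssl and /usr/sbin/nginx (Debian-style).
set -eu

DHPARAM="${DHPARAM:-/etc/nginx/dhparam.pem}"   # target path used in the post
BITS="${BITS:-4096}"                            # prime size used in the post

# dhparam_is_sane FILE
# Structural checks that need no openssl: FILE is a regular file, is mode 0600
# (as the post's chmod intends) and starts/ends with the PEM markers that
# "openssl dhparam" writes. Returns 0 when all checks pass, 1 otherwise.
dhparam_is_sane() {
    f="$1"
    [ -f "$f" ] || return 1
    [ -n "$(find "$f" -perm 600 -print 2>/dev/null)" ] || return 1
    head -n 1 "$f" | grep -q '^-----BEGIN DH PARAMETERS-----$' || return 1
    tail -n 1 "$f" | grep -q '^-----END DH PARAMETERS-----$' || return 1
    return 0
}

# regenerate_dhparam FILE BITS
# Generate into a temp file beside FILE, let openssl verify the parameters,
# fix the mode, then rename into place. rename() is atomic on one filesystem,
# so nginx never sees a half-written file; the EXIT trap removes the temp file
# if generation or the check fails.
regenerate_dhparam() {
    target="$1"
    bits="$2"
    tmp="$(mktemp "${target}.XXXXXX")"
    trap 'rm -f "$tmp"' EXIT
    /usr/bin/openssl dhparam -out "$tmp" "$bits"
    /usr/bin/openssl dhparam -in "$tmp" -check -noout
    chmod 600 "$tmp"
    mv "$tmp" "$target"
    trap - EXIT
    dhparam_is_sane "$target"
}

main() {
    regenerate_dhparam "$DHPARAM" "$BITS"
    /usr/sbin/nginx -t                       # never reload a broken config
    /bin/systemctl reload nginx.service      # a reload is enough to pick up the new file
}

# Run the pipeline only when invoked as "regen-dhparam.sh run", so the file
# can also be sourced to reuse the functions.
case "${1:-}" in
    run) main ;;
esac
```

Install it as /usr/local/sbin/regen-dhparam.sh, run it once by hand with `sh /usr/local/sbin/regen-dhparam.sh run`, and then point the cron entry at it: `14 3 * * 1 /usr/local/sbin/regen-dhparam.sh run`. Generating a 4096-bit prime can take from minutes to hours depending on the CPU, which is one more reason to keep it in an off-hours job rather than in anything that blocks the web server.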
