NI
Uploaded byNGINX, Inc.
323 views

NGINX 101: Web Traffic Encryption with SSL/TLS and NGINX

This document provides an overview of managing SSL/TLS with NGINX, including the importance of encryption protocols, key exchange methods, and configuration settings. It highlights TLS 1.3 as the most secure option and offers detailed guidance on configuring SSL certificates and redirecting HTTP to HTTPS. Additionally, the document discusses security enhancements and NGINX security products to protect against various threats.

Software
Related topics:
API Management Trends
In this document
Powered by AI

Introduction on managing SSL/TLS with NGINX. Agenda includes TLS overview, configuration, and security.

NGINX powers >70% of the top 10,000 websites and 440M+ apps, showcasing its effectiveness and versatility.

Introduction to TLS/SSL including definitions of HTTPS, SSL, and TLS focuses on encrypting web traffic.

Steps in creating secure connections between client and server through key exchange, bulk encryption, and protocol control.

Highlights benefits of TLS 1.3: increased security, faster connections, and less complexity in ciphers.

Detailed description of SSL certificates, their usage for identity verification, and comparison of self-signed vs CA-signed.

Basic configuration settings for enabling SSL on NGINX, including server blocks and SSL certificates specifications.

Explanation of SSL ciphers, importance of strong cipher suites, and the recommended cipher suites for TLS 1.3.

Live demo of NGINX in a proxy and web server setup over HTTPS on specified ports.

Configuration for redirecting HTTP traffic to HTTPS, enhancing security by ensuring all communications are encrypted.

Recommendations for strengthening SSL security through parameter size increases and transport security headers.

Overview of NGINX security products, including DoS protection, WAF, and Kubernetes ingress controller.

Recap of key points discussed and useful resources for further information on SSL, key exchanges, and TLS 1.3.

Open floor for questions regarding the presentation content.

Downloaded 118 times
NGINX 101: Managing SSL/TLS ROBERT HAYNES
| ©2021 F5 2 Agenda TLS/SSL Overview Introduction TLS Protocols Cyphers Key Exchange Encryption Certificates Basic NGINX Config Demo NGINX SSL Configuration Extras Next Redirecting HTTP to HTTPS Recommended SSL settings Additional NGINX security offers
| ©2021 F5 3 >70% 10,000 busiest websites 440M+ websites and apps OPEN SOURCE FOOTPRINT NGINX powers the Internet . . . and most enterprises! PROVEN = 1 Million
| ©2021 F5 4 NGINX Plus Enterprise-Class Data Plane NGINX Open Source Fast, Flexible, Portable
| ©2021 F5 5 TLS/SSL Overview CONFIDENTIAL
| ©2021 F5 6 CONFIDENTIAL Clarifying some terms HTTPS SSL TLS Encrypting Web Traffic
| ©2021 F5 7 10000 Ft (3048m) View THIS IS WHAT WE ARE TRYING TO ACHIEVE Client Server Key Algorithm Key Algorithm Matching key and encryption algorithm Identity confirmed, connection established, encryption of traffic between client and server.
| ©2021 F5 8 CONFIDENTIAL Establishing an encrypted connection TCP Connection Identity and capabilities Key ‘exchange’ Bulk encryption Server Client
| ©2021 F5 9 CONFIDENTIAL Establishing Capabilities and Identity Identity and capabilities Server Client Supported Cypher Suites
| ©2021 F5 10 CONFIDENTIAL Establishing Capabilities and Identity Identity and capabilities Server Client Supported Cypher Suites Identity ECDHE-RSA-AES256-GCM-SHA384 RSA
| ©2021 F5 11 CONFIDENTIAL Creating a Shared Key Identity and capabilities Key ‘exchange’ Server Client ECDHE-RSA-AES256-GCM-SHA384 Public Value Public Value Random Secret Random Secret Public Value Public Value Public Value Public Value Intermediate Intermediate
| ©2021 F5 12 CONFIDENTIAL Creating a Shared Key Identity and capabilities Key ‘exchange’ Server Client ECDHE-RSA-AES256-GCM-SHA384 Random Secret Random Secret Intermediate Intermediate
| ©2021 F5 13 CONFIDENTIAL Bulk Encryption Identity and capabilities Key ‘exchange’ Bulk encryption Server Client ECDHE-RSA-AES256-GCM-SHA384
| ©2021 F5 14 CONFIDENTIAL Protocol == Control of Operations THE SSL/TLS PROTOCOL SETTING IS THE CONTROL STREAM Identity and capabilities Key ‘exchange’ Bulk encryption Server Client SSL1 SSL2 SSL3 TLS1 TLS1.1 TLS1.2 TLS1.3
| ©2021 F5 15 Eliminates known insecure key ciphers Mandates forward secrecy Mandates more secure bulk encryption Signs whole handshake CONFIDENTIAL Why Use TLS 1.3? LATEST AND GREATEST SAFER Reduced handshakes in TLS session setup 0-RTT connections for session resumption Simpler cipher suites, fewer possible combinations FASTER 63% of Servers prefer TLS 1.3* *F5 TLS Telemetry report 2021
| ©2021 F5 16 SSL Certificates CONFIDENTIAL
| ©2021 F5 17 CONFIDENTIAL What is an SSL Certificate used for? Establish Identity Certificate contains identity information and is signed by a trusted Certificate Authority Signing Communications A client can verify that data was sent from the server by using the public key in the SSL certificate to decrypt it
| ©2021 F5 18 CONFIDENTIAL SSL for Identity Verification Certificate from NGINX.com Root Certificate Authority (Balitmore Cybertrust) Intermediate Certificate (Cloudflare.com) Signs Signs Certificate Chain
| ©2021 F5 19 CONFIDENTIAL Certificates Self Signed CA Signed Self CA Signed Generate your own Obtain from a CA Create your CA Create your cert Certificate Warnings No warnings No warnings on browsers with your root CA Dev/Test Production Internal prod/QA
| ©2021 F5 20 NGINX SSL Configuration CONFIDENTIAL
| ©2021 F5 21 CONFIDENTIAL NGINX Config Overview http{ # HTTP block sets global http values server { # server block defines an individual config } upstream { # upstream block defines backend servers } } Server and upstream blocks are usually contained in separate files and incorporated using the include directive
| ©2021 F5 22 CONFIDENTIAL NGINX SSL Configuration server { listen 443 ssl; server_name www.example.com; ssl_certificate ssl/www.example.com.crt; ssl_certificate_key ssl/www.example.com.key; ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers HIGH:!aNULL:!MD5; ssl_conf_command Ciphersuites TLS_CHACHA20_POLY1305_SHA256; … Server Name – needs to match certificate* SSL Certificate and key name Allowable protocols Cipher string for for TLS 1.2 Port to listen on and protocol Cipher string for TLS 1.3
| ©2021 F5 23 CONFIDENTIAL ssl_ciphers Explained HIGH:!aNULL:!MD5; Use the high strength set of ciphers Explicitly exclude (!) any cipher suite offering no authentication Explicitly exclude (!) any cipher suite using MD5 for hashing See what cipher strings will be listed: openssl ciphers -V 'HIGH:!aNULL:!MD5'
| ©2021 F5 24 CONFIDENTIAL ssl_conf_command Ciphersuites TLS_CHACHA20_POLY1305_SHA256 Protocol Bulk Encryption Key Derivation TLS 1.3 has 5 recommended cipher suites (37 in TLS1.2),(319 for backward compatibility!)
| ©2021 F5 25 Demo Time CONFIDENTIAL
| ©2021 F5 26 CONFIDENTIAL Environment Me NGINX Proxy NGINX Webserver HTTPS 443 HTTPS 443 HTTP 8080
| ©2021 F5 27 Other Settings: CONFIDENTIAL
| ©2021 F5 28 CONFIDENTIAL Redirect HTTP to HTTPS server { listen 80; listen [::]:80; server_name example.com www.example.com; return 301 https://example.com$request_uri; } Add an additional server block listening on port 80, and return a HTTP redirect response to any request:
| ©2021 F5 29 CONFIDENTIAL Improving SSL Security - Key Exchange Parameters Increase the size of one of the known parameters to 4096 bytes: Generate the key: SSL_Demo> sudo openssl dhparam -out /etc/nginx/ssl/dhkey4096.pem 4096 Add the value to the NGINX config: ssl_certificate www.example.com.crt; ssl_certificate_key www.example.com.key; ssl_dhparam /etc/ssl/dhkey4096.pem;
| ©2021 F5 30 Add Strict Transport Security headers: add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; This informs a browser that a site should ONLY be accessed over HTTPS. Increase the timeout and set a session cache ssl_session_cache shared:SSL:10m; ssl_session_timeout 10m; CONFIDENTIAL Additional Security and Performance Settings
| ©2021 F5 31 NGINX Security Products CONFIDENTIAL
| ©2021 F5 32 NGINX App Protect DoS Protection against a range of DoS attacks, including hard-to-spot low and slow attacks NGINX App Protect WAF Powerful defense against layer 7 attacks Based on F5’s leading application layer firewall NGINX Kubernetes Ingress Controller Ingress control for Kubernetes, with added encryption, authentication and WAF. CONFIDENTIAL NGINX Security Products BUILT ON NGINX PLUS
| ©2021 F5 33 Summary CONFIDENTIAL
| ©2021 F5 34 CONFIDENTIAL Useful Resources Private Keys https://www.nginx.com/blog/secure-distribution-ssl-private-keys-nginx/ Cipher Suites https://www.youtube.com/watch?v=ZM3tXhPV8v0 Key Exchange https://www.youtube.com/watch?v=pa4osob1XOk TLS 1.3 https://www.nginx.com/blog/nginx-plus-r17-released/#r17-tls13
| ©2020 F5 35 Questions? CONFIDENTIAL
NGINX 101: Web Traffic Encryption with SSL/TLS and NGINX

More Related Content

PPTX
Kubernetes Networking 101
byWeaveworks
 
PDF
Virtual Extensible LAN (VXLAN)
byKHNOG
 
PDF
NAT- Network Address Translation
byEng. Emad Al-Atoum
 
PPTX
VXLAN
bySAliyev1
 
PDF
Kubernetes networking in AWS
byZvika Gazit
 
PDF
Jenkins 101: Getting Started
byR Geoffrey Avery
 
PPTX
Stateful Flow Table - SFT 2020 DPDK users pace summit
byAndrey Vesnovaty
 
PDF
Custom policies in mule 4 and a circuit breaker example
byRoyston Lobo
 
Kubernetes Networking 101
byWeaveworks
 
Virtual Extensible LAN (VXLAN)
byKHNOG
 
NAT- Network Address Translation
byEng. Emad Al-Atoum
 
VXLAN
bySAliyev1
 
Kubernetes networking in AWS
byZvika Gazit
 
Jenkins 101: Getting Started
byR Geoffrey Avery
 
Stateful Flow Table - SFT 2020 DPDK users pace summit
byAndrey Vesnovaty
 
Custom policies in mule 4 and a circuit breaker example
byRoyston Lobo
 

What's hot

ODP
Kubernetes Architecture
byKnoldus Inc.
 
PPTX
Ingress overview
byHarshal Shah
 
PPT
SS7 & SIGTRAN
byStephanie Galloway-Williams
 
PDF
Worldwide attacks on SS7 network
byAlexandre De Oliveira
 
ODP
Linux Introduction (Commands)
byanandvaidya
 
PDF
LoadBalancer using KeepAlived
byKhushalChandak1
 
PPTX
Kerberos
byRafatSamreen
 
PDF
Implementing Observability for Kubernetes.pdf
byJose Manuel Ortega Candel
 
PDF
IMS ENUM & DNS Mechanism
byHouman Sadeghi Kaji
 
PDF
Linux Networking Explained
byThomas Graf
 
PDF
20CS2008 Computer Networks
byKathirvel Ayyaswamy
 
PDF
A Guide to Adopting Kubernetes
byNGINX, Inc.
 
PDF
What is Jenkins | Jenkins Tutorial for Beginners | Edureka
byEdureka!
 
PDF
Service Mesh on Kubernetes with Istio
byMichelle Holley
 
PDF
Deep dive into Kubernetes Networking
bySreenivas Makam
 
PPTX
A presentation on networking and ccna
byvivek kumar
 
PPTX
Basic interview question for Ether Channel.
byINFitunes
 
PDF
Understanding Wireguard, TLS and Workload Identity
byChristian Posta
 
PDF
Linux Systems: Getting started with setting up an Embedded platform
byEmertxe Information Technologies Pvt Ltd
 
PPTX
Cisco nx os
byUtpal Sinha
 
Kubernetes Architecture
byKnoldus Inc.
 
Ingress overview
byHarshal Shah
 
SS7 & SIGTRAN
byStephanie Galloway-Williams
 
Worldwide attacks on SS7 network
byAlexandre De Oliveira
 
Linux Introduction (Commands)
byanandvaidya
 
LoadBalancer using KeepAlived
byKhushalChandak1
 
Kerberos
byRafatSamreen
 
Implementing Observability for Kubernetes.pdf
byJose Manuel Ortega Candel
 
IMS ENUM & DNS Mechanism
byHouman Sadeghi Kaji
 
Linux Networking Explained
byThomas Graf
 
20CS2008 Computer Networks
byKathirvel Ayyaswamy
 
A Guide to Adopting Kubernetes
byNGINX, Inc.
 
What is Jenkins | Jenkins Tutorial for Beginners | Edureka
byEdureka!
 
Service Mesh on Kubernetes with Istio
byMichelle Holley
 
Deep dive into Kubernetes Networking
bySreenivas Makam
 
A presentation on networking and ccna
byvivek kumar
 
Basic interview question for Ether Channel.
byINFitunes
 
Understanding Wireguard, TLS and Workload Identity
byChristian Posta
 
Linux Systems: Getting started with setting up an Embedded platform
byEmertxe Information Technologies Pvt Ltd
 
Cisco nx os
byUtpal Sinha
 

Similar to NGINX 101: Web Traffic Encryption with SSL/TLS and NGINX

PPTX
Random musings on SSL/TLS configuration
byextremeunix
 
PDF
Sử dụng TLS đúng cách - Phạm Tùng Dương
bySecurity Bootcamp
 
PDF
DockerCon Live 2020 - Securing Your Containerized Application with NGINX
byKevin Jones
 
PPTX
How To Create a SSL Certificate on Nginx for Ubuntu.pptx
byVEXXHOST Private Cloud
 
PDF
Barcamp Salzburg Oktober 2013: (Perfect) Forward Secrecy with nginx and OpenSSL
byRichard Fussenegger
 
PPTX
TLS 1.3 and Other New Features in NGINX Plus R17 and NGINX Open Source
byNGINX, Inc.
 
PDF
TLS 1.3 and Other New Features in NGINX Plus R17 and NGINX Open Source EMEA
byNGINX, Inc.
 
PPT
Ost ssl lec
byKaustubh Joshi
 
PDF
NGiNX, VHOSTS & SSL (let's encrypt)
byMarcel Cattaneo
 
PDF
020618 Why Do we Need HTTPS
byJackio Kwok
 
PPTX
NGINX: Basics & Best Practices - EMEA Broadcast
byNGINX, Inc.
 
PDF
FreeBSD and Hardening Web Server
byMuhammad Moinur Rahman
 
PPTX
NGINX: High Performance Load Balancing
byNGINX, Inc.
 
DOCX
How to Install SSL Certificate in Nginx - Guide
byRapidSSLOnline.com
 
PPTX
NGINX: High Performance Load Balancing
byNGINX, Inc.
 
PDF
Securing Your Containerized Applications with NGINX
byDocker, Inc.
 
PDF
F5 TLS & SSL Practices
byBrian A. McHenry
 
PPTX
NGINX Plus R18: What's new
byNGINX, Inc.
 
PDF
Next Generation DevOps in Drupal: DrupalCamp London 2014
byBarney Hanlon
 
PDF
What’s New in NGINX Plus R15? - EMEA
byNGINX, Inc.
 
Random musings on SSL/TLS configuration
byextremeunix
 
Sử dụng TLS đúng cách - Phạm Tùng Dương
bySecurity Bootcamp
 
DockerCon Live 2020 - Securing Your Containerized Application with NGINX
byKevin Jones
 
How To Create a SSL Certificate on Nginx for Ubuntu.pptx
byVEXXHOST Private Cloud
 
Barcamp Salzburg Oktober 2013: (Perfect) Forward Secrecy with nginx and OpenSSL
byRichard Fussenegger
 
TLS 1.3 and Other New Features in NGINX Plus R17 and NGINX Open Source
byNGINX, Inc.
 
TLS 1.3 and Other New Features in NGINX Plus R17 and NGINX Open Source EMEA
byNGINX, Inc.
 
Ost ssl lec
byKaustubh Joshi
 
NGiNX, VHOSTS & SSL (let's encrypt)
byMarcel Cattaneo
 
020618 Why Do we Need HTTPS
byJackio Kwok
 
NGINX: Basics & Best Practices - EMEA Broadcast
byNGINX, Inc.
 
FreeBSD and Hardening Web Server
byMuhammad Moinur Rahman
 
NGINX: High Performance Load Balancing
byNGINX, Inc.
 
How to Install SSL Certificate in Nginx - Guide
byRapidSSLOnline.com
 
NGINX: High Performance Load Balancing
byNGINX, Inc.
 
Securing Your Containerized Applications with NGINX
byDocker, Inc.
 
F5 TLS & SSL Practices
byBrian A. McHenry
 
NGINX Plus R18: What's new
byNGINX, Inc.
 
Next Generation DevOps in Drupal: DrupalCamp London 2014
byBarney Hanlon
 
What’s New in NGINX Plus R15? - EMEA
byNGINX, Inc.
 

More from NGINX, Inc.

PDF
【NGINXセミナー】 Ingressを使ってマイクロサービスの運用を楽にする方法
byNGINX, Inc.
 
PDF
【NGINXセミナー】 NGINXのWAFとは?その使い方と設定方法 解説セミナー
byNGINX, Inc.
 
PDF
【NGINXセミナー】API ゲートウェイとしてのNGINX Plus活用方法
byNGINX, Inc.
 
PPTX
Get Hands-On with NGINX and QUIC+HTTP/3
byNGINX, Inc.
 
PPTX
Managing Kubernetes Cost and Performance with NGINX & Kubecost
byNGINX, Inc.
 
PDF
Manage Microservices Chaos and Complexity with Observability
byNGINX, Inc.
 
PDF
Accelerate Microservices Deployments with Automation
byNGINX, Inc.
 
PDF
Unit 2: Microservices Secrets Management 101
byNGINX, Inc.
 
PDF
Unit 1: Apply the Twelve-Factor App to Microservices Architectures
byNGINX, Inc.
 
PDF
NGINX基本セミナー(セキュリティ編)~NGINXでセキュアなプラットフォームを実現する方法!
byNGINX, Inc.
 
PDF
Easily View, Manage, and Scale Your App Security with F5 NGINX
byNGINX, Inc.
 
PDF
NGINXセミナー(基本編)~いまさら聞けないNGINXコンフィグなど基本がわかる!
byNGINX, Inc.
 
PDF
Keep Ahead of Evolving Cyberattacks with OPSWAT and F5 NGINX
byNGINX, Inc.
 
PPTX
Install and Configure NGINX Unit, the Universal Application, Web, and Proxy S...
byNGINX, Inc.
 
PPTX
Protecting Apps from Hacks in Kubernetes with NGINX
byNGINX, Inc.
 
PPTX
NGINX Kubernetes API
byNGINX, Inc.
 
PPTX
Successfully Implement Your API Strategy with NGINX
byNGINX, Inc.
 
PPTX
Installing and Configuring NGINX Open Source
byNGINX, Inc.
 
PPTX
Shift Left for More Secure Apps with F5 NGINX
byNGINX, Inc.
 
PPTX
How to Avoid the Top 5 NGINX Configuration Mistakes.pptx
byNGINX, Inc.
 
【NGINXセミナー】 Ingressを使ってマイクロサービスの運用を楽にする方法
byNGINX, Inc.
 
【NGINXセミナー】 NGINXのWAFとは?その使い方と設定方法 解説セミナー
byNGINX, Inc.
 
【NGINXセミナー】API ゲートウェイとしてのNGINX Plus活用方法
byNGINX, Inc.
 
Get Hands-On with NGINX and QUIC+HTTP/3
byNGINX, Inc.
 
Managing Kubernetes Cost and Performance with NGINX & Kubecost
byNGINX, Inc.
 
Manage Microservices Chaos and Complexity with Observability
byNGINX, Inc.
 
Accelerate Microservices Deployments with Automation
byNGINX, Inc.
 
Unit 2: Microservices Secrets Management 101
byNGINX, Inc.
 
Unit 1: Apply the Twelve-Factor App to Microservices Architectures
byNGINX, Inc.
 
NGINX基本セミナー(セキュリティ編)~NGINXでセキュアなプラットフォームを実現する方法!
byNGINX, Inc.
 
Easily View, Manage, and Scale Your App Security with F5 NGINX
byNGINX, Inc.
 
NGINXセミナー(基本編)~いまさら聞けないNGINXコンフィグなど基本がわかる!
byNGINX, Inc.
 
Keep Ahead of Evolving Cyberattacks with OPSWAT and F5 NGINX
byNGINX, Inc.
 
Install and Configure NGINX Unit, the Universal Application, Web, and Proxy S...
byNGINX, Inc.
 
Protecting Apps from Hacks in Kubernetes with NGINX
byNGINX, Inc.
 
NGINX Kubernetes API
byNGINX, Inc.
 
Successfully Implement Your API Strategy with NGINX
byNGINX, Inc.
 
Installing and Configuring NGINX Open Source
byNGINX, Inc.
 
Shift Left for More Secure Apps with F5 NGINX
byNGINX, Inc.
 
How to Avoid the Top 5 NGINX Configuration Mistakes.pptx
byNGINX, Inc.
 

Recently uploaded

PDF
The Rise of AI Agents: Powering the Next Industrial Era
byMaxim Salnikov
 
PDF
Austin Marketo User Group: Ground Control 2 MOPS: AI-Ignite your Map
bybbedford2
 
PDF
Quantum Computing Threats- A Guide for Cyber Security Auditors on Post-Quantu...
byCyberneticGI
 
PDF
VADY Data Analytics Solutions – Effortless AI-Powered Decision-Making for Eve...
byNewFangledVision
 
DOCX
DevOps_MERN_CI_CD_Proposal for software development .pptx
bydemy2014
 
PPTX
AI-Powered Intelligent Agents for Fraud Detection
byleolucus1995
 
PPT
Evolution of the Major Programming Languages
bymjmansoori54
 
PPTX
Moving Plone Blob Storage to S3 Object Storage - Plone Conference 2025
byAlin Voinea
 
PDF
Safe Confined Space Entry Monitoring_ Singapore Experts.pdf
byprasadexiga0
 
DOCX
Comprehensive Guide to SharePoint Consulting Services – Benefits, Process, an...
bySharepoint Designs
 
PPT
Lexical and Syntax Analysis top down parsers
bymjmansoori54
 
PDF
Zoho Vani AI-Powered Collaboration Platform to Rival Google Workspace & Micro...
byEvoluz Global Solutions
 
PDF
How QuickHR Helps SMEs Control Expense Claims
byParker adam
 
PPTX
Financial Literacy for Software Developers
byBalanathanVirupasan
 
PDF
VADY GenAI – Enterprise AI Solutions with Complete Data Control and Smart Dec...
byNewFangledVision
 
PDF
Ensuring Regulatory Excellence with Insurance Compliance Software
byInsurance Tech Services
 
PDF
Autowiring all the things! - DrupalCon Vienna 2025 - Luca Lusso, SparkFabrik
bysparkfabrik
 
PPTX
877541002-Losing-Control-Over-Business-Operations-Part-2.pptx
byKsoft Technologies
 
PPTX
Empower Your Business Operations with BUSY Software by MovingCloud360.pptx
byMoving Cloud
 
PPTX
Systems Programming Lecture Compute.pptx
byAdekunle25
 
The Rise of AI Agents: Powering the Next Industrial Era
byMaxim Salnikov
 
Austin Marketo User Group: Ground Control 2 MOPS: AI-Ignite your Map
bybbedford2
 
Quantum Computing Threats- A Guide for Cyber Security Auditors on Post-Quantu...
byCyberneticGI
 
VADY Data Analytics Solutions – Effortless AI-Powered Decision-Making for Eve...
byNewFangledVision
 
DevOps_MERN_CI_CD_Proposal for software development .pptx
bydemy2014
 
AI-Powered Intelligent Agents for Fraud Detection
byleolucus1995
 
Evolution of the Major Programming Languages
bymjmansoori54
 
Moving Plone Blob Storage to S3 Object Storage - Plone Conference 2025
byAlin Voinea
 
Safe Confined Space Entry Monitoring_ Singapore Experts.pdf
byprasadexiga0
 
Comprehensive Guide to SharePoint Consulting Services – Benefits, Process, an...
bySharepoint Designs
 
Lexical and Syntax Analysis top down parsers
bymjmansoori54
 
Zoho Vani AI-Powered Collaboration Platform to Rival Google Workspace & Micro...
byEvoluz Global Solutions
 
How QuickHR Helps SMEs Control Expense Claims
byParker adam
 
Financial Literacy for Software Developers
byBalanathanVirupasan
 
VADY GenAI – Enterprise AI Solutions with Complete Data Control and Smart Dec...
byNewFangledVision
 
Ensuring Regulatory Excellence with Insurance Compliance Software
byInsurance Tech Services
 
Autowiring all the things! - DrupalCon Vienna 2025 - Luca Lusso, SparkFabrik
bysparkfabrik
 
877541002-Losing-Control-Over-Business-Operations-Part-2.pptx
byKsoft Technologies
 
Empower Your Business Operations with BUSY Software by MovingCloud360.pptx
byMoving Cloud
 
Systems Programming Lecture Compute.pptx
byAdekunle25
 

NGINX 101: Web Traffic Encryption with SSL/TLS and NGINX

  • 1.
  • 2.
    | ©2021 F5 2 Agenda TLS/SSLOverview Introduction TLS Protocols Cyphers Key Exchange Encryption Certificates Basic NGINX Config Demo NGINX SSL Configuration Extras Next Redirecting HTTP to HTTPS Recommended SSL settings Additional NGINX security offers
  • 3.
    | ©2021 F5 3 >70% 10,000busiest websites 440M+ websites and apps OPEN SOURCE FOOTPRINT NGINX powers the Internet . . . and most enterprises! PROVEN = 1 Million
  • 4.
    | ©2021 F5 4 NGINXPlus Enterprise-Class Data Plane NGINX Open Source Fast, Flexible, Portable
  • 5.
    | ©2021 F5 5 TLS/SSLOverview CONFIDENTIAL
  • 6.
    | ©2021 F5 6CONFIDENTIAL Clarifying some terms HTTPS SSL TLS Encrypting Web Traffic
  • 7.
    | ©2021 F5 7 10000Ft (3048m) View THIS IS WHAT WE ARE TRYING TO ACHIEVE Client Server Key Algorithm Key Algorithm Matching key and encryption algorithm Identity confirmed, connection established, encryption of traffic between client and server.
  • 8.
    | ©2021 F5 8CONFIDENTIAL Establishing an encrypted connection TCP Connection Identity and capabilities Key ‘exchange’ Bulk encryption Server Client
  • 9.
    | ©2021 F5 9CONFIDENTIAL Establishing Capabilities and Identity Identity and capabilities Server Client Supported Cypher Suites
  • 10.
    | ©2021 F5 10CONFIDENTIAL Establishing Capabilities and Identity Identity and capabilities Server Client Supported Cypher Suites Identity ECDHE-RSA-AES256-GCM-SHA384 RSA
  • 11.
    | ©2021 F5 11CONFIDENTIAL Creating a Shared Key Identity and capabilities Key ‘exchange’ Server Client ECDHE-RSA-AES256-GCM-SHA384 Public Value Public Value Random Secret Random Secret Public Value Public Value Public Value Public Value Intermediate Intermediate
  • 12.
    | ©2021 F5 12CONFIDENTIAL Creating a Shared Key Identity and capabilities Key ‘exchange’ Server Client ECDHE-RSA-AES256-GCM-SHA384 Random Secret Random Secret Intermediate Intermediate
  • 13.
    | ©2021 F5 13CONFIDENTIAL Bulk Encryption Identity and capabilities Key ‘exchange’ Bulk encryption Server Client ECDHE-RSA-AES256-GCM-SHA384
  • 14.
    | ©2021 F5 14CONFIDENTIAL Protocol == Control of Operations THE SSL/TLS PROTOCOL SETTING IS THE CONTROL STREAM Identity and capabilities Key ‘exchange’ Bulk encryption Server Client SSL1 SSL2 SSL3 TLS1 TLS1.1 TLS1.2 TLS1.3
  • 15.
    | ©2021 F5 15 Eliminatesknown insecure key ciphers Mandates forward secrecy Mandates more secure bulk encryption Signs whole handshake CONFIDENTIAL Why Use TLS 1.3? LATEST AND GREATEST SAFER Reduced handshakes in TLS session setup 0-RTT connections for session resumption Simpler cipher suites, fewer possible combinations FASTER 63% of Servers prefer TLS 1.3* *F5 TLS Telemetry report 2021
  • 16.
    | ©2021 F5 16 SSLCertificates CONFIDENTIAL
  • 17.
    | ©2021 F5 17CONFIDENTIAL What is an SSL Certificate used for? Establish Identity Certificate contains identity information and is signed by a trusted Certificate Authority Signing Communications A client can verify that data was sent from the server by using the public key in the SSL certificate to decrypt it
  • 18.
    | ©2021 F5 18CONFIDENTIAL SSL for Identity Verification Certificate from NGINX.com Root Certificate Authority (Balitmore Cybertrust) Intermediate Certificate (Cloudflare.com) Signs Signs Certificate Chain
  • 19.
    | ©2021 F5 19CONFIDENTIAL Certificates Self Signed CA Signed Self CA Signed Generate your own Obtain from a CA Create your CA Create your cert Certificate Warnings No warnings No warnings on browsers with your root CA Dev/Test Production Internal prod/QA
  • 20.
    | ©2021 F5 20 NGINXSSL Configuration CONFIDENTIAL
  • 21.
    | ©2021 F5 21CONFIDENTIAL NGINX Config Overview http{ # HTTP block sets global http values server { # server block defines an individual config } upstream { # upstream block defines backend servers } } Server and upstream blocks are usually contained in separate files and incorporated using the include directive
  • 22.
    | ©2021 F5 22CONFIDENTIAL NGINX SSL Configuration server { listen 443 ssl; server_name www.example.com; ssl_certificate ssl/www.example.com.crt; ssl_certificate_key ssl/www.example.com.key; ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers HIGH:!aNULL:!MD5; ssl_conf_command Ciphersuites TLS_CHACHA20_POLY1305_SHA256; … Server Name – needs to match certificate* SSL Certificate and key name Allowable protocols Cipher string for for TLS 1.2 Port to listen on and protocol Cipher string for TLS 1.3
  • 23.
    | ©2021 F5 23CONFIDENTIAL ssl_ciphers Explained HIGH:!aNULL:!MD5; Use the high strength set of ciphers Explicitly exclude (!) any cipher suite offering no authentication Explicitly exclude (!) any cipher suite using MD5 for hashing See what cipher strings will be listed: openssl ciphers -V 'HIGH:!aNULL:!MD5'
  • 24.
    | ©2021 F5 24CONFIDENTIAL ssl_conf_command Ciphersuites TLS_CHACHA20_POLY1305_SHA256 Protocol Bulk Encryption Key Derivation TLS 1.3 has 5 recommended cipher suites (37 in TLS1.2),(319 for backward compatibility!)
  • 25.
    | ©2021 F5 25 DemoTime CONFIDENTIAL
  • 26.
    | ©2021 F5 26CONFIDENTIAL Environment Me NGINX Proxy NGINX Webserver HTTPS 443 HTTPS 443 HTTP 8080
  • 27.
    | ©2021 F5 27 OtherSettings: CONFIDENTIAL
  • 28.
    | ©2021 F5 28CONFIDENTIAL Redirect HTTP to HTTPS server { listen 80; listen [::]:80; server_name example.com www.example.com; return 301 https://example.com$request_uri; } Add an additional server block listening on port 80, and return a HTTP redirect response to any request:
  • 29.
    | ©2021 F5 29CONFIDENTIAL Improving SSL Security - Key Exchange Parameters Increase the size of one of the known parameters to 4096 bytes: Generate the key: SSL_Demo> sudo openssl dhparam -out /etc/nginx/ssl/dhkey4096.pem 4096 Add the value to the NGINX config: ssl_certificate www.example.com.crt; ssl_certificate_key www.example.com.key; ssl_dhparam /etc/ssl/dhkey4096.pem;
  • 30.
    | ©2021 F5 30 AddStrict Transport Security headers: add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; This informs a browser that a site should ONLY be accessed over HTTPS. Increase the timeout and set a session cache ssl_session_cache shared:SSL:10m; ssl_session_timeout 10m; CONFIDENTIAL Additional Security and Performance Settings
  • 31.
    | ©2021 F5 31 NGINXSecurity Products CONFIDENTIAL
  • 32.
    | ©2021 F5 32 NGINXApp Protect DoS Protection against a range of DoS attacks, including hard-to-spot low and slow attacks NGINX App Protect WAF Powerful defense against layer 7 attacks Based on F5’s leading application layer firewall NGINX Kubernetes Ingress Controller Ingress control for Kubernetes, with added encryption, authentication and WAF. CONFIDENTIAL NGINX Security Products BUILT ON NGINX PLUS
  • 33.
  • 34.
    | ©2021 F5 34CONFIDENTIAL Useful Resources Private Keys https://www.nginx.com/blog/secure-distribution-ssl-private-keys-nginx/ Cipher Suites https://www.youtube.com/watch?v=ZM3tXhPV8v0 Key Exchange https://www.youtube.com/watch?v=pa4osob1XOk TLS 1.3 https://www.nginx.com/blog/nginx-plus-r17-released/#r17-tls13
  • 35.