Thanks for your comments. For TLS and the reverse proxy, I’m referring to three things:
1. I do not see how to enable or configure TLSv1.2 or 1.3 in the ccs-calendarserver configuration code. See, for example, the default configuration plist and the associated Python code:

       <!-- SSL method: SSLv2_METHOD, SSLv3_METHOD, SSLv23_METHOD, or TLSv1_METHOD -->
       <key>SSLMethod</key>
       <string>SSLv23_METHOD</string>

   https://github.com/apple/ccs-calendarserver/blob/15561ced74a7a45cfffa0610201b43179f6afa5c/contrib/conf/calendarserver.plist#L53-L55

2. I do not see how to specify Diffie-Hellman parameters for PFS. A search through the code doesn’t yield any hits, and it doesn’t appear to be a configuration key:

   https://github.com/apple/ccs-calendarserver/search?q=dhparam&unscoped_q=dhparam

3. In my own Server.app version 3.7, Apache was used as a reverse proxy for Calendar and Contacts Server. I do not know what went into this design decision, but I inferred that this is related to configuring a central web server for Server.app that also provides the benefits of a reverse proxy.

Because of the issues mentioned above, I configured an nginx reverse proxy for a MacPorts port of Calendar and Contacts Server. Here’s the nginx.conf:

https://github.com/macports/macports-ports/pull/4978/files#diff-ec7e62c591a23b72c54b4eb10b089440

Yes, “isolate” is too strong for a reverse proxy (should say “help isolate”), but they do have several benefits, which may or may not also be a part of the ccs-calendarserver backend: mod_security, rate limiting, routing through a single exposed http/https port, and the like. I don’t know how to do any of this with the ccs-calendarserver code, but a lot of reasonable features like these are used in Server.app’s apache2 .conf files in its reverse proxy design. If there’s a way to configure ccs-calendarserver to use native Twisted capabilities, that would be good to have for a simplified setup without using an nginx front-end.
I also see that Twisted has already migrated to python3—ccs-calendarserver is still on Python 2.7 which is EOL in four months!—so python3 migration could be part of this. Should ccs-calendarserver’s Twisted TLS config be raised as an issue at https://github.com/apple/ccs-calendarserver/issues?

> On Aug 8, 2019, at 11:31 PM, Glyph <gl...@twistedmatrix.com> wrote:
>
>> On Aug 8, 2019, at 4:33 AM, Steven Smith <steve.t.sm...@gmail.com> wrote:
>>
>> This port is completely independent of Server.app, and uses an nginx reverse
>> proxy for modern crypto and to isolate the backend server. I have it
>> deployed and it’s working well.
>
> What 'modern crypto' are you referring to? Twisted (upon which
> CalendarServer is based) ought to be able to get an A+ on SSLLabs and use all
> the most modern ciphersuites (including TLS 1.3). I'm not up on
> CalendarServer's configuration these days, but it should be possible to
> adjust it to be as fancy and modern as it needs to be...
>
> (I'm not sure what you mean by "isolating" the server?)
>
> -glyph
_______________________________________________
calendarserver-users mailing list
calendarserver-users@lists.macosforge.org
https://lists.macosforge.org/mailman/listinfo/calendarserver-users