-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On 11/19/15 14:41, Janusz Dziemidowicz wrote:
> 2015-11-19 11:13 GMT+01:00 Piotr Kubaj <pku...@riseup.net>:
>>> 4096 bit DH params will be pretty slow to handshake. Maybe
>>> that's okay in your circumstance though since you seem to be
>>> using this for a personal use and not expecting a high
>>> connection rate. You also have a 8 kbit RSA self signed
>>> certificate and using 256 bit ciphers which increase TLS
>>> overhead.
>> I want it to be secure, and I don't want to touch my settings
>> for quite a while so I just took the strongest algorithms there
>> are, and 2x recommended values for things like private key, or DH
>> params. The hardware is pretty powerful and I've already checked
>> that I don't have a huge load.
>
> Take note, that increasing RSA size twice reduces number of
> connections you can accept 10 times or more. For example, my quite
> powerful desktop with recent CPU can accept 973 connections per
> second per core for RSA 2048, 136 connections per second for RSA
> 4096. OpenSSL does not have tests for RSA 8192, but that would be
> in the order of a few connections per second. RSA 8192 is really an
> overkill, it would be possible to DoS your server with a simple
> shell script;) If you want a state of the art cryptography you
> should probably use ECDSA certificate, it will be both faster and
> more secure.
>
I've tweaked my haproxy.conf a little, now it looks like this:
global
#ssl-default-bind-options no-sslv3 no-tls-tickets force-tlsv12
#ssl-default-bind-ciphers AES256+EECDH:AES256+EDH
#tune.ssl.default-dh-param 4096
log /var/run/log local0
maxconn 4096
user daemon
group daemon
daemon
defaults
log global
mode http
option httplog
option forwardfor
option http-server-close
timeout connect 5000ms
timeout client 50000ms
timeout server 50000ms
frontend http-in
bind 192.168.11.3:80
acl host_phpsysinfo hdr_dom(host) -i phpsysinfo.anongoth.pl
acl host_owncloud hdr_dom(host) -i owncloud.anongoth.pl
acl host_roundcube hdr_dom(host) -i roundcube.anongoth.pl
acl host_10amd64 hdr_dom(host) -i 10amd64.anongoth.pl
acl host_10armv6 hdr_dom(host) -i 10armv6.anongoth.pl
## figure out which one to use
use_backend phpsysinfo if host_phpsysinfo
use_backend owncloud if host_owncloud
use_backend roundcube if host_roundcube
use_backend 10amd64 if host_10amd64
use_backend 10armv6 if host_10armv6
# redirect scheme https code 301 if !{ ssl_fc }
frontend https-in
#option httplog
#option forwardfor
#option http-server-close
#option httpclose
#http-response set-header Strict-Transport-Security
"max-age=16000000; includeSubDomains; preload;"
#http-response set-header Public-Key-Pins:
"pin-sha256="1Pw5h93NOsPw6j/vaTYl5VvW9cmtuZXtNP3cVz10hKo=";
max-age=15768000; includeSubDomains"
#bind 192.168.11.3:443 ssl crt /usr/local/etc/haproxy.pem ciphers
AES256+EECDH:AES256+EDH force-tlsv12 no-sslv3
bind 192.168.11.3:443 ssl crt /usr/local/etc/haproxy.pem
acl host_phpsysinfo hdr_dom(host) -i phpsysinfo.anongoth.pl
acl host_owncloud hdr_dom(host) -i owncloud.anongoth.pl
acl host_roundcube hdr_dom(host) -i roundcube.anongoth.pl
acl host_10amd64 hdr_dom(host) -i 10amd64.anongoth.pl
acl host_10armv6 hdr_dom(host) -i 10armv6.anongoth.pl
## figure out which one to use
use_backend phpsysinfo if host_phpsysinfo
use_backend owncloud if host_owncloud
use_backend roundcube if host_roundcube
use_backend 10amd64 if host_10amd64
use_backend 10armv6 if host_10armv6
backend 10amd64
server node1 192.168.11.3:81
backend 10armv6
server node1 192.168.11.3:81
backend phpsysinfo
server node1 192.168.11.3:81
backend owncloud
server node1 192.168.11.14:80
backend roundcube
server node1 192.168.1.101:80
With that, I can tell that the issue is about HTTPS section. HTTP
connection through Haproxy goes fine, but HTTPS still has a problem.
I've also got regular Haproxy logs, I'm not sure if they can help
diagnose the problem:
Nov 19 15:04:58 anongoth haproxy[11792]: 46.248.161.165:54997
[19/Nov/2015:15:04:52.559] https-in owncloud/node1 5900/0/0/0/5901 200
319 - - ---- 2/2/0/1/0 0/0 "GET
/core/css/images/ui-bg_flat_35_1d2d44_40x100.png HTTP/1.1"
Nov 19 15:04:58 anongoth haproxy[11792]: 46.248.161.165:54996
[19/Nov/2015:15:04:52.555] https-in owncloud/node1 5911/0/0/1/5912 200
323 - - ---- 2/2/0/1/0 0/0 "GET
/core/css/images/ui-bg_highlight-soft_100_eeeeee_1x100.png HTTP/1.1"
Nov 19 15:05:00 anongoth haproxy[11792]: 46.248.161.165:54997
[19/Nov/2015:15:04:58.459] https-in owncloud/node1 27/0/0/1876/1931
200 1076 - - ---- 3/3/0/1/0 0/0 "POST
/index.php/apps/files/ajax/upload.php HTTP/1.1"
Nov 19 15:05:00 anongoth haproxy[11792]: 46.248.161.165:54997
[19/Nov/2015:15:05:00.390] https-in owncloud/node1 61/0/0/0/111 200
2642 - - ---- 3/3/0/1/0 0/0 "GET
/core/img/filetypes/application-pdf.svg HTTP/1.1"
Nov 19 15:05:01 anongoth haproxy[11792]: 46.248.161.165:54997
[19/Nov/2015:15:05:00.501] https-in owncloud/node1 221/0/1/372/615 200
862 - - ---- 3/3/0/1/0 0/0 "GET
/index.php/apps/files/ajax/getstoragestats.php?dir=%2F HTTP/1.1"
Nov 19 15:05:04 anongoth haproxy[11792]: 46.248.161.165:55053
[19/Nov/2015:15:04:58.506] https-in https-in/<NOSRV> -1/-1/-1/-1/5660
400 187 - - CR-- 2/2/0/0/0 0/0 "<BADREQ>"
Now, about RSA vs ECDSA. I simply don't trust ECDSA. There are quite a
lot of questions about constants used by ECDSA, which seem to be
chosen quite arbitrarily by its creator, which happens to be NSA.
These questions of course remain unanswered. Even respected scientists
like Schneier say that RSA should be used instead (see
https://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html#c167
5929
). When I'm done setting my HTTP(S) services, I'll simply limit
incoming connections connections on my firewall so DDOS'ing won't be
possible, unless you DDOS my firewall :)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAEBCAAGBQJWTeCTAAoJEC9nKukRsfY+DagQANH+B/DXl320i+hBl8R8v/Bs
GMDJLiWIxY8jjCoXlVdnOLoSY5lHUvnRQ+fMYiaTgskj+owYWYr9vVUZ3UPAKOQE
kJk4czgbqyt/K7ezIxMd8QwOZNHiLHIvWEYdybKx9AExBwYh1dSnx6dHNnBYE/ns
fViZ+K8M3p/EdZZmt/ToZ6AbxVs5UcrC0oGdkYtPH7s0gkGXmVM4IX5PJlJ8Pj3P
ixcV7v9i+Fxx/lAhd3Q476ZHEAP5Dy3G6u6Cb83phKUNfaGxB9eeEvOBYI+1WB2O
8lHxwozHip5UlembMT79uW11FVNybNbwFWBF+U7VZdpgqjb1525gTRJCj+Tong5x
q6Nztea8IOhhuJIkMOPTah5bsy3Mn4IR4IvsiL/SZ/OHF5ZflO9e4PHEeUZLd5Xj
5H4/J3pW04U7xB1kdS7WOjkohOnMdc3HvdeYQmsDCXKAty5WFhUjl5x1FhXbcsEU
GOMG/utCIAOHItD6MG1sF+s4LhdCMkLddiPcpIVs2EX3BhrfmDbOCYq40A0EDE6T
+Da5C8VC77e9QDT+9w5pOaxEYKw5A2iT5qhHjiSeJx8glYy6Lmz6hSuaWz4AaLu+
gmDwr2ETa0vFF8ai8O66n1p20sLiF4V6gNtIu7DQin/wP7AdVzXNsXBRcu2ZtpGo
6HDXjsf58EftkwtkakpI
=9ysy
-----END PGP SIGNATURE-----
