Thanks Douglas for all your work here, it's been really helpful.

On Tue, Feb 9, 2016 at 9:31 PM, Douglas Kastle <douglas.kas...@gmail.com>
wrote:

> Hi All
>
> I have been looking at the default security setup from the project
> template file in Mezzanine.  This has come out of my investigation of using
> letsencrypt <https://letsencrypt.org/> certificates and switching the whole
> website over to https everywhere <https://www.eff.org/https-everywhere%20>,
> by default, which BTW I have working.  If anybody is interested in that
> attempt I will detail it in another post.  This post is to capture some bug
> fixes and improvements on the base system that I came across during that
> effort.
>
> I love the default project setup and fabric deploy, however if I have a
> complaint it is how does one track fixes after you've initially created
> that first default project.  I don't have any good solution myself; I'd be
> curious to hear if anybody has a good technique.
>

When dealing with configuration files that are expected to be modified per
project, I really don't think the path we've taken here should be any
different. The only alternative would be to develop some kind of tool that
phones home, checks for updates, and analyzes individual files to try and
ascertain whether an upgrade is needed. Given that these files are expected
to have been modified by developers, this process would be prone to failure
in an infinite number of ways and in my opinion would be well beyond the
scope of the software we're building here.

At some point, developers and administrators need to take ownership of
their deployed project, and that includes subscribing to relevant mailing
lists and keeping up to date with the information broadcast. The best we
can do is keep the base files as up to date as possible, and communicate
appropriately.



> However I found two bugs/fixes that need to go into the project/nginx.conf
> file that any existing website using mezzanine should verify is actually in
> their deployed website on the server.  I have submitted these changes into
> the git repository and any future projects created with the default scripts
> should have these fixes from day one. However, existing websites may need to
> be hand edited; I feel what is detailed below will be enough for anybody
> to do that.
>
> I have been using this website to do a security review of my default file:
>
> https://www.ssllabs.com/ssltest/analyze.html
>
> And it flagged the following warnings with the default project
>
> *Remove SSL3 support from nginx.conf.template* #1525
> <https://github.com/stephenmcd/mezzanine/issues/1525>
>
> It flagged that SSL3 was a major weakness due to the POODLE attack:
>
>
>
> https://blog.qualys.com/ssllabs/2014/10/15/ssl-3-is-dead-killed-by-the-poodle-attack
>
>
> And recommends disabling SSL3 in future installs. This can be achieved by
> adding this line to nginx.conf (and also the template):
>
> %(ssl_disabled)s ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
>
>
>
> *Default settings are susceptible to weak DH/logjam attack on SSL* #1528
> <https://github.com/stephenmcd/mezzanine/issues/1528>
>
> I also got this warning:
>
> This server supports weak Diffie-Hellman (DH) key exchange parameters
>
> This is as a result of weak keys being used for the DH key exchange and is
> what is responsible for the Logjam attack:
>
> https://weakdh.org/
> https://en.wikipedia.org/wiki/Logjam_(computer_security)
>
> The details of the fix to a server are captured here:
>
>
> https://www.howtoforge.com/tutorial/how-to-protect-your-debian-and-ubuntu-server-against-the-logjam-attack/
>
> For me I added this extra line to the nginx.conf file (and the template
> file):
>
> %(ssl_disabled)s ssl_dhparam /etc/ssl/private/dhparams.pem;
>
> And added this extra task to the fabfile, and called the task out
> independently of install or deploy. This piece of code is to be merged into
> the location where the keys for the server are generated. The final
> upload_template_and_reload can probably be removed, it was just required as
> a function the task, dh, being on its own.
>
> # Imports needed to run this task on its own (Fabric 1.x). log_call,
> # get_templates and upload_template_and_reload are the helpers already
> # defined in the Mezzanine project fabfile, so they are not imported here.
> from fabric.api import task, sudo
> from fabric.contrib.files import exists
>
> @task
> @log_call
> def dh():
>     # Directory that will hold the generated DH parameters; nginx reads it as root.
>     ssl_private = "/etc/ssl/private"
>     if not exists(ssl_private):
>         sudo("mkdir -p %s" % ssl_private)
>         sudo("chmod 710 %s" % ssl_private)
>     # Generate 2048-bit DH parameters once; this step takes a few minutes.
>     dh_file = ssl_private + "/dhparams.pem"
>     if not exists(dh_file, use_sudo=True):
>         sudo("openssl dhparam -out %s 2048" % dh_file)
>         sudo("chmod 600 %s" % dh_file)
>
>     # Re-upload nginx.conf (which now carries ssl_dhparam) and reload nginx.
>     for name in get_templates():
>         upload_template_and_reload(name)
>
>
> This is the temporary fix required to help get existing websites up to date
> and playing well.
>
>
>
> --
> You received this message because you are subscribed to the Google Groups
> "Mezzanine Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to mezzanine-users+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
>



-- 
Stephen McDonald
http://jupo.org
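Since the thread asks existing deployments to verify by hand that the two nginx.conf fixes (no SSLv3 in ssl_protocols, and an ssl_dhparam pointing at 2048-bit parameters) are actually present on the server, here is an added audit script that does that check offline. It is example code written for this post, not part of Mezzanine or its fabfile. It parses the directives out of an nginx server block (tolerating the %(ssl_disabled)s template placeholder), and reads the prime size straight out of the PEM DH PARAMETERS file with a minimal DER walk, so it works without calling openssl. The config snippets and the DH parameter blob built by make_dhparam_pem are constructed for the demo; the constructed p is not prime and is only there to exercise the size check.

```python
"""Audit an nginx TLS config for SSLv3 (POODLE) and weak/missing DH params (Logjam)."""
import base64
import re

DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3"}
MIN_DH_BITS = 2048


def parse_directives(conf_text):
    """Return [(name, [args])] for simple directives; comments and braces are ignored.
    Also strips Mezzanine's %(ssl_disabled)s placeholder so the template itself can be audited."""
    text = re.sub(r"#.*", "", conf_text)
    text = text.replace("%(ssl_disabled)s", "")
    directives = []
    for stmt in re.split(r"[;{}]", text):
        parts = stmt.split()
        if parts:
            directives.append((parts[0], parts[1:]))
    return directives


def _read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; returns (tag, value_bytes, next_pos)."""
    tag, pos = buf[pos], pos + 1
    length, pos = buf[pos], pos + 1
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def dh_modulus_bits(pem_text):
    """Bit length of the prime p in a PEM 'DH PARAMETERS' blob.
    DER layout is SEQUENCE { INTEGER p, INTEGER g [, INTEGER privateValueLength] }."""
    body = "".join(l for l in pem_text.splitlines() if l and not l.startswith("-----"))
    der = base64.b64decode(body)
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, p_bytes, _ = _read_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER p")
    return int.from_bytes(p_bytes, "big").bit_length()   # a leading 0x00 pad is harmless


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _der_int(v):
    b = v.to_bytes((v.bit_length() + 7) // 8, "big")
    if b[0] & 0x80:
        b = b"\x00" + b                     # keep the INTEGER positive
    return b"\x02" + _der_len(len(b)) + b


def make_dhparam_pem(p, g=2):
    """Encode (p, g) as PEM DH PARAMETERS. Only used to build constructed test input;
    real parameters must come from `openssl dhparam`."""
    body = _der_int(p) + _der_int(g)
    b64 = base64.b64encode(b"\x30" + _der_len(len(body)) + body).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n%s\n-----END DH PARAMETERS-----\n" % "\n".join(lines)


def audit_nginx_ssl(conf_text, dhparam_files=None):
    """Return a list of finding strings. dhparam_files maps path -> PEM text
    (pass the file contents read from the server; a dict keeps this offline)."""
    dhparam_files = dhparam_files or {}
    findings = []
    directives = parse_directives(conf_text)

    protocols = [args for name, args in directives if name == "ssl_protocols"]
    if not protocols:
        findings.append("ssl_protocols not set: the nginx default applies, which on older "
                        "builds still includes SSLv3 (POODLE)")
    for args in protocols:
        weak = DEPRECATED_PROTOCOLS & set(args)
        if weak:
            findings.append("ssl_protocols enables %s (POODLE); use "
                            "'ssl_protocols TLSv1.2 TLSv1.1 TLSv1;'" % ", ".join(sorted(weak)))

    dhparams = [args for name, args in directives if name == "ssl_dhparam"]
    if not dhparams:
        findings.append("ssl_dhparam not set: nginx falls back to built-in DH parameters that "
                        "SSL Labs flags as weak (Logjam); generate 2048-bit params and add "
                        "'ssl_dhparam /etc/ssl/private/dhparams.pem;'")
    for args in dhparams:
        path = args[0] if args else ""
        pem = dhparam_files.get(path)
        if pem is None:
            findings.append("ssl_dhparam %s: file contents not supplied, size not verified" % path)
            continue
        bits = dh_modulus_bits(pem)
        if bits < MIN_DH_BITS:
            findings.append("ssl_dhparam %s: %d-bit prime is weak (Logjam); regenerate with "
                            "at least %d bits" % (path, bits, MIN_DH_BITS))
    return findings


# Constructed sample configs: the pre-fix default and the fixed server block.
WEAK_CONF = """
server {
    listen 443 ssl;
    ssl_certificate     /etc/nginx/conf/example.crt;   # constructed path
    ssl_certificate_key /etc/nginx/conf/example.key;   # constructed path
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
}
"""
FIXED_CONF = """
server {
    listen 443 ssl;
    %(ssl_disabled)s ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    %(ssl_disabled)s ssl_dhparam /etc/ssl/private/dhparams.pem;
}
"""

if __name__ == "__main__":
    for finding in audit_nginx_ssl(WEAK_CONF):
        print("FINDING:", finding)
```

On a real server, read /etc/nginx/sites-enabled/<site> and /etc/ssl/private/dhparams.pem (the latter as root, since the fabfile sets it to mode 600) and pass their contents in; an empty list back means both issues from the thread are addressed.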
