
How to encrypt your website traffic - Free SSL Cert

Merrok

How to make your website secure
Since I see lots of OTS websites without TLS/SSL, meaning that on those websites your login name, email and password are transferred in plaintext, readable by anyone, here is a small tutorial on how easy it is to encrypt your website.

TLS certificates, commonly known as SSL certificates, ensure a secure connection between your webserver and the clients visiting your website and encrypt the traffic. Most of you might know it as "https".

TLS connections use port 443, while insecure connections run via port 80.
So in order to use TLS you need to open port 80 as well as port 443.
Do so using either ufw, iptables or whichever firewall you prefer.
We will redirect port 80 to port 443, but more on that later.

Please be aware that all examples are made using a Linux machine with nginx as the webserver.
If you are using a different OS or webserver, please google for the equivalent modifications.


We are going to use certificates by Let's Encrypt since they are free, have a high level of security and are trusted by all browsers.
First we need to install certbot, which is the software that will generate a signed certificate for us.


Preparation

Ubuntu:

Bash:
sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository universe
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install certbot


Debian:
Bash:
sudo apt-get update
sudo apt-get install certbot



Generating the Certificate
Now we will generate the certificate. To do so we need to stop the webserver for a moment.
Bash:
sudo service nginx stop
sudo certbot certonly


Now choose the option "Spin up a temporary webserver" by typing the corresponding number and pressing enter.
Simply follow the instructions.
Enter your e-mail address and hit enter.
Hit A and enter to agree to the ToS.
Next it will ask you whether you are willing to share your email to receive news. You might as well say No to that.
Now you can enter the domains you want a certificate for. You can enter multiple domains, but they all need to be hosted on the server you are on.
For example otland.net

Congratulations, you've got your first certificate. It will be stored in /etc/letsencrypt/live/otland.net

The certificate will be valid for 90 days, so you need to renew it. More on that later.

You will need to make a certificate for the domain as well as for all used subdomains, or if you like you can also make a wildcard certificate, which covers all your subdomains as well, but you will get a challenge in order to prove that you actually have control over the DNS entries.

When you are done, start your webserver again:
Bash:
sudo service nginx start


Adding additional protection
Next we are going to create a strong DH (Diffie-Hellman) group to further improve the security.
Bash:
sudo apt-get update
sudo apt-get install openssl
openssl dhparam -out /etc/nginx/dhparam.pem 4096


Configuring the webserver
Now we are configuring the webserver so that it uses not only the certificate but also the best practices.
Bash:
sudo nano /etc/nginx/sites-enabled/otland

This is just an example! Do not simply copy the whole config, but adapt it (location, root and index) to yours!

Bash:
server {
   listen       *:80;
   server_name  otland.net;
   return 301 https://$server_name$request_uri; # Redirects and forces https on port 443
}

server {
   listen         443 ssl;
   server_name   otland.net;
   ssl_certificate    /etc/letsencrypt/live/otland.net/fullchain.pem;
   ssl_certificate_key /etc/letsencrypt/live/otland.net/privkey.pem;
   ssl_protocols TLSv1.2 TLSv1.3; # If you are using an nginx version <1.13 remove TLSv1.3
   ssl_prefer_server_ciphers on;
   ssl_dhparam /etc/nginx/dhparam.pem;
   # ssl_ciphers only selects the TLS 1.2 suites; TLS 1.3 suites are fixed by OpenSSL, and names OpenSSL does not recognise are ignored
   ssl_ciphers TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:TLS-AES-128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
   ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
   ssl_session_timeout  10m;
   ssl_session_cache shared:SSL:10m;
   ssl_session_tickets off; # Requires nginx >= 1.5.9
   ssl_stapling on; # Requires nginx >= 1.3.7
   ssl_stapling_verify on; # Requires nginx >= 1.3.7
   resolver 8.8.8.8 8.8.4.4 valid=300s; # Used by OCSP stapling to reach the CA's responder
   resolver_timeout 5s;
   add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
   add_header X-Frame-Options DENY;
   add_header X-Content-Type-Options nosniff;
   add_header X-XSS-Protection "1; mode=block";

   root                /var/www/otland;

   index index.html;

   location / { # "location /" matches every path; "location \" is not a valid nginx location
      try_files $uri =404;
   }
}

Save and quit.

Now test your configuration using
Bash:
sudo nginx -t

If everything is fine, you can reload the webserver
Bash:
sudo service nginx reload


Renew the certificate
You can test the renewal with
Bash:
sudo service nginx stop
sudo certbot renew --dry-run
sudo service nginx start

Of course, to actually do it, you leave out the --dry-run.

You can also set up an automatic renewal using certbot-auto. But that is not part of this topic, so please google that :)


Adding a CAA DNS record
A CAA DNS record is an entry that specifies which certificate authorities are allowed to issue certificates for your domain.

Not every domain provider supports it yet, so check if yours does.
Simply add the entry

otland.net. CAA 0 issue "letsencrypt.org"


I hope this helps make the OT community a little more secure and prevents passwords from being stolen.
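The renewal section above says a certificate lasts 90 days and must be renewed in time. As an added example (not part of the original post), here is a small Python script that applies that rule: it parses the notAfter= line that openssl prints for a certificate and reports which domains need renewing. The domain names and dates are constructed for the example; only enddate_from_file() reads a real certificate, so you can point it at /etc/letsencrypt/live/<domain>/fullchain.pem on your own server.

```python
"""Decide whether a Let's Encrypt certificate is due for renewal.

Added example, not part of the original post. It parses the `notAfter=` line
printed by `openssl x509 -noout -enddate -in fullchain.pem` and applies the
rule from the tutorial: certificates last 90 days and must be renewed before
they expire (certbot's own default is to renew with 30 days left).
The sample lines and domain names below are constructed for this example.
"""
import subprocess
from datetime import datetime, timezone

RENEW_WITHIN_DAYS = 30  # certbot's default renewal threshold


def parse_not_after(line):
    """Turn 'notAfter=Sep 12 23:59:59 2024 GMT' into an aware UTC datetime."""
    key, _, value = line.strip().partition("=")
    if key != "notAfter":
        raise ValueError(f"expected a notAfter= line, got {line!r}")
    # openssl always prints the date in GMT; %Z consumes the literal 'GMT'.
    return datetime.strptime(value, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)


def renewal_status(enddate_line, now):
    """Return (days_left rounded to 0.1, needs_renewal, already_expired)."""
    not_after = parse_not_after(enddate_line)
    days_left = (not_after - now).total_seconds() / 86400
    return round(days_left, 1), days_left < RENEW_WITHIN_DAYS, days_left < 0


def due_for_renewal(enddate_lines, now):
    """Sorted list of domains whose certificate needs renewing."""
    return sorted(domain for domain, line in enddate_lines.items()
                  if renewal_status(line, now)[1])


def enddate_from_file(cert_path):
    """Ask openssl for the real notAfter line of a certificate on disk
    (for example /etc/letsencrypt/live/<domain>/fullchain.pem)."""
    out = subprocess.run(["openssl", "x509", "-noout", "-enddate", "-in", cert_path],
                         check=True, capture_output=True, text=True)
    return out.stdout.strip()


# Constructed sample: three domains with different remaining lifetimes.
NOW = datetime(2024, 8, 1, tzinfo=timezone.utc)
SAMPLE_CERTS = {
    "otland.test": "notAfter=Sep 12 23:59:59 2024 GMT",   # 43 days left, fine
    "soon.test": "notAfter=Aug 20 10:00:00 2024 GMT",     # 19 days left, renew
    "expired.test": "notAfter=Jul 30 00:00:00 2024 GMT",  # already expired
}

if __name__ == "__main__":
    for domain, line in SAMPLE_CERTS.items():
        days, renew, expired = renewal_status(line, NOW)
        state = "EXPIRED" if expired else ("renew now" if renew else "ok")
        print(f"{domain:14} {days:6.1f} days left  {state}")
    print("due:", due_for_renewal(SAMPLE_CERTS, NOW))
```

Run it from cron with `datetime.now(timezone.utc)` in place of the fixed NOW and a dictionary built from enddate_from_file() to get a daily list of certificates that certbot has not renewed yet; an expired certificate is exactly what players see as a browser warning, so the "EXPIRED" state is the one worth alerting on.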
 
Small addition:
To test your configuration you can use this website: ssllabs.com

With this configuration you should easily get an A+ :)
 
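ssllabs.com tests the live server from the outside. As an added example (not part of the original post), here is an offline complement in Python: a small linter that reads nginx server blocks and flags the settings the configuration above changes, such as a port-80 block that serves content instead of redirecting, legacy TLS versions, session tickets left on, missing OCSP stapling, or a weak HSTS header. It only understands the subset of nginx syntax used in this thread, and both sample configs are constructed for the example.

```python
"""Audit nginx server blocks for the TLS settings the tutorial recommends.

Added example, not part of the original post. It parses the nginx syntax used
in the thread (`directive args;`, `name { ... }`, quoted arguments) and reports
where a server block falls short of the hardened example. The two configs at
the bottom are constructed for this example.
"""
import re
import shlex

WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
ONE_YEAR = 365 * 24 * 3600  # smallest HSTS max-age the preload list accepts
# Group 1/2: statement text and its terminator (';' or '{'); group 3: a '}'.
# The quoted alternative lets a value like the HSTS header contain ';'.
TOKEN = re.compile(r'\s*((?:"[^"]*"|[^;{}"])+?)\s*(;|\{)|\s*(\})')

def parse_servers(config):
    """One dict per server block: directive -> list of argument lists.
    Directives of nested blocks (location ...) are folded into the server."""
    config = re.sub(r"#[^\n]*", "", config)  # drop comments
    servers, current, depth, server_depth = [], None, 0, 0
    for text, term, close in TOKEN.findall(config):
        if close:
            if current is not None and depth == server_depth:
                current = None  # left the server block
            depth -= 1
            continue
        words = shlex.split(text)
        if term == "{":
            depth += 1
            if words and words[0] == "server":
                current, server_depth = {}, depth
                servers.append(current)
        elif current is not None and words:
            current.setdefault(words[0], []).append(words[1:])
    return servers

def header_value(server, name):
    """Value of the first add_header with the given (case-insensitive) name."""
    for args in server.get("add_header", []):
        if args and args[0].lower() == name.lower():
            return " ".join(args[1:])
    return None

def audit_server(server):
    """Findings for one server block; an empty list means it matches the guide."""
    arg = lambda directive: server.get(directive, [None])[0]  # first occurrence
    name = (arg("server_name") or ["<unnamed>"])[0]
    findings = []
    if not any("ssl" in " ".join(l) for l in server.get("listen", [])):
        # Plain-HTTP block: its only job should be the redirect to https.
        ret = arg("return") or []
        if not (len(ret) >= 2 and ret[0] in ("301", "308") and ret[1].startswith("https://")):
            findings.append(f"{name}: port-80 block serves content instead of redirecting to https")
        return findings
    protos = set(arg("ssl_protocols") or [])
    if not protos:
        findings.append(f"{name}: ssl_protocols not pinned to TLSv1.2 TLSv1.3")
    if protos & WEAK_PROTOCOLS:
        findings.append(f"{name}: legacy protocols enabled: " + ", ".join(sorted(protos & WEAK_PROTOCOLS)))
    if arg("ssl_session_tickets") != ["off"]:
        findings.append(f"{name}: ssl_session_tickets not off (unrotated ticket keys weaken forward secrecy)")
    if arg("ssl_stapling") != ["on"]:
        findings.append(f"{name}: OCSP stapling not enabled")
    hsts = header_value(server, "Strict-Transport-Security")
    if hsts is None:
        findings.append(f"{name}: no Strict-Transport-Security header")
    else:
        age = re.search(r"max-age=(\d+)", hsts)
        if not age or int(age.group(1)) < ONE_YEAR:
            findings.append(f"{name}: HSTS max-age shorter than one year")
        if "includesubdomains" not in hsts.lower():
            findings.append(f"{name}: HSTS without includeSubDomains")
    return findings

def audit_config(config):
    """All findings for every server block in a config string."""
    return [f for server in parse_servers(config) for f in audit_server(server)]

# Constructed samples: a typical "it works" config and the hardened shape.
WEAK_CONFIG = """
server { listen 80; server_name example.test; root /var/www/example; }
server {
    listen 443 ssl; server_name example.test;
    ssl_certificate /etc/letsencrypt/live/example.test/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.test/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    add_header Strict-Transport-Security "max-age=3600";
    root /var/www/example;
}
"""
HARDENED_CONFIG = """
server { listen *:80; server_name example.test; return 301 https://$server_name$request_uri; }
server {
    listen 443 ssl; server_name example.test;
    ssl_certificate /etc/letsencrypt/live/example.test/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.test/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_session_tickets off; ssl_stapling on; ssl_stapling_verify on;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    root /var/www/example;
    location / { try_files $uri =404; }
}
"""
```

Calling audit_config(open("/etc/nginx/sites-enabled/otland").read()) on your own file gives the list of findings; the weak sample produces six, the hardened one none. The parser folds location directives into the server dict, which is enough for these checks but means a per-location override of a header would not be distinguished from a server-level one.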


Wow very nice, didn't know it could be free.. some devs tried to fool me with some BS costs...
It kinda works... All websites get redirected to https... but it only shows:

"
403 Forbidden

nginx/1.14.0 (Ubuntu)
"

Sup?
 
Does your www-data user have access to all files needed, including the TLS keys?
And did you configure the path correctly?
And have you tried a different browser? The problem with this configuration is that very old devices and browsers will not be able to connect anymore since they cannot handle the protocol.
 
Does your www-data user have access to all files needed, including the TLS keys?
And did you configure the path correctly?
And have you tried a different browser? The problem with this configuration is that very old devices and browsers will not be able to connect anymore since they cannot handle the protocol.

As far as I know I haven't made any errors... Got Discord by any chance?
I guess it would make stuff a lot easier.
 
Please note that you should not simply copy the configuration but adapt yours based on the additions in my example.
 
There is no security on Windows.
There is, but it will depend on which service you are using for hosting.
Platform does not matter. If it's for local hosting through XAMPP, for example, there are plenty of tutorials that explain how to install an SSL certificate.

@Merrok It's nice of you to guide people around security. But people should first understand SSL and then practice it.
Nice work anyway!
 
There is, but it will depend on which service you are using for hosting.
Platform does not matter. If it's for local hosting through XAMPP, for example, there are plenty of tutorials that explain how to install an SSL certificate.
No there isn't. You cannot emulate the security of a Linux/Unix environment on any Windows platform, including any version of Windows Server.
XAMPP and any application that runs off of Microsoft software is a big fat joke on its users right down to its supportive partition.

And XAMPP isn't meant for serious back-end development, let alone production.
 
COULD YOU ADD TUTORIAL FOR WINDOWS? GREAT CONTRIBUTION
I can look into that, but for better performance an OT should run on a Linux distribution anyway. Although Windows has its advantages. But I'm not very familiar with Windows Servers.

There is no security on Windows.
That's not true. I've never worked with a Windows Server, but the normal Windows OS is actually a lot more secure than any Linux distribution.

@Merrok It's nice of you to guide people around security. But people should first understand SSL and then practice it.
Nice work anyway!
Thank you, I explained it a little bit here and a little more in my other thread about cryptography. Maybe you are right, but TLS as a whole is quite complicated, and understanding the basics and how to practice it should be enough to use it. And everyone should use it!

XAMPP and any application that runs off of Microsoft software is a big fat joke on its users right down to its supportive partition.

And XAMPP isn't meant for serious back-end development, let alone production.
That is true. Using XAMPP is unnecessary, and especially services like phpMyAdmin are a risk by themselves.
 
That's not true. I've never worked with a Windows Server, but the normal Windows OS is actually a lot more secure than any Linux distribution.
Either you're trolling or you're very naive. If Windows was more secure than Linux/Unix then the world would not be using Linux/Unix on most of its own sensitive infrastructure.
 
This is not a discussion thread about topics like Windows vs Linux. Let's please not continue that here.
 
thank you a lot
 
Are you trying to imply something?
No, just posted what I found myself. Not complaining or even going against him. From there you can choose other things than nginx/other systems, just thought that would help others that are not using Ubuntu or Debian, as an example. "I'm using" nginx "on system" Mac OS.
 
A small addition worth mentioning, which I will also use to bump the thread now since it is important after all:
Since the GDPR in Europe, you are obligated to encrypt your website traffic if you are transferring any kind of personal data. That includes not just your users' names or dates of birth but also their e-mail addresses.
So besides the advantage of encrypting any transferred passwords so that no one is able to read them and "hack" your users, you also have to do this by law if you are hosting in Europe.
 