Merrok
How to make your website secure
Since I see lots of OTS websites without TLS/SSL, meaning that on those websites your login name, email and password are transferred in plaintext, readable by anyone on the network path, here is a small tutorial on how easy it is to encrypt the traffic to your website.
TLS (still commonly called SSL) certificates let a browser verify that it is really talking to your web server, and the TLS connection then encrypts the traffic. Most of you know it as "https".
TLS connections use port 443, while unencrypted HTTP connections use port 80.
So in order to use TLS you need to open port 443 in addition to port 80. Port 80 stays open because plain-HTTP visitors are redirected from there to HTTPS, and because Let's Encrypt connects to port 80 to verify that you control the domain.
Do so using ufw, iptables or whichever firewall you prefer.
We will redirect port 80 to port 443, but more on that later.
Please be aware that all examples assume a Linux machine with nginx as the web server.
If you are using a different OS or web server, look up the equivalent steps for it.
We are going to use certificates from Let's Encrypt since they are free, issued automatically, and trusted by all major browsers.
First we need to install certbot, the ACME client that requests the signed certificate from Let's Encrypt for us.
Preparation
Ubuntu:
Bash:
sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository universe
sudo add-apt-repository ppa:certbot/certbot # The certbot PPA has since been retired; on current Ubuntu releases skip this line, the universe package is enough
sudo apt-get update
sudo apt-get install certbot
Debian:
Bash:
sudo apt-get update
sudo apt-get install certbot
Generating the Certificate
Now we will generate the certificate. To do so we need to stop the web server for a moment, because certbot's temporary web server has to listen on port 80 itself for the verification.
Bash:
sudo service nginx stop
sudo certbot certonly
Now choose the option "Spin up a temporary webserver" by hitting the corresponding number and press enter.
Simply follow the instructions.
Enter your E-Mail address and hit enter. Let's Encrypt uses it to warn you before a certificate expires.
Hit A and enter to agree to the ToS.
Next it will ask whether you are willing to share your email address to receive news. You might as well say No to that.
Now you can enter the domains you want a certificate for. You can enter multiple domains, but every one of them must already resolve (A/AAAA record) to the public IP of the server you are on, because Let's Encrypt verifies them by connecting to port 80 there.
For example otland.net
Congratulations, you've got your first certificate. It will be stored in
/etc/letsencrypt/live/otland.net
(fullchain.pem is the certificate plus the Let's Encrypt intermediate, privkey.pem is the private key; leave the private key readable by root only.)
The certificate will be valid for 90 days, so you need to renew it. But more on that later.
You will need a certificate that covers the domain as well as every subdomain you use (list them all with the same command, or request them as separate certificates). Alternatively you can make a wildcard certificate, which covers all subdomains, but wildcards are only issued via the DNS-01 challenge: certbot will ask you to create a TXT record under _acme-challenge.<domain> to prove that you control the DNS zone, and the temporary web server method cannot do that.
When you are done run your webserver again
Bash:
sudo service nginx start
Adding additional protection
Next we are going to create a strong DH (Diffie-Hellman) group to further improve the security. It is only used by the DHE cipher suites (the ECDHE suites do not need it): without this file, nginx before 1.11.0 used a built-in 1024-bit group, which is too weak today, and newer versions simply disable the DHE suites.
Bash:
sudo apt-get update
sudo apt-get install openssl
sudo openssl dhparam -out /etc/nginx/dhparam.pem 4096 # Writing into /etc/nginx needs root; generating a 4096-bit group can take a long time, from minutes up to an hour depending on the CPU
Configuring the webserver
Now we are configuring the web server so that it uses not only the certificate but also the current best-practice settings.
Bash:
sudo nano /etc/nginx/sites-enabled/otland
This is just an example! Do not simply copy the whole config but adapt it (server_name, the certificate paths, root, index and location) to yours!
Bash:
server {
    listen *:80;
    server_name otland.net;
    return 301 https://$server_name$request_uri; # Redirects and forces https on port 443
}
server {
    listen 443 ssl;
    server_name otland.net;
    ssl_certificate /etc/letsencrypt/live/otland.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/otland.net/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/otland.net/chain.pem; # Issuer chain; needed so that ssl_stapling_verify can check the OCSP response
    ssl_protocols TLSv1.2 TLSv1.3; # If you are using a nginx version <1.13 (or OpenSSL older than 1.1.1) remove TLSv1.3
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/dhparam.pem;
    # TLS 1.2 suites in OpenSSL naming. The TLS 1.3 suites are fixed and are not selected by ssl_ciphers, and suites such as "ECDHE-RSA-AES256-GCM-SHA512" do not exist: OpenSSL silently drops names it does not know, so such entries only give a false sense of control.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_ecdh_curve X25519:prime256v1:secp384r1; # A curve list requires nginx >= 1.11.0 built with OpenSSL 1.0.2 or later; on older builds use a single curve such as secp384r1
    ssl_session_timeout 10m;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off; # Requires nginx >= 1.5.9
    ssl_stapling on; # Requires nginx >= 1.3.7. Let's Encrypt has announced the end of its OCSP service in favour of CRLs, so for newer certificates there is nothing to staple; leaving it on is harmless
    ssl_stapling_verify on; # Requires nginx >= 1.3.7
    resolver 8.8.8.8 8.8.4.4 valid=300s; # Used to look up the OCSP responder; point it at a local resolver if you run one
    resolver_timeout 5s;
    # Note: add_header lines are inherited only if a location block sets no add_header of its own; if you add headers inside a location, repeat these there.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always; # "always" (nginx >= 1.7.5) also sends it on error pages. preload is practically irreversible: add it only once every subdomain works over https
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block"; # Legacy header; current browsers have removed the filter it controlled, and OWASP now recommends the value 0
    root /var/www/otland;
    index index.html;
    location / {
        try_files $uri $uri/ =404;
    }
}
Save and quit.
Now test your configuration using
Bash:
sudo nginx -t
If everything is fine, you can reload the webserver
Bash:
sudo service nginx reload
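To verify that the configuration behaves as intended once it is live, here is an added check script (example code written for this page, not part of the original post). It assumes the host name otland.net from the example; the two header samples inside it are constructed, not captured from a real server. The header checks run offline, the `live` mode needs network access plus curl and openssl.

```shell
#!/usr/bin/env bash
# Added check script for the nginx configuration above (example code, not from the
# original post). HOST is an assumption; the SAMPLE_* responses are constructed, not
# captured from a real server.
set -euo pipefail
HOST=${HOST:-otland.net}

# Reads HTTP response headers on stdin. Succeeds only when the port-80 answer is a 301
# whose Location points at the https version of the same host, as the first server
# block above is meant to produce.
redirect_ok() {
    awk -v host="$1" '
        NR == 1 && $2 == "301" { status = 1 }
        tolower($1) == "location:" && index($2, "https://" host "/") == 1 { loc = 1 }
        END { exit !(status && loc) }'
}

# Reads response headers on stdin. Succeeds when the HSTS header meets the requirements
# of the browser preload list that the "preload" token asks to join: max-age of at least
# one year (31536000 s) plus includeSubDomains and preload. Anything less is rejected by
# hstspreload.org while the header is still enforced by browsers.
hsts_preload_ready() {
    awk '
        tolower($1) == "strict-transport-security:" {
            line = tolower($0)
            if (match(line, /max-age=[0-9]+/)) age = substr(line, RSTART + 8, RLENGTH - 8) + 0
            if (line ~ /includesubdomains/) subs = 1
            if (line ~ /preload/) pre = 1
        }
        END { exit !(age >= 31536000 && subs && pre) }'
}

# Live checks against the real host (needs network, curl and openssl): TLS 1.0 and 1.1
# must be refused because ssl_protocols only lists 1.2 and 1.3, port 80 must redirect,
# and the https response must carry a preload-ready HSTS header.
live_checks() {
    local v
    for v in tls1 tls1_1; do
        if openssl s_client -connect "$HOST:443" -servername "$HOST" "-$v" </dev/null >/dev/null 2>&1; then
            echo "FAIL: $HOST still accepts $v"; return 1
        fi
    done
    curl -sI "http://$HOST/"  | redirect_ok "$HOST" || { echo "FAIL: no 301 to https"; return 1; }
    curl -sI "https://$HOST/" | hsts_preload_ready  || { echo "FAIL: HSTS not preload-ready"; return 1; }
    echo "OK: $HOST"
}

# Constructed samples showing what the checks accept; run with "live" to test the real host.
SAMPLE_80=$'HTTP/1.1 301 Moved Permanently\r\nServer: nginx\r\nLocation: https://otland.net/\r\n'
SAMPLE_443=$'HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=63072000; includeSubDomains; preload\r\n'
if [ "${1:-}" = live ]; then
    live_checks
else
    printf '%s' "$SAMPLE_80"  | redirect_ok otland.net && echo "sample port-80 response: redirect OK"
    printf '%s' "$SAMPLE_443" | hsts_preload_ready    && echo "sample HSTS header: preload-ready"
fi
```

Run it as `bash check.sh live` after the reload; an HSTS header with a shorter max-age than a year is a common reason why a preload submission is refused even though browsers honour the header.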
Renew the certificate
You can test the renewal by
Bash:
sudo service nginx stop
sudo certbot renew --dry-run
sudo service nginx start
Of course to actually do it, you leave out the
--dry-run
The web server has to be stopped because we used certbot's temporary web server for the verification, and it needs port 80 again. Instead of stopping nginx by hand every time, you can tell certbot to do it: run the renewal once with --pre-hook "service nginx stop" --post-hook "service nginx start"; certbot stores the hooks in /etc/letsencrypt/renewal/otland.net.conf and uses them for every later renewal, including the automatic ones. The certbot package from the distribution already installs a systemd timer (or cron job) that runs certbot renew twice a day and renews every certificate with less than 30 days left, so no extra scheduling is needed. certbot-auto, the old self-updating script, has been discontinued by the Certbot project and should not be used any more.
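The post obtains the certificate with certbot's temporary web server and therefore has to stop nginx for the first issuance and for every renewal. As an added example (written for this page, not the author's procedure), here is the same issuance and renewal done with certbot's webroot authenticator, which puts the challenge file under the site's document root so nginx keeps running, together with a small expiry check that can run from cron or a monitoring system. DOMAIN, WEBROOT and EMAIL are assumptions taken from the example configuration, the www name is assumed to exist, and the date arithmetic assumes GNU date.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: issue and renew with certbot's webroot
# authenticator so nginx stays up, and check how many days a certificate file has left.
# DOMAIN, WEBROOT and EMAIL are assumptions; drop -d "www.$DOMAIN" if you have no www record.
set -euo pipefail

DOMAIN=${DOMAIN:-otland.net}            # assumption: the post's example domain
WEBROOT=${WEBROOT:-/var/www/otland}     # assumption: same root as in the nginx config
EMAIL=${EMAIL:-hostmaster@otland.net}   # assumption: where Let's Encrypt sends expiry warnings

# First issuance. nginx must already serve http://$DOMAIN/.well-known/acme-challenge/
# from $WEBROOT on port 80; certbot drops the challenge file there instead of binding
# port 80 itself, so the site stays up. The deploy hook is stored in the renewal config
# and runs after every successful renewal so nginx loads the new files.
issue_cert() {
    certbot certonly --webroot -w "$WEBROOT" \
        -d "$DOMAIN" -d "www.$DOMAIN" \
        -m "$EMAIL" --agree-tos --no-eff-email --non-interactive \
        --deploy-hook "systemctl reload nginx"
}

# Renewal. The distribution package already installs a timer that runs this twice a
# day; --dry-run exercises the whole flow against the staging environment without
# replacing anything.
renew_cert() {
    certbot renew --quiet "$@"
}

# Days until the certificate in file $1 expires (integer, negative once it has expired).
# Uses openssl and GNU date only, so it works as a monitoring check independent of certbot.
cert_days_left() {
    local enddate end_epoch now_epoch
    enddate=$(openssl x509 -in "$1" -noout -enddate)   # e.g. notAfter=Jun 18 12:00:00 2030 GMT
    enddate=${enddate#notAfter=}
    end_epoch=$(date -u -d "$enddate" +%s)
    now_epoch=$(date -u +%s)
    echo $(( (end_epoch - now_epoch) / 86400 ))
}

# Exit 0 if the certificate in file $1 still has more than $2 days (default 30, which is
# certbot's own renewal threshold); exit 1 so that a cron job or monitor can alert, which
# catches a renewal that has been failing silently before the site goes down.
check_cert() {
    local days
    days=$(cert_days_left "$1")
    echo "$1: $days days left"
    [ "$days" -gt "${2:-30}" ]
}

case "${1:-}" in
    issue)   issue_cert ;;
    renew)   renew_cert ;;
    dry-run) renew_cert --dry-run ;;
    check)   check_cert "/etc/letsencrypt/live/$DOMAIN/cert.pem" ;;
    *)       echo "usage: $0 issue|renew|dry-run|check" ;;
esac
```

A certificate that reports less than 30 days left under `check` means the automatic renewal is not working (wrong webroot, port 80 blocked, hooks failing); `certbot renew --dry-run` then shows the actual error.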
Adding a CAA DNS record
A CAA DNS record is an entry that specifies which certificate authorities are allowed to issue certificates for your domain. Every publicly trusted CA is required to check it before issuing (a CA/Browser Forum rule since 2017), so an attacker who manages to pass domain validation at some other CA still cannot get a certificate for your name.
Not every DNS provider supports it yet, so check if yours does.
Simply add the entry at the apex of your zone; it also covers every subdomain that has no CAA record of its own:
otland.net. CAA 0 issue "letsencrypt.org"
Note that an issue record alone also permits wildcard certificates from that CA. If you want to forbid wildcards, add an issuewild record with the value ";" as well; wildcard requests are governed by issuewild records whenever any exist.
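To show what the record above actually does, here is an added example (not from the original post) that applies the RFC 8659 decision rules to a constructed set of CAA records: the closest name with any CAA records decides, a wildcard request is governed by issuewild records when any exist and by issue records otherwise, an empty value ";" forbids every CA, and a name with no CAA records anywhere up the tree is unrestricted. The zone data is made up for the example and is not otland.net's real DNS; real lookups, CNAME handling and the DNSSEC side are not modelled.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): decide whether a CA may issue for a name
# from a set of CAA records, following the RFC 8659 rules. ZONE is a constructed data
# set; otland.net is used only because it is the post's example domain.
set -euo pipefail

ZONE='otland.net.      CAA 0 issue "letsencrypt.org"
otland.net.      CAA 0 issuewild ";"
otland.net.      CAA 0 iodef "mailto:hostmaster@otland.net"
shop.otland.net. CAA 0 issue "digicert.com; validationmethods=dns-01"
blog.otland.net. CAA 0 iodef "mailto:hostmaster@otland.net"'

# Print the CAA RRset of $1 or, if it has none, of its closest ancestor that has one.
# Returns 1 when no name in the chain has CAA records (issuance is then unrestricted).
caa_relevant_set() {
    local name=$1 hits
    while [ -n "$name" ]; do
        hits=$(printf '%s\n' "$ZONE" | awk -v n="$name." '$1 == n && $2 == "CAA"')
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits"
            return 0
        fi
        case $name in
            *.*) name=${name#*.} ;;   # climb one label: shop.otland.net -> otland.net
            *)   name= ;;
        esac
    done
    return 1
}

# caa_permits <name> <ca-domain> [wildcard] -> exit 0 if the CA may issue, 1 if not.
caa_permits() {
    local name=$1 ca=$2 wildcard=${3:-} rrset tag
    rrset=$(caa_relevant_set "$name") || return 0   # no CAA anywhere: any CA may issue

    # Wildcard requests use the issuewild records when any exist, otherwise they fall
    # back to the issue records. Non-wildcard requests use the issue records only.
    tag=issue
    if [ "$wildcard" = wildcard ] && printf '%s\n' "$rrset" | awk '$4 == "issuewild" { f = 1 } END { exit !f }'; then
        tag=issuewild
    fi

    # No record with the governing tag: unrestricted. Otherwise one of them must name
    # the CA; the value ";" becomes "" and so matches nobody.
    printf '%s\n' "$rrset" | awk -v tag="$tag" -v ca="$ca" '
        $4 != tag { next }
        {
            seen = 1
            v = $5                                  # value may contain spaces after a ";"
            for (i = 6; i <= NF; i++) v = v " " $i
            gsub(/"/, "", v)                        # strip the quotes of the presentation format
            sub(/;.*$/, "", v)                      # drop parameters such as validationmethods=
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (v == ca) ok = 1
        }
        END { exit (seen && !ok) }'
}

show() {   # prints the decision for one query
    if caa_permits "$@"; then echo "allow: $*"; else echo "deny:  $*"; fi
}
show otland.net letsencrypt.org            # allow: apex issue record names the CA
show otland.net digicert.com               # deny:  issue records exist and none names it
show otland.net letsencrypt.org wildcard   # deny:  issuewild ";" forbids all wildcards
show shop.otland.net digicert.com          # allow: own record wins over the apex
show shop.otland.net letsencrypt.org       # deny:  own record lists a different CA
show blog.otland.net letsencrypt.org       # allow: only iodef present, issue unrestricted
show other.example letsencrypt.org         # allow: no CAA anywhere in the tree
```

The shop.otland.net case is the one to remember: a CAA record on a subdomain replaces the apex record entirely rather than narrowing it, so a subdomain delegated to another team can silently re-open issuance to CAs the apex forbids.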
I hope this helps make the OT community a little more secure and prevents passwords from being stolen.