An updated look at the BigDino web stack


#1

It’s been some time since I’ve done a good ol’ infrastructure post, and the Bigdinosaur.org web stack has evolved a bit over the course of 2018. We’re still using HAProxy, Varnish, and Nginx, but the way these applications connect and how they communicate is very different from my 2017-era config. Let’s dive in!



#2
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS

A few comments from a TLS pedant:

  1. I prefer setting explicit cipher suites instead of including and excluding algorithms piecemeal so you know exactly what you’re getting. In other words, avoid using + and ! and just list the cipher suites.
  2. Forget about DHE. It’s removed from Chrome, hidden behind a fallback in Safari, and it will be removed from Firefox soon (there’s a confirmed bug report about removing it). Bonus: you don’t need to generate a dhparam file anymore.
  3. How about shiny new stuff like Chacha20, X25519, and TLSv1.3? You mentioned using Ubuntu 16.04 so you probably can’t use them, but at least they deserve a mention in the article text.

For the record, this is my nginx configuration:

ssl_protocols TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA';
ssl_ecdh_curve X25519:P-256:P-384;
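
As an added illustration of point 1 (explicit lists vs. piecemeal + and ! selectors), and not code from either poster: this script feeds both cipher strings from this thread to the local OpenSSL through Python's ssl module and groups the resulting TLS 1.2 suites by key exchange, so you can see that the HAProxy-style string quietly enables DHE and static-RSA (non-forward-secret) suites that the explicit nginx list does not. The exact suite names depend on the OpenSSL build Python is linked against; the classification is by OpenSSL suite-name prefix, which is an assumption of this example.

```python
import ssl

# The two cipher strings discussed in this thread.
HAPROXY_PIECEMEAL = ("ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:"
                     "DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS")
NGINX_EXPLICIT = ("ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
                  "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
                  "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
                  "ECDHE-RSA-AES128-SHA")


def expand(cipher_string):
    """Ask the local OpenSSL which TLS <= 1.2 suites a cipher string selects, in priority order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    # TLS 1.3 suites (TLS_AES_..., TLS_CHACHA20_...) are reported regardless of the
    # string and are configured separately, so leave them out of the comparison.
    return [c["name"] for c in ctx.get_ciphers() if not c["name"].startswith("TLS_")]


def key_exchange(name):
    """Classify a suite by its OpenSSL name: ECDHE, DHE, or static RSA (no forward secrecy)."""
    if name.startswith("ECDHE-"):
        return "ECDHE"
    if name.startswith("DHE-"):
        return "DHE"
    return "RSA"


def audit(cipher_string):
    """Return {key_exchange: [suites]} so you can see exactly what a string enables."""
    groups = {"ECDHE": [], "DHE": [], "RSA": []}
    for name in expand(cipher_string):
        groups[key_exchange(name)].append(name)
    return groups


def extra_suites(piecemeal, explicit):
    """Suites the piecemeal string turns on that the explicit list does not."""
    return sorted(set(expand(piecemeal)) - set(expand(explicit)))


if __name__ == "__main__":
    for label, s in (("HAProxy (piecemeal)", HAPROXY_PIECEMEAL), ("nginx (explicit)", NGINX_EXPLICIT)):
        print(label)
        for kx, suites in audit(s).items():
            print(f"  {kx:5} {len(suites):2}  {' '.join(suites)}")
    print("Enabled only by the piecemeal string:", extra_suites(HAPROXY_PIECEMEAL, NGINX_EXPLICIT))
```

Run it against the OpenSSL you actually deploy with; the point is that the piecemeal string's answer changes from build to build, while the explicit list can only shrink.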

#3

Excellent points all. The version of HAProxy I’m using is from the Debian maintainers’ PPA and it’s unfortunately built with OpenSSL 1.0.2g; I’d rather not compile HAProxy myself with 1.1.1 because I very much prefer sticking to repos for my major infrastructure applications (just feels better to have another set of eyes on the build configuration).

The production config as-is still scores an A+ on SSL Labs’ test, but I’ll definitely be evolving it as time moves on.