It’s been some time since I’ve done a good ol’ infrastructure post, and the Bigdinosaur.org web stack has evolved a bit over the course of 2018. We’re still using HAProxy, Varnish, and Nginx, but the way these applications connect and how they communicate is very different from my 2017-era config. Let’s dive in!
A few comments from a TLS pedant:
- I prefer setting explicit cipher suites instead of including and excluding algorithms piecemeal so you know exactly what you’re getting. In other words, avoid using `!` and just list the cipher suites.
- Forget about DHE. It’s removed from Chrome, hidden behind a fallback in Safari, and it will be removed from Firefox soon (there’s a confirmed bug report about removing it). Bonus: you don’t need to generate a dhparam file anymore.
- How about shiny new stuff like Chacha20, X25519, and TLSv1.3? You mentioned using Ubuntu 16.04 so you probably can’t use them, but at least they deserve a mention in the article text.
For the record, this is my nginx configuration:
ssl_protocols TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA';
ssl_ecdh_curve X25519:P-256:P-384;
Excellent points all. The version of HAProxy I’m using is from the Debian maintainers’ PPA and it’s unfortunately built with OpenSSL 1.0.2g; I’d rather not compile HAProxy myself with 1.1.1 because I very much prefer sticking to repos for my major infrastructure applications (just feels better to have another set of eyes on the build configuration).
The production config as-is still scores an A+ on SSL Labs’ test, but I’ll definitely be evolving it as time moves on.