security scores and TLS config

Posted by jstephens 
jstephens
security scores and TLS config
July 10, 2018 02:10PM
Hello,
With some experience in F5 and NetScaler world but still new to Nginx I have
been tasked with migrating 50+ public URLs to NGINX Plus configured as
keepalived HA pair. What would be the best SSL configuration to achieve the highest
security scores from Qualys SSLLabs or BitSight? Can someone recommend or
share a current best SSL config?

Also, as for overall design, what is an optimal design in such a case?
1. Single keepalived IP with server_name directives or separate IP for each
URL? If separate IPs, do I have to list them in keepalived config?
2. Is a single SSL config file possible to share the same encryption settings
across all URLs?

Obviously my goal here is to achieve high availability with A+ security
scores.

Any help will be highly appreciated.
Jay

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,280475,280475#msg-280475

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Ray Cote
Re: security scores and TLS config
July 10, 2018 04:00PM
On Tue, Jul 10, 2018 at 8:07 AM, jstephens <[email protected]>
wrote:

> What would be the best SSL configuration to achieve the highest
> security scores from Qualys SSLLabs or BitSight? Can someone recommend or
> share a current best SSL config?
>

Recommend you start with the Mozilla TLS configuration page.
Mozilla Modern is the way to go (assuming all your clients use new enough
browsers).
https://wiki.mozilla.org/Security/Server_Side_TLS
--Ray
Maxim Konovalov
Re: security scores and TLS config
July 10, 2018 06:00PM
Hi Jay,

On 10/07/2018 15:07, jstephens wrote:
> Hello,
> With some experience in F5 and NetScaler world but still new to Nginx I have
> been tasked with migrating 50+ public URLs to NGINX Plus configured as
> keepalived HA pair. What would be the best SSL configuration to achieve the highest
> security scores from Qualys SSLLabs or BitSight? Can someone recommend or
> share a current best SSL config?
>
> Also, as for overall design, what is an optimal design in such a case?
> 1. Single keepalived IP with server_name directives or separate IP for each
> URL? If separate IPs, do I have to list them in keepalived config?
> 2. Is a single SSL config file possible to share the same encryption settings
> across all URLs?
>
> Obviously my goal here is to achieve high availability with A+ security
> scores.
>
I'd suggest reaching out to nginx-plus support with your inquiry.

Thanks,

Maxim

--
Maxim Konovalov
jstephens
Re: security scores and TLS config
July 11, 2018 02:00AM
Thanks Ray, the SSL Configuration Generator looks really good and modern
config is what I was looking for, I guess.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,280475,280487#msg-280487
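
Added example, not part of the thread and not taken from the Mozilla page: one way to keep a single TLS policy for many name-based virtual hosts behind one listening address, which is what the two design questions above ask about. Host names, file paths, backend addresses and the cipher list are constructed placeholders; the cipher list in particular should be replaced with the current output of the Mozilla generator.

```nginx
# Constructed example. All names, paths and addresses are placeholders.
events {}

http {
    # Shared TLS policy. ssl_* directives set in http{} are inherited by
    # every server{} below unless that server sets the directive itself.
    # The same lines can live in one file pulled in with "include".
    ssl_protocols TLSv1.2;            # add TLSv1.3 where nginx/OpenSSL support it
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:TLS:10m; # one session cache for all vhosts
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # HSTS for every TLS vhost. Caveat: add_header is inherited only when
    # the lower level defines no add_header of its own, so a server{} or
    # location{} that adds any header must repeat this line.
    add_header Strict-Transport-Security "max-age=63072000" always;

    # Name-based (SNI) virtual hosts sharing one listening socket.
    server {
        listen 443 ssl;
        server_name app1.example.com;
        ssl_certificate     /etc/nginx/tls/app1.example.com.crt;
        ssl_certificate_key /etc/nginx/tls/app1.example.com.key;
        location / { proxy_pass http://127.0.0.1:8081; }
    }

    server {
        listen 443 ssl;
        server_name app2.example.com;
        ssl_certificate     /etc/nginx/tls/app2.example.com.crt;
        ssl_certificate_key /etc/nginx/tls/app2.example.com.key;
        location / { proxy_pass http://127.0.0.1:8082; }
    }

    # Plain HTTP only redirects to HTTPS.
    server {
        listen 80;
        server_name app1.example.com app2.example.com;
        return 301 https://$host$request_uri;
    }
}
```

`nginx -T` prints the effective configuration with all includes expanded, which makes it easy to confirm that no individual server block overrides the shared protocol or cipher settings.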
