Currently Viewing Posts Tagged config

How to get a perfect SSL Labs score

It is easy to get an A+ on your website. But it is a little harder to get all four parts, Certificate, Protocol Support, Key Exchange, and Cipher Strength, to 100%.

Most of the time, I got an A+ rating for my site. For the individual scores, the last two were 90%.

Let me break it down.

Certificate

It is pretty easy to get 100% here.

  • Make sure your certificate, intermediate certificate and CA certificate are in the correct order.
  • Don't use SHA1 for the signature algorithm. Use SHA256 instead. Actually, all major CAs are using SHA256 now.
  • Use a trusted CA. Do not use WoSign or StartCom.

Protocol Support

  • SSL 2.0 0%
  • SSL 3.0 80%
  • TLS 1.0 90%
  • TLS 1.1 95%
  • TLS 1.2 100%

So it is best to use only TLS 1.2.

Key Exchange

Make strong DHE (Ephemeral Diffie-Hellman) parameters.

openssl dhparam -out /etc/nginx/ssl/dhparam.pem 4096

That is not enough. Add the following to the Nginx settings.

ssl_ecdh_curve secp384r1;

Cipher Strength

  • 0 bits (no encryption) 0%
  • < 128 bits (e.g., 40, 56) 20%
  • < 256 bits (e.g., 128, 168) 80%
  • >= 256 bits (e.g., 256) 100%

So I just use 256-bit cipher suites.

Here is a test site I tried today, 2018-08-11. It is A+ with four 100% scores.

Here is the most important part of the Nginx config file. I put it all together.

ssl_certificate /etc/nginx/ssl/whovpn.com/fullchain;
ssl_certificate_key /etc/nginx/ssl/whovpn.com/key;
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;

ssl_dhparam /etc/nginx/ssl/dhparam.pem;

# modern configuration. tweak to your needs.
ssl_protocols TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384';
ssl_prefer_server_ciphers on;

ssl_ecdh_curve secp384r1;

# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security max-age=15768000;

# OCSP Stapling ---
# fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
ssl_stapling_verify on;

## verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/nginx/ssl/whovpn.com/fullchain;

resolver 8.8.8.8;
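To see how the scoring rules above apply to a config before running it through SSL Labs, here is a small checker that parses the TLS-related directives and rates them the way the post describes. This is an added example, not code from the original post: the percentages are taken from the post's Protocol Support and Cipher Strength lists, CIPHER_BITS is a simplified key-size table for OpenSSL cipher-name fragments written for this example, and the two sample configs at the bottom are constructed (a weak one beside the post's hardened one).

```python
"""Score an Nginx TLS configuration against the SSL Labs scoring rules
listed in the post.  Added example, not code from the original post.
Assumptions: the percentages are copied from the post's Protocol Support
and Cipher Strength lists, CIPHER_BITS is a simplified key-size table for
OpenSSL cipher-name fragments, and the two configs at the bottom are
constructed samples (a weak one beside the post's hardened one)."""

PROTOCOL_SCORES = {"SSLv2": 0, "SSLv3": 80, "TLSv1": 90, "TLSv1.1": 95, "TLSv1.2": 100}

CIPHER_BITS = [  # (name fragment, symmetric key bits); first match wins
    ("NULL", 0), ("CHACHA20", 256), ("AES256", 256), ("CAMELLIA256", 256),
    ("AES128", 128), ("CAMELLIA128", 128), ("DES-CBC3", 168), ("RC4", 128),
    ("DES", 56), ("EXP", 40), ("RC2", 40),
]


def cipher_strength_score(bits):
    """Map a symmetric key size to the post's Cipher Strength percentage."""
    if bits == 0:
        return 0
    if bits < 128:
        return 20
    if bits < 256:
        return 80
    return 100


def cipher_bits(suite):
    """Symmetric key size for an OpenSSL-style suite name, or None if unknown."""
    upper = suite.upper()
    for fragment, bits in CIPHER_BITS:
        if fragment in upper:
            return bits
    return None


def parse_directives(conf):
    """Collect nginx directives (name -> list of values) from a config string."""
    directives = {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";").strip()
        if not line:
            continue
        name, _, value = line.partition(" ")
        directives.setdefault(name, []).append(value.strip().strip("'\""))
    return directives


def score_config(conf):
    """Return Protocol Support / Cipher Strength scores and a list of findings."""
    d = parse_directives(conf)
    findings = []

    # Protocol Support: the weakest enabled protocol sets the score.
    proto_scores = []
    for p in " ".join(d.get("ssl_protocols", [])).split():
        if p not in PROTOCOL_SCORES:
            findings.append(f"ssl_protocols: {p} not in the post's table")
            continue
        proto_scores.append(PROTOCOL_SCORES[p])
        if PROTOCOL_SCORES[p] < 100:
            findings.append(f"ssl_protocols: {p} scores {PROTOCOL_SCORES[p]}%; use TLSv1.2 only")
    protocol_support = min(proto_scores, default=0)

    # Cipher Strength: the weakest offered suite sets the score.
    # Entries starting with !, + or - are OpenSSL list modifiers, not suites.
    cipher_scores = []
    for s in ":".join(d.get("ssl_ciphers", [])).split(":"):
        if not s or s[0] in "!+-":
            continue
        bits = cipher_bits(s)
        if bits is None:
            findings.append(f"ssl_ciphers: {s} has unknown key size")
            continue
        score = cipher_strength_score(bits)
        cipher_scores.append(score)
        if score < 100:
            findings.append(f"ssl_ciphers: {s} is {bits}-bit ({score}%)")
    cipher_strength = min(cipher_scores, default=0)

    # Key Exchange and HSTS: presence checks for the directives the post relies on.
    if "ssl_dhparam" not in d:
        findings.append("ssl_dhparam missing (no custom DHE parameters)")
    if "ssl_ecdh_curve" not in d:
        findings.append("ssl_ecdh_curve missing")
    if not any(v.startswith("Strict-Transport-Security") for v in d.get("add_header", [])):
        findings.append("Strict-Transport-Security header missing")

    return {"protocol_support": protocol_support,
            "cipher_strength": cipher_strength,
            "findings": findings}


# Constructed sample: a typical pre-hardening config.
WEAK_CONF = """
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:DES-CBC3-SHA';
ssl_prefer_server_ciphers on;
"""

# The TLS-relevant directives from the post's hardened config.
HARDENED_CONF = """
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
ssl_protocols TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384';
ssl_prefer_server_ciphers on;
ssl_ecdh_curve secp384r1;
add_header Strict-Transport-Security max-age=15768000;
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        result = score_config(conf)
        print(label, result["protocol_support"], result["cipher_strength"])
        for finding in result["findings"]:
            print("  -", finding)
```

The weak sample scores 90% on Protocol Support (TLS 1.0 is enabled) and 80% on Cipher Strength (a 128-bit suite is offered), which matches the "last two are 90%" situation the post starts from; the hardened sample scores 100% on both with no findings. One caveat on the post's config itself: the cipher list contains only ECDHE-ECDSA suites, so it assumes an ECDSA certificate. With an RSA certificate no suite would match and every handshake would fail, so check the certificate key type before copying the list.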

Prepare CentOS 6.3 within VirtualBox

For testing purposes, I need CentOS 6.3. So I downloaded the CentOS DVD image and installed it in VirtualBox as a web server.
Note: The guest system's network uses bridged mode, which allows the guest to access the internet and also allows computers on the LAN to access the guest system.
The installation was simple, no problem. I would like to share the experience I had later.
1) Prepare the network
Only lo, the loopback, is active. I cannot access the Internet from CentOS.
eth0 does not show up when I run the ifconfig command.

Continue reading “Prepare CentOS 6.3 within VirtualBox”

Setup dual monitor for desktop

I have two monitors. Both are Acer. One is an X223W, the other is an AL1716.

Now I have connected both of them to my computer. I have dual monitors working together side by side.

The left side is the main monitor, or monitor 1, through the DVI port. The right monitor is monitor 2, or the extended screen, through the 15-pin RGB port.

The color rendering is almost the same on both.

[image: dual-monitor]

I work most of the time on the left side, and play video, read reference docs, etc. on the right side.

Continue reading “Setup dual monitor for desktop”

Protect Proftpd server by restricting IP address allowed

There are so many hackers, or whatever name you give them, who want to log in to the FTP server on my VPS.
One of the simplest ways to stop them is to deny all IP addresses except specific ones.
The FTP server running on the VPS is Proftpd.
To apply the restriction, just edit /etc/proftpd.conf
Add the following at the end.

Order allow,deny
Allow from 96.49., 64.180., 24.81.
Deny from all

Continue reading “Protect Proftpd server by restricting IP address allowed”

Solved MySQL 5 – Incorrect integer value: '' for column 'id' at row 1

I moved one site to a new server running Windows 2003.
It uses a MySQL database. I use a PHP script to connect to the database and query it.
I ran the same script for more than 5 years on the old server. After I moved it to the new one, it gives me the error in the subject.
I did a lot of Googling. I found the answer at this blog (the link is not working any more), but now it is not available. So I quoted the most important part from the Google cached page.

This is an sql-mode issue, the mode defines what SQL syntax should be supported and what kind of data validation should be performed. In my problem MySQL is trying to assign an empty string to an auto-increment INT field and, as we should all know, strings into INTs don’t go. Cue errors and the script dies.
Longer term I am going to have to re-work my code to fix this issue, but in the short term, I am going to reduce the sensitivity of the control. To lower the level of data validation we can set the sql-mode to a lower level or comment it out altogether.

The solution is below:
Edit the my.cnf (my.ini on Windows) file, find the following line, and comment it out:
#sql-mode="STRICT_TRANS_TABLES,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION"

Continue reading “Solved MySQL 5 – Incorrect integer value: '' for column 'id' at row 1”

OBi110 Voice Service Bridge and VoIP Telephone Adapter

It is a great product. I ordered the OBi110 from Amazon.
The best part is:
The OBi110 can work with Google Voice.
The product is made by Obihai.
To set it up to work with Google Voice, go to OBiTALK.
After setup, I can use this phone to call US or Canada phone numbers for free.

Continue reading “OBi110 Voice Service Bridge and VoIP Telephone Adapter”

Disable your WiFi WPS, security vulnerability found

It was big news yesterday.
WiFi WPS security vulnerability found, major router makers affected
Wi-Fi Protected Setup (WPS; originally Wi-Fi Simple Config) is a computing standard that attempts to allow easy establishment of a secure wireless home network, but has been shown to easily fall to brute-force attacks. via Wikipedia
The routers affected include:
Belkin, Inc.
Buffalo Inc.
D-Link Systems, Inc.
Linksys
Netgear, Inc.
Technicolor
TP-Link
ZyXEL
So, disable your WiFi WPS first.

How to Disable WPS on a Belkin router

1. Open a web browser on the computer.
2. In the address bar of the web browser, type http://192.168.2.1
3. Click Login in the upper right-hand corner of the page. The router does not ship with a password, so just click Submit.
4. Click on Wi-Fi Protected Setup or WPS (depending on which router you own) under Wireless in the menu on the left.
5. Click on the drop-down menu at the top of the page and select Disabled.
6. Click the “Apply Changes” button.

Continue reading “Disable your WiFi WPS, security vulnerability found”

How to close Firefox windows without prompt

I have a batch file that runs the command, and I want to close it automatically.
Basically, I can use JavaScript to close it.
But it always prompts, asking for confirmation.
Actually I just want it to run on a schedule and close itself after finishing.
So, I used Google BB (Big Buddha) to search for it.
The final answer, and the only answer, is below.
The reason the script is not working is that the window was not opened by JavaScript, so it cannot be closed by JavaScript automatically. It is a simple concept, and the solution is also simple.

Continue reading “How to close Firefox windows without prompt”

WordPress Mobile Pack is great

Just bought an iPod Touch 32G edition. It has the Safari browser. I used it to browse one of my blogs powered by WordPress. The text and images are so small. I know I can enlarge them with two fingers, but it still has a width problem.
I thought there must be some plugin that can make a blog mobile.
I did a Google search and found this one: WordPress Mobile Pack
I installed it on the backend of WordPress.
Just a few clicks to configure it and it works.
I went to my blog. WordPress detected my browser and knew it was a handheld device, so it served the mobile version of the blog.
It is perfect. I don't need to set up a separate domain for mobile devices, like some sites that use m.example.com while the regular site domain is www.example.com.
The configuration steps are as below.

Continue reading “WordPress Mobile Pack is great”