Modifying nginx parameters

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
eepstein333
Posts: 4
Joined: Sun May 22, 2016 3:21 am

Modifying nginx parameters

Postby eepstein333 » Sun May 22, 2016 3:36 am

Hi,

I have a working setup with 1 proxy and 2 backend zcs servers. All are 8.6.0_GA_1153.FOSS. I've got through pretty much everything I needed to start using Letsencrypt, but I still can't get above a B for the SSL testing with weak DH params (amongst other problems). On the proxy I could modify template files (i think) to add the HSTS header and use a stronger dhparams file. That being said, it ignores the HSTS header, and just uses the dhparams. I understand the backend servers are not running nginx? If so, where may I add these parameters?

Code: Select all

add_header Strict-Transport-Security "max-age=15768000" always;
ssl_dhparam /etc/letsencrypt/live/example.domain.com/dhparams.pem;


Overriding the ciphers would also be nice as I don't see an easy way to do that with zmprov that "just works". It's not easy to specify the approved ciphers, and many attempts to block RC4 met with no success. The proxy was the only one I was able to suppress RC4 on, and all attempts to suppress it on the backend servers fail.

Code: Select all

zmprov mcf +zimbraSSLExcludedCipherSuites RC4
zmprov mcf +zimbraSSLExcludedCipherSuites '!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'


Any advice to get these parameters working is appreciated.


liverpoolfcfan
Outstanding Member
Outstanding Member
Posts: 914
Joined: Sat Sep 13, 2014 12:47 am

Re: Modifying nginx parameters

Postby liverpoolfcfan » Mon May 23, 2016 4:01 pm

You can use zmprov mcf zimbraReverseProxySSLCiphers to modify the nginx cipher list.

Have you reviewed the following wiki article https://wiki.zimbra.com/wiki/How_to_obtain_an_A%2B_in_the_Qualys_SSL_Labs_Security_Test
eepstein333
Posts: 4
Joined: Sun May 22, 2016 3:21 am

Re: Modifying nginx parameters

Postby eepstein333 » Mon May 23, 2016 6:50 pm

I haven't seen that document yet, but the reverse SSL proxy settings only works on the proxy, and not the backend servers. I've found precious few settings with zmprov desc and grepping zmlocalconfig. I've already used that setting and found it has no effect when rerunning the SSL checker at Qualys SSL Labs. Getting rid of RC4 on the proxy required zimbraSSLExcludedCipherSuites.

I'll attempt the instructions in that document, but where are the runtime configuration files stored on disk so that I can verify settings that zmprov and others are allegedly setting for me? At some point the configuration has to leave Zimbra in the form of working nginx configuration files?
liverpoolfcfan
Outstanding Member
Outstanding Member
Posts: 914
Joined: Sat Sep 13, 2014 12:47 am

Re: Modifying nginx parameters

Postby liverpoolfcfan » Mon May 23, 2016 7:56 pm

It sounds like you might be running into th issue I had when I first tried to follow that document. You may have the proxy installed but not enabled.

If you have upgraded from an earlier zimbra release to zimbra 8.6 the proxy will have been installed and started but it will not be in front of the web server. You have to manually enable the proxy server for it to become active. This switches the ports that everything is listening on.

Check this document https://wiki.zimbra.com/wiki/Enabling_Zimbra_Proxy
eepstein333
Posts: 4
Joined: Sun May 22, 2016 3:21 am

Re: Modifying nginx parameters

Postby eepstein333 » Mon May 23, 2016 9:21 pm

I already had the proxy enabled and running just fine. My setup involves one server dedicated to just the proxy service, and two backend servers which host the accounts/smtpd/etc. These were secured with SSL certificates from Namecheap during the last year without any major issues, and that included subdomains for virtuals.

I did make quite a bit of progress in the last few hours, but I now have some issues to fix.

DHParams: (working)

As I'm not on ZCS 8.7 yet, I generated the DH primes as indicated by the document for 8.6 instead, and placed its file in the correct place. That is now working, but I still doubt it had anything to do with the template files, but more to do with the placement of the file and its permissions. File cannot be generated by user zimbra (openssl error during generation) so it required 'chown zimbra:zimbra /opt/zimbra/conf/dhparams.pem'. My dhparams line was exactly the same except for the file location and permissions in the HTTPs templates.

My issue is that no matter what, the runtime configurations were not changing at all, and none of my directives were effected during SSL testing. On the proxy, it seems to be a lot more responsive to changes in the nginx template files (/opt/zimbra/conf/nginx/templates). However, the backend servers completely ignore it as they're not running nginx apparently (the includes directory is never populated with files). At the very least, they don't utilize the template files (no changes are effected), or somehow the majority of all of the directives are just flat ignored. I've put some of them in the very root of the configuration before all other includes, and still no go on any changes being effected which goes against how I understand nginx configuration files to work. The only thing I was missing myself was placing these directives before an include in the server section in specific template files, otherwise my own attempts closely match the document.

I think the dhparams.pem file needs to be generated with specific permissions and ownership.

HSTS: (not working)

I think the only command that may have worked is the zmprov mcf +zimbraResponseHeader. Instead of having no HSTS policy, I now have TWO policies :)
Now I would like to know how to remove one of the policies....

Modifications were made correctly, according to the document, for the HTTPS template files. Grepping /opt/zimbra shows me that only these two files have 'add_header "Strict-Transport-Security"'. That being said, I somehow have two HSTS policies coming back in the browser:

Code: Select all

max-age=15768000; includeSubDomains, max-age=31536000; includeSubDomains;


Ciphers: (too few!)

Also, I may have been too ambitious about the ciphers, as I have 4 ciphers left without server ordering being honored after using the zimbraSSLExcludedCiphers. I'm afraid that not very many client devices will be able to negotiate with those 4 ciphers. :roll:
How to get that set back to defaults would be nice, so I can attempt to pare down the ciphers again.

    TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012) ECDH sect571r1 (eq. 15360 bits RSA) FS 112
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH sect571r1 (eq. 15360 bits RSA) FS 128
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH sect571r1 (eq. 15360 bits RSA) FS 128
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH sect571r1 (eq. 15360 bits RSA) FS 128

OCSP Stapling: (not supported in 8.6)

As an aside, OCSP stapling is not supported on 8.6 as the version of nginx running seems to be insufficient to understand those directives. Is the nginx version in 8.7 sufficient to enabling OCSP stapling?

Thanks for linking to that document, I now have at least A's for my testing! :D
liverpoolfcfan
Outstanding Member
Outstanding Member
Posts: 914
Joined: Sat Sep 13, 2014 12:47 am

Re: Modifying nginx parameters

Postby liverpoolfcfan » Mon May 30, 2016 1:17 pm

If you run zmprov gacf | grep SSLExclude you should be able to see all the ones you have excluded. You can then capture that output and create a script file to run zmprov repeatedly to un-exclude them.

This is the set I have on my 8.6 server. You can use that as a reference for the ones not to un-exclude.

[zimbra@mail ~]$ zmprov gacf | grep SSLExclude
zimbraSSLExcludeCipherSuites: SSL_RSA_WITH_RC4_128_MD5
zimbraSSLExcludeCipherSuites: SSL_RSA_WITH_RC4_128_SHA
zimbraSSLExcludeCipherSuites: TLS_ECDHE_RSA_WITH_RC4_128_SHA
zimbraSSLExcludeCipherSuites: TLS_RSA_WITH_3DES_EDE_CBC_SHA
zimbraSSLExcludeCipherSuites: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
zimbraSSLExcludeCipherSuites: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
zimbraSSLExcludeCipherSuites: TLS_RSA_WITH_AES_128_CBC_SHA
[zimbra@mail ~]$
eepstein333
Posts: 4
Joined: Sun May 22, 2016 3:21 am

Re: Modifying nginx parameters

Postby eepstein333 » Tue May 31, 2016 7:46 pm

You can then capture that output and create a script file to run zmprov repeatedly to un-exclude them.


What is the syntax for un-excluding them?
tib
Posts: 4
Joined: Wed Aug 08, 2018 1:54 pm

Re: Modifying nginx parameters

Postby tib » Thu Aug 09, 2018 7:12 am

This proplem is relevant for me too. I have 2 different zimbraResponseHeaders on 8.8.9_GA_3006.FOSS, and have no idea, how i can delete any of that. In 8.6 and early there are was two files to edit to enable HSTS:
"/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.default.template" and "/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.template", in 8.7 and later we have only one way to do this:
"zmprov mcf +zimbraResponseHeader "Strict-Transport-Security: max-age=31536000"", and when i did "grep -r -s Strict-Transport-Security /opt/zimbra" i have this:
"Binary file /opt/zimbra/data/ldap/mdb/db/data.mdb matches
/opt/zimbra/.bash_history:zmprov mcf +zimbraResponseHeader "Strict-Transport-Security: max-age=31536000"
/opt/zimbra/.bash_history:zmprov mcf +zimbraResponseHeader "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload""
What syntax to delete unwanted header "Strict-Transport-Security: max-age=31536000"?
phoenix
Ambassador
Ambassador
Posts: 25718
Joined: Fri Sep 12, 2014 9:56 pm

Re: Modifying nginx parameters

Postby phoenix » Thu Aug 09, 2018 8:23 am

tib wrote:This proplem is relevant for me too. I have 2 different zimbraResponseHeaders on 8.8.9_GA_3006.FOSS, and have no idea, how i can delete any of that. In 8.6 and early there are was two files to edit to enable HSTS:
Did you look at any of the wiki articles on improving ZCS Security (including HSTS), if not I'd suggest you do that first.

BTW, in future, do not add your questions to old threads especially ones like this. You should do some research before posting and if you find nothing to answer your question then post your question in a suitable forum as a new thread.
Regards

Bill

Rspamd: A high performance spamassassin replacement

If you'd like to see this implemented in a future version of ZCS then please vote on Bugzilla entries 97706 & 108168
tib
Posts: 4
Joined: Wed Aug 08, 2018 1:54 pm

Re: Modifying nginx parameters

Postby tib » Thu Aug 09, 2018 2:27 pm

phoenix wrote:
tib wrote:This proplem is relevant for me too. I have 2 different zimbraResponseHeaders on 8.8.9_GA_3006.FOSS, and have no idea, how i can delete any of that. In 8.6 and early there are was two files to edit to enable HSTS:
Did you look at any of the wiki articles on improving ZCS Security (including HSTS), if not I'd suggest you do that first.

BTW, in future, do not add your questions to old threads especially ones like this. You should do some research before posting and if you find nothing to answer your question then post your question in a suitable forum as a new thread.


Ok, i'm sorry, but i haven't find answer for issue in this thread that is very similar to my problem, because of that i decided to reply my answer here. Now i have solved this problem for me by executing "zmprov mcf -zimbraResponseHeader "Strict-Transport-Security: max-age=31536000"", that removes header "Strict-Transport-Security: max-age=31536000" from config.

Return to “Administrators”

Who is online

Users browsing this forum: No registered users and 26 guests