NGINX SSL Ciphers

With browsers such as Google Chrome and Mozilla Firefox forcing websites to use better ciphers, and websites such as PayPal no longer supporting older versions of TLS, it’s time to update your NGINX installations with the latest version of OpenSSL (TLS 1.2+) and set some decent ciphers.

I’m finding that the following cipher set is passing tests such as SSL Labs and CryptoReport; this could change in the future.

ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA;

Add that directive to your NGINX configuration files (usually in /etc/nginx/conf.d/ on CentOS), then restart NGINX.

Please be aware that, at the time of writing this article, the ciphers in the list were passing SSL tests; as these requirements change and new exploits are released, this may change. I’ll try to update the blog with any such changes.

At the time of writing, the ciphers were secure against the following vulnerabilities:

  • Poodle (TLS)
  • Poodle (SSLv3)
  • FREAK
  • BEAST
  • CRIME
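
As an added example (not code from the post or from nginx), the following Python script pulls the ssl_ciphers string out of an nginx configuration fragment and checks every suite in it for forward secrecy, AEAD record protection and known-weak name tokens (RC4, DES/3DES, export grades, MD5, anonymous key exchange, NULL encryption). The config fragment and the weak-token policy are constructed for this example; the cipher string is the one from the post. Run against that list it reports no errors and one warning: ECDHE-RSA-AES256-SHA is the only CBC-with-HMAC suite, the other four are GCM. The last function asks the local OpenSSL build which of the names it can actually negotiate, which is a useful sanity check before restarting nginx.

```python
"""Audit an nginx ssl_ciphers directive for forward secrecy, AEAD and weak suites.

Added example for this post, not code from the post or from nginx. The policy
tokens below are this example's own choice, not an nginx or SSL Labs rule set.
"""
import re

# Constructed sample input: the ssl_ciphers line from the post, placed in a
# minimal server block as it would appear in a real configuration file.
POST_CONFIG = """
server {
    listen 443 ssl;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA;
}
"""

# Suite-name tokens that make a suite unacceptable: RC4, single/triple DES,
# export grades, MD5 MACs, anonymous (unauthenticated) key exchange, NULL cipher.
WEAK_TOKENS = {"RC4", "DES", "DES3", "NULL", "EXP", "EXP1024", "MD5", "ADH", "AECDH"}

DIRECTIVE_RE = re.compile(r'ssl_ciphers\s+["\']?([^;"\']+)["\']?\s*;')


def extract_ssl_ciphers(config_text):
    """Return the cipher string of the first ssl_ciphers directive, or None."""
    m = DIRECTIVE_RE.search(config_text)
    return m.group(1).strip() if m else None


def parse_cipher_string(cipher_string):
    """Split an OpenSSL cipher list on ':' and drop empty entries."""
    return [c.strip() for c in cipher_string.split(":") if c.strip()]


def classify(suite):
    """Describe one OpenSSL suite name by key exchange, record protection and weak tokens."""
    tokens = suite.upper().split("-")
    return {
        # ECDHE/DHE (EDH is OpenSSL's older spelling) give forward secrecy.
        "forward_secrecy": tokens[0] in {"ECDHE", "DHE", "EDH"},
        # GCM, CCM and ChaCha20-Poly1305 are AEAD; anything else is CBC + HMAC.
        "aead": any(t in {"GCM", "CCM", "CCM8", "CHACHA20", "POLY1305"} for t in tokens),
        "weak": sorted(t for t in tokens if t in WEAK_TOKENS),
    }


def audit_ciphers(cipher_string):
    """Classify every suite in the list; keys are suite names in list order."""
    return {s: classify(s) for s in parse_cipher_string(cipher_string)}


def findings(cipher_string):
    """Return (errors, warnings): errors should block deployment, warnings are advisory."""
    errors, warnings = [], []
    for suite, info in audit_ciphers(cipher_string).items():
        if info["weak"]:
            errors.append(f"{suite}: weak token(s) {', '.join(info['weak'])}")
        if not info["forward_secrecy"]:
            errors.append(f"{suite}: no forward secrecy (static key exchange)")
        if not info["aead"] and not info["weak"]:
            warnings.append(f"{suite}: CBC mode with HMAC, not AEAD")
    return errors, warnings


def supported_by_local_openssl(cipher_string):
    """Names from the list that this host's Python/OpenSSL build can negotiate."""
    import ssl
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []  # nothing in the list is usable locally
    # TLS 1.3 suites are always present and not governed by ssl_ciphers; skip them.
    return [c["name"] for c in ctx.get_ciphers() if c.get("protocol") != "TLSv1.3"]


if __name__ == "__main__":
    ciphers = extract_ssl_ciphers(POST_CONFIG)
    errors, warnings = findings(ciphers)
    for line in errors:
        print("ERROR  ", line)
    for line in warnings:
        print("WARNING", line)
    print("locally negotiable:", supported_by_local_openssl(ciphers))
```

The token check is deliberately name-based, so it also catches legacy lists such as `EXP-RC4-MD5:AES128-SHA:DES-CBC3-SHA`, where every suite fails either the weak-token or the forward-secrecy rule; run `findings()` over your own directive before and after a change to see what you gained.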

OpenVZ IO Limits

OpenVZ has had IO limits for years, but I’ve never really had the opportunity to implement them, especially with SSD disks becoming cheaper and the standard.

However, in some cases implementing IO limits on your OpenVZ VMs is good practice, especially on database servers (high-usage MySQL/MariaDB) or mail servers (Exim on cPanel can be an IO hog at times).

Depending on your disks and how many OpenVZ containers live on your host, you may wish to adjust the following value to better suit your environment.

vzctl set 100 --iolimit 10M --save

10MB/s seems to be the perfect value for my requirements. It doesn’t over-limit IO usage, but if a VM is behaving badly, it limits the impact on the other VMs. IO limiting affects both read and write, and there is also an option to allow bursts of up to 3x.

Requirements:

  • Kernel Version: 2.6.32-042stab084.3 or higher
  • VZCTL Version: 4.6 or higher

Further information can be found on the OpenVZ Wiki.
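
When there are more than a handful of containers, the `vzctl set ... --iolimit ... --save` line from the post is usually rolled out by a script. The following Python script is an added example, not code from the post or from the OpenVZ project: it validates each limit value, builds one vzctl command per container with optional per-role overrides, and prints the plan as a dry run before anything is changed. It assumes the vzctl form used in the post and that `vzlist -a -H -o ctid` prints one container ID per line; the role table and its CTIDs are constructed for illustration.

```python
"""Roll an OpenVZ I/O limit out to many containers, dry run first.

Added example, not code from the post or from the OpenVZ project. It assumes
the vzctl form used in the post (vzctl set CTID --iolimit 10M --save) and that
`vzlist -a -H -o ctid` prints one container ID per line; the role table below
is constructed for illustration.
"""
import re
import subprocess

DEFAULT_LIMIT = "10M"  # the per-container value the post settled on

# Constructed overrides: containers whose workload justifies a different cap.
ROLE_LIMITS = {
    101: "20M",  # hypothetical database container, allowed more throughput
    102: "5M",   # hypothetical mail container, held tighter
}

# A positive integer with the optional K/M/G suffix that the post's value uses.
LIMIT_RE = re.compile(r"^[1-9][0-9]*[KMG]?$")


def is_valid_limit(limit):
    """True if the value has the bytes-per-second[KMG] shape vzctl expects."""
    return bool(LIMIT_RE.match(limit))


def build_iolimit_command(ctid, limit):
    """argv for one container, the same shape as the post's command line."""
    if not isinstance(ctid, int) or ctid <= 0:
        raise ValueError(f"bad container id: {ctid!r}")
    if not is_valid_limit(limit):
        raise ValueError(f"bad iolimit value: {limit!r}")
    return ["vzctl", "set", str(ctid), "--iolimit", limit, "--save"]


def plan(ctids, default=DEFAULT_LIMIT, overrides=ROLE_LIMITS):
    """One command per container, in CTID order, applying overrides where set."""
    return [build_iolimit_command(c, overrides.get(c, default))
            for c in sorted(set(ctids))]


def list_containers():
    """Container IDs from vzlist, running or stopped (requires a real OpenVZ host)."""
    out = subprocess.run(["vzlist", "-a", "-H", "-o", "ctid"],
                         capture_output=True, text=True, check=True).stdout
    return [int(tok) for tok in out.split() if tok.isdigit()]


def apply(commands, dry_run=True):
    """Print the plan, or execute it when dry_run is False; returns the commands handled."""
    done = []
    for argv in commands:
        if dry_run:
            print("[dry-run]", " ".join(argv))
        else:
            subprocess.run(argv, check=True)
        done.append(argv)
    return done


if __name__ == "__main__":
    import sys
    # Default is a dry run; pass --apply on the host to actually set the limits.
    apply(plan(list_containers()), dry_run="--apply" not in sys.argv)
```

Because `--save` writes the limit into the container's config, the dry-run output doubles as a record of what will change; keep it with the change ticket, and re-run `plan()` later to confirm that a newly created container picked up the default.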