Una prueba de seguridad de SSLLabs sobre nuestro sitio dice que es vulnerable a POODLE. Este tutorial me indicó que debería desactivar SSL3. Pero cuando revisé el archivo .conf de nginx de nuestro sitio web, SSL3 ya estaba desactivado. ¿Qué está pasando?
# Installed by APT
# serves static files, and passes 404 image requests onto PHP
upstream backend_rental {
# PHP-FPM is reached over a local Unix socket (no TCP port exposed), so only
# processes on this host with filesystem access to the socket can talk to it.
server unix:/srv/rental/tmp/php.sock;
}
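# force ekaya.co calls to ekaya.com
#
# Redirect-only virtual host: every request for ekaya.co, on either port,
# is answered with a permanent redirect to the same path on ekaya.com.
server {
    server_name ekaya.co;

    # Plain HTTP on 80, TLS on 443. The previous form "listen 443; ssl on;"
    # enabled TLS for the whole server, so the port-80 listener also expected
    # a TLS handshake and plain-HTTP visitors got "400 The plain HTTP request
    # was sent to HTTPS port" instead of the redirect. The "ssl" listen
    # parameter scopes TLS to this one socket.
    listen 80;
    listen 443 ssl;

    ssl_certificate     /etc/ssl/local/ekaya.co.crt;
    ssl_certificate_key /etc/ssl/local/ekaya.co.key;
    ssl_session_timeout 5m;
    ssl_session_cache   shared:SSL:50m;

    # SSLv3 is not listed, so this block itself never negotiates it. A
    # scanner, however, sees whichever server block actually answers the
    # handshake on this IP:443 — if a different block (for instance the
    # default server for the address) still permits SSLv3, the POODLE
    # finding originates there, not here. Confirm which block is the default
    # for 443 on this address before changing anything else.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # Note: "!DES" removes single-DES suites only; "DES-CBC3-SHA" (3DES)
    # remains enabled for legacy clients.
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;

    # ~6 months of HSTS; only meaningful to browsers that reached us over TLS.
    add_header Strict-Transport-Security max-age=15768000;

    # $request_uri already carries the query string; the trailing "?" stops
    # nginx from appending the arguments a second time.
    rewrite ^ https://ekaya.com$request_uri? permanent;
}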
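# Main application host: static files served directly, everything else
# routed to the PHP front controller via the backend_rental socket.
server {
    server_name ekaya.com ekaya.rental qa.ekaya.volk.co.za;

    # Plain HTTP on 80, TLS on 443. The previous form "listen 443; ssl on;"
    # enabled TLS for the whole server, so the port-80 listener also expected
    # a TLS handshake and plain-HTTP requests were rejected with
    # "400 The plain HTTP request was sent to HTTPS port". The "ssl" listen
    # parameter scopes TLS to this one socket.
    listen 80;
    listen 443 ssl;

    # ssl_certificate /etc/ssl/local/ekaya.com.crt;
    # ssl_certificate_key /etc/ssl/local/ekaya.com.key;
    ssl_certificate     /etc/letsencrypt/live/ekaya.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/ekaya.com/privkey.pem;
    ssl_session_timeout 5m;
    ssl_session_cache   shared:SSL:50m;

    # SSLv3 is not listed, so this block itself never negotiates it. A
    # scanner, however, sees whichever server block actually answers the
    # handshake on this IP:443 — if a different block (for instance the
    # default server for the address) still permits SSLv3, the POODLE
    # finding originates there, not here. Confirm which block is the default
    # for 443 on this address before changing anything else.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # Note: "!DES" removes single-DES suites only; "DES-CBC3-SHA" (3DES)
    # remains enabled for legacy clients.
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;

    # ~6 months of HSTS. add_header is inherited by every location below
    # because none of them declares its own add_header.
    add_header Strict-Transport-Security max-age=15768000;
    add_header X-Clacks-Overhead "GNU Terry Pratchett";

    root  /srv/rental/public;
    index index.html index.php;

    access_log /var/log/nginx/ekaya.access.log combined;
    error_log  /var/log/nginx/ekaya.error.log;

    # Nginx status
    location /nginx_stub_status {
        # copied from http://blog.kovyrin.net/2006/04/29/monitoring-nginx-with-rrdtool/
        stub_status on;
        access_log  off;
        # Reachable only from localhost and the one monitoring address.
        allow 127.0.0.1;
        allow 196.201.6.140;
        deny  all;
    }

    # PHP-FPM status
    location /php_status {
        access_log off;
        # Same allow-list as the nginx status endpoint.
        allow 127.0.0.1;
        allow 196.201.6.140;
        deny  all;
        include      fastcgi_params;
        fastcgi_pass backend_rental;
    }

    # set expiration of assets to MAX for caching
    # (the "(\?[0-9]+)?" part never matches — location regexes are tested
    # against the URI without its query string — but it is harmless.)
    location ~* \.(ico|css|js|gif|jpe?g|png)(\?[0-9]+)?$ {
        expires max;
    }

    location / {
        # Check if a file exists, or route it to index.php.
        try_files $uri $uri/ /index.php?$query_string;
    }

    location ~* \.php$ {
        # Hand only existing .php files to PHP-FPM. Without this, a request
        # for a non-existent path ending in ".php" under an upload directory
        # is still passed to the backend, and PHP-FPM with cgi.fix_pathinfo=1
        # (its default) may then execute a different, existing file as PHP.
        # Nothing that works today is affected: the location regex requires
        # the URI itself to end in ".php", so PATH_INFO-style URLs were never
        # matched here and fastcgi_split_path_info always yields empty info.
        try_files $uri =404;

        fastcgi_pass            backend_rental;
        fastcgi_index           index.php;
        fastcgi_split_path_info ^(.+\.php)(.*)$;
        fastcgi_read_timeout    300;
        fastcgi_send_timeout    300;
        include                 fastcgi_params;
        fastcgi_param           SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}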