nginx_apache POODLE attack vulnerability.

ilan

Hi,

I thought DirectAdmin had addressed the POODLE attack vulnerability a long time ago, but I just set up a server with apache and nginx as reverse proxy using custombuild 2.0, and at the ssllabs.com ssl test I'm receiving a Grade C because of the POODLE attack vulnerability.

I tried using the https://mozilla.github.io/server-side-tls/ssl-config-generator/ but I placed the recommended values in a few config files and there is no change. Clearly I'm not adding the changes in the correct files. Does someone know what's the correct template to add the values?

My system has:
CentOS Linux release 7.3
Apache 2.4.25
nginx 2.2.15
OpenSSL 1.0.1e

In the options.conf of custombuild 2.0 (rev: 1642) I have:
webserver=nginx_apache

Inside the custombuild directory I updated the recommended protocols and ciphers in the following files:
Code:
custom/nginx/conf/nginx-defaults.conf
custom/nginx/conf/nginx-vhosts.conf
custom/nginx_reverse/conf/nginx-defaults.conf
custom/nginx_reverse/conf/nginx-vhosts.conf

and then did a ./build rewrite_confs

And these are the recommended values for my setup using the modern profile at mozilla.github.io:

Code:
    ssl_protocols TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
    ssl_prefer_server_ciphers on;

Thanks
 
Hello,

Where did you get nginx 2.2.15 ?

For those ciphers to work you need to build NGINX against at least OpenSSL 1.1.0. And Directadmin does not install OpenSSL for you.
 
Sorry for that, no idea where I pasted that number from...

I have nginx ver: 1.10.1

and I just reviewed the rest of the info and it's Ok including the recommended protocols and cipher list.

So any ideas or suggestions?

Thanks
 
So that's exactly the question, when using nginx_apache on custombuild 2.0, what is the correct file to place the updated protocols to do a: ./build rewrite_confs

As mentioned in the beginning of the post I added to:

Code:
custom/nginx/conf/nginx-defaults.conf
custom/nginx/conf/nginx-vhosts.conf
custom/nginx_reverse/conf/nginx-defaults.conf
custom/nginx_reverse/conf/nginx-vhosts.conf

but it seems that none of those worked, my changes are not reflected on the websites.

So does anyone know when using nginx_apache which are the configuration files being used?

Regards
 
With nginx+apache custom directories for configs:

/usr/local/directadmin/custombuild/custom/nginx_reverse/*
/usr/local/directadmin/data/templates/custom/nginx_server*.conf

How can it be possible that you are proxying requests via another 3rd-party service?

What is your domain name?
 
I'm sorry for wasting your time, I was testing and trying to fix in the wrong server.

The host I was trying to fix is: imagenes.lacocinademama.net

but inadvertently I was testing the main domain which is on a different server... so I did fix (probably right away on my first try) the problem, just that I kept testing the wrong server...

Well at least now everyone knows what are the correct files to change on a nginx_apache configuration, thanks and sorry again Alex!
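
An added example, not part of the thread and not DirectAdmin's own tooling: a Python check that walks a directory of nginx config files (for instance the rendered output after `./build rewrite_confs`) and reports every active `ssl_protocols` line, flagging any that still enables SSLv3, the protocol POODLE relies on. The file names and contents below are constructed samples, and `audit_tree` / `build_sample_tree` are hypothetical helper names; point `audit_tree` at the real config directory on the server actually being tested.

```python
import re
import tempfile
from pathlib import Path

POODLE_PROTOCOL = "SSLv3"  # protocol the POODLE downgrade relies on
DIRECTIVE = re.compile(r"^\s*ssl_protocols\s+([^;]+);")


def audit_file(path):
    """Return (line_no, protocols, exposed) for each active ssl_protocols line."""
    findings = []
    for line_no, raw in enumerate(Path(path).read_text().splitlines(), 1):
        line = raw.split("#", 1)[0]  # ignore commented-out directives
        match = DIRECTIVE.match(line)
        if match:
            protocols = match.group(1).split()
            findings.append((line_no, protocols, POODLE_PROTOCOL in protocols))
    return findings


def audit_tree(root):
    """Map each *.conf under root to its findings; [] means no directive in that file."""
    return {str(p.relative_to(root)): audit_file(p)
            for p in sorted(Path(root).rglob("*.conf"))}


def build_sample_tree(root):
    """Write constructed sample files (not taken from a real DirectAdmin install)."""
    root = Path(root)
    (root / "nginx-defaults.conf").write_text(
        "# ssl_protocols SSLv3 TLSv1;\n"
        "ssl_protocols TLSv1.2;\n"
        "ssl_prefer_server_ciphers on;\n")
    (root / "vhost-legacy.conf").write_text(
        "server {\n"
        "    listen 443 ssl;\n"
        "    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;\n"
        "}\n")
    (root / "vhost-plain.conf").write_text("server {\n    listen 80;\n}\n")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name, hits in audit_tree(build_sample_tree(tmp)).items():
            if not hits:
                print(f"{name}: no ssl_protocols directive in this file")
            for line_no, protocols, exposed in hits:
                verdict = "SSLv3 ENABLED" if exposed else "ok"
                print(f"{name}:{line_no}: {' '.join(protocols)} -> {verdict}")
```

A per-vhost `ssl_protocols` line overrides the value set in the defaults file, so a clean defaults file alone does not prove every site is fixed.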
 