{"id":968,"date":"2012-04-28T10:03:16","date_gmt":"2012-04-28T15:03:16","guid":{"rendered":"http:\/\/rud.is\/b\/?p=968"},"modified":"2017-03-27T09:40:26","modified_gmt":"2017-03-27T14:40:26","slug":"slaying-the-beast-in-nginx","status":"publish","type":"post","link":"https:\/\/rud.is\/b\/2012\/04\/28\/slaying-the-beast-in-nginx\/","title":{"rendered":"Slaying the BEAST in nginx"},"content":{"rendered":"

Just a quick post as I noticed that my nginx<\/code> configuration was vulnerable to the BEAST attack<\/a> thanks to the #spiffy SSL Certificate Tester<\/a> from Qualys<\/a> (I scored an “A”<\/a>, btw :-).<\/p>\n

The nginx docs<\/a> show how to do this, now, and it’s pretty simple (very similar to the Apache configuration, in fact):<\/p>\n

\r\nssl_ciphers RC4:HIGH:!aNULL:!MD5;\r\nssl_prefer_server_ciphers on;\r\n<\/pre>\n
Set it to prefer RC4 ciphers and \u2014 BOOM! \u2014 you’re done.<\/p>\n
Like many other system admins, I should have done this a long time ago. And, like many other system admins, I’ve got many other things going on. I let this slip (even though I’ve kept up on nginx<\/code> patches) and I shouldn’t have. Thankfully, this was a low risk item as the site doesn’t perform truly critical transactions.<\/p>\n
I definitely encourage folks to use the SSL Labs tool to help ensure you’ve got your site’s configuration up to snuff.<\/p>\n
Also, make sure to follow @ivanristic on Twitter if you care at all about web app security.<\/p>\n","protected":false},"excerpt":{"rendered":"
Just a quick post as I noticed that my nginx configuration was vulnerable to the BEAST attack thanks to the #spiffy SSL Certificate Tester from Qualys (I scored an “A”, btw :-). The nginx docs show how to do this, now, and it’s pretty simple (very similar to the Apache configuration, in fact): ssl_ciphers RC4:HIGH:!aNULL:!MD5; […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":true,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"activitypub_content_warning":"","activitypub_content_visibility":"","activitypub_max_image_attachments":3,"activitypub_interaction_policy_quote":"anyone","activitypub_status":"","footnotes":""},"categories":[60,3,25],"tags":[],"class_list":["post-968","post","type-post","status-publish","format-standard","hentry","category-certificates","category-information-security","category-threats"],"yoast_head":"\nSlaying the BEAST in nginx - rud.is<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/rud.is\/b\/2012\/04\/28\/slaying-the-beast-in-nginx\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Slaying the BEAST in nginx - rud.is\" \/>\n<meta property=\"og:description\" content=\"Just a quick post as I noticed that my nginx configuration was vulnerable to the BEAST attack thanks to the #spiffy SSL Certificate Tester from Qualys (I scored an “A”, btw :-). The nginx docs show how to do this, now, and it’s pretty simple (very similar to the Apache configuration, in fact): ssl_ciphers RC4:HIGH:!aNULL:!MD5; […]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/rud.is\/b\/2012\/04\/28\/slaying-the-beast-in-nginx\/\" \/>\n<meta property=\"og:site_name\" content=\"rud.is\" \/>\n<meta property=\"article:published_time\" content=\"2012-04-28T15:03:16+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2017-03-27T14:40:26+00:00\" \/>\n<meta name=\"author\" content=\"hrbrmstr\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"hrbrmstr\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"1 minute\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/rud.is\/b\/2012\/04\/28\/slaying-the-beast-in-nginx\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/rud.is\/b\/2012\/04\/28\/slaying-the-beast-in-nginx\/\"},\"author\":{\"name\":\"hrbrmstr\",\"@id\":\"https:\/\/rud.is\/b\/#\/schema\/person\/d7cb7487ab0527447f7fda5c423ff886\"},\"headline\":\"Slaying the BEAST in nginx\",\"datePublished\":\"2012-04-28T15:03:16+00:00\",\"dateModified\":\"2017-03-27T14:40:26+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/rud.is\/b\/2012\/04\/28\/slaying-the-beast-in-nginx\/\"},\"wordCount\":170,\"commentCount\":3,\"publisher\":{\"@id\":\"https:\/\/rud.is\/b\/#\/schema\/person\/d7cb7487ab0527447f7fda5c423ff886\"},\"articleSection\":[\"Certificates\",\"Information Security\",\"Threats\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/rud.is\/b\/2012\/04\/28\/slaying-the-beast-in-nginx\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/rud.is\/b\/2012\/04\/28\/slaying-the-beast-in-nginx\/\",\"url\":\"https:\/\/rud.is\/b\/2012\/04\/28\/slaying-the-beast-in-nginx\/\",\"name\":\"Slaying the BEAST in nginx - rud.is\",\"isPartOf\":{\"@id\":\"https:\/\/rud.is\/b\/#website\"},\"datePublished\":\"2012-04-28T15:03:16+00:00\",\"dateModified\":\"2017-03-27T14:40:26+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/rud.is\/b\/2012\/04\/28\/slaying-the-beast-in-nginx\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/rud.is\/b\/2012\/04\/28\/slaying-the-beast-in-nginx\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/rud.is\/b\/2012\/04\/28\/slaying-the-beast-in-nginx\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/rud.is\/b\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Slaying the BEAST in nginx\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/rud.is\/b\/#website\",\"url\":\"https:\/\/rud.is\/b\/\",\"name\":\"rud.is\",\"description\":\""In God we trust. All others must bring data"\",\"publisher\":{\"@id\":\"https:\/\/rud.is\/b\/#\/schema\/person\/d7cb7487ab0527447f7fda5c423ff886\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/rud.is\/b\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":[\"Person\",\"Organization\"],\"@id\":\"https:\/\/rud.is\/b\/#\/schema\/person\/d7cb7487ab0527447f7fda5c423ff886\",\"name\":\"hrbrmstr\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2023\/10\/ukr-shield.png?fit=460%2C460&ssl=1\",\"url\":\"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2023\/10\/ukr-shield.png?fit=460%2C460&ssl=1\",\"contentUrl\":\"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2023\/10\/ukr-shield.png?fit=460%2C460&ssl=1\",\"width\":460,\"height\":460,\"caption\":\"hrbrmstr\"},\"logo\":{\"@id\":\"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2023\/10\/ukr-shield.png?fit=460%2C460&ssl=1\"},\"description\":\"Don't look at me\u2026I do what he does \u2014 just slower. #rstats avuncular \u2022 ?Resistance Fighter \u2022 Cook \u2022 Christian \u2022 [Master] Chef des Donn\u00e9es de S\u00e9curit\u00e9 @ @rapid7\",\"sameAs\":[\"http:\/\/rud.is\"],\"url\":\"https:\/\/rud.is\/b\/author\/hrbrmstr\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Slaying the BEAST in nginx - rud.is","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/rud.is\/b\/2012\/04\/28\/slaying-the-beast-in-nginx\/","og_locale":"en_US","og_type":"article","og_title":"Slaying the BEAST in nginx - rud.is","og_description":"Just a quick post as I noticed that my nginx configuration was vulnerable to the BEAST attack thanks to the #spiffy SSL Certificate Tester from Qualys (I scored an “A”, btw :-). The nginx docs show how to do this, now, and it’s pretty simple (very similar to the Apache configuration, in fact): ssl_ciphers RC4:HIGH:!aNULL:!MD5; […]","og_url":"https:\/\/rud.is\/b\/2012\/04\/28\/slaying-the-beast-in-nginx\/","og_site_name":"rud.is","article_published_time":"2012-04-28T15:03:16+00:00","article_modified_time":"2017-03-27T14:40:26+00:00","author":"hrbrmstr","twitter_card":"summary_large_image","twitter_misc":{"Written by":"hrbrmstr","Est. reading time":"1 minute"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/rud.is\/b\/2012\/04\/28\/slaying-the-beast-in-nginx\/#article","isPartOf":{"@id":"https:\/\/rud.is\/b\/2012\/04\/28\/slaying-the-beast-in-nginx\/"},"author":{"name":"hrbrmstr","@id":"https:\/\/rud.is\/b\/#\/schema\/person\/d7cb7487ab0527447f7fda5c423ff886"},"headline":"Slaying the BEAST in nginx","datePublished":"2012-04-28T15:03:16+00:00","dateModified":"2017-03-27T14:40:26+00:00","mainEntityOfPage":{"@id":"https:\/\/rud.is\/b\/2012\/04\/28\/slaying-the-beast-in-nginx\/"},"wordCount":170,"commentCount":3,"publisher":{"@id":"https:\/\/rud.is\/b\/#\/schema\/person\/d7cb7487ab0527447f7fda5c423ff886"},"articleSection":["Certificates","Information Security","Threats"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/rud.is\/b\/2012\/04\/28\/slaying-the-beast-in-nginx\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/rud.is\/b\/2012\/04\/28\/slaying-the-beast-in-nginx\/","url":"https:\/\/rud.is\/b\/2012\/04\/28\/slaying-the-beast-in-nginx\/","name":"Slaying the BEAST in nginx - rud.is","isPartOf":{"@id":"https:\/\/rud.is\/b\/#website"},"datePublished":"2012-04-28T15:03:16+00:00","dateModified":"2017-03-27T14:40:26+00:00","breadcrumb":{"@id":"https:\/\/rud.is\/b\/2012\/04\/28\/slaying-the-beast-in-nginx\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/rud.is\/b\/2012\/04\/28\/slaying-the-beast-in-nginx\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/rud.is\/b\/2012\/04\/28\/slaying-the-beast-in-nginx\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/rud.is\/b\/"},{"@type":"ListItem","position":2,"name":"Slaying the BEAST in nginx"}]},{"@type":"WebSite","@id":"https:\/\/rud.is\/b\/#website","url":"https:\/\/rud.is\/b\/","name":"rud.is","description":""In God we trust. All others must bring data"","publisher":{"@id":"https:\/\/rud.is\/b\/#\/schema\/person\/d7cb7487ab0527447f7fda5c423ff886"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/rud.is\/b\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":["Person","Organization"],"@id":"https:\/\/rud.is\/b\/#\/schema\/person\/d7cb7487ab0527447f7fda5c423ff886","name":"hrbrmstr","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2023\/10\/ukr-shield.png?fit=460%2C460&ssl=1","url":"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2023\/10\/ukr-shield.png?fit=460%2C460&ssl=1","contentUrl":"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2023\/10\/ukr-shield.png?fit=460%2C460&ssl=1","width":460,"height":460,"caption":"hrbrmstr"},"logo":{"@id":"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2023\/10\/ukr-shield.png?fit=460%2C460&ssl=1"},"description":"Don't look at me\u2026I do what he does \u2014 just slower. #rstats avuncular \u2022 ?Resistance Fighter \u2022 Cook \u2022 Christian \u2022 [Master] Chef des Donn\u00e9es de S\u00e9curit\u00e9 @ @rapid7","sameAs":["http:\/\/rud.is"],"url":"https:\/\/rud.is\/b\/author\/hrbrmstr\/"}]}},"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/p23idr-fC","jetpack_likes_enabled":true,"jetpack-related-posts":[{"id":13640,"url":"https:\/\/rud.is\/b\/2022\/11\/11\/honk-if-you-like-the-fediverse\/","url_meta":{"origin":968,"position":0},"title":"Honk If You Like The Fediverse!","author":"hrbrmstr","date":"2022-11-11","format":false,"excerpt":"This is a re-post from today's newsletter. I generally avoid doing this but the content here is def more \"bloggy\" than \"newslettery\". You can now receive these blog posts in your activity stream. Just follow @hrbrmstr@rud.is and the new posts from here will slide right into your timeline. So, you've\u2026","rel":"","context":"In "fediverse"","block_context":{"text":"fediverse","link":"https:\/\/rud.is\/b\/category\/fediverse\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":12056,"url":"https:\/\/rud.is\/b\/2019\/03\/04\/ip-user-agent-and-referrer-tracking-disabled-on-cinc-rud-is-and-git-rud-is\/","url_meta":{"origin":968,"position":1},"title":"IP, User Agent, and Referrer Tracking Disabled on cinc.rud.is and git.rud.is","author":"hrbrmstr","date":"2019-03-04","format":false,"excerpt":"Not flagging this with an \"R\" tag since I don't want to spam R-bloggers but I mentioned here that I'd be disabling logging on https:\/\/cinc.rud.is and https:\/\/git.rud.is and I wanted to follow up on that with an addendum that I've opted to disable user\/system tracking in the access logs of\u2026","rel":"","context":"In "Site News"","block_context":{"text":"Site News","link":"https:\/\/rud.is\/b\/category\/site-news\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":400,"url":"https:\/\/rud.is\/b\/2011\/03\/24\/repairing-strict-transport-security-in-chrome-on-os-x\/","url_meta":{"origin":968,"position":2},"title":"“Repairing” Strict Transport Security in Chrome on OS X","author":"hrbrmstr","date":"2011-03-24","format":false,"excerpt":"One of my subdomains is for mail and I was using an easy DNS hack to point it to my hosted Gmail setup (just create a CNAME pointing to ghs.google.com). This stopped working for some folks this week and I've had no time to debug exactly why so I decided\u2026","rel":"","context":"In "Certificates"","block_context":{"text":"Certificates","link":"https:\/\/rud.is\/b\/category\/certificates\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":12016,"url":"https:\/\/rud.is\/b\/2019\/03\/03\/cran-mirror-security\/","url_meta":{"origin":968,"position":3},"title":"CRAN Mirror “Security”","author":"hrbrmstr","date":"2019-03-03","format":false,"excerpt":"In the \"Changes on CRAN\" section of the latest version of the The R Journal (Vol. 10\/2, December 2018) had this short blurb entitled \"CRAN mirror security\": Currently, there are 100 official CRAN mirrors, 68 of which provide both secure downloads via \u2018https\u2019 and use secure mirroring from the CRAN\u2026","rel":"","context":"In "Cybersecurity"","block_context":{"text":"Cybersecurity","link":"https:\/\/rud.is\/b\/category\/cybersecurity\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":763,"url":"https:\/\/rud.is\/b\/2012\/01\/07\/getting-things-done-a-cobblers-tale\/","url_meta":{"origin":968,"position":4},"title":"Getting Things Done : A Cobbler’s Tale","author":"hrbrmstr","date":"2012-01-07","format":false,"excerpt":"Starting sometime mid-year in 2011, I began having more 'stuff' to do than even my eidetic memory could help with. It's not that I forgot things, per se, but the ability to mentally recall and prioritize work, family, personal and other tasks finally required some external assistance and I resolved\u2026","rel":"","context":"In "GTD"","block_context":{"text":"GTD","link":"https:\/\/rud.is\/b\/category\/gtd\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":12004,"url":"https:\/\/rud.is\/b\/2019\/02\/28\/drat-all-the-%f0%9f%93%a6-enabling-easier-package-discovery-and-installation-with-your-own-cran-like-repo-for-your-packages\/","url_meta":{"origin":968,"position":5},"title":"drat All The ?! : Enabling Easier Package Discovery and Installation with Your Own CRAN-like Repo for Your Packages","author":"hrbrmstr","date":"2019-02-28","format":false,"excerpt":"I've got a work-in-progress drat-ified CRAN-like repo for (eventually) all my packages over at CINC? (\"CINC is not CRAN\" and it also sounds like \"sync\"). This is in parallel with a co-location\/migration of all my packages to SourceHut (just waiting for the sr.ht alpha API to be baked) and a\u2026","rel":"","context":"In "R"","block_context":{"text":"R","link":"https:\/\/rud.is\/b\/category\/r\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]}],"jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/posts\/968","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/comments?post=968"}],"version-history":[{"count":0,"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/posts\/968\/revisions"}],"wp:attachment":[{"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/media?parent=968"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/categories?post=968"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/tags?post=968"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}