Nextcloud 14, NGINX 1.15.5, OpenSSL 1.1.1 and TLS 1.3


This guide is based on the initial Nextcloud installation guide. By following it you will harden your Nextcloud server (AMD64/ARM64) even further with NGINX 1.15.5 and OpenSSL 1.1.1, adding TLS 1.3 to your SSL configuration as simply as follows:


Preparation

sudo -s
cd /usr/local/src
wget http://nginx.org/keys/nginx_signing.key && apt-key add nginx_signing.key
vi /etc/apt/sources.list

Add the following two rows:

UBUNTU:
deb http://nginx.org/packages/mainline/ubuntu/ bionic nginx
deb-src http://nginx.org/packages/mainline/ubuntu/ bionic nginx

DEBIAN:
deb http://nginx.org/packages/mainline/debian/ stretch nginx
deb-src http://nginx.org/packages/mainline/debian/ stretch nginx


OpenSSL

Then update your system repositories and go ahead with the OpenSSL configuration:

apt update
mkdir /usr/local/src/nginx && cd /usr/local/src/nginx/
apt install dpkg-dev -y && apt source nginx
cd /usr/local/src && apt install git -y
git clone https://github.com/openssl/openssl.git
cd openssl && git branch -a

git checkout OpenSSL_1_1_1-stable


NGINX

Now prepare the NGINX build. Open the Debian rules file:

vi /usr/local/src/nginx/nginx-1.15.5/debian/rules

a) add the following configure option in both places where the configure arguments are listed (the regular and the debug build):

--with-openssl=/usr/local/src/openssl

b) change

dh_shlibdeps -a

to

dh_shlibdeps -a --dpkg-shlibdeps-params=--ignore-missing-info

To keep compiler warnings from aborting the build, comment out the -Werror flag in the gcc settings:

vi /usr/local/src/nginx/nginx-1.15.5/auto/cc/gcc
#CFLAGS="$CFLAGS -Werror"

Change your directory back and start compiling NGINX:

cd /usr/local/src/nginx/nginx-1.15.5/
apt build-dep nginx -y && dpkg-buildpackage -b

The following error at the end of the build can be ignored:

“dpkg-buildpackage: error: failed to sign .buildinfo file”

Remove any existing NGINX installations/instances:

apt remove nginx nginx-common nginx-full -y --allow-change-held-packages
cd /usr/local/src/nginx/

Install the newly built NGINX:

dpkg -i nginx_1.15.5*.deb

If the service is masked, unmask it:

systemctl unmask nginx

Start NGINX

service nginx restart

and prevent NGINX from being updated automatically:

apt-mark hold nginx

Issue

nginx -V

and you will see the version and build information for your new NGINX, including the OpenSSL version it was built with.
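A small check script, added here and not part of the original guide, that reads the nginx -V output and confirms the package was really linked against the OpenSSL 1.1.1 tree under /usr/local/src/openssl (the only path it assumes is the one used in this guide):

```shell
#!/bin/sh
# Added example (not from the original guide): confirm that the freshly
# installed nginx package was built against the OpenSSL 1.1.1 checkout
# under /usr/local/src/openssl, not against the distribution's OpenSSL.

# Parse "nginx -V" output given on stdin. Returns 0 only when both the
# OpenSSL version line and the --with-openssl configure flag match.
check_nginx_build() {
    out=$(cat)
    # Expected line: "built with OpenSSL 1.1.1  11 Sep 2018"
    if ! printf '%s\n' "$out" | grep -q '^built with OpenSSL 1\.1\.1'; then
        echo "FAIL: nginx was not built against OpenSSL 1.1.1" >&2
        return 1
    fi
    # The configure arguments must point at the source tree from the guide.
    if ! printf '%s\n' "$out" | grep -q -- '--with-openssl=/usr/local/src/openssl'; then
        echo "FAIL: --with-openssl=/usr/local/src/openssl missing from configure arguments" >&2
        return 1
    fi
    # nginx prints "(running with OpenSSL ...)" when the library it loads at
    # run time differs from the one it was compiled against.
    if printf '%s\n' "$out" | grep -q 'running with OpenSSL'; then
        echo "WARN: runtime OpenSSL differs from build-time OpenSSL" >&2
        return 2
    fi
    echo "OK: nginx built with OpenSSL 1.1.1 from /usr/local/src/openssl"
    return 0
}

# Constructed sample of what "nginx -V" prints after a successful build.
SAMPLE_GOOD='nginx version: nginx/1.15.5
built by gcc 7.3.0 (Ubuntu 7.3.0-27ubuntu1~18.04)
built with OpenSSL 1.1.1  11 Sep 2018
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --with-openssl=/usr/local/src/openssl --with-http_ssl_module --with-http_v2_module'

# Constructed sample of a build that silently used the distribution OpenSSL.
SAMPLE_BAD='nginx version: nginx/1.15.5
built with OpenSSL 1.1.0g  2 Nov 2017
configure arguments: --prefix=/etc/nginx --with-http_ssl_module'

# Run against the installed binary with "./check.sh live" (nginx -V writes
# to stderr, hence the redirect); without arguments only the functions load.
if [ "${1:-}" = "live" ]; then
    nginx -V 2>&1 | check_nginx_build
fi
```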


TLS 1.3

Now open your Nextcloud ssl.conf and enhance this configuration for TLS 1.3 purposes:

vi /etc/nginx/ssl.conf

Change the ssl_protocols to

ssl_protocols TLSv1.2 TLSv1.3;

and add “TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:TLS-AES-128-GCM-SHA256:” to your current ciphers:

ssl_ciphers 'TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:TLS-AES-128-GCM-SHA256:...

More secure but less compatible:

ssl_ciphers 'TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:...

Restart your NGINX

service nginx restart

and test your Nextcloud server for TLS 1.3 using Chrome beta: open “chrome://flags/#tls13-variant” and set TLS 1.3 to “Enabled (final)”.

Open a new tab, press “Ctrl+Shift+I” to open the developer tools, then load your Nextcloud and verify that the session was encrypted using TLS 1.3.

As Mozilla wrote, native TLS 1.3 support is expected for Firefox 63.

Be patient but prepared! Test your environment here: https://dev.ssllabs.com/ssltest/analyze.html
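The same check from the command line, as an added example that is not part of the original guide: it probes which protocol and cipher the server negotiates and, going one step beyond the browser test above, also confirms that the versions removed from ssl_protocols (TLS 1.0 and 1.1) are refused. It assumes the openssl binary in PATH is 1.1.1 (needed for the -tls1_3 option) and takes your Nextcloud host name as its first argument.

```shell
#!/bin/sh
# Added example, not from the original guide. Probes which protocol and
# cipher the server negotiates and whether protocols dropped from
# ssl_protocols are refused. Assumes the "openssl" binary is 1.1.1 (for
# the -tls1_3 option) and takes the Nextcloud host name as $1.

# Read "openssl s_client" output on stdin and print "<protocol> <cipher>"
# of the established session; return 1 when no session was negotiated.
negotiated() {
    awk '
        /^ *Protocol *:/ { proto = $NF }
        /^ *Cipher *:/   { cipher = $NF }
        END {
            # s_client reports Cipher 0000 when the handshake failed
            if (proto == "" || cipher == "" || cipher == "0000") exit 1
            print proto, cipher
        }'
}

# One handshake limited to a single protocol version option (e.g. -tls1_3).
probe() {
    host=$1; opt=$2
    if result=$(printf 'Q\n' | openssl s_client -connect "$host:443" \
                -servername "$host" "$opt" 2>/dev/null | negotiated); then
        echo "$opt accepted: $result"
    else
        echo "$opt refused"
    fi
}

# Constructed sample of the SSL-Session lines after a TLS 1.3 handshake;
# note that OpenSSL spells the TLS 1.3 suites with underscores.
SAMPLE_TLS13='New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384'

# Constructed sample of a refused handshake (TLS 1.1 against this config).
SAMPLE_REFUSED='New, (NONE), Cipher is (NONE)
    Protocol  : TLSv1.1
    Cipher    : 0000'

# Live run: expect -tls1_3 and -tls1_2 accepted, -tls1_1 and -tls1 refused.
if [ -n "${1:-}" ]; then
    for opt in -tls1_3 -tls1_2 -tls1_1 -tls1; do
        probe "$1" "$opt"
    done
fi
```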


Enjoy your personal data in your secured and hardened Nextcloud-Server!

Don’t forget to back up your Nextcloud

Find more instructions here: Nextcloud Backup and Restore



Carsten Rieger


Carsten Rieger is a senior system engineer in full-time and also works as an IT freelancer. He has been working with Linux environments for more than 13 years, is an open source enthusiast and is highly motivated by Linux installation and troubleshooting. He works mostly with Debian/Ubuntu Linux, Nginx and Apache web servers, MariaDB/MySQL/PostgreSQL, PHP, cloud infrastructure (e.g. Nextcloud) and other open source projects (e.g. Roundcube), and has done voluntary work for the Dr. Michael & Angela Jacobi Stiftung for more than 6 years.

7 Responses

  1. Alex says:

    I like your posts! Your help is very appreciated! All the best for you.

    THANKS! THANKS! THANKS! THANKS!

  2. Lars van Ravenzwaaij says:

    Hi Carsten,
    First, many thanks for all of your helpful guides on setting up nextcloud!
    This guide for implementing openssl 1.1.1 is based on your ubuntu-setup. Can it also be used on your debian-setup?

    Thanks

    Lars

  3. isaac says:

    Hi Carsten,

    I tried to compile nginx 1.15.5 with openssl 1.1.1 but added the nginx-cache purge module with it based on your previous guide
    … it successfully compiled, any reason why you did not include anymore with the new tutorial?

    Problem is, upon testing with ssl labs, I get an orange warning of HTTP server test failed due to HTTP forwarded— too many redirection!
    does the nginx cache purge module have anything to do with this?

    thanks very much

    • From time to time I recognized it either on different systems. It is related to Nextcloud’s database. Please double-check it very simply:
      move your current config.php
      mv /var/www/nextcloud/config.php /var/www/nextcloud/config.php.bak
      then re-run the check. The warnings will disappear. Don’t forget to copy the config back
      cp /var/www/nextcloud/config.php.bak /var/www/nextcloud/config.php
      If your Nextcloud DB is still empty/not productive you may also create an empty new Nextcloud db and re-run the check successfully.
      Regarding the ngx_cache_purge module – I do not maintain the previous guide any longer … but feel free to compile nginx containing this module!

  4. isaac says:

    Hi Carsten,
    Thank you for this wonderful guide. Using TLS 1.3 and openssl 1.1.1 seems to reduce the score we get with SSL labs. It weakens the key exchange and cipher strength
    score only to 90%. I just thought you should know and the problem seems to be related to this ….. https://github.com/ssllabs/ssllabs-scan/issues/636

    thanks again
