Nginx optimize SSL Test Grade

September 24th, 2016 by admin | Permalink

There is plenty articles on this topic.

It is basically limiting the accepted ciphers for the encryption and kicking out old broken encryption algorithms.

My configuration for Nginx looks something like this.

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
add_header Strict-Transport-Security "max-age=0; includeSubdomains";

Add this to your specific host configuration in the server {} part for port 443.

For Apache I am using something like this

SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on

Check your result using SSL Test.

WordPress, redirect all traffic from http to https Nginx and Apache

September 24th, 2016 by admin | Permalink

To redirect all traffic that goes to a http site to your https site, you have to work with redirect.

If you are using Apache as your webserver, just edit the .htaccess file in your document root.
Be sure mod_rewrite is enabled in your setup.

Then, just simply add the following lines

RewriteCond %{HTTP_HOST} !^www\.YOURWEBSITE\.com$ [NC]
RewriteRule ^(.*)$$1 [R=301,L]

For Nginx this needs a little bit more of effort.
Add the following lines into the the server {} configuration for your port 80 webserver within the virtual server configuration. Usually be found in /etc/nginx/site-available/.

location / {
return 301$request_uri;
try_files $uri $uri/ /index.php?$args;

For exception management, have a look at exceptions for redirects

Nginx adding http2 support to improve speed

September 24th, 2016 by admin | Permalink

Since version 1.9.5 Nginx support http2, which is a major improvement in comparison to http 1.1.

One of the major differences is https by default. If you haven’t enabled your website for https, then I ask you to read thru my short summary on Letsencrypt and how to set it up.

The second thing is an improvement in regards to overall data transfer. http 1.1 was design at a time in which bandwidth was still a problem. Therefor the RFC set a limit of simultanoius connections as written in RFC 2086.

Clients that use persistent connections SHOULD limit the number of simultaneous connections that they maintain to a given server. A single-user client SHOULD NOT maintain more than 2 connections with any server or proxy. A proxy SHOULD use up to 2*N connections to another server or proxy, where N is the number of simultaneously active users. These guidelines are intended to improve HTTP response times and avoid congestion.

Means, that the amounts of files that could be loaded from a single host is limited. With http2 this limit falls and websites load way faster then before.

Nginx has a manual to install http2 which I literally don’t want to copy & paste here.
Read yourself and make the internet faster!

Once you’re done, check if your site really supports http2 by using the http/2 and spdy indicator plugin in Chrome.

Improve WordPress ranking by adding https

September 24th, 2016 by admin | Permalink

One step to improve the overall security in the internet is the usage of https.
https makes sense for every site, not only banks, insurances and online shops.
It is not only making the communication between you and your user secure, it also could improve your Google ranking.

The simplest way to do this is Letsencrypt. Letsencrypt is free of charge and super simple to use.
It comes with a simple bash script that you can execute and it will take care of all the configuration necessary to encrypt your side successfully.

Go to Certbot choose your setup and follow exactly the steps shown underneath.

In my case this was:


This takes a maximum of 10 minutes and you have a secure connection.

Be aware that your certificate needs renewal every three months, but this only takes a couple of seconds.
I added that to my update script, that I am running frequently to cover for this. I will probably post this pretty soon too.

If you like it, please consider donating to Letsencrypt. Even small amounts like $5 can help to keep this project alive. The cheapest alternative certificate I know costs $25 per year.

And just to mention it, for around $60 yearly you can sign up to StartCom and generate as many certificates as you like.

Once done have a look at the SSL Test to check if your site is fully encrypted and gets a good grade.

SSL Test A Grade

If you are getting everything but an A, consider optimizing this as well. Have a look at this blog post for SSL optimization.

Also another step is to redirect all your traffic from http to https, so you are 100% sure to serve only secure content. Have a look at my post to achieve forwarding traffic from http to https.

Pimping a wordpress for high-performance and against DDoS attacks – series

September 24th, 2016 by admin | Permalink

For quite a while, I am supporting the finance blog of a friend of mine. He started this as a small blog project (it is still a blog) and quickly got a lot of traffic.

The initial setup was a hosted website with a provider including PHP and MySQL.
Quickly there was too much traffic and the site became really really slow. On top, the possibilities in this environment are limited.

Next step – own server. So we booked him a machine at Hetzner, a German ISP with quite good conditions. I put VMWare in place and virtualizied the entire thing.
As time goes, the machine became old and had to be replaced. So we decided for a new machine and to install everything bare metal (no VMs).
The current machine holds a Skylark Quad-Core processor, 64 GB of RAM, SATA HDD and a lot of more cool things.

So a fairly decent setup.

Recently the site was attacked using several different technics.

This series is about the steps we took to keep the site alive and also gain speed, performance, reduce load and file sizes.

The result of this series should be a WordPress installation on steroids.

You will use and run:

– Nginx
https / SSL encryption
– Caching for WordPress
– Optimized compression for images and files
– Fail2Ban to avoid to many requests from one source
– Optimized caching on client side
Faster page loads
– Lazyload for images
– and many things more

Nginx, don’t redirect to https for specific site / url

September 24th, 2016 by admin | Permalink

After you have read my article on redirecting all traffic to https, you discovered that some content is not appearing correctly anymore.

For the finance blog I am supporting, this is the case for some pages like “10 goldene Regeln für binaere Optionen” were http content is embedded. In this case it is an external javascript (unfortunately, you should try to avoid this whenever possible) that could not be served using https.

So, we needed an exception to do this.

In your server {} configuration for port 80 (non-ssl) add this:

location ^~ /10-goldene-regeln-fur-den-handel-mit-binaren-optionen {
try_files $uri $uri/ /index.php?$args;

In the configuration for port 443 (ssl / https) add this:

location /10-goldene-regeln-fur-den-handel-mit-binaren-optionen {
return 301 http://$server_name$request_uri;
try_files $uri $uri/ /index.php?$args;

Of course you need to adjust that for your needs. This overrides the configuration for the redirect all, for an exception with the URL “/10-goldene-regeln-fur-den-handel-mit-binaren-optionen”

HTST – Strict Transport Security

May 1st, 2016 by admin | Permalink

I recently stumbled across a pretty cool, but also painful if you don’t know it, functionality within the HTTP/S protocol.

It is called HTST or HTTP Strict Transport Security. Basically it tells the browser over a header to request everything from this server only via HTTPS instead of HTTP.
The first request will set something like a cookie, but it is, depending on the browser, not a regular cookie. For example Safari stores this information in a file called HTST.plist.

The header sets a lifetime like for a cookie.

In my specific case, I had an entire server redirected to https by a rewrite rule, but one specific URL redirected to http. HTST avoided that drastically and it took me a few hours and some external help to figure this out.

Details about my case can be found here.

What’s the state on IPv6 – 2016 Edition

April 9th, 2016 by admin | Permalink

Nearly three years ago, I tested a list of popular website for there IPv6 support. Back then the adoption was shockingly small.

ARIN recently ran out of IPv4 addresses and now has a waiting list for new address spaces. This makes the situation even more dramatic.

Time to run my test again.

Only 8 websites that didn’t support IPv6 three years ago now support it.

Consolidating / merge several DNS zone files into one server

March 5th, 2016 by admin | Permalink

I recently worked on a datacenter move including migration of internal and external DNS servers.

the old datacenter had a history of around 20 years.
Unfortunately back in the days it was decided to use the same domain for internal and external records, but split it so that there is two zone files. One holding internal, the other one public records. Each zone file had around 1800 single records. A total mess!

We decided to move for DNS to AWS Route53, so a merge was necessary.

During that journey I found two really helpful tools.

One is dns_compare which helps you checking a zone file against a DNS server. E.g. internal file against external server.

The second tool is cli53, which is literally a command line tool that lets you manipulate and import/export DNS records into Route53.

Unfortunately the import within the AWS interface is only available for the initial import and only supports a maximum of 1000 records. cli53 helps with this as well.

Apple Mail set S/Mime as default before GPGTools

July 30th, 2015 by admin | Permalink

This is fairly simple. Open a Terminal type:

defaults write org.gpgtools.gpgmail DefaultSecurityMethod -int 2

Close Mail, open it again and you are set.

No matter what you prefer either GPG/PGP encryption over S/MIME – it is always a good thing to encrypt your email.
Setting up S/Mime on a Mac is simpler then you think.

Go for example to Comodo, get a free certificate by filling out the simple form (name + email), wait for the email, click on the link, download the certificate, double click, restart Mail – DONE!

%d bloggers like this: