HOWTO setup a very secure webserver

When getting started with Linux and open source software, running websites was one of the first things I learned how to do. Of course with the way software evolves, I’m still learning new ways to better secure, encrypt and protect web assests. Recently I wanted to build a new project and decided I wanted to use OpenBSD, arguably the most secure operating system out of the box. While years ago I switched to FreeBSD for web and mailserver handling, OpenBSD is just more stringent about how it presents things. There’s more to learn, sure, but that’s all part of the fun. Now, if you look around at normal VPS options like DigitalOcean and Linode won’t allow you to run OpenBSD, but with Vultr (affilate link) you can use any ISO you can point to. They have a $5/month option, but they give you 768M RAM versus the 512M that you get from most other VPS providers for that price. With that decided I ran through the install using their console and was up and running in no time. Now for the fun part, let’s ssh to the server and setup a very setup a secure webserver!

HOWTO build nginx with HTTP 2 support

UPDATE 02-29-2016 a reader had issues getting this working, and after reproducing his issue I found that the ssl_cipers HIGH:!aNULL:!MD5; no longer works. Apparently sometime after I wrote this, the HTTP/2 specs were updated, and browsers followed suit. This blog post tells us, “According to the HTTP/2 specification, over TLS 1.2 HTTP/2 SHOULD NOT use any of the cipher suites that are listed in the cipher suite black list, found here” So now, we have to call out another cipher before the blacklisted ones ssl_ciphers AESGCM:HIGH:!aNULL:!MD5 Thanks for the note Elias!

Last week nginx relased mainline version 1.9.5 which features experimental HTTP/2 module. According to the Internet Engineering Task ForceHTTP/2 enables a more efficient use of network resources and a reduced perception of latency by introducing header field compression and allowing multiple concurrent exchanges on the same connection. It also introduces unsolicited push of representations from servers to clients. This specification is an alternative to, but does not obsolete, the HTTP/1.1 message syntax. HTTP’s existing semantics remain unchanged.” You can get an idea of how HTTP/2 is better and faster on this demo page which shows the multiple connections making a significant difference.

TL;DR it’s faster, backwards compatible and the new hotness (obviously).