
And the nginx ssl config is improperly configured, which would give an F under SSL Labs' tests.



Anyone configuring SSL on a web server should simply look at this: https://wiki.mozilla.org/Security/Server_Side_TLS

Mozilla has great recommendations in three categories (depending on what browsers you have to support). The intermediate recommendation will do for almost everyone. Combined with HSTS and a well-configured certificate it'll score you an easy A+ [1] on SSL Labs.

[1] https://www.ssllabs.com/ssltest/analyze.html?d=www.wieni.be
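As an added illustration of what the comment above describes (this is not a config from the thread, the linked article, or Mozilla's wiki verbatim): one nginx server block written to the Mozilla intermediate profile plus HSTS, with each directive annotated with the weaker setting it replaces. The hostname, file paths and resolver are placeholders; the cipher list and the 63072000-second HSTS max-age are reproduced from memory of the intermediate profile and should be checked against the wiki page, since the profiles are revised over time. Intermediate drops TLS 1.0/1.1, which is exactly what cuts off the IE-on-XP and Android 2.3 clients mentioned further down; the "old" profile on the same page exists for sites that still need them.

```nginx
# Added example, not from the thread or the article. Placeholders: example.test,
# the /etc/ssl paths and the resolver address. Verify the cipher list and
# HSTS value against https://wiki.mozilla.org/Security/Server_Side_TLS.

server {
    listen 443 ssl;
    server_name example.test;                                  # placeholder hostname

    # Serve the full chain (leaf + intermediates); a missing intermediate is a
    # common reason a certificate that is otherwise fine gets marked down.
    ssl_certificate     /etc/ssl/example.test/fullchain.pem;   # placeholder path
    ssl_certificate_key /etc/ssl/example.test/privkey.pem;     # placeholder path

    # Weak form: "ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;"
    # SSLv3 alone is enough for an F on SSL Labs (POODLE). TLS 1.0/1.1 are what
    # the Mozilla "old" profile keeps for legacy clients; intermediate drops them.
    # TLSv1.3 needs nginx 1.13.0+ built against OpenSSL 1.1.1+; omit it otherwise.
    ssl_protocols TLSv1.2 TLSv1.3;

    # Weak form: "ssl_ciphers RC4-SHA:AES128-SHA:DES-CBC3-SHA;" (RC4, 3DES,
    # static RSA key exchange, no forward secrecy).
    # Intermediate profile (assumed current): AEAD suites with (EC)DHE only,
    # so every negotiated suite provides forward secrecy.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;

    # With a list this clean, letting the client pick (e.g. ChaCha20 on phones
    # without AES hardware) costs nothing; older guides said "on".
    ssl_prefer_server_ciphers off;

    # The DHE-RSA suites above use this group; anything under 2048 bits is
    # reported as weak DH. Generate with: openssl dhparam -out dhparam.pem 2048
    ssl_dhparam /etc/ssl/dhparam.pem;                          # placeholder path

    # Session resumption via the server-side cache. Tickets are off because a
    # long-lived ticket key undermines the forward secrecy the suites provide.
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    # OCSP stapling: the client gets a fresh revocation status in the handshake
    # instead of contacting the CA. ssl_trusted_certificate is the chain nginx
    # uses to verify the staple; resolver is needed to reach the OCSP responder.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/ssl/example.test/chain.pem;   # placeholder path
    resolver 127.0.0.1;                                        # placeholder resolver

    # HSTS is the part of the A+ that protocol/cipher settings alone do not give.
    # "always" also sends it on error responses (nginx 1.7.5+). Test with a short
    # max-age first: once browsers have cached a long value it is hard to undo.
    add_header Strict-Transport-Security "max-age=63072000" always;
}

# The plain-HTTP listener only redirects; HSTS is only honoured over HTTPS.
server {
    listen 80;
    server_name example.test;                                  # placeholder hostname
    return 301 https://$host$request_uri;
}
```

After reloading, `nginx -t` catches directive errors, and rerunning the SSL Labs test shows which of the three ingredients (protocols/ciphers, certificate chain, HSTS) is still holding the grade down.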


Since when does some random website on the internet dictate "proper" configuration of TLS?

Hint: "A+" will make sure a lot of old clients which do not support fancy new encryption schemes will not get your content. If you don't care about that, it's fine, but do not call that "improper". It simply isn't.


With the Mozilla Intermediate configuration you lose clients that use IE on Windows XP and Android 2.3. We mostly target a Belgian audience, where those users pretty much don't exist anymore.

And still, we don't even target those browsers with our development anymore. Early this year we decided that supporting anything older than IE11 / latest Chrome / Firefox ESR / latest Safari just isn't worth it, so we don't do that anymore either.


That's subjective at that point; I'd personally regard running an insecure configuration for supposedly secure connections as improper.


Well, the presented Nginx config wasn't complete; it was minimalistic on purpose, just to show the idea.

HAProxy, though, was complete (and that was the focus of the article), and with that set-up we have an A+ on ssllabs.com.



