
Nginx Configuration

Zer0CoolX edited this page Nov 16, 2018 · 12 revisions

The Apache Guacamole install script can currently configure Nginx in one of two ways: a "basic" setup or a more security-focused setup. The install menu prompts for this by asking "Use a more secure Nginx SSL configuration? (default no)". If "yes" is selected, an additional menu asks whether to also use Forward Secrecy/DHE. If so, a further menu asks for the key strength to use for the DHE file (dhparam.pem).

Both options, by default, force/redirect HTTPS on all connections. If this is not desirable, you would need to either edit the nginxinstall function in the Guacamole install script or alter the /etc/nginx/conf.d/guacamole.conf and/or /etc/nginx/conf.d/guacamole_ssl.conf files after the script completes, then restart the Nginx service after making changes.

These conf files have a few interesting portions to them that I want to lay out here. In its default form, guacamole.conf is basically configured to redirect HTTP requests to HTTPS, thus using the guacamole_ssl.conf configuration.

The base SSL config is set to use TLSv1.3 and TLSv1.2 only, as set by the ssl_protocols parameter. The certificate and key parameters point either to symlinks created by the script that point to the LetsEncrypt-generated files, or directly to the self-signed certs.

The base Nginx config sets ssl_ciphers to HIGH:!aNULL:!MD5 (the Nginx default), which is pretty lax and not very secure. In contrast, selecting the more secure option will set this to:

'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';

This list should be very secure; it comes from the Mozilla SSL Configuration Tool with Nginx selected, the Modern profile, the proper versions set, and HSTS checked.

There are additional parameters, some also derived from the aforementioned tool, that improve security as well. To get a better idea of what these parameters do, I recommend reading the Nginx documentation and doing some research on the matter.
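As an added illustration (not the files the script actually writes), here is how the two menu choices map onto the directives in guacamole.conf and guacamole_ssl.conf; the hostname, certificate paths, dhparam location and the backend address are assumptions for the example:

```nginx
# guacamole.conf: redirect every plain-HTTP request to HTTPS (both script options do this)
server {
    listen 80;
    server_name guac.example.com;            # assumed hostname
    return 301 https://$host$request_uri;
}

# guacamole_ssl.conf: TLS-terminating front end for Guacamole
server {
    listen 443 ssl http2;
    server_name guac.example.com;            # assumed hostname

    # Assumed paths: the script points these at symlinks to the LetsEncrypt
    # files or directly at the self-signed certificate and key.
    ssl_certificate     /etc/nginx/ssl/guacamole.crt;
    ssl_certificate_key /etc/nginx/ssl/guacamole.key;

    # Only TLS 1.2 and 1.3, as on the page. Note that with OpenSSL the
    # ssl_ciphers list below governs TLS 1.2 suites only; TLS 1.3 suites are fixed.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    # "Basic" option: Nginx's default list. HIGH still admits CBC suites and
    # plain-RSA key exchange (no forward secrecy), which is why it rates poorly.
    # ssl_ciphers HIGH:!aNULL:!MD5;

    # "More secure" option: the Mozilla Modern list quoted on this page.
    # Every suite is ECDHE, so each session key is forward secret.
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';

    # DHE option: parameters generated at the key strength chosen in the menu,
    # e.g. openssl dhparam -out /etc/nginx/dhparam.pem 2048   (assumed path)
    ssl_dhparam /etc/nginx/dhparam.pem;

    # HSTS, selected in the Mozilla tool. Use a short max-age until certificate
    # renewal is known to work, because browsers will refuse plain HTTP once set.
    add_header Strict-Transport-Security "max-age=63072000" always;

    location / {
        # Assumed backend: guacamole-client running in Tomcat on the same host.
        proxy_pass http://127.0.0.1:8080/guacamole/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;      # Guacamole uses WebSocket
        proxy_set_header Connection $http_connection;
        proxy_buffering off;
    }
}
```

After editing either file, run `nginx -t` before restarting the service so a syntax error cannot take the listener down.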

I recommend selecting the more secure configuration (especially for production use) and also the DHE option. I used the Qualys SSL Labs SSL Server Test site to test my configuration and scored an A+ overall rating, with scores of: Certificate = 100, Protocol Support = 100, Key Exchange = 90 (using a 2048 bit LetsEncrypt cert not generated by myself or this script) and Cipher Strength = 90. Individual results may vary based on the options selected and their specific configurations. I make no guarantee on safety/security and highly recommend reviewing and auditing your own setup to ensure it meets your security standards.
