Securing NGINX From The Logjam Attack on CentOS

Published on: Tue, Jul 7, 2015 at 11:54 pm EST
CentOS Security Web Servers

Well, there's another SSL vulnerability out in the wild. Technically it isn't really a vulnerability; it's just a "hole" inside of the protocol that we rely on during the deprecation of SSL3 and the phasing out of SSL2.

Unfortunately, most modern web-servers are vulnerable to this attack because the protocol affected is widely used.

In this guide, I'll be covering what to do to secure your server on CentOS 6 and 7.

How to secure your server

There are two ways to secure your server. In this tutorial, I will only be covering the first option.

  1. Generate a unique key group.
  2. Disable SSL export keys.

What you'll need to do

Check whether or not your server is vulnerable by using the Qualys SSL checker. If your server is vulnerable, there will be a message at the top of the page.

Once you've confirmed that your server is vulnerable, change to your NGINX configuration directory and create a directory for the key group.

cd /etc/nginx/
mkdir keygroup
cd keygroup

Run the following command to generate a key group.

openssl dhparam -out dhsecure.pem 2048

Add the new key group to your NGINX configuration.

cd /etc/nginx/
vi .conf

Next, add the ssl_dhparam ... line shown below inside every SSL server block. Update all of your SSL server blocks accordingly.

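server {
    listen 443 ssl;
    ...
    # Place this at server (or http) level; NGINX does not accept ssl_dhparam inside a location block.
    ssl_dhparam /etc/nginx/keygroup/dhsecure.pem;
    ...
    location / {
        ...
    }
}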

Save and exit the configuration file, then reload NGINX.

service nginx reload

Test your server again with the SSL checker. Your server will no longer be vulnerable to the attack.
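
To confirm that every SSL server block was updated, the following added example (not part of the original article) lists each server block in a config file that listens with ssl but has no ssl_dhparam at server level. The function name audit_dhparam and the sample config are constructed for illustration; it assumes one directive per line and audits each file on its own.

```sh
# Added example: report each SSL server block in an NGINX config file that has
# no ssl_dhparam at server level. Assumes one directive per line, "server {" on
# one line, and a file audited alone (includes are not followed).
audit_dhparam() {
    # $1 = config file. Prints "file:line" per offending block; returns 1 if any.
    awk -v file="$1" '
    { sub(/#.*/, "") }                                # ignore comments
    {
        if (in_srv && depth == srv_depth) {           # directive directly in server
            if ($0 ~ /^[ \t]*listen[ \t][^;]*[ \t]ssl([ \t;]|$)/) has_ssl = 1
            if ($0 ~ /^[ \t]*ssl_dhparam[ \t]/) has_dh = 1
        } else if (!in_srv && $0 ~ /^[ \t]*ssl_dhparam[ \t]/) {
            inherited = 1                             # set at http level
        }
        if (!in_srv && $0 ~ /^[ \t]*server[ \t]*[{]/) {
            in_srv = 1; start = NR; srv_depth = depth + 1; has_ssl = 0; has_dh = 0
        }
        line = $0
        depth += gsub(/[{]/, "", line) - gsub(/[}]/, "", line)
        if (in_srv && depth < srv_depth) {            # server block just closed
            if (has_ssl && !has_dh) bad[++n] = start
            in_srv = 0
        }
    }
    END {
        if (inherited) n = 0                          # http-level value covers all
        for (i = 1; i <= n; i++) print file ":" bad[i]
        exit (n > 0)
    }
    ' "$1"
}

# Constructed sample: the first block is fixed, the second only has the
# directive inside a location block, where it does not count.
sample=$(mktemp)
cat > "$sample" <<'EOF'
server {
    listen 443 ssl;
    ssl_dhparam /etc/nginx/keygroup/dhsecure.pem;
}
server {
    listen 443 ssl;
    location / {
        ssl_dhparam /etc/nginx/keygroup/dhsecure.pem;
    }
}
EOF
audit_dhparam "$sample" || echo "add ssl_dhparam to the server blocks listed above"
rm -f "$sample"
```

Run it against each file that holds SSL server blocks before reloading; a non-zero return means at least one block still needs the directive.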
