Date: Fri, 18 Jan 2019 11:04:13 -0600 (CST)
From: Zer0Cool
To: user@guacamole.apache.org
Message-ID: <1547831053477-0.post@n4.nabble.com>
In-Reply-To: <1547592857329-0.post@n4.nabble.com>
References: <1547592857329-0.post@n4.nabble.com>
Subject: Re: SSL

The directions given for setting up SSL are a good start but use a self-signed cert instead of a valid cert from, say, LetsEncrypt. The suggested guacamole_ssl.conf configuration is also far from secure for many reasons.

1. First, you're using TLS 1.0 and TLS 1.1. Unless needed for very legacy clients and connections you should stick with TLS 1.2 and up.
2. Your cipher list has some insecure ciphers in it from what I can tell.
3. There are many other steps you can use to tighten down security in Nginx like OCSP Stapling, forward secrecy, etc.

I would highly recommend checking out:

- Mozilla's SSL Configuration Generator at: https://mozilla.github.io/server-side-tls/ssl-config-generator/
- This config generator at: https://nginxconfig.io/
- This example of a secure config at: https://cipherli.st/

I found that using parts from each gave me the best results. For the parameters I didn't understand or could not deduce what they did, I checked the Nginx documentation, which pretty clearly details what each parameter does.

You can use a site like https://www.ssllabs.com/ssltest/ and https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide to test your configuration and ensure it meets your security requirements.

You did not mention what OS you are using. If it's RHEL/CentOS, I have written an install script that is capable of setting everything up from scratch for Guacamole, including SSL using either a self-signed cert or one from LetsEncrypt (with automatic renewal), and many other features. If you're interested, I have posted it on GitHub at: https://github.com/Zer0CoolX/guacamole-install-rhel. If you decide to use the script be aware that it's intended to run from a clean install and should be tested before trying to use it in production.

I use my script at work; actually, I just set up a new Guac server today. It scores an A+ with 100% on all 4 categories on the SSL Labs test using a cert from LetsEncrypt. I scheduled 4 hours to go from nothing to a fully set up and configured Guacamole server. Using my script I was done, including creating the connections and assigning permissions manually, in about 1 hour :)

--
Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/
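Added example, not from the reply above, the poster's install script, or the Guacamole project: an nginx server block that shows the weak settings the reply objects to (commented out) beside a hardened version covering its three points (TLS 1.2+ only, a forward-secret AEAD-only cipher list, OCSP stapling). Everything host-specific is assumed: Guacamole's Tomcat listening on 127.0.0.1:8080, a Let's Encrypt certificate under /etc/letsencrypt/live/guac.example.com/, a local DNS resolver at 127.0.0.1, and an nginx built against OpenSSL 1.1.1 or later (drop the TLSv1.3 token on older builds).

```nginx
# Added example. Not the reply's, the script's, or Guacamole's own config.
# Assumed: Guacamole/Tomcat on 127.0.0.1:8080, Let's Encrypt cert for
# guac.example.com, local resolver on 127.0.0.1, nginx with OpenSSL >= 1.1.1.

# --- Weak settings of the kind the reply warns about (kept for contrast, do not use) ---
# ssl_protocols TLSv1 TLSv1.1 TLSv1.2;             # TLS 1.0/1.1 still offered
# ssl_ciphers HIGH:!aNULL:!MD5;                    # broad alias: admits static-RSA key exchange
#                                                  # (no forward secrecy) and CBC suites
# ssl_certificate /etc/nginx/ssl/self-signed.crt;  # browser warnings train users to click through

# --- Hardened configuration ---
server {
    listen 80;
    server_name guac.example.com;
    return 301 https://$host$request_uri;   # never serve the login page over plain HTTP
}

server {
    listen 443 ssl http2;
    server_name guac.example.com;

    ssl_certificate     /etc/letsencrypt/live/guac.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/guac.example.com/privkey.pem;

    # Point 1: TLS 1.2 and up only.
    ssl_protocols TLSv1.2 TLSv1.3;

    # Point 2: ECDHE-only suites (forward secrecy), AEAD only (no CBC, no RC4/3DES/MD5).
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;   # every listed suite is acceptable; let the client pick the fastest
    ssl_ecdh_curve X25519:prime256v1:secp384r1;

    # Session resumption via server-side cache rather than long-lived ticket keys.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # Point 3: OCSP stapling. nginx fetches and caches the OCSP response so the
    # client's browser never has to contact the CA itself.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/guac.example.com/chain.pem;
    resolver 127.0.0.1 valid=300s;   # assumed local resolver; stapling needs DNS for the OCSP URL
    resolver_timeout 5s;

    # HSTS: enable only after confirming the site works over HTTPS.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location /guacamole/ {
        proxy_pass http://127.0.0.1:8080/guacamole/;
        proxy_buffering off;            # Guacamole streams over a long-lived tunnel/WebSocket
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        access_log off;
    }
}
```

Check the syntax with `nginx -t` before reloading, then confirm the downgrade is actually closed from another host: `openssl s_client -connect guac.example.com:443 -tls1_1 </dev/null` must fail the handshake, while `-tls1_2` succeeds and `openssl s_client -connect guac.example.com:443 -status </dev/null` shows an "OCSP Response Status: successful" block if stapling is working. The SSL Labs test the reply links is the final check; if OCSP stapling shows as "No" there, it is usually the missing `resolver` line.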