Key pinning / Nginx reverse proxy

Dear all,

A few weeks ago I installed the Nginx/Apache2 pair.

Nginx: front end - reverse proxy
Apache2: Back end - web server

Things are working smoothly … but I am a bit lost concerning the
key pinning config.

When testing my SSL config through the web site
SSL Server Test (Powered by Qualys SSL Labs), I get an A+ with HSTS on. But I am not
able to validate the key pinning.

I have been going around in circles for 4 days now … Where should I put it? I have tried:

On Nginx:

  • nginx.conf
  • conf.d/*.conf

On Apache2

  • VirtualHost
  • apache2.conf

Thx


Cordialement,
Thierry e-mail : [email protected]
PGP Key: 0xB7E3B9CD

Thierry:

Nginx: front end - reverse proxy
Apache2: Back end - web server

HPKP is a header served to the client in response to an HTTPS request.
I would add the Public-Key-Pins header on the instance terminating the HTTPS
request.

Without a reverse proxy I have this in /etc/nginx/sites-enabled/example.org:

server {
    listen *:443 ssl http2;
    server_name example.org;
    ssl_certificate /etc/ssl/example.org/cert+intermediate.pem;
    ssl_certificate_key /etc/ssl/example.org/key.pem;
    ssl_stapling_file /etc/ssl/example.org/ocsp.response;
    # single outer quotes so the pin-sha256 values can keep their double quotes
    add_header Public-Key-Pins 'max-age=42424242; pin-sha256="…pin1…"; pin-sha256="…pin2…"';
}

Andreas

Dear Andreas,

Thx for your help, but I still do have the same problem.

Public Key Pinning (HPKP) No

I don’t know what to do anymore …

Thierry

On Saturday, 20 February 2016 13:10:16, you wrote:


On Sun, Feb 21, 2016 at 10:22:31AM +0200, Thierry wrote:

Hi there,

Thx for your help, but I still do have the same problem.

Public Key Pinning (HPKP) No

I don’t know what to do anymore …

curl -I https://your-server/your-test-url

Every line in that response comes from your nginx config (possibly
including defaults) or your back-end config (passed through).

Do you see a “Public-Key-Pins:” line?

If so, does it have the content that you expect?

If not, what part of your nginx config processed the request; and does
that part have the add_header directive that you want?

If this is a public web server without any special authentications,
then the curl response contains no secrets.

f

Francis D. [email protected]

Dear sir,

After I executed the curl command, it seems that I get an answer
from my Apache2 back end server (apache2.conf).
Yes, I do see the “Public-Key-Pins:” line… And yes, I do have the
content that I expect.

Public-Key-Pins:
pin-sha256=“DZNsRcNIolhfdouihfazormhrfozef=”;pin-sha256=“633ltusrlsqhoagfdgfo79xMD9r9Q=”;
max-age=2592000; includeSubDomains

But is it really the output of Apache2? There is a syntax difference
between Nginx and Apache2:

Nginx: pin-sha256=“DZNsRcNIoiVdK8Img794j8/XGf4+6sDLFjADPWWOddw=”;
Apache2: pin-sha256="DZNsRcNIoirupeqrhfjpzehfrhfaefhpazf=";

When the curl command returns the result, I can see that there is
no "" … Is that normal?

If yes, why doesn’t “ssllabs.com/ssltest” see anything concerning
the HPKP?

Thx

On Sunday, 21 February 2016 10:37:33, you wrote:


On Sun, Feb 21, 2016 at 11:23:02AM +0200, Thierry wrote:

Hi there,

After I executed the curl command, it seems that I get an answer
from my Apache2 back end server (apache2.conf).
Yes, I do see the “Public-Key-Pins:” line… And yes, I do have the
content that I expect.

That’s good.

How do you know what content to expect?

Public-Key-Pins:
pin-sha256=“DZNsRcNIolhfdouihfazormhrfozef=”;pin-sha256=“633ltusrlsqhoagfdgfo79xMD9r9Q=”;
max-age=2592000; includeSubDomains

What is the actual sha256 of the certificate that the browser receives?
Is it one of the two above?

The details are in RFC7469.

RFC 7469 - Public Key Pinning Extension for HTTP gives an example of how
you might find it.

But is it really the output of Apache2? There is a syntax difference
between Nginx and Apache2:

Should it be the output of Apache2?

Your browser is speaking https to nginx. It should only see the pinning
information from nginx. The browser never sees the Apache certificate,
and so should not see anything related to it.

Nginx: pin-sha256=“DZNsRcNIoiVdK8Img794j8/XGf4+6sDLFjADPWWOddw=”;
Apache2: pin-sha256="DZNsRcNIoirupeqrhfjpzehfrhfaefhpazf=";

I suspect that only one of those is valid in the response header.

RFC 7469 - Public Key Pinning Extension for HTTP suggests that the
backslashes are unnecessary.

(Note that neither of those sha256 values match the ones in the response
header. What is actually written in your nginx.conf, and what is the
actual response you get from curl? If they are different, you have more
investigating to do.)

When the curl command returns the result, I can see that there is
no "" … Is that normal?

I think “yes”.

If yes, why doesn’t “ssllabs.com/ssltest” see anything concerning
the HPKP?

Is there any documentation on the ssllabs.com site about what they
are testing?

Can you see, does “HPKP: No” distinguish between:

  • no Public-Key-Pins header returned
  • Public-Key-Pins header found, but with invalid formatting
  • valid Public-Key-Pins header found, but without the sha256 of the
    current certificate

Good luck with it,

f

Francis D. [email protected]
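An added example, not code from anyone in this thread: given the response headers curl shows and the DER SubjectPublicKeyInfo of the certificate nginx actually serves, it sorts the response into the three cases Francis lists (header missing, header malformed, header valid but no pin matches the served key), computing the pin as RFC 7469 does. It assumes you have already extracted the SPKI bytes from the served certificate; the header and SPKI values below are constructed.

```python
import base64
import hashlib
import re

# RFC 7469 pin value: base64(SHA-256(DER-encoded SubjectPublicKeyInfo)).
def spki_pin(spki_der: bytes) -> str:
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")

PIN_RE = re.compile(r'pin-sha256="([^"]*)"')
MAX_AGE_RE = re.compile(r"max-age=(\d+)")

def parse_pins(header_value: str):
    """Return (pins, max_age) or None when the header is malformed:
    no pin-sha256 directive, a pin that is not base64 of exactly 32 bytes,
    or a missing max-age directive."""
    pins = PIN_RE.findall(header_value)
    if not pins:
        return None
    for pin in pins:
        try:
            raw = base64.b64decode(pin, validate=True)  # raises binascii.Error (a ValueError)
        except ValueError:
            return None
        if len(raw) != 32:
            return None
    max_age = MAX_AGE_RE.search(header_value)
    if max_age is None:
        return None
    return pins, int(max_age.group(1))

def classify_hpkp(headers: dict, served_spki_der: bytes) -> str:
    """Classify a response: 'missing', 'invalid', 'no-match' or 'ok'.
    'no-match' is a well-formed header none of whose pins is the SPKI
    hash of the certificate the client actually received."""
    value = next((v for k, v in headers.items() if k.lower() == "public-key-pins"), None)
    if value is None:
        return "missing"
    parsed = parse_pins(value)
    if parsed is None:
        return "invalid"
    pins, _ = parsed
    return "ok" if spki_pin(served_spki_der) in pins else "no-match"

if __name__ == "__main__":
    # Constructed sample: a header pinning the served key plus a backup key.
    served, backup = b"constructed-served-spki", b"constructed-backup-spki"
    hdr = {"Public-Key-Pins": 'pin-sha256="%s"; pin-sha256="%s"; max-age=2592000; includeSubDomains'
           % (spki_pin(served), spki_pin(backup))}
    print(classify_hpkp(hdr, served), classify_hpkp(hdr, b"some-other-key"))
```

To obtain the SPKI bytes for a real certificate, RFC 7469 shows the openssl pipeline (`openssl x509 -pubkey -noout` piped into `openssl pkey -pubin -outform der`); feed that DER output to `classify_hpkp` together with the headers from `curl -I`.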