Mattermost Nginx HTTP to HTTPS Redirect
Hardening an SSL setup involves more than installing a certificate: redirecting plain HTTP, adding security headers and choosing strong protocol and cipher settings all strengthen the overall security posture. Below are the key steps and configurations for hardening SSL with security headers in an NGINX server environment, particularly when Mattermost is the application behind NGINX.
Redirect HTTP to HTTPS
To ensure all traffic uses SSL, redirect HTTP requests to HTTPS. This can be achieved with the following server block in your NGINX configuration:
server {
    listen 80;
    server_name mattermost.example.com;
    return 301 https://$server_name$request_uri;
}
Security Headers
Implement the following security headers in your NGINX configuration to enhance security:
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Content-Type-Options nosniff always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Frame-Options SAMEORIGIN always;
add_header Referrer-Policy no-referrer-when-downgrade always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline';" always;
SSL Configuration
For SSL configurations, use strong ciphers and enable features like OCSP Stapling for improved performance and security:
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
ssl_stapling on;
ssl_stapling_verify on;
HTTP/2 Support
Enable HTTP/2 to improve performance. Because HTTP/2 requires a secure connection, add it to the SSL listener:
listen 443 ssl http2;
OCSP Stapling
OCSP Stapling reduces SSL handshake time by having NGINX fetch and cache the certificate's revocation status and send it to clients during the handshake, so clients do not have to contact the CA's OCSP responder themselves. Include the following in your SSL server block (the resolver is needed for NGINX to reach the OCSP responder):
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
Testing Your Configuration
After making changes, test your NGINX configuration for syntax errors with nginx -t and then reload NGINX. Additionally, use tools like SSL Labs' SSL Test to verify the security level of your SSL setup, and confirm with curl -I that the HTTP listener answers with a 301 to https:// and that the HTTPS listener returns every header configured above.
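As an added example (not from the original article), the following POSIX shell script checks raw response headers, as printed by curl -sI, for the redirect and the security headers configured above. The two sample responses are constructed for offline use, and mattermost.example.com is the placeholder hostname from the article.

```shell
#!/bin/sh
# Added example: offline checks for the HTTP->HTTPS redirect and the security
# headers described above. Each function takes raw response headers as text, so
# the same checks run on `curl -sI <url>` output or on the constructed samples.

# Succeeds (exit 0) if the plain-HTTP response is a 301 pointing at https://.
check_redirect() {
    printf '%s\n' "$1" | grep -qE '^HTTP/[0-9.]+ 301' || return 1
    printf '%s\n' "$1" | grep -qiE '^Location: https://' || return 1
}

# Prints the HSTS max-age value, or nothing if the header is absent.
hsts_max_age() {
    printf '%s\n' "$1" | grep -i '^Strict-Transport-Security:' \
        | sed -nE 's/.*max-age=([0-9]+).*/\1/p' | head -n 1
}

# Exit status = number of required headers missing (0 means all present).
# Names are matched case-insensitively because HTTP/2 lowercases header names.
check_headers() {
    missing=0
    for h in Strict-Transport-Security X-Content-Type-Options \
             X-XSS-Protection X-Frame-Options Referrer-Policy \
             Content-Security-Policy; do
        if ! printf '%s\n' "$1" | grep -qi "^$h:"; then
            echo "missing header: $h" >&2
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Constructed sample responses (what `curl -sI` would print for each listener).
HTTP_SAMPLE=$(cat <<'EOF'
HTTP/1.1 301 Moved Permanently
Location: https://mattermost.example.com/login
EOF
)
HTTPS_SAMPLE=$(cat <<'EOF'
HTTP/2 200
strict-transport-security: max-age=31536000; includeSubDomains
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
x-frame-options: SAMEORIGIN
referrer-policy: no-referrer-when-downgrade
content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline';
EOF
)
check_redirect "$HTTP_SAMPLE" && echo "redirect: ok"
check_headers "$HTTPS_SAMPLE" && echo "headers: ok (HSTS max-age=$(hsts_max_age "$HTTPS_SAMPLE"))"
```

Against a live server, replace the samples with check_redirect "$(curl -sI http://mattermost.example.com/)" and check_headers "$(curl -sI https://mattermost.example.com/)".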
By following these guidelines, you can ensure that your Mattermost server is more secure and resilient against various types of attacks.
