Recipes
```sh
# Requires ninja_build and cmake
mkdir ~/oqs/ && cd ~/oqs/
git clone --depth=1 https://github.com/open-quantum-safe/liboqs.git
cd liboqs
mkdir build && cd build
cmake -GNinja .. -DCMAKE_INSTALL_PREFIX=./oqs
ninja
ninja install
# Return to the top-level directory so oqs-provider is cloned beside liboqs
cd ~/oqs/
git clone --depth=1 https://github.com/open-quantum-safe/oqs-provider/
cd oqs-provider
# Point oqs-provider at the liboqs install prefix created above
export liboqs_DIR=~/oqs/liboqs/build/oqs/
cmake -S . -B _build && cmake --build _build && ctest --test-dir _build && cmake --install _build
```
and activate oqs-provider and KEM. Finally,

```apache
# Mutatis mutandis for nginx
SSLOpenSSLConfCmd Curves x25519_kyber768:x25519:P-256:P-384
```
Since 8.3.3, nG-SetEnvIf no longer checks percent-encoded versions of RFC 3986’s unreserved characters where doing so can lead to excessive backtracking. A reverse proxy that implements URL normalisation (e.g. Cloudflare) mitigates this particular risk much more thoroughly.
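As an added illustration of the normalisation step referred to above (this is not code from nG-SetEnvIf or Cloudflare, and the function names and sample paths are constructed for this example): a normalising proxy decodes percent-encoded unreserved characters, upper-cases the hex digits of every other escape, and only then evaluates the path. A firewall pattern written against that normalised form can match the plain `..` and needs no `%2e`/`%2E` alternatives, which is exactly the class of alternation that invites backtracking.

```javascript
// RFC 3986 section 2.3 unreserved characters: ALPHA / DIGIT / "-" / "." / "_" / "~"
const UNRESERVED = /^[A-Za-z0-9\-._~]$/;

// Decode only percent-encoded unreserved characters (RFC 3986 s6.2.2.2) and
// upper-case the hex digits of every other escape (s6.2.2.1). Reserved
// characters such as %2F ("/") stay encoded, because decoding them would
// change the meaning of the path.
function normalizePercentEncoding(path) {
  return path.replace(/%([0-9A-Fa-f]{2})/g, (escape, hex) => {
    const ch = String.fromCharCode(parseInt(hex, 16));
    return UNRESERVED.test(ch) ? ch : "%" + hex.toUpperCase();
  });
}

// A rule written against the normalised path: a bare ".." segment.
// No "%2e" / "%2E" alternatives are needed once the proxy has collapsed them.
const DOT_SEGMENT = /(^|\/)\.\.(\/|$)/;

function isSuspiciousPath(rawPath) {
  return DOT_SEGMENT.test(normalizePercentEncoding(rawPath));
}

// Constructed sample request paths, not taken from any real log.
const SAMPLES = [
  "/a/%2e%2e/%2E%2E/b",      // mixed-case encoded dot segments -> flagged
  "/a/b..c/d",               // ".." inside a filename -> not a dot segment
  "/index.php?x=a%2fb",      // %2f is reserved: stays encoded, becomes %2F
  "/%7Euser/index.html",     // %7E is unreserved: becomes "~"
];

function report() {
  return SAMPLES.map((p) => ({
    raw: p,
    normalised: normalizePercentEncoding(p),
    suspicious: isSuspiciousPath(p),
  }));
}

for (const row of report()) {
  console.log(`${row.suspicious ? "BLOCK" : "pass "} ${row.raw} -> ${row.normalised}`);
}
```

The rule does nothing about the URL-path semantics of `..` on its own; it only shows why a single un-encoded pattern suffices behind a normalising proxy, and why nG-SetEnvIf can afford to drop the encoded variants that were costing it backtracking time.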
Start with ai.robots.txt. If a bot ignores robots.txt, move it to nG-SetEnvIf under `map $http_user_agent` or `[USER AGENT]` (but see Cloudflare).
If a bot pollutes your logs with repeated requests despite being blocked, it can be silenced using the following method:

```nginx
# nginx: drop the request without a response (444) and keep it out of the access log
if ($http_user_agent ~ facebook) {
    access_log off;
    return 444;
}
```

```apache
# Apache: tag matching requests and exclude them from the access log
SetEnvIf User-Agent facebook dontlog
CustomLog "logs/access_log" common env=!dontlog
```
The most effective defence against spammers is JS obfuscation, which also offers better UX than a contact form.
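An added example of the technique meant here, read as obfuscating a published e-mail address (this is not code from the page or from nG-SetEnvIf; the function names, the shift constant and the sample address are constructed): the address is encoded once at build time, stored in a `data-` attribute, and only reassembled into a working `mailto:` link by JavaScript in the visitor's browser, so scrapers that do not execute scripts see nothing that looks like an address.

```javascript
// Per-character shift, written out as two hex digits per character.
// The constant only has to match between the encoder and the decoder.
const SHIFT = 7;

// Build-time or server-side step: encode the address once and emit the
// result in a data attribute instead of the plain address. ASCII only.
function obfuscate(address) {
  return Array.from(address, (ch) =>
    (ch.charCodeAt(0) + SHIFT).toString(16).padStart(2, "0")
  ).join("");
}

// Client-side step: undo the shift when the page is actually viewed.
function deobfuscate(encoded) {
  const out = [];
  for (let i = 0; i < encoded.length; i += 2) {
    out.push(String.fromCharCode(parseInt(encoded.slice(i, i + 2), 16) - SHIFT));
  }
  return out.join("");
}

// Browser wiring: <a data-addr="...">contact</a> becomes a real mailto: link.
// Runs only where a DOM exists, so the same file also loads under Node.
function activateLinks(root) {
  let count = 0;
  for (const a of root.querySelectorAll("a[data-addr]")) {
    const addr = deobfuscate(a.dataset.addr);
    a.href = "mailto:" + addr;
    a.textContent = addr;
    count += 1;
  }
  return count;
}

// Constructed sample address; the encoded form contains no "@" or "." for a
// regex-driven harvester to latch on to.
const SAMPLE_ADDRESS = "alice@example.com";
const SAMPLE_ENCODED = obfuscate(SAMPLE_ADDRESS);

if (typeof document !== "undefined") {
  activateLinks(document);
} else {
  console.log(`data-addr="${SAMPLE_ENCODED}" decodes to ${deobfuscate(SAMPLE_ENCODED)}`);
}
```

The visitor sees and clicks an ordinary link, which is the UX advantage over a contact form; the cost is that the address is invisible to anyone browsing without JavaScript, so keep a fallback such as a plain-text mention of the domain if that audience matters.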
Having ported the firewall to mod_setenvif, it is possible to also dispense with any remaining rewrite rules. Follow these steps:

- Using `mod_rewrite` for permalink settings is a relic from httpd 2.2. The same effect can now be achieved with `mod_dir`:

  ```apache
  SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0
  FallbackResource /index.php
  ```

- Rules for access control can switch to using `mod_setenvif` or Cloudflare’s free-tier WAF.
The best way to stem excessive 404s is to use Wordfence. For best performance, opt out of ‘extended protection’.
nginx’s ngx_http_limit_req_module provides similar, but more rudimentary, capabilities.
Whether used primarily for page caching or DDoS mitigation, Cloudflare can complement the functionality of nG-SetEnvIf.

An adaptation, for httpd, of CF’s snippet for nginx:

```apache
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLProxyProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLOpenSSLConfCmd Curves x25519_kyber768:x25519:P-256:P-384
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE+AES128:RSA+AES128:ECDHE+AES256:RSA+AES256:ECDHE+3DES:RSA+3DES
SSLProxyCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE+AES128:RSA+AES128:ECDHE+AES256:RSA+AES256:ECDHE+3DES:RSA+3DES
SSLHonorCipherOrder on
```
To stop requests circumventing the CF proxy, configure httpd for Authenticated Origin Pulls. For best performance, choose the ECC version of the private key for the origin CA certificate, opt out of the root certificate, and set `SSLUseStapling` to off. Then, stop listening on port 80.

In case the primary edge certificate uses the slower RSA, switch to ECDSA by setting the certificate authority to `lets_encrypt` via API call.
The best way to extend nG-SetEnvIf is to set up a Custom Rule in CF’s free-tier WAF. Doing so not only allows you to take advantage of the non-backtracking algorithm of RE2 (as opposed to PCRE), but also means you don’t have to keep track of your customisations every time you upgrade nG-SetEnvIf.
Note that Cloudflare performs extra URL normalisation.
> mod_rewrite should be considered a last resort, when other alternatives are found wanting. Using it when there are simpler alternatives leads to configurations which are confusing, fragile, and hard to maintain. Understanding what other alternatives are available is a very important step towards mod_rewrite mastery.
>
> — Rich Bowen