Code, InfoSec and Server Stuff

Views are my own and not my employer's

Personal Development Blog...

Coding for fun since 1996, Learn by doing and sharing.

Buy a domain name, then create your own server (get $25 free credit)

"If you're not still learning, you're already dying."
- Ryan Holiday - Ego is the Enemy

Follow me on Twitter: @FearbySoftware

View All Posts.

HTTPS

Set up Feature-Policy, Referrer-Policy and Content Security Policy headers in Nginx

by

This is a quick post that shows how I set up the “Feature-Policy”, “Referrer-Policy” and “Content Security Policy” headers in Nginx to tighter security and privacy.

Advertisement:



Aside

If you have not read my previous posts I have now moved my blog to the awesome UpCloud host (signup using this link to get $25 free UpCloud VM credit). I compared Digital Ocean, Vultr and UpCloud Disk IO here and UpCloud came out on top by a long way (read the blog post here). Here is my blog post on moving from Vultr to UpCloud.

Buy a domain name here

Domain names for just 88 cents!

Now on with the post.

Add a Feature Policy Header

Upon visiting https://securityheaders.com/ I found references to a Feature-Policy header (WC3 internet standard) that allows you to define what browse features you webpage can use along with other headers.

Google mentions the Feature-Policy header here.

Browser features that we can enable or block with feature-policy headers.

  • geolocation
  • midi
  • notifications
  • push
  • sync-xhr
  • microphone
  • camera
  • magnetometer
  • gyroscope
  • speaker
  • vibrate
  • fullscreen
  • payment

Feature Policy Values

  • * = The feature is allowed in documents in top-level browsing contexts by default, and when allowed, is allowed by default to documents in nested browsing contexts.
  • self = The feature is allowed in documents in top-level browsing contexts by default, and when allowed, is allowed by default to same-origin domain documents in nested browsing contexts, but is disallowed by default in cross-origin documents in nested browsing contexts.
  • none = The feature is disallowed in documents in top-level browsing contexts by default and is also disallowed by default to documents in nested browsing contexts.

My Final Feature Policy Header

I added this header to Nginx

This essentially disables all browser features when visitors access my site

I reloaded Nginx config and restart Nginx

Feature-Policy Results

I verified my feature-policy header with https://securityheaders.com/

Feature Policy score from https://securityheaders.com/?q=fearby.com&followRedirects=on

Nice, Feature -Policy is now enabled.

Now I need to enable the following headers

Add a Referrer Policy Header

I added this header configuration in Nginx to prevent referrers being leaked over insecure protocols.

Referrer-Policy Results

Again, I verified my referrer policy header with https://securityheaders.com/

Referrer Policy resu;ts from https://securityheaders.com/?q=fearby.com&followRedirects=on

Done, now I just need to setup Content Security Policy.

Advertisement:



Add a Content Security Policy header

I read my old guide on Beyond SSL with Content Security Policy, Public Key Pinning etc before setting up a Content Security policy again (I had disabled it a while ago). Setting a fully working CSP is very complex and if you don’t want to review CSP errors and modify the CSP over time this may not be for you.

Read more about Content Security Policy here: https://content-security-policy.com/

I added my old CSP to Nginx

I then imported the CSP into https://report-uri.com/home/generate and enabled more recent CSP values.

I restarted Nginx

I loaded the Google Developer Console to see any CSP errors when loading my site.

CPS Errors

I enabled reporting of CSP errors to https://fearby.report-uri.com/r/d/csp/enforce

Fyi: Content Security Policy OWASP Cheat Sheet.

You can validate CSP with https://cspvalidator.org

Now I won’t have to check my Chrome Developer Console and visitors to my site will report errors. I can see my site’s visitors CSP errors at https://report-uri.com/

report-cri.com Report

Content Security Policy Results

I reviewed the reported errors and made some more CSP changes. I will continue to lock down my CSP and make more changes before making this CSP policy live.

I verified my header with https://securityheaders.com/

Security Headers report from https://securityheaders.com/?q=https%3A%2F%2Ffearby.com&followRedirects=on

Advertisement:



Testing Policies

TIP: Use the header name of “Content-Security-Policy-Report-Only” instead of “Content-Security-Policy” to report errors before making CSP changes live.

I did not want to go live too soon, I had issues with some WordPress plugins not working in the WordPress admins screens.

Reviewing Errors

Do check your reported errors and update your CSP often, I had a post with a load of Twitter related errors.

Do check report-uri errors.

I hope this guide helps someone.

Please consider using my referral code and get $25 UpCloud VM credit if you need to create a server online.

https://www.upcloud.com/register/?promo=D84793

Ask a question or recommend an article

Your Name (required)

Your Email (required)

Your Question

Revision History

V1.3 https://cspvalidator.org

v1.2 OWASP Cheat Sheet.

v1.1 added info on WordPress errors.

v1.0 Initial Post

I moved my domain to UpCloud (on the other side of the world) from Vultr (Sydney) and could not be happier with the performance.

by

I moved my domain to UpCloud (on the other side of the world) from Vultr (Sydney) and could not be happier with the performance. Here is what I did to set up a complete Ubuntu 18.04 system (NGINX, PHP, MySQL, WordPress etc). This is not a paid review (just me documenting my steps over 2 days).

 

Background (CPanel hosts)

In 1999 I hosted my first domain (www.fearby.com) on a host in Seattle (for $10 USD a month), the host used CPanel and all was good.  After a decade I was using the domain more for online development and the website was now too slow (I think I was on dial-up or ADSL 1 at the time). I moved my domain to an Australian host (for $25 a month).

After 8 years the domain host was sold and performance remained mediocre. After another year the new host was sold again and performance was terrible.

Advertisement:



Page load times were near 30 seconds.

I started receiving Resource Limit Is Reached warnings (basically this was a plot by the new CPanel host to say “Pay us more and this message will go away”).

This is a screenshot of my old host giving a Usage Limit Exceeded error

The straw that broke the camel’s back was their demand of $150/year for a dodgy SSL certificate.

This is a screenshot of a crappy C rated SSL certificate (measured at ssl labs)

I needed to move to a self-managed server where I was in control.

Advertisement:



Buying a Domain Name

Buy a domain name from Namecheap here.

Domain names for just 88 cents!

Self Managed Server

I found a good web IDE ( http://www.c9.io/ ) that allowed me to connect to a cloud VM.  C9 allowed me to open many files and terminal windows and reconnect to them later. Don’t get excited, though, as AWS have purchased C9 and it’s not the same.

C9 IDE

C9 IDE

I spun up a Digital Ocean Server at the closest data centre in Singapore. Here was my setup guide creating a Digital Ocean VM, connecting to it with C9 and configuring it. I moved my email to G Suite and moved my WordPress to Digital Ocean (other guides here and here).

I was happy since I could now send emails via CLI/code, set up free SSL certsadd second domain email to G Suite and Secure G Suite. No more usage limit errors either.

Self-managing servers requires more work but it is more rewarding (flexible, faster and cheaper).  Page load times were now near 20 seconds (10-second improvement).

Latency Issue

Over 6 months, performance on Digital Ocean (in Singapore) from Australia started to drop (mentioned here).  I tried upgrading the memory but that did not help (latency was king).

Moved the website to Australia

I moved my domain to Vultr in Australia (guide here and here). All was good for a year until traffic growth started to increase.

This is a screenshot of google analytics showing my doubling ever 3 months traffic

I tried upgrading the memory on Vultr and I setup PHP child workers, setup Cloudflare.

GT Metrix scores were about a “B” and Google Page Speed Scores were in the lower 40’s. Page loads were about 14 seconds (5-second improvement).

Tweaking WordPress

I set up an image compression plugin in WordPress then set up a cloud image compression and CDN Plugin from the same vendor.  Page Speed info here.

GT Metrix scores were now occasionally an “A” and Page Speed Scores were in the lower 20’s. Page loads were about 3-5 seconds (10-second improvement).

Mixed bag from Vultr (more optimisation and performance improvements were needed).

This screenshot is showing poor www.gtmetrix.com scores , pool google page speed index scores and upgrading from 1GB to 2GB memory on my server.

Google Chrome Developer Console Audit Results on Vultr hosted website were not very good (I stopped checking as nothing helped).

This is a screenshot showing poor site performance (screenshot taken in Google Dev tools audit feature)

The problem was the Vultr server (400km away in Sydney) was offline (my issue) and everything above (adding more memory, adding 2x CDN’s (EWWW and Cloudflare), adding PHP Child workers etc) did not seem to help???

Enter UpCloud…

Recently, a friend sent a link to a blog article about a host called “UpCloud” who promised “Faster than SSD” performance.  This can’t be right: “Faster than SSD”? I was intrigued. I wanted to check it out as I thought nothing was faster than SSD (well, maybe RAM).

I signed up for a trial and ran a disk IO test (read the review here) and I was shocked. It’s fast. Very fast.

Summary: UpCloud was twice as fast (Disk IO and CPU) as Vultr (+ an optional $4/m firewall and $3/m for 1x backup).

This is a screenshot showing Vultr.com servers getting half the read and write disk io performance compared to upcloud.com.

fyi: Labels above are K Bytes per second. iozone loops through all file sizes from 4 KB to 16,348 KB and measures through the reads per second. To be honest, the meaning of the numbers doesn’t interest me, I just want to compare apples to apples.

This is am image showing iozone results breakdown chart (kbytes per sec on vertical axis, file size in horizontal axis and transfer size on third access)

(image snip from http://www.iozone.org/ which explains the numbers)

I might have to copy my website on UpCloud and see how fast it is.

Where to Deploy and Pricing

UpCloud Pricing: https://www.upcloud.com/pricing/

 

This images show prices form https://www.upcloud.com/pricing/

UpCloud does not have a data centre in Australia yet so why choose UpCloud?

Most of my site’s visitors are based in the US and UpCloud have disk IO twice as fast as Vultr (win-win?).  I could deploy to Chicago?

This image sows most of my visitors are in the US

My site’s traffic is growing and I need to ensure the site is fast enough in the future.

This image shows that most of my sites visitors are hitting my site on week days.

Advertisement:



Creating an UpCloud VM

I used a friend’s referral code and signed up to create my first VM.

FYI: use my Referral code and get $25 free credit.  Sign up only takes 2 minutes.

https://www.upcloud.com/register/?promo=D84793

Signup for UpCloud, add billing details, live chat

UpCould support page is located here: https://www.upcloud.com/support/

More UpCloud links to read:

I was not sure how to log in after signing up so I went back to https://www.upcloud.com/and clicked Sign Inhttps://my.upcloud.com/login ).

Now I can see a dashboard 🙂

 

This image sows the www.ucloud.com dashboard main page.

I was happy to see 24/7 support is available.

This image shows the www.upcloud.com live chat

UpCloud Dashboard

After logging in I noticed I could customize the dashboard.

This image shows the www.upcloud.com dashboard (post login) allows you to customize the dahsboard

It would be nice to see an UpCloud API or some way that I can push data to the dashboard from my VM (via scheduled cron jobs). I’d really like to see my data in this dashboard, not at the level of PM2 but things like CPU/Memory history, logs, disk used/free, connections etc.

UpCloud Trial Mode

I am not sure what the time limit is to the trial mode (5 days)?

UPDATE: A friend signed up for a trial and did not deposit some money (e.g $10) in 7 days and his server was deleted.  We deposited $10 via PayPal and he was still in trial mode. If you are signing up and want to keep your server you will need to exit trial mode by depositing money from a DEBIT/CC card (that is not blocked overseas) ASAP!

Image showing (via a html dialog) that I am in trail mode

Deploy My First UpCloud Server

This is how I deployed a server.

If you are going to deploy a server consider using my referral code and get $25 credit for free.

Under the “deploy a server” widget I named the server and chose a location (I think I was supposed to use an FQDN name -e.g., “fearby.com”). The deployment worked though. I clicked continue, then more options were made available:

  1. Enter a short server description.
  2. Choose a location (Frankfurt, Helsinki, Amsterdam, Singapore, London and Chicago)
  3. Choose the number of CPU’s and amount of memory
  4. Specify disk number/names and type (MaxIOPS or HDD).
  5. Choose an Operating System
  6. Select a Timezone
  7. Define SSH Keys for access
  8. Allowed login methods
  9. Choose hardware adapter types
  10. Where the send the login password

This image shows all of he deploy server options at www.upcloud.com

FYI: How to generate a new SSH Key (on OSX or Ubuntu)

Output

Did the key export? (yes)

> /temp# ls /temp/ -al
> drwxr-xr-x 2 root root 4096 Jun 9 15:33 .
> drwxr-xr-x 27 root root 4096 Jun 8 14:25 ..
> -rw——- 1 user user 1766 Jun 9 15:33 example_rsa
> -rw-r–r– 1 user user 396 Jun 9 15:33 example_rsa.pub

“example_rsa” is the private key and “example_rsa.pub “is the public key.

  • The public key needs to be added to the server to allow access.
  • The private key needs to be added to any local ssh program used for remote access.

Initialisation script (after deployment)

I was pleased to see an initialization script section that calls actions after the server is deployed. I configured the initialisation script to pull down a few GB of backups from my Vultr website in Sydney (files now removed).

This was my Initialisation script:

Confirm and Deploy

I clicked “Confirm and deploy” but I had an alert that said trial mode can only deploy servers up to 1024MB of memory.

This image shows I cant deploy servers with 2/GB in trial modeExiting UpCloud Trial Mode

I opened the dashboard and clicked My Account then Billing, I could see the $25 referral credit but I guess I can’t use that in Trial.

I exited trial mode by depositing $10 (USD).

This image shows me depositing funds into upcloud.com

FYI: Server prices are listed below (or view prices here).

 

This image shows upcloud.com prices at http://upcloud.com/pricing

Now I can go back and deploy the server with the same settings above (1x CPU, 2GB Memory, Ubuntu 18.04, MaxIOPS Storage etc)

Advertisement:



Deployment in progress:

This image shows a server being deployed (progress bar)

UpCloud Server Deployed

The server is now deployed; now I can connect to it with my SSH program (vSSH).  Simply add the server’s IP, username, password and the SSH private key (generated above) to your ssh program of choice.

fyi: The public key contents start with “ssh-rsa”.

This image shows me connecting to my sever via ssh

I noticed that the initialisation script downloaded my 2+GB of files already. Nice.

UpCloud Billing Breakdown

I can now see on the UpCloud billing page in my dashboard that credit is deducted daily (68c); at this rate, I have 49 days credit left?

Billing Usage

I can manually deposit funds or set up automatic payments 🙂

UpCloud Backup Options

Backup This image shows me backing up my server

Note: Backups are charged at $0.056 for every GB stored – so $5.60 for every 100GB per month (half that for 50GB etc)

I made a manual backup and can set an automatic schedule if need be. Nice.

This image sows possible backup schedules.

UpCloud Firewall Options

I set up a firewall at UpCloud to only allow the minimum number of ports (UpCloud DNS, HTTP, HTTPS and My IP to port 22).  The firewall feature is charged at $0.0056 an hour ($4.03 a month)

I love the ability to set firewall rules on incoming, destination and outgoing ports.

this image shows firewall options

Update: I modified my firewall to allow inbound ICMP (IPv4/IPv6) and UDP (IPv4/IPv6) packets.

Firewall Rules Allow port 80, 443 and DNS

Because my internet provider has a dynamic IP, I set up a VPN with a static IP and whitelisted it for backdoor access.

Local Ubuntu ufw Firewall

I duplicated the rules in my local ufw (2nd level) firewall (and blocked mail)

UpCloud Download Speeds

I pulled down a 1.8GB Ubuntu 18.08 Desktop ISO 3 times from gigenet.com and the file downloaded in 32 seconds (57MB/sec). Nice.

Install Common Ubuntu Packages

I installed common Ubuntu packages.

Timezone

I checked the server’s time (I thought this was auto set before I deployed)?

I reset the time to Australia/Sydney.

Now the timezone is set 🙂

Shell History

I increased the shell history.

SSH Login

I created a ~/.ssh/authorized_keys file and added my SSH public key to allow password-less logins.

I added my pubic ssh key, then exited the ssh session and logged back in. I can now log in without a password.

Install NGINX

nginx/1.14.0 is now installed.

A quick GT Metrix test.

This image shows awesome static nginx performance ratings of of 99%

Install MySQL

Run these commands to install and secure MySQL.

Securing the MySQL server deployment.
> Would you like to setup VALIDATE PASSWORD plugin?: n
> New password: **********************************************
> Re-enter new password: **********************************************
> Remove anonymous users? (Press y|Y for Yes, any other key for No) : y
> Disallow root login remotely? (Press y|Y for Yes, any other key for No) : y
> Remove test database and access to it? (Press y|Y for Yes, any other key for No) : y
> Reload privilege tables now? (Press y|Y for Yes, any other key for No) : y
> Success.

I disabled the validate password plugin because I hate it.

MySQL Ver 14.14 Distrib 5.7.22 is now installed.

Set MySQL root login password type

Set MySQL root user to authenticate via “mysql_native_password”. Run the “mysql” command.

Now let’s set the root password authentication method to “mysql_native_password”

Check authentication method.

Now we need to flush permissions.

Done.

Advertisement:



Install PHP

Install PHP 7.2

PHP 7.2.5, Zend Engine v3.2.0 with Zend OPcache v7.2.5-1 is now installed. Do update PHP frequently.

I made the following changes in /etc/php/7.2/fpm/php.ini

> cgi.fix_pathinfo=0
> max_input_vars = 1000
> memory_limit = 1024M
> max_file_uploads = 20M
> post_max_size = 20M

Install PHP Modules

sudo apt-get install php-pear php7.2-curl php7.2-dev php7.2-mbstring php7.2-zip php7.2-mysql php7.2-xml

Install PHP FPM

Configure PHP FPM config.

Edit /etc/php/7.2/fpm/php.ini

> cgi.fix_pathinfo=0
> max_input_vars = 1000
> memory_limit = 1024M
> max_file_uploads = 20M
> post_max_size = 20M

Reload php sudo service.

Install PHP Modules

Configuring NGINX

If you are not comfortable editing NGINX config files read here, here and here.

I made a new “www root” folder, set permissions and created a default html file.

I edited the “root” key in “/etc/nginx/sites-enabled/default” file and set the root a new location (e.g., “/www-root”)

I added these performance tweaks to /etc/nginx/nginx.conf

> worker_cpu_affinity auto;
> worker_rlimit_nofile 100000

I add the following lines to “http {” section in /etc/nginx/nginx.conf

Check NGINX Status

Install Open SSL that supports TLS 1.3

This is a work in progress. The steps work just fine for me on Ubuntu 16.04. but not Ubuntu 18.04.?

Installing Adminer MySQL GUI

I will use the PHP based Adminer MySQL GUI to export and import my blog from one server to another. All I needed to do is install it on both servers (simple 1 file download)

Use Adminer to Export My Blog (on Vultr)

On the original server open Adminer (http) and..

  1. Login with the MySQL root account
  2. Open your database
  3. Choose “Save” as the output
  4. Click on Export

This image shows the export of the wordpress adminer page

Save the “.sql” file.

I used Adminer on the UpCloud server to Import My Blog

FYI: Depending on the size of your database backup you may need to temporarily increase your upload and post sizes limits in PHP and NGINX before you can import your database.

Edit /etc/php/7.2/fpm/php.ini
> max_file_uploads = 100M
> post_max_size =100M

And Edit: /etc/nginx/nginx.conf
> client_max_body_size 100M;

Don’t forget to reload NGINX config and restart NGINX and PHP. Take note of the maximum allowed file size in the screenshot below. I temporarily increased my upload limits to 100MB in order to restore my 87MB blog.

Now I could open Adminer on my UpCloud server.

  1. Create a new database
  2. Click on the database and click Import
  3. Choose the SQL file
  4. Click Execute to import it

Import MuSQL backup with Adminer

Don’t forget to create a user and assign permissions (as required – check your wp-config.php file).

Import MySQL Database

Tip: Don’t forget to lower the maximum upload file size and max post size after you import your database,

Cloudflare DNS

I use Cloudflare to manage DNS, so I need to tell it about my new server.

You can get your server’s IP details from the UpCloud dashboard.

Find IP Details in UpCloud

At Cloudflare update your DNS details to point to the server’s new IPv4 (“A Record”) and IPv6 (“AAAA Record”).

Cloudflare DNS

Advertisement:



Domain Error

I waited an hour and my website was suddenly unavailable.  At first, I thought this was Cloudflare forcing the redirection of my domain to HTTP (that was not yet set up).

DNS Not Replicated Yet

I chatted with UpCloud chat on their webpage and they kindly assisted me to diagnose all the common issues like DNS values, DNS replication, Cloudflare settings and the error was pinpointed to my NGINX installation.  All NGINX config settings were ok from what we could see?  I uninstalled NGINX and reinstalled it (and that fixed it). Thanks UpCloud Support 🙂

Reinstalled NGINX

I reinstalled NGINX and reconfigured /etc/nginx/nginx.conf (I downloaded my SSL cert from my old server just in case).

Here is my /etc/nginx/nginx.conf file.

Here is my /etc/nginx/sites-available/default file (fyi, I have not fully re-setup TLS 1.3 yet so I commented out the settings)

SSL Labs SSL Certificate Check

All good thanks to the config above.

SSL Labs

Install WP-CLI

I don’t like setting up FTP to auto-update WordPress plugins. I use the WP-CLI tool to manage WordPress installations by the command line. Read my blog here on using WP-CLI.

Download WP-CLI

Move WP-CLI to the bin folder as “wp”

Test wp

Update WordPress Plugins

Now I can run “wp plugin update” to update all WordPress plugins

Update WordPress Core

WordPress core file can be updated with “wp core update

Troubleshooting: Use the flag “–allow-root “if wp needs higher access (unsafe action though).

Install PHP Child Workers

I edited the following file to setup PHP child workers /etc/php/7.2/fpm/pool.d/www.conf

Changes

> pm = dynamic
> pm.max_children = 40
> pm.start_servers = 15
> pm.min_spare_servers = 5
> pm.max_spare_servers = 15
> pm.process_idle_timeout = 30s;
> pm.max_requests = 500;
> php_admin_value[error_log] = /var/log/www-fpm-php.www.log
> php_admin_value[memory_limit] = 512M

Advertisement:



Restart PHP

Test NGINX config, reload NGINX config and restart NGINX

Output (14 workers are ready)

Memory Tweak (set at your own risk)

vm.swappiness = 1

Setting swappiness to a value of 1 all but disables the swap file and tells the Operating System to aggressively use ram, a value of 10 is safer. Only set this if you have enough memory available (and free).

Possible swappiness settings:

> vm.swappiness = 0 Swap is disabled. In earlier versions, this meant that the kernel would swap only to avoid an out of memory condition when free memory will be below vm.min_free_kbytes limit, but in later versions, this is achieved by setting to 1.[2]> vm.swappiness = 1 Kernel version 3.5 and over, as well as Red Hat kernel version 2.6.32-303 and over: Minimum amount of swapping without disabling it entirely.
> vm.swappiness = 10 This value is sometimes recommended to improve performance when sufficient memory exists in a system.[3]
> vm.swappiness = 60 The default value.
> vm.swappiness = 100 The kernel will swap aggressively.

The “htop” tool is a handy memory monitoring tool to “top”

Also you can use good old “watch” command to show near-live memory usage (auto-refreshes every 2 seconds)

Script to auto-clear the memory/cache

As a habit, I am setting up a cronjob to check when free memory falls below 100MB, then cache is automatically cleared (freeing memory).

Script Contents: clearcache.sh

I set the cronjob to run every 15 mins, I added this to my cronjob.

Sample log output

I will check the log (/scripts/clearcache.log) in a few days and view the memory trends.

After 1/2 a day Ubuntu 18.04 is handling memory just fine, no externally triggered cache clears have happened 🙂

Free memory over time

I used https://crontab.guru/every-hour to set the right schedule in crontab.

I rebooted the VM.

Swap File

FYI: Here is a handy guide on viewing swap file usage here. I’m not using swap files so it is only an aside.

After the system rebooted I checked if the swappiness setting was active.

Yes, swappiness is set.

File System Tweaks – Write Back Cache (set at your own risk)

First, check your disk name and file system

Take note of your disk name (e.g vda1)

I used TuneFS to enable writing data to the disk before writing to the journal. tunefs is a great tool for setting file system parameters.

Warning (snip from here): “I set the mode to journal_data_writeback. This basically means that data may be written to the disk before the journal. The data consistency guarantees are the same as the ext3 file system. The downside is that if your system crashes before the journal gets written then you may loose new data — the old data may magically reappear.

Warning this can corrupt your data. More information here.

I ran this command.

I edited my fstab to append the “writeback,noatime,nodiratime” flags for my volume after a reboot.

Edit FS Tab:

I added “writeback,noatime,nodiratime” flags to my disk options.

Updating Ubuntu Packages

Show updatable packages.

Update Packages.

Unattended Security Updates

Read more on Ubuntu 18.04 Unattended upgrades here, here and here.

Install Unattended Upgrades

Enable Unattended Upgrades.

Now I configure what packages not to auto update.

Edit /etc/apt/apt.conf.d/50unattended-upgrades

Find “Unattended-Upgrade::Package-Blacklist” and add packages that you don’t want automatically updated, you may want to manually update these (and monitor updates).

I prefer not to auto-update critical system apps (I will do this myself).

FYI: You can find installed packages by running this command:

Enable automatic updates by editing /etc/apt/apt.conf.d/20auto-upgrades

Edit the number at the end (the number is how many days to wait before updating) of each line.

> APT::Periodic::Update-Package-Lists “1”;
> APT::Periodic::Download-Upgradeable-Packages “1”;
> APT::Periodic::AutocleanInterval “7”;
> APT::Periodic::Unattended-Upgrade “1”;

Set to “0” to disable automatic updates.

The results of unattended-upgrades will be logged to /var/log/unattended-upgrades

Update packages now.

Almost done.

I Rebooted

Advertisement:



GT Metrix Score

I almost fell off my chair. It’s an amazing feeling hitting refresh in GT Metrix and getting sub 2-second score consistently.

GT Metrix

I ran a GT Metrix score again 2 days later and I get a 1.5-second result again.

1.5 Second Page Load

WebPageTest.org Test Score

Nice. I am not sure why the effective use of CDN has an X rating as I have the EWWW CDN and Cloudflare. First Byte time is now a respectable “B”, This was always bad.

Update: I found out the longer you set cache delays in Cloudflare the higher the score.

Web Page Test

GT Metrix has a nice historical breakdown of load times (night and day)

Upcloud Site Speed in GTMetrix

Google Page Speed Insight Desktop Score

This will help with future SEO rankings. It is well known that Google is pushing fast servers.

Page Speed Test

Google Chrome 69 Dev Console Audit (Desktop)

This is amazing, I never expected to get this high score.  I know Google like (and are pushing) sub 1-second scores.

Page Audit

My site is loading so well it is time I restored some old features that were too slow on other servers

  • I disabled Lazy loading of images (this was not working on some Android devices)
  • I re-added the News Widget and news images.

Added news feature

GTMetrix and WebpageTest sores are still good (even after adding bloat)

Benchmarks are still good

FYI: WordPress Plugins I use.

These are the plugins I use.

How I use these plugins to speed up my site.

  • I use EWWW Image Optimizer plugin to auto-compress my images and to provide a CDN for media asset deliver (pre-Cloudflare). Learn more about ExactDN and EWWW.io here.
  • I use Autoptimize plugin to optimise HTML/CSS/JS and ensure select assets are on my EWWW CDN. This plugin also removes WordPress Emojis, removed the use of Google Fonts, allows you to define pre-configured domains, Async Javascript-files etc.
  • I use BJ Lazy Load to prevent all images in a post from loading on load (and only as the user scrolls down the page).
  • GTmetrix for WordPress and Cloudflare plugins are for information only?
  • I use WP-Optimize to ensure my database of healthy and to disable comments/trackbacks and pingbacks.

Let’s Test UpCloud’s Disk IO in Chicago

Looks good to me, Read IO is a little bit lower than UpCloud’s Singapore data centre but still, it’s faster than Vultr.  I can’t wait for more data centres to become available around the world.

Why is UpCloud Disk IO so good?

I asked UpCloud on Twitter why the Disk IO was so good.

  • MaxIOPS is UpCloud’s proprietary block-storage technology. MaxIOPS is physically redundant storage technology where all customer’s data is located in two separate physical devices at all times. UpCloud uses InfiniBand (!) network to connect storage backends to compute nodes, where customers’ cloud servers are running. All disks are enterprise-grade SSD’s. And using separate storage backends, it allows us to live migrate our customers’ cloud servers freely inside our infrastructure between compute nodes – whether it be due to hardware malfunction (compute node) or backend software updates (example CPU vulnerability and immediate patching).

My Answers to Questions to support

Q1) What’s the difference between backups and snapshots (a Twitter user said Snapshots were a thing)

A1) Backups and snapshots are the same things with our infrastructure.

Q2) What are charges for backup of a 50GB drive?

A2) We charge $0.06 / GB of the disk being captured. But capture the whole disk, not just what was used. So for a 50GB drive, we charge $0.06 * 50 = $3/month. Even if 1GB were only used.

  • Support confirmed that each backup is charged (so 5 times manual backups are charged 5 times). Setting up a daily auto backup schedule for 2 weeks would create 14 billable backup charges.
  • I guess a 25GB server will be $1.50 a month

Q3) What are data charges if I go over my 2TB quota?

A3) Outgoing data charges are $0.056/GB after the pre-configured allowance.

Q4) What happens if my balance hits $0?

A4) You will get notification of low account balance 2 weeks in advance based on your current daily spend. When your balance reaches zero, your servers will be shut down. But they will still be charged for. You can automatically top-up if you want to assign a payment type from your Control Panel. You deposit into your balance when you want. We use a prepay model of payment, so you need to top up before using, not billing you after usage. We give you lots of chances to top-up.

Support Tips

  • One thing to note, when deleting servers (CPU, RAM) instances, you get the option to delete the storages separately via a pop-up window. Choose to delete permanently to delete the disk, to save credit. Any disk storage lying around even unattached to servers will be billed.
  • Charges are in USD.

I think it’s time to delete my domain from Vultr in Sydney.

Deleted my Vultr domain

I deleted my Vultr domain.

Delete Vultr Server

Done.

More Reading on UpCloud

https://www.upcloud.com/documentation/faq/

UpCloud Server Status

http://status.upcloud.com

What I would like

  1. Ability to name individual manual backups (tag with why I backed up).
  2. Ability to push user defined data from my VM to the dashboard
  3. Cheaper scheduled backups
  4. Sydney data centres (one day)

Advertisement:



Update: Post UpCloud Launch Tweaks (Awesome)

I had a look at https://www.webpagetest.org/ results to see where else I can optimise webpage delivery.

Optimisation Options

Disable dasjhicons.min.css (for unauthenticated WordPress users).

Find functions.php in the www root

Edit functions.php

Add the following

HTTP2 Push

I added http2 to my listening servers

I tested a http2 push page by defining this in /etc/nginx/sites-available/default 

Once I tested that push (demo here) was working I then defined two files to push that were being sent from my server

I used the WordPress Plugin Autoptimize to remove Google font usage (this removed a number of files being loaded when my page loads).

I used the WordPress Plugin WP-Optimize plugin into to remove comments and disable pingbacks and trackbacks.

WordPress wp-config.php tweaks

Tweaks Todo

  • Compress placeholder BJ Lazy Load Image (plugin is broken)
  • Solve 2x Google Analytics tracker redirects

Conclusion

I love UpCloud’s fast servers, give them a go (use my link and get $25 free credit).

I love Cloudflare for providing a fast CDN.

I love ewww.io’s automatic Image Compression and Resizing plugin that automatically handles image optimisations and pre Cloudflare/first hit CDN caching.

Read my post about server monitoring with Nixstats here.

Let the results speak for themselves (sub <1 second load times).

Results

I hope this guide helps someone.

Please consider using my referral code and get $25 credit for free.

https://www.upcloud.com/register/?promo=D84793

Ask a question or recommend an article

Your Name (required)

Your Email (required)

Your Question

Revision History

v1.9 Spelling and grammar

v1.8 Trial mode gotcha (deposit money ASAP)

v1.7 Added RSA Private key info

v1.7 – Added new firewall rules info.

v1.6 – Added more bloat to the site, still good.

v1.5 Improving Accessibility

v1.4 Added Firewall Price

v1.3 Added wp-config and plugin usage descriptions.

v1.2 Added GTMetrix historical chart.

v1.1 Fixed free typos and added final conclusion images.

v1.0 Added final results

v0.9 added more tweaks (http2 push, removing unwanted files etc)

v0.81 Draft  – Added memory usage chart and added MaxIOPS info from UpCloud.

v0.8 Draft post.

Measuring VM performance (CPU, Disk, Latency, Concurrent Users etc) on Ubuntu and comparing Vultr, Digital Ocean and UpCloud – Part 2 of 4

by

How can you measure VM performance (CPU, Disk, Latency, Concurrent Users etc) on Ubuntu and comparing Vultr, Digital Ocean and UpCloud – Part 2 of 4

Advertisement:



Read Part 1, Part 2, Part 3 or Part 4

Measure Disk Performance with Bonnie++

Installing Bonnie++ on Ubuntu

Read this. post on using Bonnie++

Benchmark disk IO with DD and Bonnie++

Starting Bonnie++

Bonnie++ Readme.

Disk io with bonnie++ on Vultr/Sydney

Disk io with bonnie++ on Digital Ocean/London

Disk io with bonnie++ on UpCloud/Singapore

Now read this site on how to make sense of this data

 

< PreviousNext >

Read Part 1, Part 2, Part 3 or Part 4

Measuring VM performance (CPU, Disk, Latency, Concurrent Users etc) on Ubuntu and comparing Vultr, Digital Ocean and UpCloud – Part 1 of 4

by

How can you measure VM performance (CPU, Disk, Latency, Concurrent Users etc) on Ubuntu and comparing Vultr, Digital Ocean and UpCloud – Part 1 of 4. Update: I moved my domain to UpCloud.

Advertisement:



Update (June 2018): I moved my domain to UpCloud (they are that awesome). Use this link to signup and get $25 free credit. Read the steps I took to move my domain to UpCloud here.

Upcloud Site Speed in GTMetrix

Comparing Digital Ocean/Vultr and UpCloud Disk IO

I have a number of guides on moving away from CPanel, Setting up VM’s on AWS, Vultr or Digital Ocean (all in the search of extra performance) but how do you know when a server performance is ok apart from running GT Metrix and other external site benchmarking tools.

This post is split up as it was too long.

Read Part 1, Part 2, Part 3 or Part 4

Spoiler: It all depends on where your server is located and what you do with it (Tweaks will improve the performance).

P.S This is NOT a paid endorsement or conclusive test (just a quick benchmark/review).

What does your server do?

You need to know what your server does 24/7 and what resources the services need.

I use htop to view real-time and historical usage data for each process.

htop

Tweaking Advice

A friend gave me good advice re-tweaking a cheap host to get good performance

I am not a fan of just throwing more money at a host and expecting better performance. Host have unique features and cons., there is no shortage of hosts or host cons.

How can you run synthetic benchmarks to determine comparable performance metrics?

WARNING: Comparing synthetic benchmarks can be far removed from real-world speeds. Benchmark results below were from 3 different servers I have on 3 different hosts in three different locations (the only thing the same was the use of Ubuntu 16.04 $5/m servers). These results are not scientific and should not be used to compare host providers. Benchmark runs were one-off (not averages over multiple timezones/days).

Disk Performance

Speaking of disk performance I noticed this the other day on the RunCloud blog. Faster than SSD (UpCloud)?

UpCloud Faster-than-SSD Cloud Hosting Server (Promo Code Inside)

Runcloud is a server management console that can interface with your domains (read my old review here).  I don’t use Runcloud but it is great for those who need a GUI to help manage VM via a dashboard. However, I prefer to know what is going on under the hood. I have investigated webmin in the past though.

Let’s do a quick IO benchmark test between UpCloud, Digital Ocean and Vultr on similarly low end $5/m servers,

Good advice on command line benchmarking tools from a friend.


Installing iozone to test disk performance

I searched for a post on using iozone (Thanks thegeekstuff).  I will be reviewing the “Writer report” and “Reader report”. Read more about iozone here.

View the iozone page for how to break down results.

iozone results breakdown

(image snip from http://www.iozone.org/)

Install iozone on Ubuntu

Run an iozone disk test and output the results to a spreadsheet.

Now let’s run a Read/Write test on Vultr/Digital Ocean and UpCloud. Multiple runs were not performed, this is not a scientific test (just a simple benchmark test (as is, ignoring sever load and local infrastructure/timezone load)).

iozone Benchmark results for VultrRead” (Sydney)

 “4” “8” “16” “32” “64” “128” “256” “512” “1024” “2048” “4096” “8192” “16384”
6421337303363612427406245647866421025
1282248149353656641359587082197413595811720614
2561884399269916138790453667079597167856870205687020
51231404883736016368473342625234610256263881650671425684095
1024161780819392073411938399976240487784614246308368058850836609617
2048192651025696784423683499761839370754596052896324354252449715854707314
409617016832151300420992050017004751325486984553892463647681492852162070354347346
8192206342423293463203763293728032214853232699362643136507063789200411060337150454350542
163841738553277836233976133679205369344231715013524291339358630040243552531345657426938452488861
327680000295289435371533574875376815547196133890280339499527352222542914
655360000405748936107893619967380007832753273591212360718817704262826659
1310720000355227018907425275167372733935276071753893323473623411111378601
2621440000379858613020211491429371282532288163757963371551025924852481061
5242880000275875624879233705741180732821183093675988319636733943302396842

iozone Benchmark results for Digital OceanRead” (London)

4 “8” “16” “32” “64” “128” “256”  “512”  “1024”  “2048” “4096”  “8192”  “16384”
644564786710039790061791040217812902017
12847174347082197854812497958961056714010779307
256484091170731328271916986843310148242106515981E+07
51247426166909408814039993042929638369100440891E+0710044089
102442490535917516620834375375999300377104549847E+0671131619946527
204838854316967792660354968456291040188398080369E+06790383693084977817519
40962506983595323162636116953144777437962250286E+068081580768397280815808240513
81923665114485046354793176141364627712061086086E+0665699835732541716603366334025479317
163843673501482858454161826187150661476162988726E+06643031059840336402750604615947918833405527
327680000469254261409296E+06629564252312246545707578110845134753702577
655360000631543058301316E+06644469562191256473838533859542481183679324
1310720000613000264614966E+06595806859834236387547613807839948883602079
2621440000645674663237276E+06650414663901766486151643396339551653654188
5242880000166733763814566E+06644570864487146421071598120041551853770740

iozone Benchmark results for UpCloudRead” (Singapore)

 “4” “8” “16” “32” “64” “128” “256” “512” “1024” “2048” “4096” “8192” “16384”
6464210256421025108215241290201715972885
128488928164061389129573107793071420079414200794
25653206713879045107583228815202102450711281227712228612
512430525051154228844453823403670919528394979754017010235583
10244339202476263058212716163794681951146745106479979818391810230845
20484204968531948458008515816563624356663780055953632685108979403678229438
409645260135556581481794854045047301864575963458102806007355691953886209456281934
8192429829550190935927357603670267813416082655585563665275466553692679206564661264437634
163844282172584955863139196635840674195866570546423097553662265585756442970452703237847773901898
327680000582546054234086504198666538563653296426343526307637186053705971
655360000690807566231166493259660973863118056483610548967440359823561526
1310720000565018057189492465429539125334959115784844536740837334903582175
2621440000681462766912506189661590678660816455799913524791941212503637601
5242880000640476463092635673979575160962882456305103597868039119843767116

iozone Benchmark results for VultrWrite” (Sydney)

 “4” “8” “16” “32” “64” “128” “256” “512” “1024” “2048” “4096” “8192” “16384”
64289322532815507625429630566551
128398921465304434078417212669577821147
256530031613985820398474937891956815414370025
512387576754083709019819085702295609421924123496091
102429723344852271608992348885407381734012031371072453601636
204840869763465569538313581345496571295458821154797520964207258493
409623615043380412157741245025820832809958137133991426992108310046821481431
819261111366667780628671521977982582429487594787009110463787911921023592453248
16384435454706149718313845499893495888068812778842885820591941120839610862672406590
327680000465196786067938881627294890917968147872369871329842843
655360000515057790172937568915601897235867197907562852002743856
13107200005010914804928131478708868802398053336846301117578633185
2621440000387126323185323656473258405744369599422554468992453563
5242880000325588380450392965451608303255355148386250432054416512

iozone Benchmark results for Digital OceanWrite” (London)

 “4” “8” “16” “32” “64” “128” “256” “512” “1024” “2048” “4096” “8192” “16384”
64831569566551127944713639611392258
1286524881319723142102399089116631391561553
2561185399115232315343421598292182669517075891514860
51211665991296159139918916209801620980136192015897791672748
1024107919013212001584972191756215926121701108171812014629601643814
20481210394147017216217191550584179637816437531713598175958116491171488257
40969165131287575157471814065941742237173414816524181583280159934616610451533532
8192110974513187481178567154420115023401371492146674714995211479759156487812912921347609
163841106205128208413740371503649142939814614071496119157813215472891333431120337111988151501316
327680000127091414065891513114146822615583031552038151633614432801440360
655360000131932213279841311504141195512669881359645138644613470921368295
1310720000110065812293261227197131863112655521233306122774712378961233502
2621440000116716010640781155828118518510861521193673108087210626111141960
524288000097783511248161052757121918311289721140177109195411416351132063

iozone Benchmark results for UpCloudWrite” (Singapore)

 “8” “16” “32” “64” “128” “256” “512” “1024” “2048” “4096” “8192” “16384”
6411432231255511156243614525281279447
128145176414061361543594150465918525201749872
2561642294182980819708711855098180216719529472000242
51215374241854787180187322947961983258212452618957211417662
1024143413815534421609925193135920983752044438187241917683451892218
20481562145190177118172811848169196709712962402267786208149719157682007554
409616253721966378192474113420921950306207817519148731459656199515221028491326855
8192144406218083301956503192439721273002042328213563019864782062557206131913370161812049
163841667066182024818984952051339201253021110802119806149121720608751974254193478918158231921911
327680000205750614545372075621207089918697952052896189234718553821873440
655360000206712720776732088994217980920874712099108190472316425051832204
1310720000123466318249591304340177551412874811560379163199210856091675467
2621440000685774808487823824662524681762548308814946645663732176
5242880000547296517384503422521173538714518429528950529593512944

Here is my quick unscientific take on a one pass benchmark results above.

Vultr (Read) Vultr (Write) Digital Ocean (Write) UpCloud (Read) UpCloud (Write)

These results need some decoding.

Next >>

Read Part 1, Part 2, Part 3 or Part 4

Ask a question or recommend an article

Your Name (required)

Your Email (required)

Your Question

Update (June 2018): I moved my domain to UpCloud (they are that awesome). Use this link to signup and get $25 free credit. Read the steps I took to move my domain to UpCloud here.

Upcloud Site Speed in GTMetrix

Revision History

v1.2 added the fact that I Moved to UpCloud.

v1.1 Re ran iozone -a -b iozone.xls on all servers.

v1.0 Initial post

Setting strong SSL cryptographic protocols and ciphers on Ubuntu and NGINX

by

This guide will aim to inform you of strong cryptographic protocols and ciphers to use on a web server on Ubuntu 16.04 and NGINX.

Advertisement:



Secure encryption protocols are used to secure communications between a server and client. Older SSL protocols like Netscape’s Secure Sockets Layer (SSL) are flagged as DO NOT USE use by the Internet Engineering Task Force (IETF). Newer protocols like Transport Layer Security (TLS) are the newer recommended SSL protocols to use.

Wikipedia Article on Cryptographic Protocol’s

A security protocol (cryptographic protocol or encryption protocol) is an abstract or concrete protocol that performs a security-related function and applies cryptographic methods, often as sequences of cryptographic primitives. A protocol describes how the algorithms should be used. A sufficiently detailed protocol includes details about data structures and representations, at which point it can be used to implement multiple, interoperable versions of a program.

Wikipedia on Ciphers

In cryptography, a cipher (or cypher) is an algorithm for performing encryption or decryption—a series of well-defined steps that can be followed as a procedure. An alternative, less common term is encipherment. To encipher or encode is to convert information into cipher or code. In common parlance, “cipher” is synonymous with “code,” as they are both a set of steps that encrypt a message; however, the concepts are distinct in cryptography, especially classical cryptography.

Wikipedia article on Elliptic-curve cryptography

Wikipedia article on Diffie–Hellman key exchange

Bad SSL Assumptions I have heard for not using HTTPS

  • I am not a bank so I don’t need HTTPS
  • SSL overhead is was too high on servers.
  • My site only has static content, I don’t need HTTPS
  • I don’t need SSL to secure my site I just need to be less of a target than others
  • I don’t hold confidential information (Wrong)

Don’t be Lazy and secure a site poorly

A local business that wanted me to buy their goods is not convincing me.

Bad SSL

(tested with SSL labs and asafaweb)

Why SSL

If you are unsure of why you need SSL visit https://doesmysiteneedhttps.com/, Avoiding the Not Secure Warning in Chrome, Why HTTPS matters and securing your site with HTTPS.

Google has an HTTPS usage graph for all communications to its services (hint it’s growing): https://transparencyreport.google.com/https/overview?hl=en

SSL Usage

SSL Future

SSL is here to stay, Non-SSL sites will soon be labelled insecure, Non-SSL sites will have Search Engine Optimization (SEO) adversely affected.

http insecure

Also, secure pages will be treated as normal (not flagged as secure)

History of Protocol’s – Launch Dates

  • SSL 1.0 (never launched)
  • SSL 2.0 1995
  • SSL 3.0 1996
  • TLS 1.0 1999
  • TLS 1.1 2006
  • TLS 1.2 2008
  • TLS 1.3 2018

Sites like https://caniuse.com can show you if our browser an use new protocols like TLS (e.g TLS 1.0, TLS 1.1, TLS 1.2, TLS 1.3)

  • TLS 1.0 is supported by All Browsers
  • TLS 1.1 is supported on IE11+, Edge, Firefox 24+, Chrome 22+, Safari 7+, Opera 12.1+, iOS Safari 5.1+, Chrome 62 on Android 5+ etc
  • TLS 1.2 is supported on IE11+, Edge, Firefox 27, Chrome 30+, Safari 7+, Opera 17+, iOS Safari 5.1, Chrome 62 on Android 5+ etc
  • TLS 1.3 is not Supported by IE, Edge, Safari, iOS Safari, Android but is supported by Firefox 52, Chrome 56, Opera 43.

TLS 1.3

I have a guide here on setting up TLS 1.3 on Ubuntu 16.05 and Chrome, I use the draft build of OpenSSL but Open SSL 1.1.1 will support TLS 1.3. I am still figuring our TLS 1.3 on Ubuntu 18.04.

At the time of writing, you need to opt into TLS 1.3 draft specification in Chrome.

Enable TLS in Chrome

Cipher or Cypher

Read this page to see the history of the word Cipher or Cypher?

Buying an SSL certificate

Opening your wallet may not buy you the best certificate either, this was an SSL Labs review of a $150 SSL certificate Ii purchased a few years ago from a CPanel web host.

Bad CPanel SSL Certificate

I don’t buy commercial certificates anymore, I prefer free SSL certificates from Lets Encrypt

SSL Strength

I prefer to set up my own (free) SSL certificate with Lest Encrypt and tets those certificated with https://dev.ssllabs.com/ssltest/

You can configure your web server to only use certain protocols.

And define preferred ciphers

SSL Test 2018

Don’t forget to renew your SSL certificates ahead of time.

Also run a modern browser like Google Chrome Canary as some old browsers thnk expired SSL certificates are Secure

Ciphers

OpenSSL has implemented support for five TLS v1.3 cipher suites:

  • TLS13-AES-256-GCM-SHA384
  • TLS13-CHACHA20-POLY1305-SHA256
  • TLS13-AES-128-GCM-SHA256
  • TLS13-AES-128-CCM-8-SHA256
  • TLS13-AES-128-CCM-SHA256

Test OpenSSL Cipher Suites

A handy guide about using ciphers

SSL/TLS: How to choose your cipher suite

Testing a remote host’s ciphers and protocols with cipherscan

Clone this repository: https://github.com/mozilla/cipherscan

Scan a site

Result

Cipher scan can also recommend settings to change to help you harden a server (based on https://wiki.mozilla.org/Security/Server_Side_TLS)

Analyze Command

Results

More info on hardening here.

TLS 1.3 Information

More Reading

SSLLabs Grading of certificates

Read about SSL Labs grading here

snip from here

  • A+ – exceptional configuration
  • A – strong commercial security
  • B – adequate security with modern clients, with older and potentially obsolete crypto used with older clients; potentially smaller configuration problems
  • C – obsolete configuration, uses obsolete crypto with modern clients; potentially bigger configuration problems
  • D – configuration with security issues that are typically difficult or unlikely to be exploited, but can and should be addressed
  • E – unused
  • F – exploitable and/or patchable problems, misconfigured server, insecure protocols, etc.

We wish to make clear that, while A+ is clearly the desired grade, both A and B grades are acceptable and result in adequate commercial security. The B grade, in particular, may be applied to configurations designed to support very wide audiences, many of whom use very old programs to connect. The C grade is generally used for configurations that don’t follow best practices. Grades D and F are used for servers with serious configuration and security issues.

REady to go SSL configuration: https://cipherli.st/

Download ready to go Diffie–Hellman primes. https://2ton.com.au/dhtool/

We have dedicated 48 CPU cores to the task of continuously generating 2048, 3072, 4096 and 8192 bit DH parameters, and the public service we present here allows access to the most-recent 128 of each.

Diffie–Hellman key exchange (DH) is a method of securely exchanging cryptographic keys over a public channel and was one of the first public-key protocols as originally conceptualized by Ralph Merkle and named after Whitfield Diffie and Martin Hellman. DH is one of the earliest practical examples of public key exchange implemented within the field of cryptography.

Traditionally, secure encrypted communication between two parties required that they first exchange keys by some secure physical channel, such as paper key lists transported by a trusted courier. The Diffie–Hellman key exchange method allows two parties that have no prior knowledge of each other to jointly establish a shared secret key over an insecure channel. This key can then be used to encrypt subsequent communications using a symmetric key cipher.

Diffie–Hellman is used to secure a variety of Internet services. However, research published in October 2015 suggests that the parameters in use for many DH Internet applications at that time are not strong enough to prevent compromise by very well-funded attackers, such as the security services of large governments.

More to come, I hope this guide helps someone.

fyi:

Windows Protocol/Cipher installer: https://www.nartac.com/

Ask a question or recommend an article

Your Name (required)

Your Email (required)

Your Question

Revision History

V1.2 expired and use a modern browser

v1.1 bad SSL

v1.0 Initial post