1
00:00:04,810 --> 00:00:10,920
In the last lesson of the previous performance section of this course, we generated some self-signed

2
00:00:10,920 --> 00:00:14,670
certificates and saw how to enable SSL connections.

3
00:00:14,910 --> 00:00:21,680
That said, our implementation was just about as basic as it can get and yielded nothing more than a default

4
00:00:21,680 --> 00:00:28,740
HTTPS connection. In this lesson then, the first of the new security section, we'll continue with that

5
00:00:28,770 --> 00:00:36,510
SSL configuration by discussing a few key SSL-specific configuration directives and see how to optimize

6
00:00:36,570 --> 00:00:40,110
our HTTPS connections. Before we begin,

7
00:00:40,110 --> 00:00:46,980
however, I'll just remove this index.php value from the index directive, allowing us to access

8
00:00:46,980 --> 00:00:49,650
that demo site from the root URL.

9
00:00:50,130 --> 00:00:51,590
And to keep things simple,

10
00:00:51,600 --> 00:00:59,100
I'll also remove these push directives, keeping the HTTP/2 connection, however. Save this,

11
00:00:59,910 --> 00:01:07,350
reload the nginx configuration and check this is working as expected in the browser by removing this

12
00:01:07,380 --> 00:01:09,320
index.html request

13
00:01:09,330 --> 00:01:10,220
URI.

14
00:01:10,530 --> 00:01:11,770
And that works.

15
00:01:11,850 --> 00:01:15,360
We get the demo site loading from the root URL.

16
00:01:15,360 --> 00:01:23,190
Step 1 then, when dealing with an HTTPS request, is providing some or other fallback or handler for

17
00:01:23,220 --> 00:01:31,690
insecure HTTP connections. At the moment we have HTTPS specified in the request, but should I remove

18
00:01:31,690 --> 00:01:32,330
this,

19
00:01:32,400 --> 00:01:33,520
making this request

20
00:01:33,540 --> 00:01:34,860
HTTP,

21
00:01:36,040 --> 00:01:37,780
we get a connection error.

22
00:01:38,110 --> 00:01:46,300
This being as the request is going to our IP address on port 80 for HTTP, and our server not having any

23
00:01:46,300 --> 00:01:52,410
listen directives on port 80. To prevent this from happening then, we have two options.

24
00:01:52,420 --> 00:01:59,260
Number one is to also listen on port 80, or in other words, making our server available over an insecure

25
00:01:59,260 --> 00:02:00,260
connection.

26
00:02:00,260 --> 00:02:07,480
Now whilst this might have been fine just a couple of years ago, HTTPS has become a standard and really

27
00:02:07,480 --> 00:02:11,210
there's no legitimate reason to use HTTP any longer.

28
00:02:11,380 --> 00:02:17,950
And on top of security and search engine optimization reasons, you'll also sacrifice the added performance

29
00:02:17,950 --> 00:02:24,210
of HTTP/2, as it's only available over SSL. Option number two then,

30
00:02:24,220 --> 00:02:33,050
and by far the best option, is to redirect all HTTP requests to the equivalent HTTPS request.

31
00:02:33,130 --> 00:02:38,830
There's a few ways of achieving this, but again the most reliable and easiest is going to be creating

32
00:02:38,830 --> 00:02:44,670
a dedicated virtual host, or server context, in the http context.

33
00:02:44,670 --> 00:02:50,310
Then I'll add a new server which listens on port 80,

34
00:02:50,350 --> 00:02:57,380
so HTTP, with this same server name, as we're listening on the same IP or domain.

35
00:02:57,730 --> 00:03:07,180
I'll copy this, and all the server needs to do, regardless of the request, is redirect with a 301 status

36
00:03:07,180 --> 00:03:12,290
code, which is Moved Permanently, to HTTPS.

37
00:03:12,340 --> 00:03:17,440
So port 443, $server_name being this variable,

38
00:03:17,740 --> 00:03:26,050
but this can also be $host, as the request host must be this IP, or even a hard-coded domain or IP as we

39
00:03:26,050 --> 00:03:26,690
have here.

40
00:03:26,800 --> 00:03:32,910
All the same, I'll stick to $host as it's the most descriptive, and the request

41
00:03:32,920 --> 00:03:33,990
URI, $request_uri.

42
00:03:34,240 --> 00:03:35,500
That's it.

43
00:03:35,500 --> 00:03:44,370
Save this, reload configuration, refresh this HTTP request, and this time we get redirected to the HTTPS

44
00:03:44,360 --> 00:03:45,970
equivalent.

45
00:03:45,970 --> 00:03:47,800
So everything works.

46
00:03:47,800 --> 00:03:52,900
We can also double check this on the command line: curl, with headers,

47
00:03:53,140 --> 00:03:55,540
allowing that self-signed certificate,

48
00:03:55,710 --> 00:04:07,510
http:// and the server IP, enter, and again 301 Moved Permanently, redirecting to HTTPS. So that's

49
00:04:07,510 --> 00:04:14,980
our requests sorted, and we can be assured that all requests will end up in this SSL server. Next then,

50
00:04:15,010 --> 00:04:22,710
let's see how to improve upon this SSL encryption and make our server more secure. In the server context,

51
00:04:22,720 --> 00:04:30,580
the first thing we'll do is disable SSL, or more specifically the SSL protocol. See, whilst we still

52
00:04:30,580 --> 00:04:39,760
refer to and write this as SSL, the SSL protocol, or Secure Sockets Layer, has been outdated and replaced

53
00:04:39,790 --> 00:04:44,630
for the most part by the newer and better TLS, or Transport

54
00:04:44,630 --> 00:04:54,400
Layer Security, protocol, which to enable, leaving the SSL protocol out, we can do by specifying ssl_protocols

55
00:04:55,000 --> 00:05:06,560
TLSv1, or version 1, TLSv1.1, version 1.1, and TLSv1.2, version 1.2. Their HTTPS

56
00:05:06,560 --> 00:05:10,540
connections now being encrypted using TLS only,

57
00:05:10,540 --> 00:05:13,720
rather than the older SSL protocol.

58
00:05:13,720 --> 00:05:21,580
Next we can set which cipher suite should be used by the TLS protocol to encrypt our connection.

59
00:05:21,580 --> 00:05:28,070
First we need to tell nginx that we are going to do this by setting the ssl_prefer_server_ciphers

60
00:05:28,100 --> 00:05:33,850
directive to on, then using the ssl_ciphers directive

61
00:05:34,060 --> 00:05:38,640
we can set a string of suites to use, and ones which should not be used,

62
00:05:38,770 --> 00:05:47,590
like so, each suite here being separated by a colon and the ones not to use being prefixed with an exclamation,

63
00:05:48,040 --> 00:05:49,430
like this simple

64
00:05:49,440 --> 00:05:49,830
MD5

65
00:05:49,830 --> 00:05:51,040
suite.

66
00:05:51,100 --> 00:05:57,400
Now the selection of preferred cipher suites isn't a very definite selection, and you'll most likely find

67
00:05:57,400 --> 00:06:00,250
a number of these combinations on the Internet.

68
00:06:00,280 --> 00:06:06,250
This one here is very solid, but might also become outdated as some of these suites become vulnerable

69
00:06:06,250 --> 00:06:08,390
due to exploits etc.

70
00:06:08,680 --> 00:06:10,520
Feel free to use this combination,

71
00:06:10,540 --> 00:06:15,630
or alternatively a quick search will provide some up-to-date combinations.

72
00:06:15,640 --> 00:06:20,520
Just make sure you get your preferred suite combination from a reputable source.

73
00:06:20,860 --> 00:06:29,980
Next, with our cipher suites optimized, we'll enable Diffie-Hellman key exchange, or in short DH parameters.

74
00:06:30,610 --> 00:06:35,460
How this works is far beyond the scope of this course, but basically having DH

75
00:06:35,760 --> 00:06:42,750
parameters enabled allows your server to perform key exchanges, meaning between the client and the server,

76
00:06:43,020 --> 00:06:45,220
with perfect secrecy.

77
00:06:45,250 --> 00:06:49,030
I've linked to a couple of in-depth articles in the lesson resources,

78
00:06:49,050 --> 00:06:51,760
should you want to find out how this works exactly,

79
00:06:51,930 --> 00:07:00,070
but a very good addition to any HTTPS server. Then, to enable the DH parameters, we can add ssl_

80
00:07:00,070 --> 00:07:00,660
dh

81
00:07:00,660 --> 00:07:06,210
param and specify where our generated DH parameters can be found.

82
00:07:06,330 --> 00:07:15,150
We've not yet created these, but I'll say /etc/nginx/ssl, so with those certificates,

83
00:07:15,420 --> 00:07:20,490
/dhparam.pem. Save this,

84
00:07:20,670 --> 00:07:26,160
but before we can reload nginx, let's generate those DH parameters,

85
00:07:26,310 --> 00:07:33,060
again using the openssl command line tools that we used earlier to generate our certificates. Say openssl

86
00:07:33,060 --> 00:07:42,480
dhparam, specifying the size, which very importantly must match that of our private key as we

87
00:07:42,480 --> 00:07:44,550
set it when generating the key,

88
00:07:45,530 --> 00:07:52,540
so 2048, writing this file out to that location we specified in the nginx

89
00:07:52,550 --> 00:08:03,470
configuration, /etc/nginx/ssl/dhparam.pem, enter, and as per this message, this

90
00:08:03,470 --> 00:08:05,490
can take a few minutes to complete.

91
00:08:05,750 --> 00:08:08,780
I'll just fast forward, and done.

92
00:08:08,780 --> 00:08:13,150
List the contents of that SSL directory, and there we have it,

93
00:08:13,280 --> 00:08:20,090
meaning we should now be able to reload this configuration without any errors. Reload, perform a curl

94
00:08:20,090 --> 00:08:23,450
request again, and everything works.

95
00:08:24,050 --> 00:08:26,600
Back to the configuration, and the next

96
00:08:26,600 --> 00:08:35,240
very simple configuration to improve an exclusively SSL-enabled site is enabling HSTS, or Strict Transport

97
00:08:35,240 --> 00:08:36,570
Security.

98
00:08:36,620 --> 00:08:40,950
This is a header that tells the browser not to load anything over HTTP,

99
00:08:40,950 --> 00:08:46,630
meaning we can minimize redirects from port 80 to port 443.

100
00:08:46,760 --> 00:08:54,230
Just a very small but valuable tweak: add a header with the name Strict-Transport-Security

101
00:08:55,130 --> 00:09:00,960
and the value of max-age equals one year in seconds,

102
00:09:01,040 --> 00:09:02,210
always.

103
00:09:03,080 --> 00:09:07,500
Next we can enable a simple cache for our SSL sessions.

104
00:09:07,700 --> 00:09:13,250
If you recall from a previous lesson, I mentioned that the SSL connection involves a handshake between

105
00:09:13,250 --> 00:09:18,170
the client and the server in order to be able to read each other's encrypted data.

106
00:09:18,370 --> 00:09:24,220
This session cache then allows the server to cache those handshakes for a set amount of time,

107
00:09:24,470 --> 00:09:34,010
thus improving SSL connection times. So to configure a session cache zone, say ssl_session_cache. The default

108
00:09:34,050 --> 00:09:41,020
cache type being builtin, but this is limited to a specific worker process and really not very useful.

109
00:09:41,180 --> 00:09:48,830
So instead then we'll set this to a cache type of shared, meaning the session cache is kept in memory and

110
00:09:48,830 --> 00:09:51,490
can be accessed by any worker process,

111
00:09:51,530 --> 00:09:53,080
a much better option.

112
00:09:53,330 --> 00:10:01,940
Give this memory zone a name, SSL, and a size, 40 meg, which should be ample for most sites, with an ssl_

113
00:10:01,940 --> 00:10:08,860
session_timeout, meaning how long to keep a session cached for, of four hours.

114
00:10:08,880 --> 00:10:14,150
Again, this not being a strict setting, but four hours provides a decent amount of time for returning

115
00:10:14,150 --> 00:10:15,130
users.

116
00:10:15,500 --> 00:10:21,950
And lastly, in order to use this session cache without actually having the server access the cache, we

117
00:10:21,950 --> 00:10:22,730
can enable

118
00:10:22,730 --> 00:10:23,490
ssl_

119
00:10:23,510 --> 00:10:25,090
session_tickets.

120
00:10:25,850 --> 00:10:31,580
This basically means provide the browser with a ticket which validates the SSL session.

121
00:10:31,850 --> 00:10:38,480
This ticket is issued by the server, so it's trusted, and allows us to bypass reading from the session

122
00:10:38,510 --> 00:10:39,600
cache.

123
00:10:39,620 --> 00:10:44,990
It doesn't however mean we can disable the memory cache, as we cannot be sure the client holds a ticket,

124
00:10:45,410 --> 00:10:52,700
but it optimizes server resources in reducing SSL session lookups. That covers the very most important

125
00:10:52,700 --> 00:10:56,710
parts of fine-tuning and optimizing your SSL connection.

126
00:10:56,810 --> 00:11:00,870
So let's make sure this is all still working before finishing up.

127
00:11:00,890 --> 00:11:05,810
Save all this, check the current configuration for any errors,

128
00:11:05,810 --> 00:11:13,070
everything is fine, reload, and when I perform a curl request we get that expected index.

129
00:11:13,100 --> 00:11:17,630
html page over an optimized HTTPS connection.
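The directives walked through in this lesson, collected into one nginx configuration as an added example (not the course's own file). The certificate and key file names, the site root and the server_name are assumptions, and the cipher list is illustrative only, to be replaced from a reputable source as the lesson advises.

```nginx
# Added example: both server blocks this lesson builds, in one place.
# Assumed: self-signed cert/key names, site root and server_name below.

# 1. Plain-HTTP server: serves nothing, only redirects (301) to HTTPS.
server {
    listen 80;
    server_name example.com;                 # assumed: your domain or IP
    return 301 https://$host$request_uri;
}

# 2. HTTPS server with the hardening and optimisation directives discussed.
server {
    listen 443 ssl http2;
    server_name example.com;                 # assumed: your domain or IP
    root /sites/demo;                        # assumed site root

    ssl_certificate     /etc/nginx/ssl/self.crt;   # assumed file name
    ssl_certificate_key /etc/nginx/ssl/self.key;   # assumed file name

    # Offer TLS only; SSLv2/SSLv3 are left out of the list.
    # Caveat: TLS 1.0 and 1.1 were deprecated by RFC 8996; current deployments
    # usually keep only TLSv1.2 (and TLSv1.3 where nginx/OpenSSL support it).
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    # Server, not client, chooses the suite from this list.
    ssl_prefer_server_ciphers on;
    # Illustrative list only (":" separates suites, "!" excludes one, as in
    # the lesson); take a current string from a reputable source.
    ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:!aNULL:!MD5";

    # Generated beforehand with:
    #   openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;

    # HSTS: the browser uses HTTPS directly for one year (31536000 s), so the
    # port-80 redirect above is skipped on later visits.
    add_header Strict-Transport-Security "max-age=31536000" always;

    # Session cache shared by all workers, 40 MB, entries kept for 4 hours.
    ssl_session_cache shared:SSL:40m;
    ssl_session_timeout 4h;
    # Tickets let a returning client resume without a cache lookup; the cache
    # stays on, since not every client will present a ticket.
    ssl_session_tickets on;
}
```

Validate with `nginx -t` before reloading; afterwards `curl -Ik http://example.com/` should answer 301 with a Location header pointing at the https:// equivalent.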