
How to Secure/Harden the CWP Nginx Server (Admin, Client & Webmail Panel) with Strong Ciphers

By default CWP runs a modified Nginx build called cwpsrv, which serves the Admin, Client and Webmail panel logins. This guide assumes a Let's Encrypt certificate has already been issued for the server hostname and is used for those panels, as set up in Part 1:
Follow This Article (Part 1):
CWP: How to Configure Let's Encrypt SSL Certificate for your server Hostname/FQDN on CWP7.admin
N.B.: the TLS settings below are taken from the following cipher lists and references:
https://cipherli.st/
https://mozilla.github.io/server-side-tls/ssl-config-generator/
https://wiki.mozilla.org/Security/Server_Side_TLS
https://ssl-config.mozilla.org/#server=apache&server-version=2.4.39&config=intermediate&openssl-version=1.0.2k-fips
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
https://ssldecoder.org/

CWP Admin Panel Links (by hostname)
CWP Admin Panel Link: http://server1.datahead.biz:2030
CWP Admin Panel Link: http://server1.datahead.biz:2086
CWP Admin Panel SSL Link: https://server1.datahead.biz:2031
CWP Admin Panel SSL Link: https://server1.datahead.biz:2087

CWP User Panel Links (by hostname)
CWP User Panel Link: http://server1.datahead.biz:2082
CWP User Panel SSL Link: https://server1.datahead.biz:2083

CWP Webmail Panel Links (by hostname)
CWP Webmail Panel Link: http://server1.datahead.biz:2095
CWP Webmail Panel SSL Link: https://server1.datahead.biz:2096

The plain-HTTP ports (2030, 2086, 2082, 2095) are not covered by the TLS settings below; log in through the SSL links.

Configuration directories:
Admin Panel: /usr/local/cwpsrv/conf/ (cwpsrv.conf)
User and Webmail Panels: /usr/local/cwpsrv/conf.d/ (users.conf, webmail.conf)
For Admin Panel:
Open cwpsrv.conf and comment out (#) the original SSL block, shown first below, then add the hardened block that follows it. Replace server1.datahead.biz with your own server FQDN, and generate the dhparam file before restarting (the command is in the comments).
# vi /usr/local/cwpsrv/conf/cwpsrv.conf
        #ssl_session_timeout 90m;
        #ssl_certificate /etc/pki/tls/certs/hostname.bundle;
        #ssl_certificate_key /etc/pki/tls/private/hostname.key;
        #ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
        #ssl_ciphers         HIGH:!aNULL:!MD5;
        #ssl_prefer_server_ciphers   on;


        # Let's Encrypt certificate from Part 1 (fullchain.pem carries the intermediate)
        ssl_certificate     /etc/letsencrypt/live/server1.datahead.biz/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/server1.datahead.biz/privkey.pem;

        # TLS 1.0 and 1.1 are dropped. TLSv1.3 requires nginx >= 1.13.0 built against
        # OpenSSL 1.1.1; if cwpsrv -t rejects it, keep TLSv1.2 only.
        #ssl_protocols TLSv1.2 TLSv1.3;
        ssl_protocols TLSv1.2;
        ssl_prefer_server_ciphers   on;
        # Generate first (slow): mkdir -p /etc/nginx && openssl dhparam -out /etc/nginx/dhparam.pem 4096
        # cwpsrv -t fails if this file does not exist.
        ssl_dhparam /etc/nginx/dhparam.pem;
        # Ephemeral (forward-secret) key exchange with AES-GCM only: no CBC suites, no static RSA
        ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
        ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0

        ssl_session_timeout 10m;
        ssl_session_cache   shared:SSL:10m;
        ssl_session_tickets off; # Requires nginx >= 1.5.9
        ssl_stapling on; # Requires nginx >= 1.3.7
        ssl_stapling_verify on; # Requires nginx >= 1.3.7
        # Resolver used to fetch OCSP responses for stapling; a local resolver is preferable to a public one
        resolver 8.8.8.8 8.8.4.4 valid=300s;
        resolver_timeout 5s;
For Client Panel (same replacement, in users.conf):
# vi /usr/local/cwpsrv/conf.d/users.conf
        #ssl_session_timeout 90m;
        #ssl_certificate /etc/pki/tls/certs/hostname.bundle;
        #ssl_certificate_key /etc/pki/tls/private/hostname.key;
        #ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
        #ssl_ciphers         HIGH:!aNULL:!MD5;
        #ssl_prefer_server_ciphers   on;


        ssl_certificate     /etc/letsencrypt/live/server1.datahead.biz/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/server1.datahead.biz/privkey.pem;

        #ssl_protocols TLSv1.2 TLSv1.3; # Requires nginx >= 1.13.0 with OpenSSL 1.1.1; otherwise keep TLSv1.2 only
        ssl_protocols TLSv1.2;
        ssl_prefer_server_ciphers   on;
        ssl_dhparam /etc/nginx/dhparam.pem; # openssl dhparam -out /etc/nginx/dhparam.pem 4096
        ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
        ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0

        ssl_session_timeout 10m;
        ssl_session_cache   shared:SSL:10m;
        ssl_session_tickets off; # Requires nginx >= 1.5.9
        ssl_stapling on; # Requires nginx >= 1.3.7
        ssl_stapling_verify on; # Requires nginx >= 1.3.7
        resolver 8.8.8.8 8.8.4.4 valid=300s;
        resolver_timeout 5s;
For Webmail Panel (same replacement, in webmail.conf):
# vi /usr/local/cwpsrv/conf.d/webmail.conf
        #ssl_session_timeout 90m;
        #ssl_certificate /etc/pki/tls/certs/hostname.bundle;
        #ssl_certificate_key /etc/pki/tls/private/hostname.key;
        #ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
        #ssl_ciphers         HIGH:!aNULL:!MD5;
        #ssl_prefer_server_ciphers   on;


        ssl_certificate     /etc/letsencrypt/live/server1.datahead.biz/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/server1.datahead.biz/privkey.pem;

        #ssl_protocols TLSv1.2 TLSv1.3; # Requires nginx >= 1.13.0 with OpenSSL 1.1.1; otherwise keep TLSv1.2 only
        ssl_protocols TLSv1.2;
        ssl_prefer_server_ciphers   on;
        ssl_dhparam /etc/nginx/dhparam.pem; # openssl dhparam -out /etc/nginx/dhparam.pem 4096
        ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
        ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0

        ssl_session_timeout 10m;
        ssl_session_cache   shared:SSL:10m;
        ssl_session_tickets off; # Requires nginx >= 1.5.9
        ssl_stapling on; # Requires nginx >= 1.3.7
        ssl_stapling_verify on; # Requires nginx >= 1.3.7
        resolver 8.8.8.8 8.8.4.4 valid=300s;
        resolver_timeout 5s;
Secure your API (apply the same replacement to the API vhost files):
# vi user-api.conf
# vi api.conf
Finally, check the syntax and restart the services. A missing dhparam.pem or a wrong certificate path shows up here, before anything is restarted:
# /usr/local/cwpsrv/bin/cwpsrv -t
# systemctl restart cwp-phpfpm
# systemctl restart cwpsrv
Check your SSL certificate and the negotiated protocols/ciphers from outside with SSL Labs (TLS 1.0/1.1 should no longer be offered and only ECDHE/DHE AES-GCM suites should remain):
https://www.ssllabs.com/ssltest/index.html
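As an added example that is not part of the original article or of CWP itself, the POSIX shell script below audits a cwpsrv vhost file for the settings this procedure replaces (TLS 1.0/1.1 still offered, a cipher list that permits static-RSA key exchange, no ssl_dhparam or a dhparam file that does not exist yet, session tickets left on, no stapling) and can then probe a live listener with openssl s_client. The "before" and "after" sample files are constructed inline from the two blocks above, the dhparam file is a placeholder rather than real parameters, and the function names (directive_value, audit_tls_conf, probe_tls) and temp paths are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original article or from CWP.
# Audits a cwpsrv/nginx vhost file for weak TLS settings, then probes a live
# listener on request. Sample configs and paths below are constructed.

# Print the active (uncommented) value of directive NAME in FILE, e.g.
# directive_value cwpsrv.conf ssl_protocols  ->  "TLSv1 TLSv1.1 TLSv1.2"
directive_value() {
    sed 's/#.*//' "$1" \
      | sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\(.*\);.*/\1/p" \
      | head -n 1
}

# Audit FILE: one line per finding; returns the finding count (0 = hardened).
audit_tls_conf() {
    f=$1; n=0
    protos=$(directive_value "$f" ssl_protocols)
    if [ -z "$protos" ]; then
        echo "MISSING ssl_protocols (nginx default depends on version)"; n=$((n+1))
    else
        case " $protos " in
            *" SSLv3 "*|*" TLSv1 "*|*" TLSv1.1 "*)
                echo "WEAK    ssl_protocols '$protos' still offers TLS 1.0/1.1"; n=$((n+1)) ;;
        esac
    fi
    ciphers=$(directive_value "$f" ssl_ciphers)
    case "$ciphers" in
        EECDH*|ECDHE*|EDH*|DHE*) ;;   # ephemeral key exchange only: forward secrecy
        *) echo "WEAK    ssl_ciphers '${ciphers:-<default>}' permits static-RSA key exchange"; n=$((n+1)) ;;
    esac
    if [ "$(directive_value "$f" ssl_prefer_server_ciphers)" != "on" ]; then
        echo "WEAK    ssl_prefer_server_ciphers is not on"; n=$((n+1))
    fi
    dh=$(directive_value "$f" ssl_dhparam)
    if [ -z "$dh" ]; then
        echo "MISSING ssl_dhparam (DHE suites use weak built-in params or are disabled)"; n=$((n+1))
    elif [ ! -s "$dh" ]; then
        echo "MISSING dhparam file $dh does not exist; cwpsrv -t will fail"; n=$((n+1))
    fi
    if [ "$(directive_value "$f" ssl_session_tickets)" != "off" ]; then
        echo "WEAK    ssl_session_tickets not off (nginx does not rotate the ticket key)"; n=$((n+1))
    fi
    if [ "$(directive_value "$f" ssl_stapling)" != "on" ]; then
        echo "MISSING ssl_stapling on"; n=$((n+1))
    fi
    return $n
}

# Live check (network required): sh tls-audit.sh --probe server1.datahead.biz 2031
# Expect TLS 1.0/1.1 refused, TLS 1.2 with an ECDHE/DHE AES-GCM suite, and
# "OCSP Response Status: successful" once nginx has fetched its first OCSP response.
probe_tls() {
    host=$1; port=$2
    for v in tls1 tls1_1; do
        if openssl s_client -connect "$host:$port" -servername "$host" "-$v" </dev/null >/dev/null 2>&1; then
            echo "FAIL $v accepted by $host:$port"
        else
            echo "ok   $v refused (or unsupported by the local openssl build)"
        fi
    done
    openssl s_client -connect "$host:$port" -servername "$host" -tls1_2 -status </dev/null 2>/dev/null \
      | grep -E '^ *(Protocol|Cipher) +:|OCSP Response Status'
}

# Constructed samples: the article's original block and its hardened replacement.
TMP=$(mktemp -d)
WEAK_CONF=$TMP/before.conf
HARD_CONF=$TMP/after.conf
DHPARAM=$TMP/dhparam.pem
# Placeholder for "openssl dhparam -out /etc/nginx/dhparam.pem 4096" (minutes to run);
# the audit only checks that the referenced file exists and is non-empty.
printf 'placeholder, not real DH parameters\n' > "$DHPARAM"
cat > "$WEAK_CONF" <<'EOF'
        ssl_session_timeout 90m;
        ssl_certificate /etc/pki/tls/certs/hostname.bundle;
        ssl_certificate_key /etc/pki/tls/private/hostname.key;
        ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers         HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers   on;
EOF
cat > "$HARD_CONF" <<EOF
        ssl_certificate     /etc/letsencrypt/live/server1.datahead.biz/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/server1.datahead.biz/privkey.pem;
        ssl_protocols TLSv1.2;
        ssl_prefer_server_ciphers   on;
        ssl_dhparam $DHPARAM; # openssl dhparam -out $DHPARAM 4096
        ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
        ssl_ecdh_curve secp384r1;
        ssl_session_timeout 10m;
        ssl_session_cache   shared:SSL:10m;
        ssl_session_tickets off;
        ssl_stapling on;
        ssl_stapling_verify on;
        resolver 8.8.8.8 8.8.4.4 valid=300s;
        resolver_timeout 5s;
EOF

echo "== before =="; audit_tls_conf "$WEAK_CONF"; echo "   findings: $?"
echo "== after  =="; audit_tls_conf "$HARD_CONF"; echo "   findings: $?"
if [ "${1:-}" = "--probe" ]; then
    probe_tls "$2" "${3:-2031}"
fi
```

Run it against the real files after editing (audit_tls_conf /usr/local/cwpsrv/conf/cwpsrv.conf, then users.conf and webmail.conf) before cwpsrv -t; the dhparam check catches the most common reason the syntax test fails. The probe only tells you what your local openssl could negotiate, so a refused TLS 1.0 handshake may be the client's doing; the SSL Labs test above remains the external check.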