
How to Secure/Harden the CWP Nginx Server (Admin, Client & Webmail Panel) with Strong Ciphers

By default, CWP runs a modified Nginx build called cwpsrv, which serves the Admin, Client and Webmail panel logins. This guide assumes a Let's Encrypt certificate is already installed for the Admin, Client and Webmail panels (see Part 1 below). The hardening applies to the SSL listeners only; the plain-HTTP ports stay unencrypted, so always log in through the https links.
Follow this article first (Part 1):
CWP: How to Configure Let's Encrypt SSL Certificate for your server Hostname/FQDN on CWP7.admin
N.B.: The cipher list and the settings below are based on these references:
https://cipherli.st/
https://mozilla.github.io/server-side-tls/ssl-config-generator/
https://wiki.mozilla.org/Security/Server_Side_TLS
https://ssl-config.mozilla.org/#server=apache&server-version=2.4.39&config=intermediate&openssl-version=1.0.2k-fips
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
https://ssldecoder.org/

CWP Admin Panel Link (by hostname)
CWP Admin Panel Link: http://server1.datahead.biz:2030
CWP Admin Panel Link: http://server1.datahead.biz:2086
CWP Admin Panel SSL Link: https://server1.datahead.biz:2031
CWP Admin Panel SSL Link: https://server1.datahead.biz:2087

CWP User Panel Link (by hostname)
CWP User Panel Link: http://server1.datahead.biz:2082
CWP User Panel SSL Link: https://server1.datahead.biz:2083

CWP Webmail Panel Link (by hostname)
CWP Webmail Panel Link: http://server1.datahead.biz:2095
CWP Webmail Panel SSL Link: https://server1.datahead.biz:2096

Admin Panel Directory:
# cd /usr/local/cwpsrv/conf/
User and Webmail Panel Directory:
# cd /usr/local/cwpsrv/conf.d/
For Admin Panel:
Open the cwpsrv.conf file, find the original SSL directives (the lines shown commented out below) and comment them out with #, then add the block that follows them. Replace server1.datahead.biz with your server's FQDN.
Two things to check before testing the configuration: the file referenced by ssl_dhparam must already exist (generate it with the openssl command given in the comment; 4096-bit parameters take several minutes to generate), otherwise the syntax test fails; and ssl_ecdh_curve secp384r1 pins ECDHE to P-384 only, which every mainstream browser supports but which rules out X25519 and P-256.
# vi /usr/local/cwpsrv/conf/cwpsrv.conf
        #ssl_session_timeout 90m;
        #ssl_certificate /etc/pki/tls/certs/hostname.bundle;
        #ssl_certificate_key /etc/pki/tls/private/hostname.key;
        #ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
        #ssl_ciphers         HIGH:!aNULL:!MD5;
        #ssl_prefer_server_ciphers   on;


        ssl_certificate     /etc/letsencrypt/live/server1.datahead.biz/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/server1.datahead.biz/privkey.pem;

        #ssl_protocols TLSv1.2 TLSv1.3; # TLS 1.3 needs nginx >= 1.13.0 built against OpenSSL >= 1.1.1 (CentOS 7's OpenSSL 1.0.2k cannot offer it); keep TLSv1.2 alongside it so older clients still connect
        ssl_protocols TLSv1.2;
        ssl_prefer_server_ciphers   on;
        ssl_dhparam /etc/nginx/dhparam.pem; # openssl dhparam -out /etc/nginx/dhparam.pem 4096
        ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
        ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0

        ssl_session_timeout 10m;
        ssl_session_cache   shared:SSL:10m;
        ssl_session_tickets off; # Requires nginx >= 1.5.9
        ssl_stapling on; # Requires nginx >= 1.3.7
        ssl_stapling_verify on; # Requires nginx >= 1.3.7
        resolver 8.8.8.8 8.8.4.4 valid=300s;
        resolver_timeout 5s;
For Client (User) Panel:
# vi /usr/local/cwpsrv/conf.d/users.conf
        #ssl_session_timeout 90m;
        #ssl_certificate /etc/pki/tls/certs/hostname.bundle;
        #ssl_certificate_key /etc/pki/tls/private/hostname.key;
        #ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
        #ssl_ciphers         HIGH:!aNULL:!MD5;
        #ssl_prefer_server_ciphers   on;


        ssl_certificate     /etc/letsencrypt/live/server1.datahead.biz/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/server1.datahead.biz/privkey.pem;

        #ssl_protocols TLSv1.2 TLSv1.3; # TLS 1.3 needs nginx >= 1.13.0 built against OpenSSL >= 1.1.1 (CentOS 7's OpenSSL 1.0.2k cannot offer it); keep TLSv1.2 alongside it so older clients still connect
        ssl_protocols TLSv1.2;
        ssl_prefer_server_ciphers   on;
        ssl_dhparam /etc/nginx/dhparam.pem; # openssl dhparam -out /etc/nginx/dhparam.pem 4096
        ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
        ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0

        ssl_session_timeout 10m;
        ssl_session_cache   shared:SSL:10m;
        ssl_session_tickets off; # Requires nginx >= 1.5.9
        ssl_stapling on; # Requires nginx >= 1.3.7
        ssl_stapling_verify on; # Requires nginx >= 1.3.7
        resolver 8.8.8.8 8.8.4.4 valid=300s;
        resolver_timeout 5s;
For Webmail Panel:
# vi /usr/local/cwpsrv/conf.d/webmail.conf
        #ssl_session_timeout 90m;
        #ssl_certificate /etc/pki/tls/certs/hostname.bundle;
        #ssl_certificate_key /etc/pki/tls/private/hostname.key;
        #ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
        #ssl_ciphers         HIGH:!aNULL:!MD5;
        #ssl_prefer_server_ciphers   on;


        ssl_certificate     /etc/letsencrypt/live/server1.datahead.biz/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/server1.datahead.biz/privkey.pem;

        #ssl_protocols TLSv1.2 TLSv1.3; # TLS 1.3 needs nginx >= 1.13.0 built against OpenSSL >= 1.1.1 (CentOS 7's OpenSSL 1.0.2k cannot offer it); keep TLSv1.2 alongside it so older clients still connect
        ssl_protocols TLSv1.2;
        ssl_prefer_server_ciphers   on;
        ssl_dhparam /etc/nginx/dhparam.pem; # openssl dhparam -out /etc/nginx/dhparam.pem 4096
        ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
        ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0

        ssl_session_timeout 10m;
        ssl_session_cache   shared:SSL:10m;
        ssl_session_tickets off; # Requires nginx >= 1.5.9
        ssl_stapling on; # Requires nginx >= 1.3.7
        ssl_stapling_verify on; # Requires nginx >= 1.3.7
        resolver 8.8.8.8 8.8.4.4 valid=300s;
        resolver_timeout 5s;
Secure the API (apply the same block to these two files):
# vi user-api.conf 
# vi api.conf
Finally, check the syntax and restart the services. Restart only if the syntax test reports success:
# /usr/local/cwpsrv/bin/cwpsrv -t
# systemctl restart cwp-phpfpm
# systemctl restart cwpsrv
Check the certificate and the negotiated protocols and ciphers with the SSL Labs server test:
https://www.ssllabs.com/ssltest/index.html
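The SSL Labs test only works once the panel is reachable from the Internet. The script below is an added example (not part of CWP and not the article's own code) for checking the conf files offline before the syntax test and restart: it parses the ssl_* directives of a server block, flags the legacy settings the article replaces, and asks the local OpenSSL, through Python's ssl module, which TLS 1.2 suites a given ssl_ciphers string really expands to, so you can see that EECDH+AESGCM:EDH+AESGCM yields only forward-secret AEAD suites while HIGH:!aNULL:!MD5 does not. The two config strings are constructed samples copied from the before and after blocks above; the finding texts and the pass/fail criteria are this example's own.

```python
"""Audit the ssl_* directives of a cwpsrv/nginx server block offline.

Added example for this article; it is not part of CWP and not the author's
code. It parses a config fragment, flags the legacy settings the article
replaces, and asks the local OpenSSL (via Python's ssl module) which TLS 1.2
suites a given ssl_ciphers string really expands to.
"""
import re
import ssl
from typing import Dict, List

# Constructed sample: the directives CWP ships (the lines the article comments out).
LEGACY_CONF = """
    ssl_session_timeout 90m;
    ssl_certificate /etc/pki/tls/certs/hostname.bundle;
    ssl_certificate_key /etc/pki/tls/private/hostname.key;
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers         HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers   on;
"""

# Constructed sample: the article's hardened block (hostname is the article's).
HARDENED_CONF = """
    #ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;   # commented out: must be ignored
    ssl_certificate     /etc/letsencrypt/live/server1.datahead.biz/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/server1.datahead.biz/privkey.pem;
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers   on;
    ssl_dhparam /etc/nginx/dhparam.pem; # openssl dhparam -out /etc/nginx/dhparam.pem 4096
    ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
    ssl_ecdh_curve secp384r1;
    ssl_session_timeout 10m;
    ssl_session_cache   shared:SSL:10m;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
"""

# One active directive per line; a line starting with '#' (commented out) never matches.
DIRECTIVE_RE = re.compile(r"^[ \t]*(ssl_\w+|resolver)[ \t]+([^;#]*?)[ \t]*;", re.MULTILINE)


def parse_directives(conf: str) -> Dict[str, str]:
    """Map each active ssl_* (and resolver) directive to its value; last one wins."""
    return {m.group(1): m.group(2) for m in DIRECTIVE_RE.finditer(conf)}


def expand_ciphers(cipher_string: str) -> List[str]:
    """Suite names, in server preference order, that the local OpenSSL would offer
    for this ssl_ciphers value. TLS 1.3 suites are fixed by OpenSSL and are not
    governed by ssl_ciphers, so they are left out."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def weak_suites(cipher_string: str) -> List[str]:
    """Suites in the expansion without forward secrecy (no ECDHE/DHE key exchange)
    or without an AEAD bulk cipher (AES-GCM or ChaCha20-Poly1305)."""
    return [
        name for name in expand_ciphers(cipher_string)
        if not (name.startswith(("ECDHE-", "DHE-")) and ("-GCM-" in name or "CHACHA20" in name))
    ]


def audit(conf: str) -> List[str]:
    """Return findings for one server block; an empty list means it matches the
    hardened profile from the article."""
    d = parse_directives(conf)
    findings: List[str] = []

    protocols = set(d.get("ssl_protocols", "").split())
    if not protocols:
        findings.append("ssl_protocols missing: older nginx defaults include TLSv1 and TLSv1.1")
    for legacy in ("SSLv3", "TLSv1", "TLSv1.1"):
        if legacy in protocols:
            findings.append(f"ssl_protocols still allows {legacy}")

    ciphers = d.get("ssl_ciphers")
    if ciphers is None:
        findings.append("ssl_ciphers missing")
    else:
        findings += [f"ssl_ciphers permits non-PFS or non-AEAD suite {s}" for s in weak_suites(ciphers)]
        if any(s.startswith("DHE-") for s in expand_ciphers(ciphers)) and "ssl_dhparam" not in d:
            findings.append("DHE suites enabled but ssl_dhparam not set")

    if d.get("ssl_prefer_server_ciphers") != "on":
        findings.append("ssl_prefer_server_ciphers is not on: the client's cipher order wins")
    if d.get("ssl_session_tickets", "on") != "off":
        findings.append("ssl_session_tickets not off: the ticket key is only rotated on restart")
    if d.get("ssl_stapling") != "on":
        findings.append("ssl_stapling is not on")
    elif "resolver" not in d:
        findings.append("ssl_stapling on but no resolver: the OCSP responder hostname cannot be resolved")
    return findings


if __name__ == "__main__":
    for label, conf in (("legacy", LEGACY_CONF), ("hardened", HARDENED_CONF)):
        print(f"[{label}] {len(audit(conf))} finding(s)")
        for finding in audit(conf):
            print("  -", finding)
```

To check a real file, read it into a string and pass it to audit(); each cwpsrv conf file holds one server block, so the last-directive-wins rule of parse_directives mirrors what you get after commenting out the old lines and appending the new ones. The expansion reflects the OpenSSL that Python is linked against, so run it on the CWP host itself (or one with the same OpenSSL) to see exactly what cwpsrv will negotiate.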
Secure/Harden CWP Nginx Server

Comments

Most Popular

CWP DNS Part 1 : How to Configure DNS properly for CentOS WebPanel on CentOS 7.6

After hosting my parent domain on CWP7.admin, I am getting dns error and i'm not able access my server using my server FQDN but i can access using my server IP.
So what can i do for that problem ?

Yes, you have to fix the error .

Environment Details:
Distro Name: CentOS Linux release 7.6.1810 (Core)
CentOS-Web Panel version: CWP7.admin
CWP version: 0.9.8.757
WebServer: Apache Only
FQDN: host.datahead.biz
IP: 192.120.10.3

1.Change Hostname Permanently:
# hostnamectl set-hostname host.datahead.biz# hostnamectl Static hostname: host.datahead.biz Icon name: computer-vm Chassis: vm Machine ID: 7400071490ea4f7d931374824ad4b52c Boot ID: 6e1f2d76495d4b318c25c4a1195aa130 Virtualization: vmware Operating System: CentOS Linux 7 (Core) CPE OS Name: cpe:/o:centos:centos:7 Kernel: Linux 3.10.0-862.14.4.el7.x86_64 Architecture: x86-64 It also writes this information to the /etc/hostname file as well.
# cat /etc/hostname host.d…

CWP DNS Part 2 : How to Configure DNS properly for CentOS WebPanel on CentOS 7.6

7.Open Main Configuration file
# vi /etc/named.conf 12 options { 13 listen-on port 53 { any; }; 14 listen-on-v6 port 53 { ::1; }; 15 directory "/var/named"; 16 dump-file "/var/named/data/cache_dump.db"; 17 statistics-file "/var/named/data/named_stats.txt"; 18 memstatistics-file "/var/named/data/named_mem_stats.txt"; 19 recursing-file "/var/named/data/named.recursing"; 20 secroots-file "/var/named/data/named.secroots"; 21 allow-query { any; }; 33 recursion no; 34 35 dnssec-enable yes; 36 dnssec-validation yes; 54 zone "." IN { 55 type hint; 56 file "named.ca"; 57 }; 58 59 include "/etc/named.rfc1912.zones"; 60 include "/etc/named.root.key"; 61 …