Skip to main content

How to Secure/Harden CWP Nginx Server ( Admin, Client & Webmail Panel ) with Strong Ciphers ?

By Default CWP Server is using Modified Nginx server which is called CWP server and It is used for Admin, Client & Webmail Panel Login. I am also using Let's Encrypt SSL for my CWP Admin, Client & Webmail Panel .
Follow This Article : ( Part 1)
CWP: How to Configure Let's Encrypt SSL Certificate for your server Hostname/FQDN on CWP7.admin
N.B: I am using the below cipherlist
https://cipherli.st/
https://mozilla.github.io/server-side-tls/ssl-config-generator/
https://wiki.mozilla.org/Security/Server_Side_TLS
https://ssl-config.mozilla.org/#server=apache&server-version=2.4.39&config=intermediate&openssl-version=1.0.2k-fips
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
https://ssldecoder.org/

CWP Admin Panel Link (by hostname)
CWP Admin Panel Link: http://server1.datahead.biz:2030
CWP Admin Panel Link: http://server1.datahead.biz:2086
CWP Admin Panel SSL Link: https://server1.datahead.biz:2031
CWP Admin Panel SSL Link: https://server1.datahead.biz:2087

CWP User Panel Link (by hostname)
CWP User Panel Link: http://server1.datahead.biz:2082
CWP User Panel SSL Link: https://server1.datahead.biz:2083

CWP Webmail Panel Link (by hostname)
CWP Webmail Panel Link: http://server1.datahead.biz:2095
CWP Webmail Panel SSL Link: https://server1.datahead.biz:2096

Admin Panel Directory: 
# cd /usr/local/cwpsrv/conf/
User Panel Directory:
# cd /usr/local/cwpsrv/conf/
For Admin Panel:
Now Open the cwpsrv.conf file , find the below code marked as red and comment(#) it .
Use the code that is marked as blue . Don't forget to replace the Server FQDN .
# vi /usr/local/cwpsrv/conf/cwpsrv.conf
        #ssl_session_timeout 90m;
        #ssl_certificate /etc/pki/tls/certs/hostname.bundle;
        #ssl_certificate_key /etc/pki/tls/private/hostname.key;
        #ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
        #ssl_ciphers         HIGH:!aNULL:!MD5;
        #ssl_prefer_server_ciphers   on;


        ssl_certificate     /etc/letsencrypt/live/server1.datahead.biz/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/server1.datahead.biz/privkey.pem;

        #ssl_protocols TLSv1.3;# Requires nginx >= 1.13.0 else use TLSv1.2
        ssl_protocols TLSv1.2;
        ssl_prefer_server_ciphers   on;
        ssl_dhparam /etc/nginx/dhparam.pem; # openssl dhparam -out /etc/nginx/dhparam.pem 4096
        ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
        ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0

        ssl_session_timeout 10m;
        ssl_session_cache   shared:SSL:10m;
        ssl_session_tickets off; # Requires nginx >= 1.5.9
        ssl_stapling on; # Requires nginx >= 1.3.7
        ssl_stapling_verify on; # Requires nginx => 1.3.7
        resolver 8.8.8.8 8.8.4.4 valid=300s;
        resolver_timeout 5s;
For Client Panel: 
# vi /usr/local/cwpsrv/conf.d/users.conf
        #ssl_session_timeout 90m;
        #ssl_certificate /etc/pki/tls/certs/hostname.bundle;
        #ssl_certificate_key /etc/pki/tls/private/hostname.key;
        #ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
        #ssl_ciphers         HIGH:!aNULL:!MD5;
        #ssl_prefer_server_ciphers   on;


        ssl_certificate     /etc/letsencrypt/live/server1.datahead.biz/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/server1.datahead.biz/privkey.pem;

        #ssl_protocols TLSv1.3;# Requires nginx >= 1.13.0 else use TLSv1.2
        ssl_protocols TLSv1.2;
        ssl_prefer_server_ciphers   on;
        ssl_dhparam /etc/nginx/dhparam.pem; # openssl dhparam -out /etc/nginx/dhparam.pem 4096
        ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
        ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0

        ssl_session_timeout 10m;
        ssl_session_cache   shared:SSL:10m;
        ssl_session_tickets off; # Requires nginx >= 1.5.9
        ssl_stapling on; # Requires nginx >= 1.3.7
        ssl_stapling_verify on; # Requires nginx => 1.3.7
        resolver 8.8.8.8 8.8.4.4 valid=300s;
        resolver_timeout 5s;
For Webmail Panel: 
# vi /usr/local/cwpsrv/conf.d/webmail.conf
        #ssl_session_timeout 90m;
        #ssl_certificate /etc/pki/tls/certs/hostname.bundle;
        #ssl_certificate_key /etc/pki/tls/private/hostname.key;
        #ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
        #ssl_ciphers         HIGH:!aNULL:!MD5;
        #ssl_prefer_server_ciphers   on;


        ssl_certificate     /etc/letsencrypt/live/server1.datahead.biz/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/server1.datahead.biz/privkey.pem;

        #ssl_protocols TLSv1.3;# Requires nginx >= 1.13.0 else use TLSv1.2
        ssl_protocols TLSv1.2;
        ssl_prefer_server_ciphers   on;
        ssl_dhparam /etc/nginx/dhparam.pem; # openssl dhparam -out /etc/nginx/dhparam.pem 4096
        ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
        ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0

        ssl_session_timeout 10m;
        ssl_session_cache   shared:SSL:10m;
        ssl_session_tickets off; # Requires nginx >= 1.5.9
        ssl_stapling on; # Requires nginx >= 1.3.7
        ssl_stapling_verify on; # Requires nginx => 1.3.7
        resolver 8.8.8.8 8.8.4.4 valid=300s;
        resolver_timeout 5s;
Secure your api ( Do the same )
# vi user-api.conf 
# vi api.conf
Finally check the syntax and reload/restart the server
# /usr/local/cwpsrv/bin/cwpsrv -t
# systemctl restart cwp-phpfpm
# systemctl restart cwpsrv
Check your SSL Certificate: 
https://www.ssllabs.com/ssltest/index.html
Secure/Harden CWP Nginx Server
Labels:

Comments

Post a Comment

You are always welcome to comment here, but your remarks should be relevant to the conversation. To keep the exchanges focused and engaging, we reserve the right to remove off-topic comments, or self-promoting URLs and vacuous messages.

We will try to reply to your queries as soon as time allows.



Regards,
Admin