So I'm tinkering with IBM Container Registry (ICR) at present, and am testing the Vulnerability Advisor (VA) feature by building, tagging and pushing a basic Nginx image.
Having configured my Nginx server for HTTPS (HTTP over TLS) - or so I thought - I was baffled that VA kept throwing up configuration errors: -
The scan results show that 5 ISSUES were found for the image.

Configuration Issues Found
==========================

Configuration Issue ID: application_configuration:nginx.ssl_certificate_key
Policy Status: Active
Security Practice: Specifies the private key file for server cert.
How to Resolve: ssl_certificate_key is not present in /etc/nginx/nginx.conf or /etc/nginx/sites-enabled/default.

Configuration Issue ID: application_configuration:nginx.ssl_ciphers
Policy Status: Active
Security Practice: Specifies ciphers used in TLS.
How to Resolve: ssl_ciphers is not present in /etc/nginx/nginx.conf or /etc/nginx/sites-enabled/default. Defaults may not be secure.

Configuration Issue ID: application_configuration:nginx.server_tokens
Policy Status: Active
Security Practice: Enables or disables emitting nginx version in error messages and in the Server response header field.
How to Resolve: server_tokens is present but value is off. nginx will sends its version in HTTP responses which can be used by attackers for version-specific attacks against this nginx server. File: /etc/nginx/nginx.conf

Configuration Issue ID: application_configuration:nginx.ssl_protocols
Policy Status: Active
Security Practice: Enables the specified protocols.
How to Resolve: ssl_protocols is not present in /etc/nginx/nginx.conf or /etc/nginx/sites-enabled/default.

Configuration Issue ID: application_configuration:nginx.ssl_certificate
Policy Status: Active
Security Practice: Specifies a file with the certificate in the PEM format for the given virtual server.
How to Resolve: ssl_certificate is not present in /etc/nginx/nginx.conf or /etc/nginx/sites-enabled/default.

OK
even though I thought I'd configured Nginx with the required configuration items, e.g. server_tokens, ssl_protocols and so on.
Well, I kinda had ....
I'd added these items: -
ssl_certificate /etc/nginx/nginx.crt;
ssl_certificate_key /etc/nginx/nginx.key;
ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
server_tokens on;
into nginx.conf, BUT in the wrong place: I had them in the http{} section rather than in the server{} section, and VA only looks for the TLS directives inside a server{} block.
After some further digging, I realised that all but server_tokens should go in the server{} block, so we end up with this: -
user nginx;
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # spaces between the quoted fragments were lost in the original paste; restored here
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;

    sendfile on;
    #tcp_nopush on;
    keepalive_timeout 65;
    #gzip on;
    include /etc/nginx/conf.d/*.conf;

    # server_tokens is the one item that can stay at http{} level; off hides the version
    server_tokens off;

    server {
        listen 443 ssl default_server;
        listen [::]:443 ssl default_server;
        server_name example.com www.example.com;
        root /usr/share/nginx/html;

        # the TLS directives VA checks for must sit inside server{}
        ssl_certificate /etc/nginx/nginx.crt;
        ssl_certificate_key /etc/nginx/nginx.key;
        ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;
        ssl_protocols TLSv1.2;
        ssl_prefer_server_ciphers on;
    }
}
and, more importantly, this: -
The scan results show that NO ISSUES were found for the image.
OK
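As an added example, not code from this post or from IBM's Vulnerability Advisor: a small Python check that reproduces the five findings above against a local nginx.conf before the image is built and pushed, so the placement mistake is caught locally rather than by the registry scan. It assumes the rule the post arrived at (the four ssl_* directives must sit inside a server{} block, and server_tokens must be off) and uses a minimal tokeniser rather than nginx's own parser; the names parse_directives and audit and both sample configs are constructed here for illustration.

```python
import re
from typing import Dict, List, Tuple

# Directives VA flagged in the post, and the context the post found they must live in.
# Assumption (from the post's fix): all four must be inside server{}; server_tokens may
# stay at http{} level but must be off.
SERVER_CONTEXT_DIRECTIVES = (
    "ssl_certificate",
    "ssl_certificate_key",
    "ssl_ciphers",
    "ssl_protocols",
)
SERVER_TOKENS_WANTED = "off"

Directive = Tuple[Tuple[str, ...], str, str]  # (context path, name, arguments)


def parse_directives(conf: str) -> List[Directive]:
    """Minimal nginx.conf tokeniser (hypothetical helper, not nginx's parser).

    Strips '#' comments (a '#' inside a quoted string would also be stripped, which
    is fine for a config audit), keeps quoted strings intact, and records the block
    nesting, e.g. ('http', 'server'), that each directive was found in.
    """
    text = re.sub(r"#[^\n]*", "", conf)
    tokens = re.findall(r"'[^']*'|\"[^\"]*\"|[{};]|[^\s{};]+", text)
    stack: List[str] = []      # names of the enclosing blocks
    current: List[str] = []    # tokens of the directive being read
    found: List[Directive] = []
    for tok in tokens:
        if tok == "{":
            stack.append(current[0] if current else "?")
            current = []
        elif tok == "}":
            stack.pop()
            current = []
        elif tok == ";":
            if current:
                found.append((tuple(stack), current[0], " ".join(current[1:])))
            current = []
        else:
            current.append(tok)
    return found


def audit(conf: str) -> Dict[str, str]:
    """Return {directive: 'ok' | finding}, one entry per directive VA checks."""
    directives = parse_directives(conf)
    report: Dict[str, str] = {}
    for name in SERVER_CONTEXT_DIRECTIVES:
        hits = [ctx for ctx, n, _ in directives if n == name]
        if any("server" in ctx for ctx in hits):
            report[name] = "ok"
        elif hits:  # present, but only outside server{} - exactly the post's mistake
            where = "/".join(hits[0]) or "main"
            report[name] = f"present only in {where} context, not in server{{}}"
        else:
            report[name] = "not present"
    values = [args for _, n, args in directives if n == "server_tokens"]
    if not values:
        report["server_tokens"] = "not present"
    elif all(v == SERVER_TOKENS_WANTED for v in values):
        report["server_tokens"] = "ok"
    else:
        report["server_tokens"] = f"present but value is {values[0]}"
    return report


# Constructed sample: the 'before' layout from the post (TLS directives in http{}).
BEFORE = """
http {
    include /etc/nginx/mime.types;
    ssl_certificate /etc/nginx/nginx.crt;
    ssl_certificate_key /etc/nginx/nginx.key;
    ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;
    ssl_protocols TLSv1.2;
    server_tokens on;
    server {
        listen 443 ssl default_server;
        root /usr/share/nginx/html;
    }
}
"""

# Constructed sample: the corrected layout from the post.
AFTER = """
http {
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" ';
    server_tokens off;
    server {
        listen [::]:443 ssl default_server;
        ssl_certificate /etc/nginx/nginx.crt;
        ssl_certificate_key /etc/nginx/nginx.key;
        ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;
        ssl_protocols TLSv1.2;
    }
}
"""

if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        print(label)
        for directive, finding in audit(conf).items():
            print(f"  {directive}: {finding}")
```

Because the tokeniser does not follow include directives, feed it the merged configuration (nginx -T prints the full effective config on a host where nginx is installed) rather than nginx.conf alone, otherwise a server{} block living in conf.d/ would be reported as missing.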
For further reading, there's a useful tutorial covering ICR and VA here: -