Amazon.ca Widgets

Category: ssl

Useful url rewrite rules for IIS

These are some rules I use in IIS to make all my web sites works as expected.

What I need to automate in all site:

  • Remove prefix “www.”
  • Redirect “http” to “https”, as http will soon disappear, thanks to LetsEncrypt.

Also, for very simple static sites, I want to make all pages respond to the same fixed static page, and get no 404.

You can do that without any code, when using the IIS Rewrite extension.  You first need to install the extension to your existing IIS configuration. (link)

This is an example of my IIS configuration:

  • Site 1: “https://foxontherock.com”
  • Site 2: “https://fredericmalenfant.com”
  • Site 3: default (ip binding)

Bindings strategy

The first strategy can be to add these rules to all your sites, one by one.
Exemple for site 1, these are the 4 bindings configuration:

  • http://foxontherock.com
  • http://www.foxontherock.com
  • https://foxontherock.com
  • https://www.foxontherock.com

If you set your IIS bindings like that, you need to add the rewrite rules to all your sites, one by one.

But there’s another simple strategy that I prefer, by using a “default” site on IIS.
On the first and second sites, I only set the “final” binding, e.g. foxontherock.com and fredericmalenfant.com, both on port 443 without www.

On the “default” site, I configure the bindings to respond to all other requests on my public IP address.

That way, I only need to add the redirect rules on the default site, as the redirection will be handled by the redirected site after.

IIS Rewrite Rules

First rule: Remove www prefix.

<rule name="Remove www" stopProcessing="true">
 <match url="(.*)" ignoreCase="true" />
 <conditions logicalGrouping="MatchAll">
  <add input="{HTTP_HOST}" pattern="^www\.(.+)$" />
 </conditions>
 <action type="Redirect" url="https://{C:1}/{R:0}" redirectType="Permanent" />
</rule>

Second rule: redirect http to https

<rule name="Redirect to https" stopProcessing="true">
 <match url="(.*)" />
 <conditions>
  <add input="{HTTPS}" pattern="off" ignoreCase="true" />
 </conditions>
 <action type="Redirect" url="https://{HTTP_HOST}/{R:0}" redirectType="Permanent" />
</rule>

The third rule can be set to all sites, and is used to get a fixed page always responding, without 404.

<rule name="Default page" stopProcessing="true">
 <match url=".*" />
 <conditions>
  <add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true" />
  <add input="{REQUEST_FILENAME}" matchType="IsDirectory" negate="true" />
 </conditions>
 <action type="Rewrite" url="index.html" />
</rule>

Finally, you can add the “canonical” meta on that page to make robots index only 1 page, not all possible url.

(index.html)
<head>
...
<link rel="canonical" href="https://foxontherock.com/" />
</head>

Disable ssl3 for more security

SSL3 is over.  Some servers keep it active because they need to serve pages to IE6/XP users.  But, these days are over, as most of the updated to, at least IE8, and they have all the last updates allowing to connect using TLS 1.1 or 1.2.

SSL3 can also be enabled by default on older Windows Servers, like 2008 R2, even if you installed all Windows Updates.

Now, it’s time to disable SSL3 completely.

If your SSL3 is active, you may get one of these warnings from Qualys SSL Test:

  • This server is vulnerable to the POODLE attack. If possible, disable SSL 3 to mitigate. Grade capped to C.
  • This server uses SSL 3, which is obsolete and insecure. Grade capped to B.

It’s easy to disable it from a Windows registry, as described here.

Solution

Create a file, called DisableSSL3.reg, and copy that content on it:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000

Save it, double-click on it, and accept.

Finally, reboot, and all SSL3 server services are disabled on your Windows server.

How to get “A” Rating on Qualys SSL Labs Test

That blog is hosted on an Amazon EC2 Instance, running Windows 2012 R2 Server.  And our SSL certificated is provided by Let’s Encrypt.

Starting from that default configuration, we ran the SSL test, and we got a B note.  We wanted to get the “A” Rating, and these are the 2 major warning we had to solve.

  • “This server supports weak Diffie-Hellman (DH) key exchange parameters”
  • “This server accepts RC4 cipher, but only with older protocols”

Solution

We were able to fix these issues with some simple registry tweaks that we describe in these articles

Then, after we ran these steps, we now have our A Grade!

Now, if you want an even better grade, you can continue to solve these little warnings that the SSLLabs test can give you.

How to solve RC4 warning on Qualys SSLLabs Test

In a previous article, I talked about how you can solve the Diffie-Hellman warning on Qualys SSLLabs test, by applying a registry configuration.

Now, we’ll talk about another common warning that most AWS EC2 customer can get.  By default, we got that security issue from SSLLabs:

This server accepts RC4 cipher, but only with older protocols. Grade capped to B.

Solution

Microsoft proposes a solution for disabling the 3 weak RC4 cipher suites in that article.
You need to create 1 new registry entry.  Create an empty text file called rc4fix.reg, and paste that content to it:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000

Then, double-click on it to apply these settings, an reboot.

Finally, run your SSL test again, that warning disappeared.

How to solve Diffie-Hellman warning on Qualys SSLLabs Test

In a previous article, I talked about how you can get a better note on Qualys SSLLabs test, by configuring CAA DNS entry.

Today, we’ll talk about another warning most of us must resolve to get the “A” Rating.

On our AWS EC2 Windows 2012 R2 server, by default, we got that security issue from SSLLabs:

This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B.

Solution

That is caused by the Diffie-Hellman protocol accepted at 1024 bits.  The fix proposed by Microsoft (article) is to still accept that protocole, but only at 2048+ bits.

You need to create 1 new registry entry.  Create an empty file called df.reg, and paste that content to it:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman]
"ServerMinKeyBitLength"=dword:00000800

Then, double-click on it to apply these settings, an reboot.

Run your SSL test again, that warning disappeared.

How to fix DNS CAA issue on SSL Labs Test

You ran the SSL Labs Analyzer on your domain name, and you got a DNS CAA Issue.  You want to solve it, because your goal is to get the A+ Rating from Qualys.

How to fix that?

You need to add a CAA Entry in your DNS.

What is a CAA DNS entry?

That entry tells which certificate authority delivered your SSL certificate.  If someone hack your ssl certificates with certs not in your liste of “known” providers, it will be an indication that your site may have been modified by someone else.

The blog you currently read is hosted on AWS EC2 infrastructure.  The DNS is sold and managed by AWS Route 53 services, and we got our SSL certificates free from Letsencrypt.

So, I’ll explain you how enable your CAA DNS setting based on these prerequisites.  The procedure is the same for any other SSL seller and DNS service.

Step-by-step configuration

  • In your Route 53 console:
    • select your domain name
    • Click “Create Record Set”
      • Leave name empty
      • Choose type: CAA
      • Enter value, in my case it was:
        [0 issue “letsencrypt.org”] (without brackets)

In addition, you can use that generator: https://sslmate.com/caa/ to obtain your value.
From that generator, just enter your domain name.
Next, click “Auto Generate Policy”.
The tool will look at your current SSL certificate.  Then, it will give you the desired value you should type in your CAA DNS entry.

Finally, wait a little for DNS propagation, and run the test again, and you will get a nice green status on your CAA test!

You can also test your CAA with that tool:
https://caatest.co.uk/

letsencrypt simple all sites

After using letsencrypt-win-simple (now win-acme) for my iis sites, I had some troubles, and I provide you the solutions I applied to fix them.

First, I had a lot of sites / domain names to register, and it was long to do that from the interactive app.  So I tried to do that from command prompt.  The documentation is not clear on how to do that, so I did several try-mistake.

And, finally, that’s what I found:

the first time you will add the “plugin” mode, you will get that error:
unable to find validation plugin
Because the “recommended” validation method from the ui is not the same in the command prompt, and you need to provide it, using the argument:
–validation selfhosting

These are 3 command line methods I tried.
The first allow you to get 1 single certificate for all your sites.  But, warning, if you request certificates info for any domain name registered, you will always see the first one registered.  So, I did not use that method.  But, you can try it.

letsencrypt.exe --plugin iissites --validation selfhosting --siteid 1,2,3,4,...

Warning, do not include sites id that are invalid or inexisting.

The second method allow you to create 1 certificate per site ID (that is not a domain name, you can have multiples domain name binding on 1 single site).

letsencrypt.exe --plugin iissite --validation selfhosting --siteid 1

And now, my preferred one, that I put on a batch file with all my existing sites:

letsencrypt.exe --plugin iisbinding --validation selfhosting --manualhost yoursite1.com
letsencrypt.exe --plugin iisbinding --validation selfhosting --manualhost www.yoursite1.com 
letsencrypt.exe --plugin iisbinding --validation selfhosting --manualhost yoursite2.com
letsencrypt.exe --plugin iisbinding --validation selfhosting --manualhost www.yoursite2.com 
...

You execute that only once.

After, you can run the renewal process once per month, or every day as you wish, but the renewal process will only renew certificates that were generated more than 55 days ago.

letsencrypt.exe --renew

If you experience some issues when updating, with locked certificates files, I suggest to run “iisreset” before renewing, as it always helps me to clear all these renewal errors.

How to setup Free SSL / HTTPS in EC2 IIS

More and more, all sites are running over HTTPS / SSL.  I personnally think that, in the near future, port 80 / http will die, and all pages will be served in SSL.

One reason for that, is the work done by the “Let’s Encrypt” team.
Look at their sponsors, it’s all the major names of the industry.  And, beginning January 2018, they will also offer free “wildcard” certificates!

So, i’ll explain you how to configure that ssl certificate on your Windows EC2 server running IIS.

The LetEncrypt protocole can be a little difficult to setup.  But, one person did a tool that make ssl certification very easy.

That tool is called “letsencrypt-win-simple“, (now win-acme)hosted on github.

First, you need to configure your site in IIS in standard http.  (look at others chapters to configure IIS and get a fixed IP).

Then, download letsencrypt-win-simple, open a command prompt in administrator mode.  Start the executable, and it will list all your sites in IIS.  Choose the site you want to secure.  The tool will create a file in your site root folder, some communications will be done between your server and the letsencrypt api.  Your site needs to be reachable from its public IP and domain name.

Then, that’s all, the certificate is added to IIS, and the binding is also linked to your site.

These free certificates are valid for 2 months, but the letsencrypt-win-simple app auto-add itself to your “windows task manager”, and it’s running every day to automatically renew all your expired certificates.  So, you don’t need to re-run that procedure, everything is automated and works very fine.

I suggest run that on an empty site (with a simple empty default.aspx / index.htm page), before installing WordPress, because you want to configure your wordpress in https.  It can be hard to move from http to https in wordpress after the initial setup, if you have some content that includes your absolute url with “http://” hard-coded url.