[BlueOnyx:21840] Re: https://www.ssllabs.com/ssltest/analyze.html actual only B rating for blueonyx Server with ssl

Michael Stauber mstauber at blueonyx.it
Tue Mar 13 11:39:36 -05 2018


Hi Dirk,

>> This doesn't work on EL7 or EL6. If this exact SSLCipherSuite is used,
>> Apache fails to restart:
> 
> No this is not correct. 
>
> I did replace the original SSLCipherSuite within a site<nr> with the SSLCipherSuite I posted and it is working with an A rating and no WEAK Ciphers

Yeah, I just tried that as well and it indeed works there, but not if we
use Apache2::ServerUtil() to dynamically create that config. Apache is
probably more forgiving if unsupported ciphers are statically loaded via
the Apache config files than it is when we try to shove the same config
in via Apache2::ServerUtil().

But the fact remains: That line contains unsupported ciphers. I'd rather
not deploy a "faulty" config. So I'll see if I can identify the ciphers
that aren't working and will see if I can get us something that works
without complaints.

> +1 for your nginx idea and not only as proxy for 443 also for 80.

You mean let us use Nginx as proxy for *both* port 80 and 443? That's an
interesting idea.

Just for the others who haven't been privy to our prior discussion about
this:

Both Dirk and I love Nginx, because it blows Apache out of the water in
many regards. It's lean, mean, easy to configure and pretty darn fast.
Nginx has a focus on serving webpages fast. Apache has the focus on
providing a heap of extra functionality that turn it into a Swiss army
knife that can do everything. But as a downside Apache does nothing
exceptionally well or fast.

However: As is we're using features and functions of Apache that Nginx
doesn't provide. Should we ever make an outright switch from Apache to
Nginx, we would lose functionality:

- No more .htaccess
- No PHP via DSO
- No PHP via DSO + mod_ruid2
- No more apache_bandwith limits for Vsites
- We might lose Tomcat support
- PHP only via PHP-FPM or suPHP
- With Nginx we get HTTP/2, which our Apache can't do yet.

So a straight up substitute of Nginx for Apache won't fly for us. But:
We can use Nginx as a proxy, eliminating most of these drawbacks while
gaining most of the benefits for a slight increase of complexity. If
that's worth it probably lies in the eyes of the beholder and is up to
discussion.

-- 
With best regards

Michael Stauber
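Michael's plan above is to identify which names in the posted SSLCipherSuite string the local OpenSSL does not know. The following script is an added example for this thread, not BlueOnyx code or anything posted by Michael or Dirk. It assumes that Apache's mod_ssl links the same OpenSSL library as the Python interpreter it runs under (the normal case when both come from the distribution packages), so that what Python's `ssl` module rejects, mod_ssl would reject too. The cipher string it checks is a constructed sample, not the one from the thread.

```python
"""
Check which entries of an Apache SSLCipherSuite string the local OpenSSL
build actually accepts, so a config containing unsupported cipher names is
caught before Apache refuses to restart.

Added example for this thread, not BlueOnyx code. Assumes mod_ssl and this
interpreter use the same OpenSSL library.
"""
import ssl


def _is_directive(token: str) -> bool:
    # OpenSSL cipher-string grammar: "!X" removes X permanently, "-X" disables
    # it, "+X" moves it to the end, and "@STRENGTH" / "@SECLEVEL=n" are
    # ordering or policy directives. None of these names a cipher to test.
    return token[:1] in ("!", "-", "+", "@")


def check_cipher_suite(suite: str):
    """Return (supported, unsupported, whole_string_ok).

    `supported` and `unsupported` list each individual cipher name or alias
    from the string; `whole_string_ok` tells whether OpenSSL accepts the
    complete string as given. Note that OpenSSL silently drops unknown names
    from an otherwise valid list, so the per-token check is what actually
    reveals the faulty entries.
    """
    supported, unsupported = [], []
    for token in filter(None, (t.strip() for t in suite.split(":"))):
        if _is_directive(token):
            continue
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        try:
            # set_ciphers() wraps SSL_CTX_set_cipher_list() and raises
            # SSLError ("No cipher can be selected") when the name or alias
            # matches nothing in this OpenSSL build.
            ctx.set_ciphers(token)
            supported.append(token)
        except ssl.SSLError:
            unsupported.append(token)

    whole_ok = True
    try:
        ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER).set_ciphers(suite)
    except ssl.SSLError:
        whole_ok = False
    return supported, unsupported, whole_ok


def resolved_ciphers(suite: str):
    """Expand a cipher string into the concrete cipher names OpenSSL would
    offer with it, in preference order (TLS 1.3 suites are fixed and may be
    listed as well on newer OpenSSL builds)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(suite)
    return [c["name"] for c in ctx.get_ciphers()]


# Constructed sample: two real cipher names, one bogus name and two
# directives, to show how each kind of token is reported.
SAMPLE_SUITE = (
    "ECDHE-RSA-AES128-GCM-SHA256:NOT-A-REAL-CIPHER:"
    "ECDHE-RSA-AES256-GCM-SHA384:!aNULL:!MD5"
)

if __name__ == "__main__":
    ok, bad, whole = check_cipher_suite(SAMPLE_SUITE)
    print("supported:  ", ok)
    print("unsupported:", bad)
    print("whole string accepted by OpenSSL:", whole)
    if whole:
        print("ciphers actually offered:", resolved_ciphers(SAMPLE_SUITE))
```

Run it on the real SSLCipherSuite value by replacing `SAMPLE_SUITE`; the `unsupported` list is the set of names to remove before the string is handed to Apache, whether statically or via Apache2::ServerUtil().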


