- Set up your .NET application with gRPC-Web and CORS enabled.
- Set up SSL for your domain.
Add http2 after ssl on both listen directives in your server block:
listen [::]:443 ssl http2 ipv6only=on;
listen 443 ssl http2;
Next, use grpc_pass instead of proxy_pass in your server block:
location / {
grpc_pass grpc://localhost:3000; # Or the upstream name if you defined one, e.g. grpc://service_api
}
HTTP/2 blacklists old and insecure TLS cipher suites, so we must avoid them. A cipher suite is the set of cryptographic algorithms that determines how the transferred data is encrypted.
The method you’ll use to define the ciphers depends on how you’ve configured your TLS/SSL certificates for Nginx.
If you used Certbot to obtain your certificates, it also created the file /etc/letsencrypt/options-ssl-nginx.conf, which contains ciphers that aren't strong enough for HTTP/2. Modifying this file would unfortunately prevent Certbot from applying updates in the future, so we'll tell Nginx not to use it and specify our own list of ciphers instead.
In your server block configuration, locate the line that includes the options-ssl-nginx.conf file and comment it out:
# include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
Below that line, add this line to define the allowed ciphers:
ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
That's it: reload the Nginx service and you're done!
If you used self-signed certificates or used a certificate from a third party, open the file /etc/nginx/snippets/ssl-params.conf and locate this line:
...
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
...
Modify it to:
...
ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
Reload the nginx service, and you're done!
To confirm that your URL is served over HTTP/2, curl it with this command:
curl -I -L https://your-domain.com
You will see:
HTTP/2 405
server: nginx/1.14.0 (Ubuntu)
date: Thu, 30 Jul 2020 10:45:56 GMT
content-length: 0
allow: GET
strict-transport-security: max-age=15768000;
If the status line starts with HTTP/2, you are finally DONE!
Even though your HTTP requests redirect to HTTPS, you can enable HTTP Strict Transport Security (HSTS) to avoid those redirects altogether. Once the browser has seen an HSTS header, it will not try to connect to the server over plain HTTP again for the given time period; it will exchange data only over an encrypted HTTPS connection. This header also protects against protocol downgrade attacks.
Open the Nginx configuration file:
sudo nano /etc/nginx/nginx.conf
Add the add_header line inside the http block to enable HSTS:
http {
...
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
add_header Strict-Transport-Security "max-age=15768000" always;
}
...
By default, this header does not apply to subdomains. If you have subdomains and want HSTS to cover all of them, add the includeSubDomains directive to the header value, like this:
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always;
Once again, reload the Nginx service.
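As an added example that is not part of the original post, this POSIX shell script checks the curl output from the steps above for both an HTTP/2 status line and a usable Strict-Transport-Security header. The two header blocks it runs on are constructed samples, and your-domain.com is the placeholder used in the post.

```shell
# Added example (not from the original post): check that a deployed endpoint answers
# over HTTP/2 and sends a usable HSTS header, working from the raw response headers
# that `curl -I -L` prints. The two sample responses below are constructed; for a live
# check feed in the output of: curl -sI -L https://your-domain.com
check_h2_hsts() {
    headers=$1
    ok=0

    # With -L, curl prints one status line per hop; only the final response matters.
    status=$(printf '%s\n' "$headers" | grep -i '^HTTP/' | tail -n 1)
    case "$status" in
        HTTP/2*) echo "ok: HTTP/2 negotiated ($status)" ;;
        *)       echo "FAIL: final response is not HTTP/2 ($status)"; ok=1 ;;
    esac

    # HTTP/2 lowercases header names; grep -i also covers HTTP/1.1 fallbacks.
    hsts=$(printf '%s\n' "$headers" | grep -i '^strict-transport-security:' | tail -n 1)
    if [ -z "$hsts" ]; then
        # Common cause: an add_header in a server/location block shadows the one in http {}.
        echo "FAIL: no Strict-Transport-Security header"
        ok=1
    else
        # max-age must be present and at least the 15768000 s (six months) used in the post.
        max_age=$(printf '%s' "$hsts" | sed -n 's/.*max-age=\([0-9]*\).*/\1/p')
        if [ -n "$max_age" ] && [ "$max_age" -ge 15768000 ]; then
            echo "ok: HSTS max-age=$max_age"
        else
            echo "FAIL: HSTS max-age missing or below 15768000 ($hsts)"; ok=1
        fi
        case "$hsts" in
            *includeSubDomains*) echo "ok: HSTS also covers subdomains" ;;
            *)                   echo "note: HSTS does not cover subdomains" ;;
        esac
    fi
    return $ok
}

# Constructed sample: the headers the post shows after a successful setup.
GOOD_HEADERS=$(printf 'HTTP/2 405\nserver: nginx/1.14.0 (Ubuntu)\ncontent-length: 0\nallow: GET\nstrict-transport-security: max-age=15768000;\n')
# Constructed sample: HTTP/1.1 (no http2 on the listen line) and no HSTS header.
BAD_HEADERS=$(printf 'HTTP/1.1 200 OK\nServer: nginx/1.14.0 (Ubuntu)\nContent-Length: 0\n')

for sample in "$GOOD_HEADERS" "$BAD_HEADERS"; do
    if check_h2_hsts "$sample"; then echo '--- PASS'; else echo '--- FAIL'; fi
    echo
done
```

The function exits non-zero on any failed check, so it can gate a deployment pipeline as well as be read by hand.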
That's it. You can finally enjoy the full security features of .NET gRPC-Web without the (optional) Envoy proxy.