#Weak SSL cipher being reported in 3.4.1b


meager temple
#

Getting reports from our security team that our NABox system is reporting weak ciphers on both 80/443:
Golang Server, port 80
nginx, port 443
Accepted insecure ciphers: ECDHE-RSA-AES128-SHA256

I have not worked a whole lot with containers and am not really sure where these would need to be changed.
Typically on our Linux systems it would just be a matter of making changes to the Apache/etc. config file for what ciphers/keys it allows.

Any way to make changes to get these cleared up?

upper fulcrum
#

Thanks for raising this, @meager temple. @obsidian trail will take a look. I know Traefik is fronting the ports on NAbox, but your cipher scan probably hits the final destination.

obsidian trail
#

From /usr/local/nabox/files/traefik, the accepted ciphers should be:

        - "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
        - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
        - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
        - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
        - "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305"
        - "TLS_AES_128_GCM_SHA256"
        - "TLS_AES_256_GCM_SHA384"
        - "TLS_CHACHA20_POLY1305_SHA256"
        - "TLS_FALLBACK_SCSV"

You're saying TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 should be removed? I need to double check what the constant for ECDHE-RSA-AES128-SHA256 is.

obsidian trail
#

That's the one indeed. Looks like I should remove it.
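The name lookup the two posts above are doing by hand, as an added example that is not code from the thread, NAbox or Traefik: the scanner reports the OpenSSL-style name, Traefik's `cipherSuites` list uses the Go/IANA-style constant, and the script maps one to the other, reads the list out of the dynamic file, and returns the entries to drop (any match, plus any CBC-mode suite) and the list that should remain. The mapping table and the sample file contents are constructed from the suites shown in this thread.

```python
"""Audit a Traefik dynamic TLS file against a cipher-scanner finding.
Added example, not code from the thread, NAbox or Traefik. Nessus reports
OpenSSL-style names (ECDHE-RSA-AES128-SHA256) while Traefik's cipherSuites
list uses Go/IANA-style constants, so names are mapped before matching."""

# OpenSSL name -> Go/Traefik constant for suites seen in the thread
# (table constructed for this example; extend from the IANA registry).
OPENSSL_TO_IANA = {
    "ECDHE-RSA-AES128-SHA256": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "ECDHE-ECDSA-AES128-GCM-SHA256": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "ECDHE-RSA-CHACHA20-POLY1305": "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
}


def parse_cipher_suites(yaml_text: str) -> list:
    """Minimal line-based reader (no PyYAML) for the `cipherSuites:` list
    shape shown in the thread; indentation is ignored, the next key ends it."""
    suites, in_list = [], False
    for raw in yaml_text.splitlines():
        line = raw.strip()
        if line.startswith("cipherSuites:"):
            in_list = True
        elif in_list and line.startswith("- "):
            suites.append(line[2:].strip().strip('"'))
        elif in_list and line and not line.startswith("#"):
            break
    return suites


def audit(yaml_text: str, scanner_names: list) -> tuple:
    """Return (flagged, keep): entries matching a scanner-reported name or
    using CBC mode, and the list that should remain in the file."""
    reported = {OPENSSL_TO_IANA.get(n, n) for n in scanner_names}
    suites = parse_cipher_suites(yaml_text)
    flagged = [s for s in suites if s in reported or "_CBC_" in s]
    keep = [s for s in suites if s not in flagged]  # TLS_FALLBACK_SCSV stays
    return flagged, keep


# Constructed sample: the file as posted, before the CBC line was removed.
SAMPLE = """tls:
  options:
    default:
      cipherSuites:
        - "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
        - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
        - "TLS_AES_128_GCM_SHA256"
        - "TLS_FALLBACK_SCSV"
"""
```

Run `audit` on the contents of the file Traefik actually loads (checked from inside the container, as done later in this thread), since an edit to a file the container does not read changes nothing.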

meager temple
#

Thanks. Editing that file should fix both ports 80/443, although our scanner shows GoLang on port 80 and nginx on 443.

#

Nessus is what we use for scanning.

obsidian trail
#

It makes sense that multiple HTTP servers are detected, like golang or nginx, but the SSL termination is only done by Traefik with that config file.

#

Depending on the path (/prometheus, /graphite, /) you will get different HTTP server metadata.

meager temple
#

OK, I'll go edit the file and have them rescan.
Off topic, but is there a reason you can't do updates/upgrades with apk?
Like when I run apk upgrade it just comes back with OK: xxxMiB in xxx packages

obsidian trail
#

Doing manual upgrades might break future updates of NAbox; that's a bit dangerous, but if you have internet access I think it should work.

#

Don't forget to restart Traefik: dc restart traefik

meager temple
#

Aye, it's restarting now; I'll have them rescan and let you know what they say.
Thanks for the quick turnaround, as always.

meager temple
#

Hrm. Removed that line from the YAML file, restarted, and it still comes back with
ciphers: Cipher suites {'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256'} are supported, but should be rejected.

#

    options:
      default:
        cipherSuites:
          - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
          - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
          - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
          - "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305"
          - "TLS_AES_128_GCM_SHA256"
          - "TLS_AES_256_GCM_SHA384"
          - "TLS_CHACHA20_POLY1305_SHA256"
          - "TLS_FALLBACK_SCSV"

    pnapdstrutl04:/usr/local/nabox/files/traefik# dc restart traefik
    [+] Running 1/1
     ✔ Container 1a8386e67e14_traefik Started

obsidian trail
#

Please double check the settings with: dc exec traefik cat /dynamic/ssl.yaml

meager temple
#

cat: can't open '/dynamic/ssl.yaml': No such file or directory

obsidian trail
#

Probably an old 3.4.1b then? What does `/usr/local/nabox/docker-compose/docker-compose.yaml` say about the traefik service?

meager temple
#

Sorry for the delay.

#

    traefik:
      image: traefik:v2.6
      container_name: traefik
      hostname: traefik
      entrypoint: /nabox-traefik-entrypoint.sh
      command:
        - "--log.level=DEBUG" # Development only
        - "--api.insecure=true"
        - "--providers.docker=true"
        - "--providers.docker.exposedbydefault=false"
        - "--providers.file.directory=/ssl/"
        - "--providers.file.watch=true"
        - "--entrypoints.web.address=:80"
        - "--entrypoints.web.http.redirections.entrypoint.to=webssl"
        - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
        - "--entrypoints.webssl.address=:443"
        - "--entrypoints.graphite.address=:2003"
      volumes:
        - "/var/run/docker.sock:/var/run/docker.sock:ro"
        - "${NABOX_OPT}/ssl:/ssl"
        - "./nabox-traefik-entrypoint.sh:/nabox-traefik-entrypoint.sh"
      ports:
        - "443:443"
        - "80:80"
        - "2003:2003"
      labels:
        - nabox.core=true
      restart: always

obsidian trail
#

Images are not available for download and are only distributed with the VA. I'm confused as to how the Traefik SSL config is distributed in your version. You should have the ciphers described in /opt/ssl/ssl.yaml, but it doesn't look like that file is available in the container. What does /opt/ssl contain?

meager temple
#

/opt/ssl# ls
nabox.crt nabox.key traefik.yaml

#

And I was referring to the virtual appliance download. The only options I know of are on the nabox/download page,
but I don't see a beta version or 3.5 or such.

obsidian trail
#

OK, so I guess in your version the config is indeed in traefik.yaml, but why it doesn't seem to be applied is a mystery.

#

Mmm, wait, what's in traefik.yaml?

meager temple
#

I just edited that file and removed the entry, then restarted the container. About to do another scan.

obsidian trail
#

So it was in there. OK, cool.

meager temple
#

And now it's gone.
That was it.
Thanks.

Now I just need to figure out what version I'm running vs. what is current and should be running.

obsidian trail
#

The way I do beta makes it difficult to track; it's basically overwritten with each build.

meager temple
#

NAbox 3.4.1b (2023-11-25) - Alpine Linux 3.18.4