Secure SSL configuration for Nginx

Here is a handy snippet for configuring hardened SSL/TLS on Nginx. It receives an A+ rating when tested with Qualys SSL Labs.

A later post will discuss the configuration options in detail, what they do, and how SSL works.

Just a word of warning: this configuration enables HSTS by default. Once enabled, it tells the browser that the host (and its subdomains) must only be accessed over HTTPS.

Nginx configuration

server {
    ###------IPv4 Listen Address
    listen <ipv4address>:443 http2 ssl;

    ###------IPv6 Listen Address
    # listen <ipv6address>:443 http2 ssl ipv6only=on;

    ###------Host name
    server_name <fqdn>;

    ###------Enable ssl
    # Redundant with the "ssl" parameter on listen above and deprecated since nginx 1.15.0;
    # kept here for older releases.
    ssl on;

    ###------SSL certificate/key
    ssl_certificate /etc/ssl/private/<fqdn>/<fqdn>.pem;
    ssl_certificate_key /etc/ssl/private/<fqdn>/<fqdn>.key;
    ssl_prefer_server_ciphers on;

    ###------SSL Perfect Forward Secrecy (DH)
    ssl_dhparam /etc/ssl/dhparam.pem;

    ###------SSL OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/ssl/private/<fqdn>/ca.pem;

    ###------SSL Protocols
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;

    ###------SSL Ciphers
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

    ###------SSL Session Cache
    ssl_session_cache shared:TLS:2m;

    ###------Strict Transport Security (HSTS)
    # Uncomment only if you never intend to serve plain HTTP on this host or its subdomains
    # add_header Strict-Transport-Security "max-age=31536000;includeSubdomains;";

    ###------Not SSL/TLS related, but good practice
    # add_header X-Frame-Options SAMEORIGIN;
    # add_header X-Content-Type-Options nosniff;
    # add_header X-XSS-Protection "1; mode=block";

    # continue with settings not related to ssl...
}
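As an added example (not part of the original post), the following Python script parses an nginx server block like the one above and checks it against the hardening points the configuration makes: no SSLv2/SSLv3, server cipher preference, no catch-all cipher keywords, explicit DH parameters, stapling with verification and a trusted chain, and an HSTS header with a long max-age. The directive parser and the rule set are this example's own; the 180-day max-age threshold and the two sample configs (a hardened one mirroring the snippet above, and a deliberately weak one) are constructed for the demonstration.

```python
"""Audit an nginx server block for the TLS hardening settings described above.

The tokenizer is minimal (enough for a flat server block) and the rule set is
an assumption of this example, not a feature of nginx or of SSL Labs.
"""
import re

WEAK_CIPHER_KEYWORDS = {'ALL', 'DEFAULT', 'RC4', 'DES', '3DES', 'NULL', 'EXPORT', 'MD5', 'LOW'}
MIN_HSTS_MAX_AGE = 15552000  # 180 days; threshold chosen for this example

# Constructed sample mirroring the hardened snippet, with placeholders filled in.
HARDENED_CONF = """
server {
    listen 203.0.113.10:443 http2 ssl;
    server_name www.example.com;
    ssl_certificate /etc/ssl/private/www.example.com/www.example.com.pem;
    ssl_certificate_key /etc/ssl/private/www.example.com/www.example.com.key;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/dhparam.pem;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/ssl/private/www.example.com/ca.pem;
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    ssl_session_cache shared:TLS:2m;
    add_header Strict-Transport-Security "max-age=31536000;includeSubdomains;";
}
"""

# Constructed weak sample: old protocol, catch-all ciphers, no DH params, no stapling, short HSTS.
WEAK_CONF = """
server {
    listen 443 ssl;
    server_name www.example.com;
    ssl_certificate /etc/ssl/certs/site.pem;      # comment after a directive
    ssl_certificate_key /etc/ssl/private/site.key;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ALL:!aNULL';
    add_header Strict-Transport-Security "max-age=300";
}
"""


def parse_directives(text):
    """Return [(name, [args]), ...] for every directive, at any brace depth."""
    directives, tokens = [], []
    i, n = 0, len(text)
    while i < n:
        c = text[i]
        if c == '#':                                  # comment runs to end of line
            while i < n and text[i] != '\n':
                i += 1
        elif c in '\'"':                              # quoted argument, quotes stripped
            j = text.index(c, i + 1)
            tokens.append(text[i + 1:j])
            i = j + 1
        elif c in '{}':                               # block open/close: drop "server"
            tokens = []
            i += 1
        elif c == ';':                                # end of directive
            if tokens:
                directives.append((tokens[0], tokens[1:]))
            tokens = []
            i += 1
        elif c.isspace():
            i += 1
        else:                                         # bare word
            j = i
            while j < n and not text[j].isspace() and text[j] not in '{};#\'"':
                j += 1
            tokens.append(text[i:j])
            i = j
    return directives


def audit(text):
    """Return a list of findings; an empty list means every rule passed."""
    by_name = {}
    for name, args in parse_directives(text):
        by_name.setdefault(name, []).append(args)
    findings = []

    def first(name):
        return by_name.get(name, [[]])[0]

    protocols = set(first('ssl_protocols'))
    if not protocols:
        findings.append('ssl_protocols not set; the nginx default applies')
    legacy = protocols & {'SSLv2', 'SSLv3'}
    if legacy:
        findings.append('ssl_protocols allows ' + ', '.join(sorted(legacy)))
    if first('ssl_prefer_server_ciphers') != ['on']:
        findings.append('ssl_prefer_server_ciphers is not on')
    ciphers = first('ssl_ciphers')
    weak = [p for p in (ciphers[0].split(':') if ciphers else []) if p in WEAK_CIPHER_KEYWORDS]
    if weak:
        findings.append('ssl_ciphers includes weak keyword(s): ' + ', '.join(weak))
    if 'ssl_dhparam' not in by_name:
        findings.append('ssl_dhparam not set; EDH suites use built-in parameters or are unavailable')
    if first('ssl_stapling') != ['on']:
        findings.append('ssl_stapling is not on')
    else:
        if first('ssl_stapling_verify') != ['on']:
            findings.append('ssl_stapling on but ssl_stapling_verify is not on')
        if 'ssl_trusted_certificate' not in by_name:
            findings.append('ssl_stapling on but ssl_trusted_certificate not set')
    hsts = [a for a in by_name.get('add_header', []) if a and a[0].lower() == 'strict-transport-security']
    if not hsts:
        findings.append('no Strict-Transport-Security header')
    else:
        value = hsts[0][1] if len(hsts[0]) > 1 else ''
        m = re.search(r'max-age\s*=\s*(\d+)', value)
        if not m or int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append('HSTS max-age missing or below %d seconds' % MIN_HSTS_MAX_AGE)
    return findings


if __name__ == '__main__':
    for label, conf in (('hardened', HARDENED_CONF), ('weak', WEAK_CONF)):
        print(label, audit(conf) or ['OK'])
```

The hardened sample passes with no findings while the weak one yields six. Note that the rule set deliberately mirrors the post's era: it only rejects SSLv2/SSLv3, whereas TLS 1.0 and 1.1 have since been deprecated by RFC 8996, so a current audit would add those to the legacy set.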

Setting up the /etc/ssl folder

# Set fqdn to the host name first, e.g. fqdn=www.example.com

# You only need one DH parameter file per server (not per vhost)
openssl dhparam -out /etc/ssl/dhparam.pem 2048

# Make a key and CSR for your domain
mkdir -p /etc/ssl/private/$fqdn && cd /etc/ssl/private/$fqdn
openssl genrsa -out /etc/ssl/private/$fqdn/$fqdn.key 2048
# Write the CSR next to the key (the .csr file name is a suggestion); submit it to your CA
openssl req -new -sha256 -key /etc/ssl/private/$fqdn/$fqdn.key -out /etc/ssl/private/$fqdn/$fqdn.csr