/ tls

Secure SSL configuration for Nginx

Here is a handy snippet for configuring a hardened SSL/TLS on Nginx. It receives a A+ rating when tested at Qualys.

A later post will discuss the configuration options in detail, what they do, and how SSL works.

Just a word of warning, this configuration enables HSTS by default. If enabled, it tells the browser that it (and its subdomains) must only operate in HTTPS mode.

Nginx configuration

  server {
          ###------IPv4 Listen Address
            listen <ipv4address>:443 http2 ssl;  
            
          ###------IPv6 Listen Address
          #  listen <ipv6address>:443 http2 ssl ipv6only=on;
            
          ###------Host name
            server_name <fqdn>;
 
          ###------Enable ssl
            ssl on;
            
          ###------SSL certificate/key 
            ssl_certificate /etc/ssl/private/<fqdn>/<fqdn>.pem;
            ssl_certificate_key /etc/ssl/private/<fqdn>/<fqdn>.key;
            ssl_prefer_server_ciphers on;  

          ###------SSL Perfect Forward Secrecy (DH)
            ssl_dhparam /etc/ssl/dhparam.pem;  

          ###------SSL OCSP stapling 
            ssl_stapling on;
            ssl_stapling_verify on;
            ssl_trusted_certificate /etc/ssl/private/<fqdn>/ca.pem;
            
          ###------SSL Protocols
            ssl_protocols TLSv1.2 TLSv1.1 TLSv1;  

          ###------SSL Ciphers
            ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

          ###------SSL Session Cache
            ssl_session_cache shared:TLS:2m; 

          ###------Strict Transport Security (HSTS)
          # Uncomment only if you never intend on using plain http
          ##### add_header Strict-Transport-Security "max-age=31536000;includeSubdomains;";

          ###------Not SSL/TLS related, but good practice
          #  add_header X-Frame-Options SAMEORIGIN;
          #  add_header X-Content-Type-Options nosniff;
          #  add_header X-XSS-Protection "1; mode=block";    

          # continue with settings not related to ssl...
 }

Setting up the /etc/ssl folder

# you can only need one per server (not per vhost)
openssl dhparam -out /etc/ssl/dhparam.pem 2048

# Make a key and CSR for your domain
mkdir /etc/ssl/private/$fqdn && cd /etc/ssl/private/$fqdn
openssl genrsa -out /etc/ssl/private/$fqdn/$fqdn.key 2048
openssl req -new -sha256 -key /etc/ssl/private/$fqdn/$fqdn.key