Do SSL Right On Nginx

For a while I thought "Hey, I set up my SSL the way the first Google result said. Chrome shows the green padlock. I must be good, right?"

Little did I know of all the best practices and security recommendations out there.

This guide from the community at Digital Ocean is a great place to start. In addition to providing an overview of how to set up a server block config for SSL, there's also a great guide to setting up a self-signed certificate.

The Digital Ocean community guide alone, however, isn't everything that can be done to secure your server.

The configuration in my server block looks like this:

    # certificate chain and private key
    ssl_certificate /etc/nginx/ssl/sample.crt;
    ssl_certificate_key /etc/nginx/ssl/sample.key;

    # allowed protocol versions; SSLv3 is deliberately left out
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    # custom Diffie-Hellman group instead of nginx's default one
    # generate this file like so: openssl dhparam -out dhparams.pem 2048
    ssl_dhparam /etc/nginx/dhparams.pem;

    # let the server's cipher order win over the client's preference
    ssl_prefer_server_ciphers on;

You'll recognize the first two lines. On the third, we are specifying the protocols to use, and excluding the insecure SSLv3.

The remainder of the lines fix issues with weak Diffie-Hellman key exchange. When adding this configuration, you will also have to generate the new Diffie-Hellman group file. This guide provides a more detailed explanation of the configuration.
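As an added example (not code from the original post), here is a small Python check that reads the `ssl_*` directives out of a server block like the one above and flags the issues the post calls out: SSLv3 still enabled, no `ssl_dhparam`, or server cipher order switched off. The two configuration strings are constructed samples.

```python
import re

# Constructed sample: the server block from the post, embedded as a string.
GOOD_CONF = """
    ssl_certificate /etc/nginx/ssl/sample.crt;
    ssl_certificate_key /etc/nginx/ssl/sample.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # generate this file like so: openssl dhparam -out dhparams.pem 2048
    ssl_dhparam /etc/nginx/dhparams.pem;
    ssl_prefer_server_ciphers on;
"""

# Constructed weak counterpart: SSLv3 enabled, no DH params, server order off.
WEAK_CONF = """
    ssl_certificate /etc/nginx/ssl/sample.crt;
    ssl_certificate_key /etc/nginx/ssl/sample.key;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers off;
"""

# One ssl_* directive per line; comment lines (starting with #) never match.
DIRECTIVE = re.compile(r"^\s*(ssl_\w+)\s+([^;#]*);", re.M)


def parse_ssl_directives(conf):
    """Return {directive_name: [arguments]} for every ssl_* directive."""
    return {name: args.split() for name, args in DIRECTIVE.findall(conf)}


def audit(conf):
    """Return a list of findings for the checks the post recommends."""
    d = parse_ssl_directives(conf)
    findings = []
    protos = d.get("ssl_protocols", [])
    if not protos:
        findings.append("ssl_protocols not set (nginx default applies)")
    for weak in ("SSLv2", "SSLv3"):
        if weak in protos:
            findings.append(f"{weak} enabled in ssl_protocols")
    if "ssl_dhparam" not in d:
        findings.append("ssl_dhparam missing: default DH group would be used")
    if d.get("ssl_prefer_server_ciphers", ["off"])[0] != "on":
        findings.append("ssl_prefer_server_ciphers is not on")
    for required in ("ssl_certificate", "ssl_certificate_key"):
        if required not in d:
            findings.append(f"{required} missing")
    return findings
```

Running `audit` over a real server block before submitting the host to an external scanner catches the three mistakes the post discusses without leaving the machine.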

To verify that your server is configured properly, the Qualys SSL Labs server test is an amazing resource. It runs a scan of the provided hostname and reports on a wide variety of issues and vulnerabilities in a report card grade format.

published on 2016-07-31
updated on 2016-07-31