Do SSL Right On Nginx

For a while I thought "Hey, I set up my SSL the way the first Google result said. Chrome shows the green padlock. I must be good, right?"

Wrong.

Little did I know of all the best practices and security recommendations out there.

This guide from the community at Digital Ocean is a great place to start. In addition to providing an overview of how to set up a server block config for SSL, there's also a great guide to setting up a self-signed certificate.

The Digital Ocean community guide alone, however, doesn't cover everything that can be done to secure your server.

The configuration in my server block looks like this:

    # certificate (with chain) and private key
    ssl_certificate /etc/nginx/ssl/sample.crt;
    ssl_certificate_key /etc/nginx/ssl/sample.key;

    # only TLS; SSLv2 and SSLv3 are deliberately left out
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    # custom 2048-bit Diffie-Hellman group for DHE suites
    # generate this file like so : openssl dhparam -out dhparams.pem 2048
    ssl_dhparam /etc/nginx/dhparams.pem;

    # the server, not the client, decides the cipher order;
    # forward-secret ECDHE/DHE suites come first, weak ones are excluded with '!'
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

You'll recognize the first two directives. The ssl_protocols line lists the protocol versions the server will accept, and leaves out the insecure SSLv3.

The remaining directives address weak Diffie-Hellman key exchange: ssl_dhparam replaces the default DH group with your own 2048-bit one, and the cipher list puts the forward-secret ECDHE/DHE suites first while the '!' entries disable the weak suites (RC4, MD5, export grade, anonymous). When adding this configuration, you will also have to generate the new Diffie-Hellman group file with the openssl command shown in the comment. This guide provides a more detailed explanation of the configuration.

To verify that your server is configured properly, the Qualys SSL Labs server test is an amazing resource. It scans the provided hostname and reports on a wide variety of issues and vulnerabilities in a report-card grade format.
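SSL Labs can only grade a server that is already reachable on the internet. As an added example (not part of the original post, and not a Digital Ocean or nginx tool), the script below performs a static pre-deployment check of the ssl_* directives discussed above: it parses a server block, flags SSLv2/SSLv3 in ssl_protocols, a missing ssl_dhparam, ssl_prefer_server_ciphers not being on, and weak cipher-suite tokens (RC4, MD5, single DES, export, NULL, PSK) that are enabled rather than negated with '!'. Both sample server blocks are constructed for this example: GOOD_CONFIG is an abridged version of the post's configuration, BAD_CONFIG is the same block weakened deliberately so the checker has something to report.

```python
import re

# Constructed sample, abridged from the post's server block (same negations).
GOOD_CONFIG = """
    ssl_certificate /etc/nginx/ssl/sample.crt;
    ssl_certificate_key /etc/nginx/ssl/sample.key;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    # generate this file like so : openssl dhparam -out dhparams.pem 2048
    ssl_dhparam /etc/nginx/dhparams.pem;

    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:kEDH+AESGCM:AES128-GCM-SHA256:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH';
"""

# Constructed sample: SSLv3 enabled, no ssl_dhparam, RC4 suite enabled.
BAD_CONFIG = """
    ssl_certificate /etc/nginx/ssl/sample.crt;
    ssl_certificate_key /etc/nginx/ssl/sample.key;

    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;

    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:RC4-SHA:!aNULL:!MD5';
"""

WEAK_PROTOCOLS = {"SSLv2", "SSLv3"}
# OpenSSL cipher-string tokens that should only ever appear negated ("!RC4").
WEAK_CIPHER_TOKENS = {"RC4", "MD5", "DES", "EXPORT", "aNULL", "eNULL", "NULL", "PSK"}


def parse_ssl_directives(text):
    """Return {directive: value} for every ssl_* directive, ignoring '#' comments."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"^(ssl_\w+)\s+(.+?)\s*;$", line)
        if m:
            directives[m.group(1)] = m.group(2).strip("'\"")
    return directives


def weak_tokens_in_suite(token):
    """Weak components of one enabled cipher-string entry such as 'RC4-SHA'."""
    parts = set(token.replace("+", "-").split("-"))
    weak = parts & WEAK_CIPHER_TOKENS
    # 'DES-CBC3-*' names Triple-DES; only single DES is treated as weak here,
    # matching OpenSSL, where '!DES' does not remove 3DES suites.
    if "DES" in weak and "CBC3" in parts:
        weak.discard("DES")
    return weak


def check_ssl_config(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    d = parse_ssl_directives(text)
    findings = []

    protocols = set(d.get("ssl_protocols", "").split())
    for p in sorted(protocols & WEAK_PROTOCOLS):
        findings.append(f"ssl_protocols enables {p}")

    if "ssl_dhparam" not in d:
        findings.append("ssl_dhparam missing: DHE suites fall back to the default group")

    if d.get("ssl_prefer_server_ciphers", "off") != "on":
        findings.append("ssl_prefer_server_ciphers is not on")

    ciphers = d.get("ssl_ciphers", "")
    if not ciphers:
        findings.append("ssl_ciphers missing: the OpenSSL default list is used")
    else:
        entries = [t for t in ciphers.split(":") if t and not t.startswith("@")]
        negated = {t[1:] for t in entries if t.startswith("!")}
        for token in (t for t in entries if not t.startswith("!")):
            for weak in sorted(weak_tokens_in_suite(token) - negated):
                findings.append(f"ssl_ciphers enables weak token {weak} via {token}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("GOOD_CONFIG", GOOD_CONFIG), ("BAD_CONFIG", BAD_CONFIG)):
        findings = check_ssl_config(cfg)
        print(f"{name}: {'OK' if not findings else ''}")
        for f in findings:
            print("  -", f)
```

Run it against a real server block by reading the file into `check_ssl_config` before `nginx -t` and reload; it is a quick sanity check, not a replacement for the SSL Labs scan, which also exercises the certificate chain, the negotiated key sizes and the actual handshake behaviour that no static parse can see.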

published on 2016-07-31
updated on 2016-07-31