Do SSL Right On Nginx
For a while I thought "Hey, I set up my SSL the way the first Google result said. Chrome shows the green padlock. I must be good, right?"
Little did I know of all the best practices and security recommendations out there.
This guide from the community at Digital Ocean is a great place to start. In addition to providing an overview of how to set up a server block config for SSL, it also walks through creating a self-signed certificate.
The Digital Ocean community guide alone, however, isn't everything that can be done to secure your server.
The configuration in my server block looks like this:
    ssl_certificate /etc/nginx/ssl/sample.crt;
    ssl_certificate_key /etc/nginx/ssl/sample.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # generate this file like so: openssl dhparam -out dhparams.pem 2048
    ssl_dhparam /etc/nginx/dhparams.pem;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
You'll recognize the first two lines from the Digital Ocean guide: they point nginx at the certificate and its private key. The third line lists the protocol versions nginx will negotiate; leaving SSLv3 out of the list disables it, which is what you want, since SSLv3 is broken by the POODLE attack. Note that TLS 1.0 and 1.1 have since been deprecated as well (RFC 8996), so a configuration written today should list only TLSv1.2 and TLSv1.3.
The remainder of the lines fix the weak Diffie-Hellman key exchange (the "Logjam" problem). ssl_dhparam replaces nginx's default 1024-bit DH group with a 2048-bit group you generate yourself with the openssl dhparam command shown in the comment (it can take several minutes to run, and the file must exist before nginx will start). ssl_prefer_server_ciphers on makes nginx, rather than the client, choose the cipher suite, and ssl_ciphers lists the suites in order of preference: forward-secret ECDHE and DHE suites first, then plain RSA key exchange, with anonymous, NULL, export, RC4 and MD5 suites excluded. One caveat: the list still admits 3DES (DES-CBC3-SHA) for very old clients, and 3DES is now considered weak (the Sweet32 attack), so drop it unless you need it. This guide provides a more detailed explanation of the configuration.
To verify that your server is configured properly, the Qualys SSL Labs server test is an amazing resource. It connects to the hostname you provide, exercises the handshake across protocol versions and cipher suites, and reports on a wide variety of issues and vulnerabilities in a report-card grade format. The server has to be reachable from the internet for the scan to work.
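Before reaching for the external scan, it helps to lint the server block locally. The following Python script is an added example written for this post; it is not code from the Digital Ocean guide, nginx, or SSL Labs. It pulls the ssl_* directives out of a server block, flags what the SSL Labs report would mark down (SSLv3 and, going beyond the configuration above, TLS 1.0 and 1.1, which RFC 8996 deprecated; a missing ssl_dhparam; ssl_prefer_server_ciphers left off; RC4, MD5, DES/3DES, NULL and export suites), and expands the ssl_ciphers string with the OpenSSL that Python is linked against, so you can see which suites the string really selects. SAMPLE_CONFIG is a constructed copy of the directives above with the cipher string shortened; the directive names and defaults are nginx's, while the finding texts, helper names and weak-suite markers are this example's own assumptions.

```python
"""Lint the ssl_* directives of an nginx server block before running the SSL Labs scan.

Added example for this post (not nginx, Digital Ocean or SSL Labs code).
"""
import re
import ssl

# Constructed sample: the post's server-block directives, with the long
# cipher string trimmed to a few representative suites.
SAMPLE_CONFIG = """
server {
    listen 443 ssl;
    ssl_certificate /etc/nginx/ssl/sample.crt;
    ssl_certificate_key /etc/nginx/ssl/sample.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_dhparam /etc/nginx/dhparams.pem;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK';
}
"""

# An ssl_* directive name, then its value up to the terminating semicolon.
DIRECTIVE_RE = re.compile(r"^\s*(ssl_\w+)\s+(.*?)\s*;\s*$", re.MULTILINE)

# Protocol versions that cap the SSL Labs grade: SSLv3 (POODLE) and
# TLS 1.0/1.1 (deprecated by RFC 8996).
LEGACY_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")

# Substrings of OpenSSL suite names that identify weak suites (example's own list):
# RC4, MD5 MACs, single DES and 3DES, NULL encryption, export grade, anonymous DH/ECDH.
WEAK_SUITE_MARKERS = ("RC4", "MD5", "DES", "NULL", "EXP", "ADH", "AECDH")


def parse_ssl_directives(config: str) -> dict:
    """Return {directive: value} for every ssl_* directive in the block.

    Surrounding quotes are stripped from the value; if a directive is
    repeated, the last occurrence wins.
    """
    directives = {}
    for name, value in DIRECTIVE_RE.findall(config):
        directives[name] = value.strip().strip("'\"")
    return directives


def expand_cipher_string(cipher_string: str) -> list:
    """Expand an OpenSSL cipher string into the suite names it selects.

    Uses the OpenSSL Python is linked against, which on the nginx host is
    the same library nginx uses. Returns [] if OpenSSL rejects the string.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []
    # get_ciphers() also lists the fixed TLS 1.3 suites, which no cipher
    # string controls; keep only what the string itself selected.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit(config: str) -> list:
    """Return a list of findings for the block; an empty list means nothing to fix locally."""
    findings = []
    d = parse_ssl_directives(config)

    for proto in d.get("ssl_protocols", "").split():
        if proto in LEGACY_PROTOCOLS:
            findings.append(f"ssl_protocols enables {proto}")

    if "ssl_dhparam" not in d:
        # Without this directive, nginx before 1.11.0 used a built-in
        # 1024-bit DH group, the weak exchange this post's config fixes.
        findings.append("no ssl_dhparam directive")

    if d.get("ssl_prefer_server_ciphers") != "on":
        findings.append("ssl_prefer_server_ciphers is not on (the client picks the suite)")

    if "ssl_ciphers" not in d:
        findings.append("no ssl_ciphers directive (nginx default HIGH:!aNULL:!MD5 in use)")
    else:
        suites = expand_cipher_string(d["ssl_ciphers"])
        if not suites:
            findings.append("ssl_ciphers string is rejected by the local OpenSSL")
        for name in suites:
            if any(marker in name for marker in WEAK_SUITE_MARKERS):
                findings.append(f"ssl_ciphers selects weak suite {name}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["no local findings"]:
        print(finding)
```

To lint a real block, read the file and pass its contents to audit(). On the sample above it reports TLSv1 and TLSv1.1 as enabled and, if the local OpenSSL build still ships 3DES, the DES-CBC3-SHA suite; the cipher expansion depends on the OpenSSL version and security level, so run the script on the nginx host itself. An empty result is a reason to run the SSL Labs scan, not a substitute for it.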