Below is how to configure Nginx for optimal SSL settings. These settings are taken directly from Mozilla's recommended best-practice page and were current as of the date of this post. Please refer to that site for the most current settings.
This post assumes that you already have a and you are working with the domain example.com.
- Generate your certificate request (CSR)
sudo openssl req -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/example.com.key -out /etc/nginx/ssl/example.com.csr
- Get a cert with the CSR above. I use SSLs.com for my certs since they're cheap, fast and they do the job. Some people think that you need to get a cert from a big-name place like DigiCert or Thawte, but in reality consumers don't care (let alone understand), so I don't see a reason to pay extra. There's a push to get EV (green bar) certs, which I understand, but still, most people just don't seem to care.
- Assuming you went with the above, you'll get an email with your cert files. However, I usually just log back into my account, navigate to my cert and re-download the certificate, which should be a zip file with two files, example.com.crt and bundle.crt. Both files are just text files, so either copy or create and write both of them to /etc/nginx/ssl/
- Create the Diffie-Hellman parameter file (referenced by ssl_dhparam in the config below); I'm not going to bother explaining it because I don't fully understand it either:
sudo openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
- Edit your site’s previously created configuration file:
sudo vi /etc/nginx/sites-available/example.com.conf
# Optional, redirect non-secure connections to the secure site
server {
    listen 80;
    return 301 https://$host$request_uri;
}

server {
    listen 443;
    #Your path here
    root /var/www/html;
    #Your domain here
    server_name example.com;
    ssl on;
    ssl_certificate /etc/nginx/ssl/example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    ssl_session_timeout 5m;
    # Protocol list as published by Mozilla when this post was written;
    # SSLv3 has since been deprecated (RFC 7568), so check the current list before use
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK';
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:50m;
    # OCSP stapling; ssl_trusted_certificate supplies the chain used to verify stapled responses
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/ssl/bundle.crt;
    resolver 8.8.8.8;
    #Your other rules here
}
- Test your configuration:
sudo nginx -t
- Restart Nginx:
sudo service nginx restart
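A quick sanity check for the ssl_* directives before you restart, as an added example that is not part of the original post: this Python script parses a server block, flags protocols that have since been deprecated (SSLv3 under RFC 7568, TLS 1.0/1.1 under RFC 8996) and cipher tokens that should only ever appear behind a '!' exclusion, and checks that stapling verification has a trust bundle. SAMPLE_CONF and HARDENED_CONF are constructed inputs; the sample's cipher string is shortened from the one above.

```python
import re
# Constructed sample: the server block from this post (cipher string shortened).
SAMPLE_CONF = """
server {
    ssl_certificate /etc/nginx/ssl/example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;  # from openssl dhparam
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:AES128-GCM-SHA256:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK';
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/ssl/bundle.crt;
}
"""
# Constructed hardened variant: TLS 1.2/1.3 and AEAD suites only.
HARDENED_CONF = """
server {
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384';
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/ssl/bundle.crt;
}
"""
# SSLv3 was deprecated by RFC 7568, TLS 1.0/1.1 by RFC 8996.
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Suite-name substrings that should only appear behind a '!' exclusion. Note that
# '!DES' in the post's string removes single DES only; DES-CBC3-SHA (3DES) survives.
WEAK_CIPHER_TOKENS = {"RC4", "MD5", "DES-CBC3-SHA", "EXPORT", "aNULL", "eNULL"}

def parse_ssl_directives(conf):
    """Map each ssl_* directive to its value ('#' comments and quotes stripped)."""
    directives = {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"(ssl_\w+)\s+(.*?);\s*$", line)
        if m:
            directives[m.group(1)] = m.group(2).strip().strip("'\"")
    return directives

def lint_ssl(conf):
    """Return findings for one server block; an empty list means nothing flagged."""
    d = parse_ssl_directives(conf)
    findings = []
    for p in sorted(set(d.get("ssl_protocols", "").split()) & DEPRECATED_PROTOCOLS):
        findings.append(f"ssl_protocols enables deprecated {p}")
    enabled = [c for c in d.get("ssl_ciphers", "").split(":") if c and not c.startswith("!")]
    for tok in sorted(WEAK_CIPHER_TOKENS):
        if any(tok in c for c in enabled):
            findings.append(f"ssl_ciphers enables weak suite {tok}")
    if d.get("ssl_stapling_verify") == "on" and "ssl_trusted_certificate" not in d:
        findings.append("ssl_stapling_verify on without ssl_trusted_certificate")
    return findings
```

Run lint_ssl over the contents of your own sites-available file; the linter only inspects directive values, so it does not replace `nginx -t` or an external scan.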
These settings should give you (as of this posting date) an A grade, but not 100% across the board, at Qualys SSL Labs. To do that you need to fix some other edge cases, but even Qualys SSL Labs doesn't seem to want to fix them, so I'm not too concerned.
Once again, and I can't stress this enough, DO NOT JUST COPY THE ABOVE, but actually go out to Mozilla's or someone else's site to get a list of currently recommended cipher suites and protocols, especially as this post gets older and older.