Tutorial: Secure HTTPS/SSL default install (NGINX only) Topic is solved

Section with modification and patches for Vesta
SS88
Posts: 298
Joined: Thu Nov 19, 2015 12:40 pm

Postby SS88 » Thu May 12, 2016 10:43 pm

Hey guys, simply put, my default SSL install using Let's Encrypt and NGINX was rated a B at Qualys SSL Labs. My website is https://blog.ss88.uk and, using the tutorial below, it's now A+. I will be adding more later to secure Exim, Dovecot, Apache, etc., but for now I've only done NGINX.

I'm going to show you how, but it's explained a lot more here: https://blog.ss88.uk/secure-ssl-https-nginx-vestacp

First, you need to fix the Diffie-Hellman issue:

openssl dhparam -out /etc/nginx/dhparams.pem 4096

This places a new file under the NGINX directory: /etc/nginx/dhparams.pem

Open up the file /etc/nginx/nginx.conf. Find the line # SSL PCI Compliance and replace it with the following:

# SSL PCI Compliance
ssl_session_cache   shared:SSL:10m;
ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
# forward-secret suites only (ECDHE/DHE with AES-GCM or AES-256); RC4, 3DES and export ciphers are gone
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
# the 4096-bit group generated above, instead of the short built-in DH parameters
ssl_dhparam /etc/nginx/dhparams.pem;
ssl_ecdh_curve secp384r1;
# tickets off: nginx's ticket key only changes on reload, so tickets weaken forward secrecy
ssl_session_tickets off;
# OCSP stapling needs a resolver to look up the responder's hostname
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# HSTS for two years, subdomains included, eligible for the preload list
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;


The default VestaCP install allowed IE6 (that really old browser no one uses anymore) to work over SSL. The new ssl_ciphers above make IE6 throw a security certificate error.

Run this command:

service nginx configtest

to see if NGINX reports that the “syntax is ok”. If so, go ahead and restart NGINX using:

service nginx restart

If all goes well, pop over to Qualys SSL Labs (https://www.ssllabs.com/ssltest/index.html) and test it again. This time you should get an A+.
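
Added example, not part of SS88's post or of VestaCP: a small Python audit that parses an nginx TLS block written the way the tutorial's # SSL PCI Compliance section is, and reports the settings SSL Labs penalises (deprecated protocol versions, weak cipher families, a missing ssl_dhparam, HSTS shorter than the six months SSL Labs requires for A+, stapling without a resolver, repeated directives). It runs offline on two embedded samples: the tutorial's block as posted (minus the repeated ssl_session_cache line) and a constructed weak block standing in for a pre-hardening configuration; that weak block is illustrative and is not VestaCP's real default. Function names, the severity labels and the finding wording are my own choices. The audit also flags the tutorial's block for still offering TLSv1 and TLSv1.1, which RFC 8996 has since deprecated.

```python
"""Audit the TLS directives of an nginx config fragment (added example)."""
import re
import shlex

# Versions that should not be offered: SSLv3 (POODLE), TLS 1.0/1.1 (RFC 8996)
DEPRECATED_PROTOCOLS = {"SSLv2": "high", "SSLv3": "high",
                        "TLSv1": "medium", "TLSv1.1": "medium"}
# Substrings that mark weak cipher families in an OpenSSL cipher string
WEAK_CIPHER_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXPORT", "LOW")
# SSL Labs awards A+ only with an HSTS max-age of at least six months
HSTS_MIN_MAX_AGE = 15552000


def parse_directives(text):
    """Return [(name, [arg, ...]), ...] for each statement in an nginx fragment.

    shlex keeps quoted values whole, so the ';' inside an add_header value does
    not end the statement; '{' and '}' are treated as statement boundaries.
    """
    lex = shlex.shlex(text, posix=True, punctuation_chars=";{}")
    lex.whitespace_split = True
    statements, current = [], []
    for tok in lex:
        if all(c in ";{}" for c in tok):
            if current:
                statements.append((current[0], current[1:]))
            current = []
        else:
            current.append(tok)
    if current:
        statements.append((current[0], current[1:]))
    return statements


def audit_tls_block(text):
    """Return findings as (severity, message) tuples, highest severity first."""
    seen = {}
    for name, args in parse_directives(text):
        seen.setdefault(name, []).append(args)
    findings = []

    # Repeated directives are at best redundant and hide which value is meant
    for name, occurrences in seen.items():
        if name != "add_header" and len(occurrences) > 1:
            findings.append(("low", f"{name} appears {len(occurrences)} times"))

    protocols = seen.get("ssl_protocols")
    if not protocols:
        findings.append(("medium", "ssl_protocols not set; the build's default applies"))
    else:
        for proto in protocols[-1]:
            if proto in DEPRECATED_PROTOCOLS:
                findings.append((DEPRECATED_PROTOCOLS[proto],
                                 f"ssl_protocols offers deprecated {proto}"))

    ciphers = seen.get("ssl_ciphers")
    if not ciphers:
        findings.append(("medium", "ssl_ciphers not set; the build's default applies"))
    else:
        for part in re.split(r"[:+]", " ".join(ciphers[-1])):
            if part.startswith(("!", "-")):
                continue  # an excluded family such as "!RC4" is not a problem
            if any(marker in part.upper() for marker in WEAK_CIPHER_MARKERS):
                findings.append(("high", f"ssl_ciphers allows weak cipher family {part}"))

    if seen.get("ssl_prefer_server_ciphers", [[]])[-1] != ["on"]:
        findings.append(("low", "ssl_prefer_server_ciphers is not on; the client picks the cipher"))

    if "ssl_dhparam" not in seen:
        findings.append(("high", "ssl_dhparam not set; DHE suites use the short built-in group or are disabled"))

    hsts = [a for a in seen.get("add_header", []) if a and a[0].lower() == "strict-transport-security"]
    max_age = re.search(r"max-age=(\d+)", " ".join(hsts[-1])) if hsts else None
    if not max_age or int(max_age.group(1)) < HSTS_MIN_MAX_AGE:
        findings.append(("medium", f"no Strict-Transport-Security header with max-age >= {HSTS_MIN_MAX_AGE}"))

    if seen.get("ssl_stapling", [[]])[-1] == ["on"] and "resolver" not in seen:
        findings.append(("low", "ssl_stapling on without resolver; the OCSP responder name cannot be looked up"))

    if seen.get("ssl_session_tickets", [[]])[-1] != ["off"]:
        findings.append(("low", "ssl_session_tickets not off; nginx's ticket key changes only on reload"))

    rank = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: (rank[f[0]], f[1]))


# Sample A: the tutorial's hardened block, with the repeated ssl_session_cache dropped
HARDENED = """
# SSL PCI Compliance
ssl_session_cache   shared:SSL:10m;
ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
ssl_dhparam /etc/nginx/dhparams.pem;
ssl_ecdh_curve secp384r1;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
"""

# Sample B: a constructed weak block for contrast (illustrative, NOT VestaCP's real default)
WEAK = """
ssl_session_cache shared:SSL:10m;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:RC4-SHA:DES-CBC3-SHA:!aNULL';
ssl_stapling on;
"""

if __name__ == "__main__":
    for label, block in (("hardened", HARDENED), ("weak", WEAK)):
        found = audit_tls_block(block)
        print(f"== {label}: {len(found)} finding(s)")
        for severity, message in found:
            print(f"  [{severity}] {message}")
```

To audit a live server, pass the text of the server's own nginx.conf (or the included TLS snippet) to audit_tls_block. The checker deliberately does not guess what nginx does for a directive that is absent, since the defaults differ between nginx versions; a missing directive is reported as a finding so you set it explicitly.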

jonkratz
Posts: 2
Joined: Mon Dec 28, 2015 3:41 pm

Re: Tutorial: Secure HTTPS/SSL default install (NGINX only)

Postby jonkratz » Fri May 13, 2016 2:08 pm

When clicking the link to your blog post, I received the following error:
"Safari can't verify the identity of the website "blog.ss88.uk"

SS88
Posts: 298
Joined: Thu Nov 19, 2015 12:40 pm

Re: Tutorial: Secure HTTPS/SSL default install (NGINX only)

Postby SS88 » Fri May 13, 2016 2:29 pm

jonkratz wrote:When clicking the link to your blog post, I received the following error:
"Safari can't verify the identity of the website "blog.ss88.uk"


Thanks for posting. Have you got anymore information?

I've just tested it on Firefox and Safari (Windows, so it's old) and it produces no errors at all. That's strange.

SS88
Posts: 298
Joined: Thu Nov 19, 2015 12:40 pm

Re: Tutorial: Secure HTTPS/SSL default install (NGINX only)

Postby SS88 » Fri May 13, 2016 2:41 pm

jonkratz wrote:When clicking the link to your blog post, I received the following error:
"Safari can't verify the identity of the website "blog.ss88.uk"


Hey, just to update - this was my bad. I am testing IPv6 / IPv4 configurations in NGINX.

soldx
Posts: 7
Joined: Tue Apr 11, 2017 9:55 am

Re: Tutorial: Secure HTTPS/SSL default install (NGINX only)

Postby soldx » Fri Apr 14, 2017 8:56 pm

Hi SS88!
Thanks for this awesome contribution. :)

