Tutorial: Secure HTTPS/SSL default install (NGINX only)
Hey guys, simply put, my default SSL install using Let's Encrypt and NGINX was rated a B at Qualys SSL Labs. My website is https://blog.ss88.uk and, now using the tutorial below, it's A+. I will be adding more later to secure Exim, Dovecot, Apache, etc., but for now I've only done NGINX.
I'm going to show you how, but it's explained a lot more here: https://blog.ss88.uk/secure-ssl-https-nginx-vestacp

First, you need to fix the Diffie-Hellman issue:

Code:
openssl dhparam -out /etc/nginx/dhparams.pem 4096

This places a new file under the NGINX directory: /etc/nginx/dhparams.pem

Open up the file /etc/nginx/nginx.conf. Find the line # SSL PCI Compliance and replace it with the following:

Code:
# SSL PCI Compliance
ssl_session_cache shared:SSL:10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
# Forward-secret (ECDHE/DHE) AES-GCM and AES-256 suites only
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
# The 4096-bit group generated above
ssl_dhparam /etc/nginx/dhparams.pem;
ssl_ecdh_curve secp384r1;
ssl_session_tickets off;
# OCSP stapling; the resolver is needed to fetch OCSP responses
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# HSTS for two years, plus clickjacking and MIME-sniffing protection
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;

(The original block listed ssl_session_cache twice; NGINX rejects a duplicate directive, so it appears once here.)

The default VestaCP install allowed IE6 (that really old browser no one uses anymore) SSL certificates to work. The new ssl_ciphers above make IE6 throw a security certificate error.

Run this command to see if NGINX reports that the "syntax is ok":

Code:
service nginx configtest

If so, go ahead and restart NGINX using:

Code:
service nginx restart

If all goes well, pop over to Qualys SSL Labs (https://www.ssllabs.com/ssltest/index.html) and test it again. This time you should get an A+.
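As an added example (not part of the original post or of VestaCP), here is a small Python linter that applies the checks behind the tutorial to an NGINX TLS block before you run configtest: it flags a duplicated directive, legacy TLSv1/TLSv1.1, session tickets left on, DHE suites without ssl_dhparam, and a missing or short HSTS max-age. The sample config and the 180-day HSTS threshold are constructed assumptions.

```python
import re

# Constructed sample: the tutorial's block with the duplicate
# ssl_session_cache line left in so that the check fires.
SAMPLE_CONF = """# SSL PCI Compliance
ssl_session_cache shared:SSL:10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
ssl_dhparam /etc/nginx/dhparams.pem;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
"""

# One nginx directive per line: name, arguments, trailing semicolon.
DIRECTIVE_RE = re.compile(r"^\s*([a-z_]+)\s+(.*?);\s*$")
MIN_HSTS_AGE = 15552000  # 180 days (assumed threshold, the preload-list minimum)

def parse_directives(conf: str) -> dict[str, list[str]]:
    """Map each directive name to its argument strings, one entry per occurrence."""
    found: dict[str, list[str]] = {}
    for line in conf.splitlines():
        line = line.split("#", 1)[0]  # drop comments (no '#' inside quoted values here)
        m = DIRECTIVE_RE.match(line)
        if m:
            found.setdefault(m.group(1), []).append(m.group(2).strip())
    return found

def lint_tls(conf: str) -> list[str]:
    """Return findings for a TLS block; an empty list means every check passed."""
    d = parse_directives(conf)
    findings = []
    for name, values in d.items():  # add_header may legitimately repeat
        if len(values) > 1 and name != "add_header":
            findings.append(f"duplicate directive: {name} (nginx configtest rejects it)")
    for weak in ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1"):
        if weak in d.get("ssl_protocols", [""])[0].split():
            findings.append(f"legacy protocol enabled: {weak}")
    if d.get("ssl_session_tickets", ["on"])[0] != "off":
        findings.append("ssl_session_tickets not off (ticket key undermines forward secrecy)")
    if "EDH" in d.get("ssl_ciphers", [""])[0] and "ssl_dhparam" not in d:
        findings.append("DHE ciphers offered without ssl_dhparam (weak default group)")
    hsts = [v for v in d.get("add_header", []) if v.startswith("Strict-Transport-Security")]
    age = re.search(r"max-age=(\d+)", hsts[0]) if hsts else None
    if not age or int(age.group(1)) < MIN_HSTS_AGE:
        findings.append("HSTS header missing or max-age below 180 days")
    return findings
```

Running lint_tls on the sample reports the duplicate ssl_session_cache plus the two legacy protocols; dropping the duplicate line and TLSv1/TLSv1.1 yields no findings.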
Re: Tutorial: Secure HTTPS/SSL default install (NGINX only)
Thanks for posting. Have you got any more information?
I've just tested it on Firefox and Safari (Windows, so it's old) and it produces no errors at all. That's strange.
Re: Tutorial: Secure HTTPS/SSL default install (NGINX only)
Hi SS88!
Thanks for this awesome contribution. :)