Tutorial: Secure HTTPS/SSL default install (NGINX only)
Posted: Thu May 12, 2016 10:43 pm
Hey guys, simply put, my default SSL install using Let's Encrypt and NGINX was rated a B at Qualys SSL Labs. My website is https://blog.ss88.uk and, using the tutorial below, it's now A+. I will be adding more later to secure Exim, Dovecot, Apache, etc., but for now I've only done NGINX.
I'm going to show you how, but it's explained in a lot more detail here: https://blog.ss88.uk/secure-ssl-https-nginx-vestacp

First, you need to fix the Diffie-Hellman issue. Without an ssl_dhparam file, older NGINX falls back to a built-in 1024-bit DH group, and SSL Labs caps anything that uses 1024-bit DH at B. Generate a fresh 4096-bit group:

    openssl dhparam -out /etc/nginx/dhparams.pem 4096

This writes a new file under the NGINX directory, /etc/nginx/dhparams.pem. Generating a 4096-bit group takes a long time (easily many minutes on a small VPS), so don't assume it has hung; 2048 bits is also rated as strong by SSL Labs and is much quicker if you are in a hurry.

Open up the file /etc/nginx/nginx.conf. Find the line # SSL PCI Compliance and replace it, together with the ssl_ directives under it, with the block below. (Make sure the old ssl_ lines don't stay behind as well: the same directive twice in one context is at best redundant and usually makes the configtest fail with "directive is duplicate".)

    # SSL PCI Compliance
    ssl_session_cache shared:SSL:10m;          # shared session cache so resumed connections skip the full handshake
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;       # TLSv1/1.1 are legacy; drop them unless old clients need them
    ssl_prefer_server_ciphers on;              # the server's cipher order wins, not the client's
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';   # ECDHE/DHE AES suites only: every suite gives forward secrecy
    ssl_dhparam /etc/nginx/dhparams.pem;       # the 4096-bit group generated above
    ssl_ecdh_curve secp384r1;                  # curve used for ECDHE
    ssl_session_tickets off;                   # tickets without key rotation undermine forward secrecy
    ssl_stapling on;                           # staple the OCSP response so clients don't have to query the CA themselves
    ssl_stapling_verify on;                    # and verify it before stapling
    resolver 8.8.8.8 8.8.4.4 valid=300s;       # DNS used by NGINX to fetch OCSP responses
    resolver_timeout 5s;
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";   # HSTS for two years
    add_header X-Frame-Options SAMEORIGIN;     # clickjacking protection
    add_header X-Content-Type-Options nosniff; # stop MIME sniffing

The default VestaCP cipher list still let IE6 (that really old browser nobody should be using anymore) negotiate a connection. With the ssl_ciphers above, IE6 has no cipher suite in common with the server and shows a security error instead. That is the intended trade-off: every suite left in the list provides forward secrecy.

Two things to watch with this block. The add_header lines are only inherited by a server or location block that has no add_header of its own, so any vhost that sets its own headers must repeat these three or it silently loses HSTS. And preload is a one-way door: only keep it if every subdomain is served over HTTPS and you intend to submit the site to the browser preload list, because once preloaded there is no quick way back.

Also, this was written against the browsers of 2016. SSL Labs has since capped servers that still offer TLS 1.0 or 1.1 at B, so on a current NGINX drop TLSv1 and TLSv1.1 from the ssl_protocols line unless you have a hard requirement for old clients.

Run this command to see if NGINX reports that the "syntax is ok" and the "test is successful":

    service nginx configtest

(nginx -t does the same thing on systems without that init script.) If so, go ahead and restart NGINX:

    service nginx restart

If all goes well, pop over to Qualys SSL Labs (https://www.ssllabs.com/ssltest/index.html) and test it again. This time you should get an A+.
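The checks from the steps above done as a script, as an added example that is not part of the original post or of VestaCP: it parses the ssl_ block with a small nginx-directive parser, flags the duplicated ssl_session_cache and the legacy protocols in the post's block, and compares it with a tightened variant (TLS 1.2/1.3 only, which assumes nginx 1.13.0 or newer built against OpenSSL 1.1.1). The thresholds, the finding texts and the tightened block are this example's own choices, not the post's.

```python
"""Static audit of an NGINX TLS block (added example, not from the post or VestaCP).

Parses a flat block of nginx directives (one context, no nested { } blocks) and
flags what SSL Labs or nginx itself would object to.  Thresholds and the tightened
variant are this script's own choices.   Usage: python3 tls_audit.py [snippet ...]
"""
import shlex
import sys

WEAK_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")   # policy of this checker
MIN_HSTS_SECONDS = 180 * 24 * 3600                         # six months, SSL Labs' A+ floor

# The block from the post, verbatim, including its duplicated ssl_session_cache.
POST_SNIPPET = """
# SSL PCI Compliance
ssl_session_cache shared:SSL:10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
ssl_dhparam /etc/nginx/dhparams.pem;
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
"""

# Constructed tightened variant: TLS 1.2/1.3 only (assumes nginx >= 1.13.0 on
# OpenSSL 1.1.1), no duplicate, and `always` so HSTS also goes out on error pages.
HARDENED_SNIPPET = """
ssl_session_cache shared:SSL:10m;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
ssl_dhparam /etc/nginx/dhparams.pem;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
"""


def parse_directives(text):
    """Return [(name, [args])] for 'name arg ... ;' statements; quotes guard ';' and '#'."""
    directives, statement = [], []
    for line in text.splitlines():
        statement.extend(shlex.split(line, comments=True))   # drops '# ...' comments
        if statement and statement[-1].endswith(";"):        # ';' closes the statement
            statement[-1] = statement[-1][:-1]
            if not statement[-1]:
                statement.pop()
            if statement:
                directives.append((statement[0], statement[1:]))
            statement = []
    return directives


def hsts_params(value):
    """'max-age=300; includeSubDomains' -> {'max-age': '300', 'includesubdomains': ''}."""
    params = {}
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key:
            params[key.lower()] = val.strip()   # HSTS directive names are case-insensitive
    return params


def audit(text):
    """Return human-readable findings for one nginx context; [] means it passes."""
    directives = parse_directives(text)
    findings, first, counts = [], {}, {}
    for name, args in directives:
        first.setdefault(name, args)                     # first occurrence is what nginx sees
        counts[name] = counts.get(name, 0) + 1
    for name, n in counts.items():
        if n > 1 and name != "add_header":               # add_header may legitimately repeat
            findings.append(f"{name} is declared {n} times in one context "
                            "(redundant, and nginx rejects duplicates of most directives)")
    weak = [p for p in first.get("ssl_protocols", []) if p in WEAK_PROTOCOLS]
    if weak:
        findings.append("ssl_protocols enables deprecated protocols: " + ", ".join(weak)
                        + " (SSL Labs caps the grade at B for TLS 1.0/1.1)")
    if first.get("ssl_prefer_server_ciphers") != ["on"]:
        findings.append("ssl_prefer_server_ciphers should be on")
    if "ssl_dhparam" not in first:
        findings.append("ssl_dhparam missing: DHE suites use weak built-in parameters or are disabled")
    if first.get("ssl_session_tickets") != ["off"]:
        findings.append("ssl_session_tickets should be off unless ticket keys are rotated")
    if first.get("ssl_stapling") != ["on"]:
        findings.append("ssl_stapling should be on")
    hsts = [a for nm, a in directives
            if nm == "add_header" and a and a[0].lower() == "strict-transport-security"]
    if not hsts:
        findings.append("no Strict-Transport-Security header (needed for A+)")
    else:
        params = hsts_params(hsts[0][1]) if len(hsts[0]) > 1 else {}
        max_age = int(params["max-age"]) if params.get("max-age", "").isdigit() else 0
        if max_age < MIN_HSTS_SECONDS:
            findings.append(f"HSTS max-age {max_age} is below {MIN_HSTS_SECONDS}")
        if "includesubdomains" not in params:
            findings.append("HSTS lacks includeSubDomains")
    return findings


if __name__ == "__main__":
    targets = [(p, open(p).read()) for p in sys.argv[1:]] or \
              [("post's block", POST_SNIPPET), ("tightened block", HARDENED_SNIPPET)]
    for label, text in targets:
        found = audit(text)
        print(f"{label}: {'clean' if not found else str(len(found)) + ' finding(s)'}")
        for item in found:
            print("  -", item)
```

Run it with no arguments to see the post's block reported with two findings (the duplicated ssl_session_cache and the TLS 1.0/1.1 protocols) and the tightened block reported clean, or give it a file holding just the ssl_ block you pasted into nginx.conf. It audits a single context, so point it at the extracted block rather than a whole nginx.conf with several server blocks, where repeated directives are normal.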