Vesta Control Panel - Forum

Tutorial: Secure HTTPS/SSL default install (NGINX only)

Post by SS88 » Thu May 12, 2016 10:43 pm

Hey guys, simply put, my default SSL install using Let's Encrypt and NGINX was rated a B at Qualys SSL Labs. My website is https://blog.ss88.uk and, using the tutorial below, it's now A+. I will be adding more later to secure Exim, Dovecot, Apache, etc., but for now I've only done NGINX.

I'm going to show you how, but it's explained a lot more here: https://blog.ss88.uk/secure-ssl-https-nginx-vestacp

First, you need to fix the Diffie-Hellman issue:

    # generate 4096-bit Diffie-Hellman parameters (this takes several minutes)
    openssl dhparam -out /etc/nginx/dhparams.pem 4096

This places a new file under the NGINX directory: /etc/nginx/dhparams.pem

Open up the file /etc/nginx/nginx.conf. Find the line # SSL PCI Compliance and replace it with the following:

    # SSL PCI Compliance
    ssl_session_cache   shared:SSL:10m;         # 10 MB shared cache, roughly 40k sessions
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;  # as posted in 2016; SSL Labs now caps the grade at B for TLSv1/TLSv1.1, so on current builds use TLSv1.2 (and TLSv1.3 where the build supports it)
    ssl_prefer_server_ciphers on;               # the server's order below wins, not the client's
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';  # forward-secret (ECDHE/DHE) suites only, AES-GCM first
    ssl_dhparam /etc/nginx/dhparams.pem;        # the parameters generated above, used by the EDH suites
    ssl_ecdh_curve secp384r1;
    ssl_session_tickets off;                    # nginx only regenerates its ticket key on restart, so tickets would weaken forward secrecy
    ssl_stapling on;
    ssl_stapling_verify on;                     # verification needs the issuer chain in ssl_trusted_certificate
    resolver 8.8.8.8 8.8.4.4 valid=300s;        # used for the OCSP responder lookups
    resolver_timeout 5s;
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";  # two years, preload-list eligible
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;  # note: any add_header in a server/location block replaces all of these for that block
The default VestaCP install allowed IE6 (that really old browser no one uses anymore) SSL certificates to work. The new ssl_ciphers above make IE6 throw a security certificate error.

Run this command:

    service nginx configtest

to see if NGINX reports that the "syntax is ok". If so, go ahead and restart NGINX using

    service nginx restart

If all goes well, pop over to Qualys SSL Labs (https://www.ssllabs.com/ssltest/index.html) and test it again. This time you should get an A+.

Post by jonkratz » Fri May 13, 2016 2:08 pm

When clicking the link to your blog post, I received the following error:
"Safari can't verify the identity of the website "blog.ss88.uk"

Post by SS88 » Fri May 13, 2016 2:29 pm

jonkratz wrote:
> When clicking the link to your blog post, I received the following error:
> "Safari can't verify the identity of the website "blog.ss88.uk"

Thanks for posting. Have you got any more information?

I've just tested it on Firefox and Safari (Windows, so it's old) and it produces no errors at all. That's strange.

Post by SS88 » Fri May 13, 2016 2:41 pm

jonkratz wrote:
> When clicking the link to your blog post, I received the following error:
> "Safari can't verify the identity of the website "blog.ss88.uk"

Hey, just to update: this was my bad. I am testing IPv6 / IPv4 configurations in NGINX.

Post by soldx » Fri Apr 14, 2017 8:56 pm

Hi SS88!
Thanks for this awesome contribution. :)