Skip to content

Instantly share code, notes, and snippets.

@FluffyPancakes
Created June 24, 2016 21:09
Show Gist options
  • Save FluffyPancakes/36eff9f4d39cf60bafbe0d8257988934 to your computer and use it in GitHub Desktop.
Save FluffyPancakes/36eff9f4d39cf60bafbe0d8257988934 to your computer and use it in GitHub Desktop.
Configuration to get an A+ on the Qualys SSL Labs test with fast performing and low overhead SSL ciphers. Works in combination with nginx 1.6.0 full and OpenSSL v1.0.1i.
# I've used the configuration below for all my nginx instances and gotten an A+ on the Qualys SSL Test
# (https://www.ssllabs.com/ssltest/index.html). It satisfies requirements for PCI Compliance and
# FIPS. Includes OCSP Stapling (http://en.wikipedia.org/wiki/OCSP_stapling) and HTTP Strict Transport
# Security (http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security).
# - Not vulnerable to the Heartbleed attack.
# - Not vulnerable to the OpenSSL CCS vulnerability (CVE-2014-0224) with OpenSSL v1.0.1i 6 Aug 2014 & Nginx 1.6.0
# - SSL Handshake takes <80ms on most modern server hardware
# Use within the "server" scope among other directives
server{
## Tell Nginx to listen on port 443, use SSL and SPDY
listen 443 ssl spdy;
## Send header to tell the browser to prefer https to http traffic
add_header Strict-Transport-Security max-age=31536000;
## Use TLS instead of SSL - Compatibility issues with some Java clients
## and older versions of of IE, however, more secure.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
## Use more secure and less CPU tasking ciphers compared to nginx defaults
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
## Improves TTFB by using a smaller SSL buffer than the nginx default
ssl_buffer_size 8k;
## Specifies that server ciphers should be preferred over client ciphers
ssl_prefer_server_ciphers on;
## Enables all nginx worker processes share SSL session information
ssl_session_cache shared:SSL:30m;
## Increases the amount of time SSL session information in the cache is valid
ssl_session_timeout 30m;
## File containing chain of domain and intermediate certificates
ssl_certificate /path/to/ssl/domain-intermediate-cert.crt;
## File containing private key
ssl_certificate_key /path/to/ssl/private.key;
## Specifies a file with DH parameters for EDH ciphers
## Run "openssl dhparam -out /path/to/ssl/dhparam.pem 2048" in
## terminal to generate it
ssl_dhparam /path/to/ssl/dhparam.pem;
## Enables OCSP stapling
ssl_stapling on;
resolver 8.8.8.8;
ssl_stapling_verify on;
## File containing root certificate from SSL issuer
ssl_trusted_certificate /path/to/ssl/root.crt;
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment