nginx-ssl.md

Configure nginx to use ssl

Generating certificates

# generate .crt and .key files
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt

# generate strong Diffie-Hellman group
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

Nginx config file

server {
  listen 443 http2 ssl;
  server_name domain.com;

  # Configure certificates
  ssl_certificate /certs/certificate.crt;
  ssl_certificate_key /certs/certificate.key;
  ssl_dhparam /certs/dhparam.pem;

  # cipherlist.eu configuration specification
  ssl_protocols TLSv1.3;
  ssl_prefer_server_ciphers on;
  ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
  ssl_ecdh_curve secp384r1;
  ssl_session_timeout  10m;
  ssl_session_cache shared:SSL:10m;
  ssl_session_tickets off;
  ssl_stapling on;
  ssl_stapling_verify on;
  resolver_timeout 5s;
  add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
  add_header X-Frame-Options DENY;
  add_header X-Content-Type-Options nosniff;
  add_header X-XSS-Protection "1; mode=block";

  location / {
    root /usr/share/nginx/html;
    index index.html;
  }
}