@KostyaEsmukov
Last active December 10, 2017 07:27
Nginx configuration manual to get an A+ score on Qualys SSL Labs

Nginx A+ score on Qualys SSL Labs

Test your current score here: https://www.ssllabs.com/ssltest/

Certificate

You must have a certificate issued by a trusted certification authority.

These authorities issue certificates for free; I have tested both of them myself:

  • Let's Encrypt - I strongly encourage you to go with them, unless you need a higher-grade certificate;
  • WoSign - no longer an option: their certificates are no longer trusted by browsers.

Key generation commands

export HOST=domain.com

openssl genrsa -out "$HOST-key.pem" 2048  # 2048-bit RSA is enough for an A+; keep this file readable by root only
openssl req -new -sha256 -key "$HOST-key.pem" -out "$HOST.csr"  # answer the prompts; use $HOST as the Common Name

openssl req -text -noout -verify -in "$HOST.csr"  # see what's inside the Certificate Signing Request and check its signature

cat "$HOST.csr"  # pass the contents of this file to your certification authority
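The same procedure without the interactive prompts, as an added example that is not part of the original gist: it puts a subjectAltName into the CSR (browsers match certificates on SANs, not on the Common Name) and adds the checks worth running before the CSR goes to the CA and after the certificate comes back (does the key really belong to the CSR/certificate, is the SAN present, does the CSR's own signature verify). It assumes OpenSSL 1.1.1 or newer for `req -addext`; the extra `www.` SAN and the host names used are placeholders of this example, not something the gist prescribes.

```shell
#!/bin/sh
# Added example, not part of the original gist: generate the key and CSR
# non-interactively, with a subjectAltName, and check the artefacts before
# sending the CSR to the CA. Assumes OpenSSL 1.1.1+ (`req -addext`).
# Host names passed in are placeholders; the www.* SAN is this example's assumption.
set -eu

# gen_key_csr HOST OUTDIR: writes OUTDIR/HOST-key.pem (mode 0600) and OUTDIR/HOST.csr
gen_key_csr() {
    host=$1; outdir=$2
    # subshell so the restrictive umask does not leak into the caller
    ( umask 077; openssl genrsa -out "$outdir/$host-key.pem" 2048 2>/dev/null )
    openssl req -new -sha256 -key "$outdir/$host-key.pem" \
        -subj "/CN=$host" \
        -addext "subjectAltName=DNS:$host,DNS:www.$host" \
        -out "$outdir/$host.csr"
}

# pubkey_der FILE KIND: emit the DER-encoded public key held in a private key,
# CSR or certificate (KIND is key, csr or cert)
pubkey_der() {
    case $2 in
        key)  openssl pkey -in "$1" -pubout -outform DER ;;
        csr)  openssl req  -in "$1" -pubkey -noout | openssl pkey -pubin -outform DER ;;
        cert) openssl x509 -in "$1" -pubkey -noout | openssl pkey -pubin -outform DER ;;
        *)    echo "unknown kind: $2" >&2; return 2 ;;
    esac
}

# pubkey_fingerprint FILE KIND: SHA-256 of that public key, as hex
pubkey_fingerprint() {
    pubkey_der "$1" "$2" | openssl dgst -sha256 | awk '{ print $NF }'
}

# csr_matches_key KEY CSR: exit 0 iff the CSR was built from KEY
csr_matches_key() {
    [ "$(pubkey_fingerprint "$1" key)" = "$(pubkey_fingerprint "$2" csr)" ]
}

# cert_matches_key KEY CERT: same check for the certificate the CA sends back
cert_matches_key() {
    [ "$(pubkey_fingerprint "$1" key)" = "$(pubkey_fingerprint "$2" cert)" ]
}

# csr_has_san CSR HOST: exit 0 iff the CSR carries DNS:HOST in its subjectAltName
csr_has_san() {
    openssl req -in "$1" -noout -text | tr ',' '\n' | grep -qx "[[:space:]]*DNS:$2"
}

# csr_selfcheck CSR: verify the CSR's own signature; only the exit status matters
csr_selfcheck() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}
```

Run `gen_key_csr domain.com /etc/nginx/ssl` and then `csr_matches_key` and `csr_has_san` before submitting; once the CA returns the certificate, `cert_matches_key` against the same key catches the classic mistake of deploying a certificate issued for a regenerated key.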

Nginx configuration

See the attached files (reproduced below): the server block, hsts.conf, and the http-level TLS settings.

HSTS preload list

You may also want to submit your domain to be included in the HSTS preload list. See https://hstspreload.appspot.com (now https://hstspreload.org). Preloading requires the includeSubDomains and preload directives and a max-age of at least one year, and it is hard to undo: every subdomain must already be served over HTTPS before you submit.

Attached file: the server block

server {
    # listen 80;
    # listen [::]:80;
    # listen 443 ssl http2;
    # listen [::]:443 ssl http2;
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name domain.com;
    include hsts.conf;
    # intermediate(s) + root: used to validate the stapled OCSP response (ssl_stapling_verify)
    ssl_trusted_certificate ssl/domain.com-chain.pem;
    # leaf + intermediate(s), in that order: what nginx sends to clients
    ssl_certificate ssl/domain.com-fullchain.pem;
    ssl_certificate_key ssl/domain.com-key.pem;
    # ... the rest of your config
}
Attached file: hsts.conf

# `always` (nginx 1.7.5+) adds the header to every response, not only to 2xx and 3xx ones.
# Note that add_header is not inherited into a location block that defines its own add_header.
add_header Strict-Transport-Security 'max-age=31536000' always;
# Use this one if you want to apply to the HSTS preload list. https://hstspreload.appspot.com/
# add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload' always;
Attached file: the http block

http {
    # ... the rest of your config
    # The gist originally listed TLSv1 TLSv1.1 TLSv1.2; SSL Labs now caps any server that still
    # offers TLS 1.0 or 1.1 at grade B. TLSv1.3 needs nginx 1.13.0+ built against OpenSSL 1.1.1+.
    ssl_protocols TLSv1.2 TLSv1.3;
    # TLS session reuse: nginx only rotates its ticket key on restart/reload, so tickets
    # weaken forward secrecy unless you rotate ssl_session_ticket_key yourself; keep them off.
    ssl_session_tickets off;
    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 10m;
    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    # Don't forget to set `ssl_trusted_certificate` to the chain of your cert in the `server` block.
    # The resolver is used to look up the OCSP responder. Replace with `127.0.0.1` if you have a
    # local DNS server; add `ipv6=off` if the host has no IPv6 connectivity.
    resolver 8.8.8.8 8.8.4.4;
    # No ssl_ciphers is set here, so nginx's default (HIGH:!aNULL:!MD5) applies; set ssl_ciphers
    # explicitly if you want to pin the suite list, otherwise this directive has little to order.
    ssl_prefer_server_ciphers on;
    ssl_dhparam ssl/dhparam.pem; # openssl dhparam -out ssl/dhparam.pem 4096 (slow; only used by DHE suites)
    # ... the rest of your config
}
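The HSTS preload section and the http block above both come down to two things SSL Labs checks on top of a plain A: a long enough HSTS max-age (15552000 seconds, 180 days, for A+; 31536000 plus includeSubDomains and preload for the preload list) and no TLS 1.0/1.1 (which caps the grade at B). The following shell functions are an added example, not part of the gist: the hsts_* and nginx_* functions take the header value or the config text as arguments so they run without a server; the probe_* helpers wrap the live checks and assume curl and openssl are installed. The grade names (none, short, aplus, preload) are this example's own labels, not SSL Labs terminology.

```shell
#!/bin/sh
# Added example, not part of the original gist: offline checks for the HSTS policy
# and the ssl_protocols list against the A+ prerequisites, plus live probes.
# Thresholds: SSL Labs A+ needs max-age >= 15552000; hstspreload.org needs
# >= 31536000 with includeSubDomains and preload; TLS 1.0/1.1 enabled caps at B.
set -eu

# hsts_max_age VALUE: print the max-age from a Strict-Transport-Security value, 0 if absent
hsts_max_age() {
    age=$(printf '%s\n' "$1" | tr 'A-Z' 'a-z' | tr ';' '\n' |
          sed -n 's/^[[:space:]]*max-age="\{0,1\}\([0-9][0-9]*\)"\{0,1\}.*/\1/p' | head -n 1)
    printf '%s\n' "${age:-0}"
}

# hsts_has_directive VALUE NAME: exit 0 iff the valueless directive NAME (lowercase) is present
hsts_has_directive() {
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' | tr ';' '\n' | grep -qx "[[:space:]]*$2[[:space:]]*"
}

# hsts_grade VALUE: print which bar the policy clears
#   none    - no usable max-age
#   short   - present but below the 180 days SSL Labs wants for A+
#   aplus   - long enough for A+
#   preload - additionally eligible for the preload list
hsts_grade() {
    age=$(hsts_max_age "$1")
    if [ "$age" -eq 0 ]; then echo none
    elif [ "$age" -lt 15552000 ]; then echo short
    elif [ "$age" -ge 31536000 ] && hsts_has_directive "$1" includesubdomains \
         && hsts_has_directive "$1" preload; then echo preload
    else echo aplus
    fi
}

# nginx_legacy_protocols CONFIG: print the SSL/TLS versions at or below TLS 1.1 that the
# ssl_protocols directive(s) in CONFIG enable (comments ignored); prints nothing when clean
nginx_legacy_protocols() {
    printf '%s\n' "$1" | sed 's/#.*//' | tr ';' '\n' | grep 'ssl_protocols' |
        tr ' \t' '\n\n' | grep -Ex 'SSLv2|SSLv3|TLSv1|TLSv1\.1' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# probe_hsts HOST: fetch the live HSTS header over HTTPS and grade it (needs curl)
probe_hsts() {
    hdr=$(curl -sSI "https://$1/" | tr -d '\r' | grep -i '^strict-transport-security:' |
          head -n 1 | sed 's/^[^:]*:[[:space:]]*//')
    hsts_grade "${hdr:-}"
}

# probe_stapling HOST: exit 0 iff the server staples an OCSP response (needs openssl s_client)
probe_stapling() {
    openssl s_client -connect "$1:443" -servername "$1" -status </dev/null 2>/dev/null |
        grep -q 'OCSP Response Status: successful'
}
```

Against a deployed server, `probe_hsts domain.com` should print aplus (or preload) and `probe_stapling domain.com` should succeed; `nginx_legacy_protocols "$(cat /etc/nginx/nginx.conf)"` should print nothing. These checks cover only the A+ prerequisites the gist configures; the underlying A still depends on a trusted chain, a strong key and no weak cipher suites, which the SSL Labs test itself reports.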