Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
nginx ssl config with multiple SNI vhosts and A+ SSL Labs score as of 2014-11-05

Configuring nginx for SSL SNI vhosts

Gotchas

Remarks

  • My version of konklones SSL config does not have SPDY support(my nginx+openssl does not support it)
  • You need a default ssl server (example.org-default.conf).
  • Some SSL-options have to be unique across your instance, so it's easier to have them in a common file(ssl.conf).
  • For updated ssl_ciphers, I refer you to these two sources
server {
listen 443 ssl;
server_name example.com;
# required: path to certificate and private key
ssl_certificate /opt/keys/example.com/example.com.unified.crt;
ssl_certificate_key /opt/keys/example.com/example.com.decrypted.key;
# required for OCSP stapling, if any of your vhosts don't have this line, you have to inactivate OCSP stapling in ssl.conf
ssl_trusted_certificate /opt/keys/example.com/example.com.unified+root.crt;
# Include global SSL settings
include /etc/nginx/ssl.conf;
root /usr/share/nginx/html;
index index.html index.htm;
location / {
proxy_pass http://upstream;
}
}
server {
listen 443 ssl default_server;
server_name example.org;
# required: path to certificate and private key
ssl_certificate /opt/keys/example.org/example.org.unified.crt;
ssl_certificate_key /opt/keys/example.org/example.org.decrypted.key;
# required for OCSP stapling, if any of your vhosts don't have this line, you have to inactivate OCSP stapling in ssl.conf
ssl_trusted_certificate /opt/keys/example.org/example.org.unified+root.crt;
# Include global SSL settings
include /etc/nginx/ssl.conf;
root /usr/share/nginx/html;
index index.html index.htm;
location / {
proxy_pass http://upstream;
}
}
# Basically the nginx configuration I use at konklone.com.
# I check it using https://www.ssllabs.com/ssltest/analyze.html?d=konklone.com
#
# To provide feedback, please tweet at @konklone or email eric@konklone.com.
# Comments on gists don't notify the author.
#
# Thanks to WubTheCaptain (https://wubthecaptain.eu) for his help and ciphersuites.
# Thanks to Ilya Grigorik (https://www.igvita.com) for constant inspiration.
# HTTP Strict Transport Security: tells browsers to require https:// without first checking
# the http:// version for a redirect. Warning: it is difficult to change your mind.
#
# max-age: length of requirement in seconds (31536000 = 1 year)
# includeSubdomains: force SSL for *ALL* subdomains (remove if this is not what you want)
# preload: indicates you want browsers to ship with HSTS preloaded for your domain.
#
# Submit your domain for preloading in browsers at: https://hstspreload.appspot.com
#add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
# If you won't/can't turn on HTTPS for *all* subdomains, use this simpler version:
add_header Strict-Transport-Security 'max-age=31536000';
# Prefer certain ciphersuites, to enforce Forward Secrecy and avoid known vulnerabilities.
#
# Forces forward secrecy in all browsers and clients that can use TLS,
# but with a small exception (DES-CBC3-SHA) for IE8/XP users.
#
# Reference client: https://www.ssllabs.com/ssltest/analyze.html
ssl_prefer_server_ciphers on;
ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !MD5 !EXP !DSS !PSK !SRP !kECDH !CAMELLIA !RC4 !SEED';
# Now let's really get fancy, and pre-generate a 2048 bit random parameter
# for DH elliptic curves. If not created and specified, default is only 1024 bits.
#
# Generated by OpenSSL with the following command:
# openssl dhparam -outform pem -out dhparam2048.pem 2048
ssl_dhparam /path/to/dhparam2048.pem;
# Cut out the old, broken, insecure SSLv2 and SSLv3 entirely.
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
# optional: turn on session resumption, using a 10 min cache shared across nginx processes
# as recommended by http://nginx.org/en/docs/http/configuring_https_servers.html
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
keepalive_timeout 70;
# Buffer size of 1400 bytes fits in one MTU.
# nginx 1.5.9+ ONLY
ssl_buffer_size 1400;
# OCSP stapling - means nginx will poll the CA for signed OCSP responses,
# and send them to clients so clients don't make their own OCSP calls.
# https://en.wikipedia.org/wiki/OCSP_stapling
#
# while the ssl_certificate above may omit the root cert if the CA is trusted,
# ssl_trusted_certificate below must point to a chain of **all** certs
# in the trust path - (your cert, intermediary certs, root cert)
#
# 8.8.8.8 and 8.8.4.4 below are Google's public IPv4 DNS servers.
# nginx will use them to talk to the CA.
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=86400;
resolver_timeout 10;
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.