Skip to content

Instantly share code, notes, and snippets.

@ashfame
Last active January 9, 2018 21:01
Show Gist options
  • Save ashfame/27a1fa457adb54ae55a2a3f57fde0239 to your computer and use it in GitHub Desktop.
Save ashfame/27a1fa457adb54ae55a2a3f57fde0239 to your computer and use it in GitHub Desktop.
HTTPS Cop recommended Nginx SSL config - https://httpscop.com
# To be safe, make a backup of your existing ssl config file, before making any changes in it
# Test your SSL config by "nginx -t". You might need to use "sudo nginx -t".
# Once config is validated to be good, reload nginx by "sudo service nginx reload".
# Following config file was tested on nginx/1.10.3
server {
listen 443 ssl;
server_name yoursite.com;
ssl_certificate /etc/letsencrypt/live/yoursite.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/yoursite.com/privkey.pem;
# Only use TLS
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# Define what ciphers server will support
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
# Generate your own DH params by running "openssl dhparam 2048 -out /etc/nginx/certs/dhparam.pem"
ssl_dhparam /etc/nginx/certs/dhparam.pem;
# Enable OCSP stapling
# This improves performance by letting nginx provide a OCSP record, instead of client requesting it from a 3rd party which adds latency and another failure point
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Enable HSTS
# Once you do this and access your site in the browser, it will only access your site on HTTPS moving forward, never on HTTP, for the defined max-age time in seconds
# Ideally you initially specify the value to be small and then increase it gradually to bigger intervals.
# Start with 5mins (specify 300), then test your site over HTTPS and if it all looks good, increase it to a day (specify 86400). If you still don't see any issue til the other day, increase it to 1 year (specify 31536000).
# There is also a "preload" parameter to specify along with "includeSubdomains" which you should only use once you actually understand its implications. For maximum security, you can use them once you are sure of serving your website on HTTPS forever.
add_header Strict-Transport-Security "max-age=31536000; always;";
# Use SSL session cache
# This improves performance as the session obtained after expensive handshake operation can be reused
# The estimate storage space is 4000 sessions / MB of cache, so with 10MB, you can approximately store 40000 sessions.
# You can tweak these as per the kind of traffic your website receives.
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 30m;
# Keep session tickets off
# There is no support of proper rotation of session ticket key, so its better to turn them off, unless you know your stuff and want to enable it by handling the rotation of the key yourself
ssl_session_tickets off;
# Don't use compression with TLS
# Compression can make you vulnerable towards
# Instead use HTTP/2 + Brotli compression
gzip off;
#
# Add certain security headers
#
# config to don't allow the browser to render the page inside an frame or iframe
# and avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking
# if you need to allow [i]frames, you can use SAMEORIGIN or even set an uri with ALLOW-FROM uri
# https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
add_header X-Frame-Options SAMEORIGIN;
# when serving user-supplied content, include a X-Content-Type-Options: nosniff header along with the Content-Type: header,
# to disable content-type sniffing on some browsers.
# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
# currently suppoorted in IE > 8 http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx
# http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx
# 'soon' on Firefox https://bugzilla.mozilla.org/show_bug.cgi?id=471020
add_header X-Content-Type-Options nosniff;
# This header enables the Cross-site scripting (XSS) filter built into most recent web browsers.
# It's usually enabled by default anyway, so the role of this header is to re-enable the filter for
# this particular website if it was disabled by the user.
# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
add_header X-XSS-Protection "1; mode=block";
# With Content Security Policy (CSP) enabled(and a browser that supports it (http://caniuse.com/#feat=contentsecuritypolicy),
# you can tell the browser that it can only download content from the domains you explicitly allow
# http://www.html5rocks.com/en/tutorials/security/content-security-policy/
# https://www.owasp.org/index.php/Content_Security_Policy
# You should implement this on your own as right parameters are unique to every website depending on what external hosts they use to load content from
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment