Nginx SSL/TLS configuration for "A+" Qualys SSL Labs rating

nginx-tls.conf

#
# Name: nginx-tls.conf
# Auth: Gavin Lloyd <gavinhungry@gmail.com>
# Desc: Nginx SSL/TLS configuration for "A+" Qualys SSL Labs rating
#
# Enables HTTP/2, PFS, HSTS and OCSP stapling. Configuration options not related
# to SSL/TLS are omitted here.
#
# Example: https://www.ssllabs.com/ssltest/analyze.html?d=gavinhungry.io
#

server {
  listen [::]:80;
  listen      80;
  server_name domain.tld www.domain.tld;

  # Redirect all non-https requests
  rewrite ^ https://$host$request_uri? permanent;
}

server {
  listen [::]:443 default_server ssl http2;
  listen      443 default_server ssl http2;

  server_name domain.tld www.domain.tld;

  # Certificate(s) and private key
  ssl_certificate /etc/ssl/domain.crt;
  ssl_certificate_key /etc/ssl/domain.key;

  # RFC-7919 recommended: https://wiki.mozilla.org/Security/Server_Side_TLS#ffdhe4096
  ssl_dhparam /etc/ssl/ffdhe4096.pem;

  # Or, generate random dhparam
  # openssl dhparam 4096 -out /etc/ssl/dhparam.pem
  # ssl_dhparam /etc/ssl/dhparam.pem;

  ssl_protocols TLSv1.3 TLSv1.2 TLSv1.1 TLSv1;
  ssl_prefer_server_ciphers on;
  ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA512:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:ECDH+AESGCM:ECDH+AES256:DH+AESGCM:DH+AES256:RSA+AESGCM:!aNULL:!eNULL:!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS;

  ssl_session_cache shared:TLS:2m;
  ssl_buffer_size 4k;

  # OCSP stapling
  ssl_stapling on;
  ssl_stapling_verify on;
  resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001]; # Cloudflare

  # Set HSTS to 365 days
  add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload' always;
}

Sweet example! Thanks a bunch :D!

Works great with few modifications...

The spdy option has been superseded with http2

Also I would recommend expanding your resolver line: resolver 8.8.8.8 8.8.4.4 [2001:4860:4860::8888] [2001:4860:4860::8844]

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; ... if you want A+ on a subdomain ... also, if using Let's encrypt and you want a score of 100 on key exchange then you must generate them with the flag --rsa-key-size 4096 and the usual openssl dhparam -out dhparam.pem 4096

another missing entry ... ssl_ecdh_curve secp384r1; ... required in addition to above for score of 100 on key exchange

Based on this config, 5 others and some extensive testing, I have put together a config that describes exactly how each NGINX directive will effect your SSL Labs score - see http://stackoverflow.com/questions/41930060/how-do-you-score-a-with-100-on-all-categories-on-ssl-labs-test-with-lets-encry - thanks for helping me put it together

watch out for the resolver 8.8.8.8 if you don't have access to good randomness

You can use dnsmasq for even faster and more secure lookups for the resolver entry, and then use my include= example
for TLS/SSL with nginx: https://gist.github.com/jult/395ad9fd3e9773a54a67aaf689beab27

I'd rather go for the 2048 long ssl_dhparam on my RaspberryPi like recommended here: https://gist.github.com/plentz/6737338#file-nginx-conf-L57 It just takes too damn long. 😂

worked for me without OSCP stalping,
Thanks a lot.

Based on https://security.stackexchange.com/a/95184/172143 it might make sense to use the -dsaparam option for the openssl dhparam command. Instead of hours it takes just a while to generate and I still get an A+.

@geronime Yes, I had that advice posted in a comment at https://gist.github.com/jult/395ad9fd3e9773a54a67aaf689beab27 already.

SSLLabs recommends to remove RSA+AESGCM from the cipher-list (weak)

FYI: This directive appeared in version 1.3.7
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8; # google-public-dns-a.google.com

Here is my code for their resolver to support both IPv4 and IPv6 (Can disable IPv6 and will still work universal setup)

#Cloudflare resolver 1dot1dot1dot1.cloudflare-dns.com
resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001];

https://1.1.1.1/#explanation
https://www.cloudflare.com/learning/dns/what-is-1.1.1.1/
https://blog.cloudflare.com/announcing-1111/

Fastest DNS resolvers in the world (1.1.1.1 is the fastest most secured and private unlike google)
https://www.dnsperf.com/#!dns-resolvers

ssl_protocols TLSv1.3 TLSv1.2 TLSv1.1 TLSv1

needs to be changed to

ssl_protocols TLSv1.3 TLSv1.2;

per https://blog.qualys.com/product-tech/2018/11/19/grade-change-for-tls-1-0-and-tls-1-1-protocols