#
# Name: nginx-tls.conf
# Auth: Gavin Lloyd <gavinhungry@gmail.com>
# Desc: Nginx SSL/TLS configuration for "A+" Qualys SSL Labs rating
#
# Enables HTTP/2, PFS, HSTS and OCSP stapling. Configuration options not related
# to SSL/TLS are not included here.
#
# Additional tips:
#
#   * Enable CAA DNS record: https://sslmate.com/caa
#
# Example: https://www.ssllabs.com/ssltest/analyze.html?d=gavinhungry.com
#

server {
  listen [::]:80;
  listen 80;

  server_name domain.tld www.domain.tld;

  # Redirect all non-https requests
  rewrite ^ https://$host$request_uri? permanent;
}

server {
  listen [::]:443 ssl http2 default_server;
  listen 443 ssl http2 default_server;

  server_name domain.tld www.domain.tld;

  # Certificate(s) and private key
  ssl_certificate /etc/ssl/domain.crt;
  ssl_certificate_key /etc/ssl/domain.key;

  # RFC-7919 recommended: https://wiki.mozilla.org/Security/Server_Side_TLS#ffdhe4096
  ssl_dhparam /etc/ssl/ffdhe4096.pem;

  # Or, generate random dhparam (openssl expects the bit size as the last argument)
  #   openssl dhparam -out /etc/ssl/dhparam.pem 4096
  # ssl_dhparam /etc/ssl/dhparam.pem;

  ssl_protocols TLSv1.3 TLSv1.2;
  ssl_prefer_server_ciphers on;
  ssl_ecdh_curve secp521r1:secp384r1;
  ssl_ciphers EECDH+AESGCM:EECDH+AES256;
  ssl_session_cache shared:TLS:2m;
  ssl_buffer_size 4k;

  # OCSP stapling
  ssl_stapling on;
  ssl_stapling_verify on;
  # ssl_stapling_verify can only check the stapled response if the issuer and root
  # certificates are trusted; if domain.crt does not already carry the full chain,
  # point ssl_trusted_certificate at a file that does.
  resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001]; # Cloudflare

  # Set HSTS to 365 days
  add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload' always;
}
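As an added example (not part of the gist or its author's config), a small Python audit of the directives this file and the comments below keep coming back to: legacy TLS versions left in `ssl_protocols`, the completeness of the HSTS header, and `ssl_stapling_verify` enabled without an `ssl_trusted_certificate` to verify against. The sample config is constructed for the demo and deliberately carries the older `ssl_protocols` line.

```python
"""Audit the TLS directives of an nginx server block (added example, not the gist's code)."""
import re

# Constructed sample: the gist's directives, but with the pre-2018 ssl_protocols line
# (TLSv1 and TLSv1.1 still enabled) and no ssl_trusted_certificate.
SAMPLE_CONF = """
server {
    listen 443 ssl http2;
    ssl_protocols TLSv1.3 TLSv1.2 TLSv1.1 TLSv1;   # legacy versions still on
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload' always;
}
"""

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
ONE_YEAR = 365 * 24 * 3600  # the max-age SSL Labs expects for full HSTS credit

def directives(conf):
    """Return [(name, args)] for each directive; comments and block braces are skipped."""
    out = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        if not line or line.endswith("{") or line == "}":
            continue
        name, _, args = line.rstrip(";").partition(" ")
        out.append((name, args.strip()))
    return out

def audit_tls(conf):
    """Return a list of findings; an empty list means nothing was flagged."""
    ds = directives(conf)
    names = {n for n, _ in ds}
    findings = []
    for name, args in ds:
        if name == "ssl_protocols":
            legacy = sorted(LEGACY_PROTOCOLS & set(args.split()))
            if legacy:
                findings.append("legacy protocols enabled: " + ", ".join(legacy))
        elif name == "add_header" and args.startswith("Strict-Transport-Security"):
            m = re.search(r"max-age=(\d+)", args)
            if not m or int(m.group(1)) < ONE_YEAR:
                findings.append("HSTS max-age below one year")
            for token in ("includeSubDomains", "preload"):
                if token not in args:
                    findings.append("HSTS header lacks " + token)
            if not args.endswith(" always"):   # without 'always' nginx omits it on 4xx/5xx
                findings.append("HSTS header missing 'always'")
    if ("ssl_stapling_verify", "on") in ds and "ssl_trusted_certificate" not in names:
        findings.append("ssl_stapling_verify on without ssl_trusted_certificate")
    return findings

if __name__ == "__main__":
    for finding in audit_tls(SAMPLE_CONF):
        print("-", finding)
```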
Works great with a few modifications... The spdy option has been superseded by http2. Also, I would recommend expanding your resolver line: resolver 8.8.8.8 8.8.4.4 [2001:4860:4860::8888] [2001:4860:4860::8844]
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; ... if you want A+ on a subdomain ... also, if using Let's Encrypt and you want a score of 100 on key exchange, then you must generate them with the flag --rsa-key-size 4096 and the usual openssl dhparam -out dhparam.pem 4096
Based on this config, 5 others and some extensive testing, I have put together a config that describes exactly how each NGINX directive will affect your SSL Labs score - see http://stackoverflow.com/questions/41930060/how-do-you-score-a-with-100-on-all-categories-on-ssl-labs-test-with-lets-encry - thanks for helping me put it together
You can use dnsmasq for even faster and more secure lookups for the resolver entry, and then use my include= example
I'd rather go for the
worked for me without OCSP stapling,
Based on https://security.stackexchange.com/a/95184/172143 it might make sense to use the
Here is my code for their resolver to support both IPv4 and IPv6 (you can disable IPv6 and it will still work as a universal setup)
https://1.1.1.1/#explanation: fastest DNS resolvers in the world (1.1.1.1 is the fastest, most secure and private, unlike Google)
ssl_protocols TLSv1.3 TLSv1.2 TLSv1.1 TLSv1 needs to be changed to ssl_protocols TLSv1.3 TLSv1.2; per https://blog.qualys.com/product-tech/2018/11/19/grade-change-for-tls-1-0-and-tls-1-1-protocols
Doesn't seem to work. I still get warnings on all CBC ciphers, so I only get an A, not A+:
Note the last update to this gist was on Nov 2, 2018
@ItsIrv @dbrossard @dlangille, thanks for the reminders that I've been letting this stagnate. I've just now applied what I think are sensible updates - feedback/tips/corrections welcome.
Take anything you like from what I just put up: https://github.com/FreshPorts/nginx-config/blob/main/virtualhost-common-ssl.conf
Sweet example! Thanks a bunch :D!