- Documentation:
- NGINX ssl module
- Mozilla’s Server Side TLS Documentation
- Add session caching so that fewer SSL handshakes need to be made.
- The initial handshake is the most taxing part of the process, and if we can avoid repeating it then we’ll improve our overall performance.
$ vim /etc/nginx/conf.d/default.conf ssl_certificate /etc/nginx/ssl/public.pem; ssl_certificate_key /etc/nginx/ssl/private.key; ssl_session_timeout 1d; ssl_session_cache shared:SSL:50m; ssl_session_tickets off;
- ssl_session_timeout - set’s how long a session can persist
- ssl_session_cache - set’s the number of sessions to cache. The shared value indicates that it can be used by all NGINX processes. One megabyte of space can hold about 4,000 sessions
- ssl_sessions_tickets - SSL Tickets are an idea where encrypted session information is stored on the client instead of the server. We’re opting to not use tickets
- Configuring TLS protocols and cipher(Here we expect that clients will use modern updated browsers).
$ vim /etc/nginx/conf.d/default.conf ssl_certificate /etc/nginx/ssl/public.pem; ssl_certificate_key /etc/nginx/ssl/private.key; ssl_session_timeout 1d; ssl_session_cache shared:SSL:50m; ssl_session_tickets off; # Enabe TLS protocol and add ssl_cipher ssl_protocols TLSv1.2; ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; ssl_prefer_server_ciphers on;
- This cipher config is suggested by mozilla
- HSTS is a way to have NGINX tell the client that it should never interact with our domain using HTTP, and we add this using a header.
$ vim /etc/nginx/conf.d/default.conf ssl_certificate /etc/nginx/ssl/public.pem; ssl_certificate_key /etc/nginx/ssl/private.key; ssl_session_timeout 1d; ssl_session_cache shared:SSL:50m; ssl_session_tickets off; ssl_protocols TLSv1.2; ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; ssl_prefer_server_ciphers on; # 15768000 is roughly 6 months add_header Strict-Transport-Security max-age=15768000;
- Browser that receives a response from our server will refuse to send traffic over HTTP to our domain for the duration of
max-age
. - The client will need to make a separate request to verify the validity of a certificate from the issuer, but with OSCP stapling, the server can make that request and cache it for awhile to return that information with the initial handshake.
ssl_certificate /etc/nginx/ssl/public.pem; ssl_certificate_key /etc/nginx/ssl/private.key; ssl_session_timeout 1d; ssl_session_cache shared:SSL:50m; ssl_session_tickets off; ssl_protocols TLSv1.2; ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; ssl_prefer_server_ciphers on; # 15768000 is roughly 6 months add_header Strict-Transport-Security max-age=15768000; # OCSP Stapling ssl_stapling on; ssl_stapling_verify on;
- Check configuration
$ nginx -t # Output nginx: [warn] "ssl_stapling" ignored, issuer certificate not found for certificate "/etc/nginx/ssl/public.pem" nginx: the configuration file /etc/nginx/nginx.conf syntax is ok nginx: configuration file /etc/nginx/nginx.conf test is successful
- If you see the above warning that means your certificate is not signed by a authorized certificate authority.