jemerick/README.md

## README.md

      
    Raw
  

              README.md
            
          
    Configuring nginx for SSL SNI vhosts

Gotchas


Note that SHA2 hash algorithm may be not supported on older systems (Windows XP, Windows 2003, among others).
Be aware that mandatory https on SNI vhosts eliminate [Internet Explorer on Windows XP, among others]
(http://en.wikipedia.org/wiki/Server_Name_Indication#Web_browsers.5B6.5D).

Remarks


My version of konklones SSL config does not have SPDY support(my nginx+openssl does not support it)
You need a default ssl server (example.org-default.conf).
Some SSL-options have to be unique across your instance, so it's easier to have them in a common file(ssl.conf).
For updated ssl_ciphers, I refer you to these two sources

The original of this fork
The Mozilla SSL Config Generator


## example.com.conf
server {
	listen		443	ssl;
	server_name	example.com;

	# required: path to certificate and private key
	ssl_certificate			/opt/keys/example.com/example.com.unified.crt;
	ssl_certificate_key		/opt/keys/example.com/example.com.decrypted.key;

	# required for OCSP stapling, if any of your vhosts don't have this line, you have to inactivate OCSP stapling in ssl.conf
	ssl_trusted_certificate		/opt/keys/example.com/example.com.unified+root.crt;

	# Include global SSL settings
	include /etc/nginx/ssl.conf;

	root   /usr/share/nginx/html;
	index  index.html index.htm;

	location / {
		proxy_pass  http://upstream;
	}
}

## example.org-default.conf
server {
	listen		443	ssl    default_server;
	server_name	example.org;

	# required: path to certificate and private key
	ssl_certificate			/opt/keys/example.org/example.org.unified.crt;
	ssl_certificate_key		/opt/keys/example.org/example.org.decrypted.key;

	# required for OCSP stapling, if any of your vhosts don't have this line, you have to inactivate OCSP stapling in ssl.conf
	ssl_trusted_certificate		/opt/keys/example.org/example.org.unified+root.crt;

	# Include global SSL settings
	include /etc/nginx/ssl.conf;

	root   /usr/share/nginx/html;
	index  index.html index.htm;

	location / {
		proxy_pass  http://upstream;
	}
}

## ssl.conf
# Basically the nginx configuration I use at konklone.com.
# I check it using https://www.ssllabs.com/ssltest/analyze.html?d=konklone.com
#
# To provide feedback, please tweet at @konklone or email eric@konklone.com.
# Comments on gists don't notify the author.
#
# Thanks to WubTheCaptain (https://wubthecaptain.eu) for his help and ciphersuites.
# Thanks to Ilya Grigorik (https://www.igvita.com) for constant inspiration.

# HTTP Strict Transport Security: tells browsers to require https:// without first checking
# the http:// version for a redirect. Warning: it is difficult to change your mind.
#
#    max-age: length of requirement in seconds (31536000 = 1 year)
#    includeSubdomains: force SSL for *ALL* subdomains (remove if this is not what you want)
#    preload: indicates you want browsers to ship with HSTS preloaded for your domain.
#
#    Submit your domain for preloading in browsers at: https://hstspreload.appspot.com
#add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';

# If you won't/can't turn on HTTPS for *all* subdomains, use this simpler version:
add_header Strict-Transport-Security 'max-age=31536000';

# Prefer certain ciphersuites, to enforce Forward Secrecy and avoid known vulnerabilities.
#
# Forces forward secrecy in all browsers and clients that can use TLS,
# but with a small exception (DES-CBC3-SHA) for IE8/XP users.
#
# Reference client: https://www.ssllabs.com/ssltest/analyze.html
ssl_prefer_server_ciphers on;
ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !MD5 !EXP !DSS !PSK !SRP !kECDH !CAMELLIA !RC4 !SEED';

# Now let's really get fancy, and pre-generate a 2048 bit random parameter
# for DH elliptic curves. If not created and specified, default is only 1024 bits.
#
# Generated by OpenSSL with the following command:
#   openssl dhparam -outform pem -out dhparam2048.pem 2048
ssl_dhparam /path/to/dhparam2048.pem;

# Cut out the old, broken, insecure SSLv2 and SSLv3 entirely.
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;


# optional: turn on session resumption, using a 10 min cache shared across nginx processes
# as recommended by http://nginx.org/en/docs/http/configuring_https_servers.html
ssl_session_cache   shared:SSL:10m;
ssl_session_timeout 10m;
keepalive_timeout   70;

# Buffer size of 1400 bytes fits in one MTU.
# nginx 1.5.9+ ONLY
ssl_buffer_size 1400;

# OCSP stapling - means nginx will poll the CA for signed OCSP responses,
# and send them to clients so clients don't make their own OCSP calls.
# https://en.wikipedia.org/wiki/OCSP_stapling
#
# while the ssl_certificate above may omit the root cert if the CA is trusted,
# ssl_trusted_certificate below must point to a chain of **all** certs
# in the trust path - (your cert, intermediary certs, root cert)
#
# 8.8.8.8 and 8.8.4.4 below are Google's public IPv4 DNS servers.
# nginx will use them to talk to the CA.
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=86400;
resolver_timeout 10;
	server {
	listen 443 ssl;
	server_name example.com;

	# required: path to certificate and private key
	ssl_certificate /opt/keys/example.com/example.com.unified.crt;
	ssl_certificate_key /opt/keys/example.com/example.com.decrypted.key;

	# required for OCSP stapling, if any of your vhosts don't have this line, you have to inactivate OCSP stapling in ssl.conf
	ssl_trusted_certificate /opt/keys/example.com/example.com.unified+root.crt;

	# Include global SSL settings
	include /etc/nginx/ssl.conf;

	root /usr/share/nginx/html;
	index index.html index.htm;

	location / {
	proxy_pass http://upstream;
	}
	}
	server {
	listen 443 ssl default_server;
	server_name example.org;

	# required: path to certificate and private key
	ssl_certificate /opt/keys/example.org/example.org.unified.crt;
	ssl_certificate_key /opt/keys/example.org/example.org.decrypted.key;

	# required for OCSP stapling, if any of your vhosts don't have this line, you have to inactivate OCSP stapling in ssl.conf
	ssl_trusted_certificate /opt/keys/example.org/example.org.unified+root.crt;

	# Include global SSL settings
	include /etc/nginx/ssl.conf;

	root /usr/share/nginx/html;
	index index.html index.htm;

	location / {
	proxy_pass http://upstream;
	}
	}
	# Basically the nginx configuration I use at konklone.com.
	# I check it using https://www.ssllabs.com/ssltest/analyze.html?d=konklone.com
	#
	# To provide feedback, please tweet at @konklone or email eric@konklone.com.
	# Comments on gists don't notify the author.
	#
	# Thanks to WubTheCaptain (https://wubthecaptain.eu) for his help and ciphersuites.
	# Thanks to Ilya Grigorik (https://www.igvita.com) for constant inspiration.

	# HTTP Strict Transport Security: tells browsers to require https:// without first checking
	# the http:// version for a redirect. Warning: it is difficult to change your mind.
	#
	# max-age: length of requirement in seconds (31536000 = 1 year)
	# includeSubdomains: force SSL for ALL subdomains (remove if this is not what you want)
	# preload: indicates you want browsers to ship with HSTS preloaded for your domain.
	#
	# Submit your domain for preloading in browsers at: https://hstspreload.appspot.com
	#add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';

	# If you won't/can't turn on HTTPS for all subdomains, use this simpler version:
	add_header Strict-Transport-Security 'max-age=31536000';

	# Prefer certain ciphersuites, to enforce Forward Secrecy and avoid known vulnerabilities.
	#
	# Forces forward secrecy in all browsers and clients that can use TLS,
	# but with a small exception (DES-CBC3-SHA) for IE8/XP users.
	#
	# Reference client: https://www.ssllabs.com/ssltest/analyze.html
	ssl_prefer_server_ciphers on;
	ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !MD5 !EXP !DSS !PSK !SRP !kECDH !CAMELLIA !RC4 !SEED';

	# Now let's really get fancy, and pre-generate a 2048 bit random parameter
	# for DH elliptic curves. If not created and specified, default is only 1024 bits.
	#
	# Generated by OpenSSL with the following command:
	# openssl dhparam -outform pem -out dhparam2048.pem 2048
	ssl_dhparam /path/to/dhparam2048.pem;

	# Cut out the old, broken, insecure SSLv2 and SSLv3 entirely.
	ssl_protocols TLSv1.2 TLSv1.1 TLSv1;


	# optional: turn on session resumption, using a 10 min cache shared across nginx processes
	# as recommended by http://nginx.org/en/docs/http/configuring_https_servers.html
	ssl_session_cache shared:SSL:10m;
	ssl_session_timeout 10m;
	keepalive_timeout 70;

	# Buffer size of 1400 bytes fits in one MTU.
	# nginx 1.5.9+ ONLY
	ssl_buffer_size 1400;

	# OCSP stapling - means nginx will poll the CA for signed OCSP responses,
	# and send them to clients so clients don't make their own OCSP calls.
	# https://en.wikipedia.org/wiki/OCSP_stapling
	#
	# while the ssl_certificate above may omit the root cert if the CA is trusted,
	# ssl_trusted_certificate below must point to a chain of all certs
	# in the trust path - (your cert, intermediary certs, root cert)
	#
	# 8.8.8.8 and 8.8.4.4 below are Google's public IPv4 DNS servers.
	# nginx will use them to talk to the CA.
	ssl_stapling on;
	ssl_stapling_verify on;
	resolver 8.8.8.8 8.8.4.4 valid=86400;
	resolver_timeout 10;