Created
October 13, 2016 10:08
Nginx SSL configuration steps for passing all vulnerability tests (Qualys SSL Test)
Add SSL ciphers:

ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

Fix the OpenSSL padding oracle vulnerability:

https://gist.github.com/ArturT/bc8836d3bedff801dc324ac959050d12

Add SSL protocols:

ssl_protocols TLSv1.2 TLSv1.1 TLSv1;

Set server cipher preference to on:

ssl_prefer_server_ciphers on;

In the server block, enable listening on both IPv6 and IPv4:

listen 443 ssl;
listen [::]:443 ssl;

Add default_server to the listen directives above:

listen 443 default_server ssl;
listen [::]:443 default_server ssl;
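The steps above are easy to get subtly wrong (a missing IPv6 listen, a cipher list without the `!` exclusions, prefer_server_ciphers left at its default). The following checker is an added example, not part of the gist: it parses the `ssl_*` and `listen` directives out of an nginx server block and reports deviations from the gist's requirements. It goes a little beyond the gist in two places, both labelled in the code: it flags TLSv1 and TLSv1.1 (which RFC 8996 deprecated in 2021, five years after this gist) and the 3DES suite `DES-CBC3-SHA` that the gist's cipher string still allows, because a scanner run today scores both against you. The sample configs, certificate paths and the abbreviated cipher string are constructed for the example; the first sample reproduces the gist's own directives and therefore produces exactly those two findings.

```python
import re

# Constructed sample 1: the gist's directives assembled into one server block.
# Certificate paths are placeholders; the cipher string is abbreviated but
# keeps the gist's exclusions and its DES-CBC3-SHA entry.
GIST_CONFIG = """
server {
    listen 443 default_server ssl;
    listen [::]:443 default_server ssl;
    server_name example.com;
    ssl_certificate     /etc/ssl/certs/PLACEHOLDER.crt;
    ssl_certificate_key /etc/ssl/private/PLACEHOLDER.key;
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    ssl_prefer_server_ciphers on;   # gist step: server picks the cipher
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:kEDH+AESGCM:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH';
}
"""

# Constructed sample 2: same block with TLS 1.0/1.1 and 3DES removed.
HARDENED_CONFIG = GIST_CONFIG.replace(
    "ssl_protocols TLSv1.2 TLSv1.1 TLSv1;", "ssl_protocols TLSv1.2 TLSv1.3;"
).replace(":DES-CBC3-SHA", "")

# Protocols that current guidance (RFC 8996 for TLS 1.0/1.1) treats as legacy.
# Stricter than the gist, which still lists TLSv1 and TLSv1.1.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# The negative entries the gist's cipher string relies on to drop weak suites.
REQUIRED_EXCLUSIONS = {"!aNULL", "!eNULL", "!EXPORT", "!RC4", "!MD5"}


def strip_comments(config):
    """Drop '#' comments so they cannot hide or fake a directive."""
    return re.sub(r"#.*", "", config)


def parse_directives(config):
    """Return {directive_name: [value, ...]} for every 'name value;' statement.

    Repeated directives (listen) keep every occurrence, in file order.
    Surrounding quotes on the value are removed.
    """
    directives = {}
    for name, value in re.findall(r"(\w+)\s+([^;{}]*?)\s*;", strip_comments(config)):
        directives.setdefault(name, []).append(value.strip().strip("'\""))
    return directives


def check_tls_config(config):
    """Return a list of findings; an empty list means every check passed."""
    d = parse_directives(config)
    findings = []

    # Step "Add SSL protocols": protocol list present and free of legacy versions.
    protocols = set(" ".join(d.get("ssl_protocols", [])).split())
    if not protocols:
        findings.append("ssl_protocols missing (nginx default applies)")
    legacy = sorted(protocols & LEGACY_PROTOCOLS)
    if legacy:
        findings.append("legacy protocols enabled: " + " ".join(legacy))

    # Step "Set preferred ciphers": the last occurrence wins in nginx.
    if d.get("ssl_prefer_server_ciphers", ["off"])[-1] != "on":
        findings.append("ssl_prefer_server_ciphers is not on")

    # Step "Add SSL ciphers": exclusions present, 3DES flagged (64-bit block cipher).
    suites = set(d.get("ssl_ciphers", [""])[-1].split(":"))
    missing = sorted(REQUIRED_EXCLUSIONS - suites)
    if missing:
        findings.append("ssl_ciphers does not exclude: " + " ".join(missing))
    if "DES-CBC3-SHA" in suites or "3DES" in suites:
        findings.append("3DES cipher suite enabled (64-bit block cipher)")

    # Steps "enable IPv6 and IPv4" and "add default_server".
    ssl_listens = [v for v in d.get("listen", []) if "ssl" in v.split()]
    if not any(v.startswith("[::]") for v in ssl_listens):
        findings.append("no IPv6 ssl listen directive")
    if not any(not v.startswith("[::]") for v in ssl_listens):
        findings.append("no IPv4 ssl listen directive")
    if not any("default_server" in v.split() for v in ssl_listens):
        findings.append("no ssl listen directive is default_server")
    return findings


if __name__ == "__main__":
    for label, cfg in (("gist", GIST_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label + ":", check_tls_config(cfg) or "OK")
```

Run it against your own `server` block by reading the file into `check_tls_config`; the parser only understands flat `name value;` statements, which is all the gist's directives need.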