/Secure SSL certificate configuration for Nginx (Grade A on GlobalSign SSL certificate checker)
Last active Dec 30, 2015
A secure SSL certificate configuration for Nginx (Dec 2013) which mitigates most known vulnerabilities whilst providing good browser coverage and a grade A rating on the GlobalSign SSL cert checker (https://sslcheck.globalsign.com/en_GB)
| ssl on; | |
| ssl_certificate /path/to/certs/thedotproduct.org.pem; | |
| ssl_certificate_key /path/to/certs/thedotproduct.org.key.unsigned; | |
| # References used along with my own work: | |
| # https://raymii.org/s/tutorials/Pass_the_SSL_Labs_Test_on_NGINX_(Mitigate_the_CRIME_and_BEAST_attack_-_Disable_SSLv2_-_Enable_PFS).html | |
| # https://coderwall.com/p/ebl2qa | |
| # http://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ | |
| # http://code-bear.com/bearlog/2013/06/26/nginx-ssl-config-for-forward-secrecy/ | |
| # https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers | |
| ssl_ciphers EDH+aRSA+AESGCM:EDH+aRSA+AES:DHE-RSA-AES256-SHA:EECDH+aRSA+AESGCM:EECDH+aRSA+AES:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:RSA+AESGCM:RSA+AES+SHA:DES-CBC3-SHA:-DHE-RSA-AES128-SHA:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:!ADH:!IDEA; | |
| ssl_protocols TLSv1 TLSv1.1 TLSv1.2; | |
| # http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_timeout | |
| ssl_session_cache shared:SSL:20m; | |
| ssl_session_timeout 60m; | |
| # http://unmitigatedrisk.com/?p=354 | |
| resolver 8.8.8.8; | |
| ssl_stapling on; | |
| ssl_trusted_certificate /etc/nginx/certs/thedotproduct.org.pem; | |
| # http://www.westphahl.net/blog/2012/01/03/setting-up-https-with-nginx-and-startssl/ | |
| add_header Strict-Transport-Security max-age=31536000; | |
| add_header X-Frame-Options DENY; |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment