Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
A secure SSL certificate configuration for Nginx (Dec 2013) which mitigates most known vulnerabilities whilst providing good browser coverage and a grade A rating on the GlobalSign SSL cert checker (https://sslcheck.globalsign.com/en_GB)
ssl on;
ssl_certificate /path/to/certs/thedotproduct.org.pem;
ssl_certificate_key /path/to/certs/thedotproduct.org.key.unsigned;
# References used along with my own work:
# https://raymii.org/s/tutorials/Pass_the_SSL_Labs_Test_on_NGINX_(Mitigate_the_CRIME_and_BEAST_attack_-_Disable_SSLv2_-_Enable_PFS).html
# https://coderwall.com/p/ebl2qa
# http://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
# http://code-bear.com/bearlog/2013/06/26/nginx-ssl-config-for-forward-secrecy/
# https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers
ssl_ciphers EDH+aRSA+AESGCM:EDH+aRSA+AES:DHE-RSA-AES256-SHA:EECDH+aRSA+AESGCM:EECDH+aRSA+AES:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:RSA+AESGCM:RSA+AES+SHA:DES-CBC3-SHA:-DHE-RSA-AES128-SHA:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:!ADH:!IDEA;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_timeout
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 60m;
# http://unmitigatedrisk.com/?p=354
resolver 8.8.8.8;
ssl_stapling on;
ssl_trusted_certificate /etc/nginx/certs/thedotproduct.org.pem;
# http://www.westphahl.net/blog/2012/01/03/setting-up-https-with-nginx-and-startssl/
add_header Strict-Transport-Security max-age=31536000;
add_header X-Frame-Options DENY;
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.