Get a good SSL security for your website
- letsencrypt
- strong-DH-group
- Public Key Pinning
- certificatechain.io
- cert-chain-resolver
- https://scotthelme.co.uk/a-plus-rating-qualys-ssl-test/
- sha1-deprecation-what-you-need-to-know
- https://thecustomizewindows.com/2015/05/nginx-ssl-certificate-incomplete-chain-issues-fix/
- https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
- https://www.octopuce.fr/accelerer-votre-ssl-tls-avec-ocsp-stapling/
- https://www.abyssproject.net/2016/11/a-la-recherche-de-la-configuration-parfaite-pour-nginx/
- Get your
domain.keyanddomain.crtfiles from your provider. - Chain your certificate.
- Copy
domain.keyanddomain-chained.crtto your server. - On your server, chown your files to root
- Move the chained certificate to
/etc/ssl/certsand the key to/etc/ssl/private
$ sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt --depth=1
$ sudo /opt/letsencrypt/letsencrypt-auto certonly --rsa-key-size 4096 --webroot --webroot-path /var/www/domain.com -d domain.com
Accept ToS and set your address email to be notified.
Certificates to use are available in /etc/letencrypt/live/domain.com
Optionnaly, add a weekly crontab for root to renew automatically if needed:
30 3 * * 0 /opt/letsencrypt/letsencrypt-auto renew >> /var/log/letsencrypt.log
Edit your nginx block conf and add the acme-challenge location:
location ~ ^/.well-known {
root /var/www/domain.org/current;
}
location /.well-known/acme-challenge {
default_type "text/plain";
root /tmp/letsencrypt-auto;
}
Restart nginx and issue for example a staging SSL certifcate:
$ acme.sh --staging --issue -d domain.org -w /var/www/domain.org/current
[Wed May 20 12:13:37 UTC 2020] Your cert is in /home/debian/.acme.sh/domain.org/domain.org.cer
[Wed May 20 12:13:37 UTC 2020] Your cert key is in /home/debian/.acme.sh/domain.org/domain.org.key
[Wed May 20 12:13:37 UTC 2020] The intermediate CA cert is in /home/debian/.acme.sh/domain.org/ca.cer
[Wed May 20 12:13:37 UTC 2020] And the full chain certs is there: /home/debian/.acme.sh/domain.org/fullchain.cerThen a your SSL block in nginx.
- Ask a SHA256 certicate algorithm to your provider : sha1-deprecation-what-you-need-to-know
- Chain your certificate : certificatechain.io
- Use a Strong DH Group : strong-DH-group
- Generate a SSL ticket : `sudo openssl rand 48 -out /etc/nginx/ssl/ticket.key
[...]
listen 443 http2 ssl;
ssl on;
ssl_certificate /etc/ssl/certs/domain-chained.crt;
ssl_certificate_key /etc/ssl/private/domain.key;
# Protocols and cyphers
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/private/dhparams.pem;
# SSL Session
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 24h;
ssl_session_tickets on;
ssl_session_ticket_key /etc/nginx/ssl/ticket.key;
# HTTP Strict Transport Security
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
# HTTP Public Key Pinning
add_header Public-Key-Pins 'pin-sha256="xxx"; pin-sha256="yyy"; max-age=zzz; includeSubDomains';
# OSCP Stapling
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/domain.com/fullchain.pem
# Resolver (Google DNS, Open DNS, Dyn DNS)
resolver 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 216.146.35.35 216.146.36.36 valid=300s;
resolver_timeout 3s;
[...]