Nginx SSL example

***
This post dates from 2014 and I would recommend to use the Mozilla SSL Configuration Generator to get a more accurate configuration: https://ssl-config.mozilla.org/
***

This post is more of a reminder for myself but it might help others, it shows a example of how to setup a good vhost with SSL support that gives a A+ rating with a (100/95/100/100) score.

Example of my website:
https://www.ssllabs.com/ssltest/analyze.html?d=ulyaoth.com

Nginx SSL example.

server {
  listen 80;
  add_header X-Frame-Options DENY;
  add_header X-Content-Type-Options nosniff;
  server_name test.ulyaoth.net;
  return 301 https://test.ulyaoth.net$request_uri;
}

server {
  listen 443 ssl default_server;
  listen [::]:443 ssl default_server ipv6only=on;
  server_name test.ulyaoth.net;

  root /srv/nginx/test.ulyaoth.net/public;
  index index.php;

  access_log /var/log/nginx/test.ulyaoth.net/access.log main;
  error_log /var/log/nginx/test.ulyaoth.net/error.log;

if ($http_user_agent ~ "Windows 95|Windows 98|biz360.com|xpymep|TurnitinBot|sindice|Purebot|libwww-perl") {
  return 403;
  break;
}

  ssl_certificate /etc/nginx/ssl/test.ulyaoth.net.pem;
  ssl_certificate_key /etc/ssl/certs/test.ulyaoth.net.key;
  ssl_dhparam /etc/nginx/ssl/dhparams.pem;
  ssl_session_cache builtin:1000 shared:SSL:2m;
  ssl_session_timeout 5m;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_prefer_server_ciphers on;

  ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:ECDH-RSA-AES256-SHA:CAMELLIA256-SHA:AES256-SHA;

  ssl_stapling on;
  ssl_stapling_verify on;
  resolver 8.8.8.8 8.8.4.4 valid=300s;
  resolver_timeout 5s;
  ssl_trusted_certificate /etc/ssl/certs/test.ulyaoth.net.ca;

  add_header Strict-Transport-Security "max-age=31536000;";
  add_header X-Frame-Options DENY;
  add_header Public-Key-Pins "pin-sha256=\"zco8Bhue8GQPxzzGd9unFQteH9JAk4VUxsofgGUkb7k=\"; max-age=172800;";

location = /favicon.ico {
  alias /srv/nginx/test.ulyaoth.net/public/favicon.ico;
}

location ~ /\.ht {
  deny all;
}

location / {
}
}

To get your “Public key pin” you can use the command:

$ openssl rsa -in test.ulyaoth.net.key -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64

Of course use your own key file.

If anyone has a better way of a more secure way feel free to show me I would like to see more examples or learn more about it.

You can test it yourself on this website: https://www.ssllabs.com/ssltest/index.html

Blush Blush (2019)

Crush Crush (2016)

Counter-Strike: Source (2004)

Counter-Strike: Global Offensive (2012)

Engineering has never stopped transforming the human imagination

How to install MongoDB 4.0 in replication on…

How to install Elastic Stack 6.6 on Windows…

How to install and configure the AWS CLI…

How to host an HTML5 website on AWS…

8 Most Incredible Places To Visit In Japan

Nginx SSL example

Sjir Bagmeijer

Securing the Remote Workforce: Managing External Endpoints and Their Users

6 Common Reasons for Cybersecurity Incidents

Two Examples of Phishing Tactics Targeting Your Employees

CISA Releases New Ransomware Readiness Assessment Tool

Cybersecurity Considerations for Operation of Commercial Drones

How to install a graphical desktop on CentOS 8

Run a cheap website on AWS S3 and CloudFront

How to install Google Chrome on Windows Server 2019

Editor's Picks

Securing the Remote Workforce: Managing External Endpoints and Their Users

6 Common Reasons for Cybersecurity Incidents

Two Examples of Phishing Tactics Targeting Your Employees

RECENT POST

Securing the Remote Workforce: Managing External Endpoints and Their Users

6 Common Reasons for Cybersecurity Incidents

Two Examples of Phishing Tactics Targeting Your Employees

NEWS

Ulyaoth Repository – End of Life

Related posts