Tips & Tricks

Nginx SSL example

This post is more of a reminder for myself but it might help others, it shows a example of how to setup a good vhost with SSL support that gives a A+ rating with a (100/95/100/100) score.

Example of my website:
https://www.ssllabs.com/ssltest/analyze.html?d=ulyaoth.com

Nginx SSL example.
[js]server {
listen 80;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
server_name test.ulyaoth.net;
return 301 https://test.ulyaoth.net$request_uri;
}

server {
listen 443 ssl default_server;
listen [::]:443 ssl default_server ipv6only=on;
server_name test.ulyaoth.net;

root /srv/nginx/test.ulyaoth.net/public;
index index.php;

access_log /var/log/nginx/test.ulyaoth.net/access.log main;
error_log /var/log/nginx/test.ulyaoth.net/error.log;

if ($http_user_agent ~ “Windows 95|Windows 98|biz360.com|xpymep|TurnitinBot|sindice|Purebot|libwww-perl”) {
return 403;
break;
}

ssl_certificate /etc/nginx/ssl/test.ulyaoth.net.pem;
ssl_certificate_key /etc/ssl/certs/test.ulyaoth.net.key;
ssl_dhparam /etc/nginx/ssl/dhparams.pem;
ssl_session_cache builtin:1000 shared:SSL:2m;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;

ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:ECDH-RSA-AES256-SHA:CAMELLIA256-SHA:AES256-SHA;

ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
ssl_trusted_certificate /etc/ssl/certs/test.ulyaoth.net.ca;

add_header Strict-Transport-Security “max-age=31536000;”;
add_header X-Frame-Options DENY;
add_header Public-Key-Pins “pin-sha256=\”zco8Bhue8GQPxzzGd9unFQteH9JAk4VUxsofgGUkb7k=\”; max-age=172800;”;

location = /favicon.ico {
alias /srv/nginx/test.ulyaoth.net/public/favicon.ico;
}

location ~ /\.ht {
deny all;
}

location / {
}
}[/js]

To get your “Public key pin” you can use the command:
$ openssl rsa -in test.ulyaoth.net.key -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64

Of course use your own key file.

If anyone has a better way of a more secure way feel free to show me I would like to see more examples or learn more about it.

You can test it yourself on this website: https://www.ssllabs.com/ssltest/index.html

Related posts

How to fix the “Pane is dead” error during the installation of Fedora on a HP Proliant server

Sjir Bagmeijer

How to set a white background in Windows and Windows server

Sjir Bagmeijer

How to create a SELinux policy module file

Sjir Bagmeijer

This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Accept Read More