TRENDING NOW

Are our infrastructures secure?

The dinosaur who saved the day

What is sociology?

Security Software & Tools Tips – April…

Courses I did to become a cloud…

Security Software & Tools Tips – March…

Application of Biotechnology

How to install Elastic Stack 6.6 on…

Security Software & Tools Tips – February…

Security Software & Tools Tips – January…

Tips & Tricks

Nginx SSL example

by Sjir Bagmeijer0199

This post is more of a reminder for myself but it might help others, it shows a example of how to setup a good vhost with SSL support that gives a A+ rating with a (100/95/100/100) score.

Example of my website:
https://www.ssllabs.com/ssltest/analyze.html?d=ulyaoth.com

Nginx SSL example.

server {
  listen 80;
  add_header X-Frame-Options DENY;
  add_header X-Content-Type-Options nosniff;
  server_name test.ulyaoth.net;
  return 301 https://test.ulyaoth.net$request_uri;
}

server {
  listen       443 ssl default_server;
  listen  [::]:443 ssl default_server ipv6only=on;
  server_name  test.ulyaoth.net;

  root         /srv/nginx/test.ulyaoth.net/public;
  index        index.php;

  access_log  /var/log/nginx/test.ulyaoth.net/access.log main;
  error_log   /var/log/nginx/test.ulyaoth.net/error.log;


if ($http_user_agent ~ "Windows 95|Windows 98|biz360.com|xpymep|TurnitinBot|sindice|Purebot|libwww-perl")  {
  return 403;
  break;
}

  ssl_certificate             /etc/nginx/ssl/test.ulyaoth.net.pem;
  ssl_certificate_key         /etc/ssl/certs/test.ulyaoth.net.key;
  ssl_dhparam                 /etc/nginx/ssl/dhparams.pem;
  ssl_session_cache           builtin:1000  shared:SSL:2m;
  ssl_session_timeout         5m;
  ssl_protocols               TLSv1 TLSv1.1 TLSv1.2;
  ssl_prefer_server_ciphers   on;

  ssl_ciphers  ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:ECDH-RSA-AES256-SHA:CAMELLIA256-SHA:AES256-SHA;

  ssl_stapling on;
  ssl_stapling_verify on;
  resolver 8.8.8.8 8.8.4.4 valid=300s;
  resolver_timeout 5s;
  ssl_trusted_certificate /etc/ssl/certs/test.ulyaoth.net.ca;

  add_header Strict-Transport-Security "max-age=31536000;";
  add_header X-Frame-Options DENY;
  add_header Public-Key-Pins "pin-sha256=\"zco8Bhue8GQPxzzGd9unFQteH9JAk4VUxsofgGUkb7k=\"; max-age=172800;";

location = /favicon.ico {
  alias  /srv/nginx/test.ulyaoth.net/public/favicon.ico;
}

location ~ /\.ht {
  deny all;
}

location / {
}
}

To get your “Public key pin” you can use the command:
$ openssl rsa -in test.ulyaoth.net.key -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64

Of course use your own key file.

If anyone has a better way of a more secure way feel free to show me I would like to see more examples or learn more about it.

You can test it yourself on this website: https://www.ssllabs.com/ssltest/index.html

Sjir Bagmeijer
Sjir has over 15 years of experience in information technology, having done various positions at companies such as Blizzard Entertainment and Bonnier Broadcasting. Wielding multiple Security certificates such as Security+ and CySA+ (Cybersecurity Analyst), he currently works for Basefarm as an information security engineer.

Related posts

Rack::OnePiece

Sjir Bagmeijer

How to set a white background in Windows and Windows server

Sjir Bagmeijer

How to fix the “Pane is dead” error during the installation of Fedora on a HP Proliant server

Sjir Bagmeijer