***
This post dates from 2014 and I would recommend to use the Mozilla SSL Configuration Generator to get a more accurate configuration: https://ssl-config.mozilla.org/
***
This post is more of a reminder for myself but it might help others, it shows a example of how to setup a good vhost with SSL support that gives a A+ rating with a (100/95/100/100) score.
Example of my website:
https://www.ssllabs.com/ssltest/analyze.html?d=ulyaoth.com
Nginx SSL example.
server {
listen 80;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
server_name test.ulyaoth.net;
return 301 https://test.ulyaoth.net$request_uri;
}
server {
listen 443 ssl default_server;
listen [::]:443 ssl default_server ipv6only=on;
server_name test.ulyaoth.net;
root /srv/nginx/test.ulyaoth.net/public;
index index.php;
access_log /var/log/nginx/test.ulyaoth.net/access.log main;
error_log /var/log/nginx/test.ulyaoth.net/error.log;
if ($http_user_agent ~ "Windows 95|Windows 98|biz360.com|xpymep|TurnitinBot|sindice|Purebot|libwww-perl") {
return 403;
break;
}
ssl_certificate /etc/nginx/ssl/test.ulyaoth.net.pem;
ssl_certificate_key /etc/ssl/certs/test.ulyaoth.net.key;
ssl_dhparam /etc/nginx/ssl/dhparams.pem;
ssl_session_cache builtin:1000 shared:SSL:2m;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:ECDH-RSA-AES256-SHA:CAMELLIA256-SHA:AES256-SHA;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
ssl_trusted_certificate /etc/ssl/certs/test.ulyaoth.net.ca;
add_header Strict-Transport-Security "max-age=31536000;";
add_header X-Frame-Options DENY;
add_header Public-Key-Pins "pin-sha256=\"zco8Bhue8GQPxzzGd9unFQteH9JAk4VUxsofgGUkb7k=\"; max-age=172800;";
location = /favicon.ico {
alias /srv/nginx/test.ulyaoth.net/public/favicon.ico;
}
location ~ /\.ht {
deny all;
}
location / {
}
}To get your “Public key pin” you can use the command:
$ openssl rsa -in test.ulyaoth.net.key -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64Of course use your own key file.
If anyone has a better way of a more secure way feel free to show me I would like to see more examples or learn more about it.
You can test it yourself on this website: https://www.ssllabs.com/ssltest/index.html
