Nginx SSL Labs A+

To get a highly secure SSL installation on Nginx, use the following config. With these settings you also get an A+ rating at SSL Labs.

[Screenshot: SSL Labs A+ rating]

It is important to generate your own Diffie-Hellman Ephemeral (DHE) parameters, which the forward-secrecy cipher suites rely on.

You can create the dhparam.pem file with openssl:

openssl dhparam -out www_safematix_com_dhparam.pem 4096

The nginx server block then looks like this:
ssl on; # deprecated in newer nginx releases, use "listen 443 ssl;" instead
ssl_certificate /etc/nginx/ssl/safematix/www_safematix_com.crt;
ssl_certificate_key /etc/nginx/ssl/safematix/www_safematix_com.key;
ssl_trusted_certificate /etc/nginx/ssl/safematix/ca.pem; # CA chain used to verify stapled OCSP responses

ssl_dhparam /etc/nginx/ssl/safematix/www_safematix_com_dhparam.pem;

ssl_session_timeout 5m;
ssl_session_cache shared:SSL:10m;

ssl_stapling on;
ssl_stapling_verify on;
resolver <DNS resolver IP> valid=300s; # placeholder: nginx needs a resolver address to look up the OCSP responder
resolver_timeout 10s;

add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # TLSv1.2 only is not an option here, older clients still need TLSv1/TLSv1.1

# HSTS: enable exactly ONE of the following lines, nginx sends every add_header it finds
add_header Strict-Transport-Security max-age=63072000; # two years
# add_header Strict-Transport-Security max-age=15768000; # six months
# use this only if all subdomains support HTTPS!
# add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";
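As an added check, written for this page and not part of the original post, the following Python linter reads a server block like the one above and flags what a reviewer would question today: legacy protocol versions, a missing ssl_dhparam or ssl_ciphers, stapling without a resolver, and duplicate or short-lived HSTS headers. The sample block and its paths are constructed.

```python
import re
# Constructed sample, modelled on the server block in this post (not the author's live file).
SAMPLE_CONFIG = """
ssl_certificate /etc/nginx/ssl/example/www_example_com.crt;
ssl_dhparam /etc/nginx/ssl/example/www_example_com_dhparam.pem;
ssl_stapling on;
ssl_stapling_verify on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # not possible to do exclusive
add_header Strict-Transport-Security max-age=15768000;
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";
"""
# One directive per line: name, value up to the terminating ';', optional trailing comment.
DIRECTIVE_RE = re.compile(r'^([a-z_]+)\s+(.*?);\s*(?:#.*)?$')
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def parse_directives(text):
    """Return [(name, value), ...] for every non-comment directive line."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        m = DIRECTIVE_RE.match(line) if line and not line.startswith("#") else None
        if m:
            out.append((m.group(1), m.group(2).strip()))
    return out

def lint_tls(text, min_hsts_age=15768000):
    """Return a list of findings; an empty list means every check passed."""
    by_name = {}
    for name, value in parse_directives(text):
        by_name.setdefault(name, []).append(value)
    findings = []
    for value in by_name.get("ssl_protocols", []):
        findings += [f"legacy protocol enabled: {p}" for p in value.split() if p in LEGACY_PROTOCOLS]
    if "ssl_dhparam" not in by_name:
        findings.append("ssl_dhparam missing: DHE suites fall back to weak built-in parameters")
    if "ssl_ciphers" not in by_name:
        findings.append("ssl_ciphers missing: OpenSSL's default cipher list is used")
    if by_name.get("ssl_stapling") == ["on"] and "resolver" not in by_name:
        findings.append("ssl_stapling on without a resolver: OCSP responder lookups fail")
    hsts = [v for v in by_name.get("add_header", []) if v.startswith("Strict-Transport-Security")]
    if not hsts:
        findings.append("no Strict-Transport-Security header")
    elif len(hsts) > 1:
        findings.append(f"{len(hsts)} Strict-Transport-Security headers: nginx sends all of them")
    for v in hsts:
        m = re.search(r"max-age=(\d+)", v)
        if m and int(m.group(1)) < min_hsts_age:
            findings.append(f"HSTS max-age {m.group(1)} is below {min_hsts_age}")
    return findings
```

Run lint_tls on the text of your own server block; an empty list is the goal before you re-test at SSL Labs.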
