Table of contents
Security Layer
- SSL - secure socket layer (deprecated)
- TLS - transport layer security (current supported)
Generate DH param
openssl dhparam 2048 -out /etc/nginx/ssl/dhparam.pem
#this dhparam must match the key and crt
Sample server configuration
user www-data;
worker_processes auto;
events {
worker_connections 1024;
}
http {
include mine.type;
#redirect all traffic to https
server {
listen 80;
server_name example.com;
return 301 https://$host$request_uri;
}
server {
server_name example.com;
root /var/www/example.com;
listen 443 ssl http2;
ssl_certificate /etc/nginx/ssl/self.crt;
ssl_certificate_key /etc/nginx/ssl/self.key;
#define protocol to disable ssl
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
#optimise cipher suits
ssl_prefer_server_ciphers on;
#suits combination
ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
#enable DH parameters, allow server to have secrecy
ssl_dhparam /etc/nginx/ssl/dhparam.pem; # need to generate
#enable HSTS
add_header Strict-Transport-Security "max-age=31336000" always;
#Cache SSL sessions
ssl_session_cache shared:SSL:40m;
ssl_session_timeout 4h;
ssl_session_tickets on;
}
}