Link Search Menu Expand Document
Table of contents

Security Layer

  • SSL - secure socket layer (deprecated)
  • TLS - transport layer security (current supported)
    • disable ssl
    • enable tls

Generate DH param

openssl dhparam 2048 -out /etc/nginx/ssl/dhparam.pem
    #this dhparam must match the key and crt

Sample server configuration

user www-data;
worker_processes auto;

events {
    worker_connections 1024;

http {
    include mine.type; 

    #redirect all traffic to https
    server {
        listen 80;
        return 301 https://$host$request_uri;

    server {
        root /var/www/;

        listen 443 ssl http2;
        ssl_certificate /etc/nginx/ssl/self.crt;
        ssl_certificate_key /etc/nginx/ssl/self.key;

        #define protocol to disable ssl 
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

        #optimise cipher suits 
        ssl_prefer_server_ciphers on;
        #suits combination 
        ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5; 

        #enable DH parameters, allow server to have secrecy 
        ssl_dhparam /etc/nginx/ssl/dhparam.pem; # need to generate

        #enable HSTS
        add_header Strict-Transport-Security "max-age=31336000" always;

        #Cache SSL sessions 
        ssl_session_cache shared:SSL:40m;
        ssl_session_timeout 4h;
        ssl_session_tickets on;