# # /usr/local/etc/nginx/conf.d/ssl.conf # # SSL/TLS settings for Nginx # # Aaron LI # 2017-04-25 # # Credits # ------- # * Cipherli.st - Strong Ciphers for Apache, nginx and Lighttpd # https://cipherli.st/ # * Strong SSL Security on nginx # https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html # * Mozilla - Security - Server Side TLS # https://wiki.mozilla.org/Security/Server_Side_TLS # https://mozilla.github.io/server-side-tls/ssl-config-generator/ # * Let's Encrypt & Nginx # https://letsecure.me/secure-web-deployment-with-lets-encrypt-and-nginx/ # * Nginx SSL and TLS Deployment Best Practice # https://www.linode.com/docs/web-servers/nginx/nginx-ssl-and-tls-deployment-best-practices # * Best nginx configuration for improved security (and performance) # https://gist.github.com/plentz/6737338 # * Hardening your HTTP response headers # https://scotthelme.co.uk/hardening-your-http-response-headers/ # # Tools # ----- # * Qualys SSL Labs SSL Server Test # https://www.ssllabs.com/ssltest/ # * Security Headers Analyzer # https://securityheaders.io/ # # Diffie-Hellman group: # $ openssl dhparam -out /usr/local/etc/ssl/dhparam4096.pem 4096 ssl_dhparam /usr/local/etc/ssl/dhparam4096.pem; # Only use the latest TLS protocols # NOTE: TLSv1.3 requires Nginx >=1.13 and OpenSSL 1.1.1 with TLSv1.3 ssl_protocols TLSv1.2 TLSv1.3; ssl_prefer_server_ciphers on; ssl_session_timeout 1d; ssl_session_cache shared:SSL:10m; # Credit: https://github.com/mozilla/server-side-tls/issues/135 ssl_session_tickets off; # The Online Certificate Status Protocol (OCSP) was created to speed up # the process that operating systems and browsers use to check for # certificate revocation. # Allow the server to send its cached OCSP record to the client during # the TLS handshake, bypassing the OCSP responder and saving a roundtrip # between the client and the OCSP responder. # # NOTE: If the "ssl_certificate" file does NOT contain intermediate # certificates, the certificate of the server certificate issuer # should be present in the "ssl_trusted_certificate" file. # ssl_stapling on; ssl_stapling_verify on;