Steven SullivanSteven Sullivan - 12th May 2016

Security is paramount these days and visitors to your website want to know their browsing and transmission of data is 100% safe. How do you test this? At Quality SSL Labs of course! It’s time to secure your NGINX install once-and-for-all.

As of today, my blog is running Let’s Encrypt – the absolutely free SSL Certificate authority and my rating is A+ (I’m OK with that!) at Quality SSL Labs. Before with a default install of NGINX and VestaCP my rating was B.

My rating was a B due to the fact I had Weak Diffie-Hellman (and I couldn’t get any higher!) and was susceptible to the Logjam Attack. You can find out more information about Diffie-Hellman and test your website here; after I secured that, I could only get an A, so I modified NGINX more until I got an A+.

It’s time to secure your NGINX install

It’s such an easy task what I’m about to show you, so do it if you want an A+ in SSL.

First, you need to fix the Diffie-Hellman issue:

openssl dhparam -out /etc/nginx/dhparams.pem 4096

This places a new file under the NGINX directory: /etc/nginx/dhparams.pem

Open up the file /etc/nginx/nginx.conf. If you’re using VestaCP find the line # SSL PCI Compliance and replace it with the following:

# SSL PCI Compliance
ssl_session_cache shared:SSL:10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
ssl_dhparam /etc/nginx/dhparams.pem;
ssl_ecdh_curve secp384r1;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;

If you’re not using VestaCP make sure there are no duplicates then paste it into the configuration file.

As you have noticed the default ssl_ciphers above has been changed in the default VestaCP install. The previous install allowed IE6 (that really old browser no one uses anymore) SSL certificates to work. The new  ssl_ciphers I have suggested means IE6 throws a security certificate error. That’s the price we are going to pay.

Let’s see if NGINX says it’s OK

Run this command: service nginx configtest to see if NGINX reports that the “syntax is ok”. If so, go ahead and restart NGINX using service nginx restart.

Test it again

If all goes well, pop over to Quality SSL Labs and test it again. This time you should get an A+.