A few non-standard things in place (because of my preference for Camellia over AES as a symmetric cypher) but that can always be changed if you want to prefer the use of Rijndael-based cyphers.
server {
    # Plain-HTTP listener: its only job is to send everyone to HTTPS.
    listen 80;
    listen [::]:80;
    server_name mydomain.org;
    access_log off;
    error_log /path/to/error.log;
    # $host keeps whatever hostname the client asked for.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    # The .crt should hold the server certificate followed by the intermediate
    # chain; ssl_stapling_verify below needs that chain to check OCSP responses.
    ssl_certificate /etc/nginx/certs/mydomain.crt;
    ssl_certificate_key /etc/nginx/certs/mydomain.key;
    # TLS 1.0 and 1.1 are kept here for legacy clients; both are deprecated (RFC 8996).
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers EDH+CAMELLIA:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:AES256:HIGH:AES128:CAMELLIA:!RC4:!3DES:!SEED:!aNULL:!LOW:!MD5:!EXP;
    # Diffie-Hellman parameters for the EDH (DHE) suites; generated with openssl dhparam.
    ssl_dhparam /etc/nginx/RSA4096.pem;
    ssl_ecdh_curve secp384r1;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    # Stapling: nginx fetches the OCSP response itself, so it needs a resolver.
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 1.1.1.1 4.2.2.1 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    server_tokens off;
    # Security headers. Note: a location {} with its own add_header inherits none of these.
    add_header Strict-Transport-Security "max-age=31536000;";
    add_header X-Content-Type-Options "nosniff";
    add_header X-XSS-Protection "1";
    add_header X-Frame-Options "SAMEORIGIN";
    add_header Referrer-Policy "strict-origin-when-cross-origin";
    server_name mydomain.org;
    access_log /path/to/access-ssl.log;
    error_log /path/to/error-ssl.log;
    root /path/to/public_html;
    client_max_body_size 25M;
    [any specific location rules, e.g. for php, go here]
}
The first server {} block makes sure to redirect any http requests to https (not logging these redirections). Any errors are still logged to catch oddities/abuse/attacks.
Straight-forward and shouldn't be difficult to understand.
listen 443 ssl http2;
listen [::]:443 ssl http2;
TLS listeners for IPv4 and IPv6 with HTTP/2 enabled. Browsers only negotiate HTTP/2 over TLS (via ALPN), which needs nginx 1.9.5 or newer built against OpenSSL 1.0.2 or newer. Since nginx 1.25.1 the http2 parameter on listen is deprecated in favour of a separate http2 on; directive, but it still works.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
This keeps TLS 1.0 and 1.1 enabled for legacy clients. Both have been deprecated (RFC 8996) and removed from current browsers, so unless you know you need those clients, list only TLSv1.2 here, plus TLSv1.3 if your nginx (1.13.0 or newer) is built against OpenSSL 1.1.1 or newer.
ssl_ciphers EDH+CAMELLIA:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:AES256:HIGH:AES128:CAMELLIA:!RC4:!3DES:!SEED:!aNULL:!LOW:!MD5:!EXP;
The EDH+CAMELLIA group comes first only because of the Camellia preference mentioned above; note that OpenSSL implements Camellia for TLS in CBC mode with HMAC only, so a client that accepts one of those suites will not get an AEAD suite. Beyond that, Elliptic Curve key exchange and Galois/Counter Mode suites are preferred and the list runs from most to least secure. Forward secrecy is provided to every client that supports an ECDHE or DHE suite; the trailing AES256:HIGH:AES128:CAMELLIA entries also admit static-RSA key exchange suites, so a legacy client without ephemeral key exchange can still connect, just without forward secrecy. Weak or broken cyphers (RC4, 3DES, SEED, MD5-based HMAC, export grade and LOW suites) and anonymous suites are all disabled.
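To see what a cipher string like the one above actually selects, and in what order, you can expand it the same way nginx's OpenSSL does. The script below is an added example, not part of the original post: it uses the Python ssl module (a thin binding over OpenSSL, so the exact suite list depends on the OpenSSL build Python is linked against) to expand the post's string and a stricter alternative, then classifies each suite by key exchange, AEAD versus CBC mode, and known-weak primitives. STRICT_CIPHERS and SAMPLE_DESCRIPTIONS are my constructions for comparison and testing, not from the post.

```python
"""Expand an nginx ssl_ciphers string the way OpenSSL does and audit it.

Added example, not part of the original post. ssl.SSLContext.set_ciphers()
runs the same OpenSSL cipher-string parser that nginx hands ssl_ciphers to,
and get_ciphers() returns the expanded list in negotiation order, so this
is `openssl ciphers -v` without the binary.
"""
import ssl

# The ssl_ciphers value from the post, verbatim.
POST_CIPHERS = (
    "EDH+CAMELLIA:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:"
    "EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:AES256:HIGH:"
    "AES128:CAMELLIA:!RC4:!3DES:!SEED:!aNULL:!LOW:!MD5:!EXP"
)

# Assumed stricter alternative for comparison (my construction, not from the
# post): ephemeral key exchange and AEAD modes only, so nothing lacks
# forward secrecy.
STRICT_CIPHERS = "EECDH+AESGCM:EECDH+CHACHA20:EDH+AESGCM:!aNULL:!MD5:!3DES"

# Constructed sample lines in `openssl ciphers -v` format, so the audit logic
# can be exercised independently of the local OpenSSL build.
SAMPLE_DESCRIPTIONS = [
    "ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD",
    "DHE-RSA-CAMELLIA256-SHA TLSv1 Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA1",
    "AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1",
    "ECDH-RSA-AES256-SHA SSLv3 Kx=ECDH/RSA Au=ECDH Enc=AES(256) Mac=SHA1",
    "RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5",
]

# Bulk ciphers that should never appear in a current configuration.
WEAK_ENC = {"RC4", "3DES", "DES", "SEED", "None"}


def expand(cipher_string):
    """Return OpenSSL's description line for each suite cipher_string selects.

    The order is the server's preference order, i.e. what
    ssl_prefer_server_ciphers on enforces. Raises ssl.SSLError if nothing
    in the string matches.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [c["description"] for c in ctx.get_ciphers()]


def parse(description):
    """Turn 'NAME PROTO Kx=.. Au=.. Enc=.. Mac=..' into a dict."""
    fields = description.split()
    info = {"name": fields[0], "protocol": fields[1]}
    for field in fields[2:]:
        key, _, value = field.partition("=")
        info[key] = value
    return info


def audit(descriptions):
    """Classify suites by key exchange, cipher mode and weak primitives."""
    report = {"forward_secrecy": [], "no_forward_secrecy": [],
              "non_aead": [], "weak": []}
    for desc in descriptions:
        info = parse(desc)
        name, kx, enc, mac = info["name"], info["Kx"], info["Enc"], info["Mac"]
        # Static RSA shows Kx=RSA; the static ECDH/DH suites of old builds
        # show Kx=ECDH/RSA and friends. Ephemeral DHE/ECDHE show plain
        # Kx=DH / Kx=ECDH, and TLS 1.3 suites show Kx=any (always ephemeral).
        if kx == "RSA" or "/" in kx:
            report["no_forward_secrecy"].append(name)
        else:
            report["forward_secrecy"].append(name)
        # Anything that is not AEAD is CBC-with-HMAC (or a stream cipher).
        if mac != "AEAD":
            report["non_aead"].append(name)
        if enc.split("(")[0] in WEAK_ENC or mac == "MD5":
            report["weak"].append(name)
    return report


def summarize(cipher_string):
    """Print the audit for one cipher string, in negotiation order."""
    descriptions = expand(cipher_string)
    report = audit(descriptions)
    print(f"{len(descriptions)} suites; first: {parse(descriptions[0])['name']}")
    for key, names in report.items():
        tail = " ..." if len(names) > 4 else ""
        print(f"  {key:<19} {len(names):>3}  {' '.join(names[:4])}{tail}")


if __name__ == "__main__":
    summarize(POST_CIPHERS)
    summarize(STRICT_CIPHERS)
```

Running it shows the point the prose above makes: the post's string excludes every weak primitive but still lists static-RSA suites (AES256-SHA and so on) after the ephemeral ones, while the strict string leaves no_forward_secrecy empty. The Camellia group sits at the head of the list, ahead of the AES-GCM suites, so a client that offers it gets a CBC suite.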
ssl_dhparam /etc/nginx/RSA4096.pem;
You can generate this with OpenSSL:
openssl dhparam -out RSA4096.pem -5 4096
This produces Diffie-Hellman parameters (a 4096-bit prime with generator 5) used by the EDH/DHE suites above; despite the file name there is no RSA key in it. Generating 4096-bit parameters can take many minutes. Java 7 and earlier cannot handle DH primes larger than 1024 bits, which is part of why old Java versions are not supported by this configuration.
ssl_ecdh_curve secp384r1;
Pins ECDHE to the NIST P-384 curve. Since nginx 1.11.0 the default is auto, and a colon-separated list of curves is accepted when nginx is built against OpenSSL 1.0.2 or newer; offering X25519 and prime256v1 alongside secp384r1 lets clients that lack P-384 still negotiate ECDHE instead of falling back to DHE or static RSA.
ssl_prefer_server_ciphers on;
Makes nginx pick the first suite in its own list that the client also offers, rather than the client's favourite; without it the ordering above would be advisory only.
ssl_session_cache shared:SSL:10m;
A 10 MB session cache shared between worker processes (roughly 4,000 sessions per megabyte), so returning clients can resume without a full handshake; entries expire after ssl_session_timeout, 5 minutes by default. Be aware that TLS session tickets are also on by default: nginx encrypts them with a key it generates at startup and only replaces on restart or reload unless you manage keys yourself with ssl_session_ticket_key, and anyone who later obtains that key can decrypt recorded resumed sessions, which undercuts the forward secrecy this configuration aims for.
# Stapling
ssl_stapling on;
ssl_stapling_verify on;
resolver 1.1.1.1 4.2.2.1 8.8.4.4 valid=300s;
resolver_timeout 5s;
With stapling on, nginx fetches the OCSP response for its own certificate from the CA's responder and attaches it to the handshake, so clients do not have to contact the CA themselves (which is slow and tells the CA which sites they visit). ssl_stapling_verify checks the responder's signature, which requires the issuer certificates to be available: include the intermediate chain in the ssl_certificate file or point ssl_trusted_certificate at it. The resolver is needed because nginx resolves the responder's hostname itself; valid=300s caches answers for five minutes regardless of the DNS TTL, and these lookups go in the clear to the listed public resolvers. nginx fetches the first OCSP response lazily after the first handshake, so the very first client will not receive a stapled response.
server_tokens off;
Removes the nginx version from the Server response header and from error pages. The header still reads "nginx"; hiding the server type entirely needs a source change or a third-party module.
add_header Strict-Transport-Security "max-age=31536000;";
Tells browsers to use HTTPS only for this host for one year (the trailing semicolon inside the value is harmless but unnecessary). Consider adding includeSubDomains, and preload if you intend to submit the domain to the HSTS preload list, but only once every subdomain serves HTTPS, since browsers enforce it strictly. Two nginx rules apply to all the add_header lines here: a location block that sets any add_header of its own inherits none of these, so it must repeat them all; and without the always flag (nginx 1.7.5 and newer) the headers are only added to 2xx and 3xx responses, not to error pages.
add_header X-Content-Type-Options "nosniff";
add_header X-XSS-Protection "1";
add_header X-Frame-Options "SAMEORIGIN";
add_header Referrer-Policy "strict-origin-when-cross-origin";
nosniff stops browsers from guessing a content type different from the one served, which blocks some script-injection tricks. X-Frame-Options SAMEORIGIN denies framing by other origins (clickjacking). X-XSS-Protection enables the XSS auditor in browsers that still have one; "1; mode=block" was the usual hardened form, but the auditor has since been removed from Chrome and Edge and never existed in Firefox, and a Content-Security-Policy is the current replacement. Referrer-Policy strict-origin-when-cross-origin sends only the origin, and only over HTTPS, when navigating to other sites.
(If you want to know more about these headers, please inform yourself -- there are plenty of documents describing these features out on the web)
Result: all supported clients (everything except IE/XP and old Java versions, pretty much) will use forward secrecy, because every ECDHE and DHE suite is preferred over the static-RSA suites at the tail of the list; a client that only offers static-RSA suites still connects, but without forward secrecy.
Cypher strength is not maxed out on purpose: the aim is to strike a balance that keeps maximum accessibility without compromising security.
I hope this is of use to anyone out there