This guide provides a basic NGINX configuration for a site you wish to serve over HTTPS. It contains server { } blocks for both port 80 and port 443, with a basic SSL configuration in place.
The configuration below ensures the following:
- TLSv1.2 is the only version of TLS offered. (ssl_protocols)
- That the server’s ciphers are prioritised over the client’s ciphers. (ssl_prefer_server_ciphers)
- That the only ciphers offered are those deemed secure with strong and complex algorithms. (ssl_ciphers)
- The stapling of OCSP (Online Certificate Status Protocol) responses by the server is enabled, as is their verification. (ssl_stapling, ssl_stapling_verify)
The configuration and settings used should provide high grades and results when it comes to using popular online SSL testing tools. It is worth testing the SSL configuration regularly to ensure the most secure configuration is still in place. You can change any part of the configuration below to suit your needs. It is just a guideline for those wishing for a strong SSL configuration out of the box.
If you haven’t generated your DH parameters for use with DHE ciphers, you can do this through openssl using the following commands:
```shell
# Enter the directory if you haven't already
cd /etc/nginx/ssl
# Generate the DH parameters using openssl
openssl dhparam -out dhparam.pem 4096
```
This generates your DH parameters and writes them to a file called dhparam.pem with a 4096-bit key size. The full path should be the same as the one specified in your NGINX configuration file with the ssl_dhparam directive, as shown below.
yourdomain.co.uk.conf – You will need an SSL certificate installed for this configuration to work correctly.
```nginx
# HTTPS front end: terminates TLS and proxies to the plain-HTTP server block below
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name yourdomain.co.uk;
    port_in_redirect off;

    ssl_certificate /etc/nginx/ssl/_fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/yourdomain_co_uk_key.pem;
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    ssl_ecdh_curve secp384r1;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_session_tickets off;
    ssl_session_cache shared:SSL:20m;
    ssl_session_timeout 60m;

    add_header Strict-Transport-Security "max-age=31536000";
    add_header X-Content-Type-Options nosniff;

    location / {
        proxy_pass http://127.0.0.1:80;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header HTTPS "on";
        access_log /home/your_user/_logs/www.access.log;
        error_log /home/your_user/_logs/www.error.log;
    }
}

# Plain-HTTP server block that serves the PHP application via PHP-FPM
server {
    listen 80;
    server_name yourdomain.co.uk;
    root "/home/your_user/yourdomain.co.uk";
    index index.php;
    port_in_redirect off;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        include fastcgi_params;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param HTTPS on;
        fastcgi_pass unix:/var/run/php-fpm-name_fpm.sock;
    }
}
```
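The guide recommends re-testing the SSL configuration regularly. As an added example (not part of the guide or of NGINX itself), the script below is a small offline check that reads an NGINX server block and reports where it drifts from the four bullets above plus the HSTS header; the sample configuration embedded in it is constructed from the guide's own directives, and the directive parser assumes one simple directive per line.

```python
import re

# Constructed sample (not a real host): the TLS directives from the guide's port-443 block.
GUIDE_CONF = """
server {
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security "max-age=31536000";
}
"""
DIRECTIVE_RE = re.compile(r"^\s*([A-Za-z_]+)\s+(.*?);\s*$", re.M)  # "name args;"
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_TOKENS = {"RC4", "3DES", "DES", "MD5", "NULL", "EXPORT"}

def parse_directives(conf):
    """Map directive name -> list of argument strings (outer quotes stripped)."""
    found = {}
    for name, args in DIRECTIVE_RE.findall(conf):
        found.setdefault(name, []).append(args.strip().strip("'\""))
    return found

def weak_cipher_tokens(cipher_string):
    """Weak algorithms an OpenSSL cipher string enables (exclusions are skipped)."""
    weak = set()
    for entry in cipher_string.split(":"):
        if entry[:1] in ("!", "-"):
            continue  # "!aNULL" removes suites; it does not enable anything
        weak |= set(entry.split("+")) & WEAK_CIPHER_TOKENS
    return sorted(weak)

def check_tls_config(conf):
    """Return findings against the guide's four bullets plus HSTS; [] means all hold."""
    d, findings = parse_directives(conf), []
    legacy = sorted(set(d.get("ssl_protocols", [""])[0].split()) & LEGACY_PROTOCOLS)
    if legacy:
        findings.append("ssl_protocols offers legacy versions: " + " ".join(legacy))
    if d.get("ssl_prefer_server_ciphers", ["off"])[0] != "on":
        findings.append("ssl_prefer_server_ciphers is not on")
    weak = weak_cipher_tokens(d.get("ssl_ciphers", [""])[0])
    if weak:
        findings.append("ssl_ciphers enables weak algorithms: " + " ".join(weak))
    for name in ("ssl_stapling", "ssl_stapling_verify"):
        if d.get(name, ["off"])[0] != "on":
            findings.append(name + " is not on")
    if not any(h.lower().startswith("strict-transport-security") for h in d.get("add_header", [])):
        findings.append("no Strict-Transport-Security header")
    return findings
```

Run `check_tls_config(open("/etc/nginx/sites-enabled/yourdomain.co.uk.conf").read())` against your own file; this is a static sanity check and does not replace an external scan, which also tests the certificate chain and the live handshake.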
Classification: Public
Last saved: 2019/11/27 at 16:03 by