Differences

This shows you the differences between two versions of the page.

--- nginx:tls [2015-03-07 02:27] – created gabriel
+++ nginx:tls [2015-03-18 11:40] (current) – [Basic nginx configuration] gabriel
@@ Line 1: / Line 1: @@
 ====== Transport Layer Security ======
+This page will document some sane settings for modern TLS security in nginx.  I'm not particularly interested in backwards compatibility for this environment so I won't be spending much time on supporting broken browsers or operating systems which should be deprecated.  I realize this can be frustrating for some people, but given the revelations of the past couple of years regarding the use of insecure crypto you're probably better of just ignoring crypto completely than trying to implement questionable systems.
+===== Basic nginx configuration =====
+<code>
+  # SSL configuration
+  listen 443 ssl spdy default_server;
+  ssl_certificate /etc/ssl/localcerts/mycert.chained.crt;
+  ssl_certificate_key /etc/ssl/localcerts/mycert.key;
+  # OCSP stapling support
+  ssl_stapling on;
+  ssl_stapling_verify on;
+  ssl_trusted_certificate /etc/ssl/localcerts/ocsp-chain.crt;
+  # HTTP Strict Transport Security header
+  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
+  # enables all versions of TLS, but not SSLv2 or 3 which are weak and now
+  # deprecated or TLSv1 which has its own problems
+  ssl_protocols TLSv1.1 TLSv1.2;
+  ssl_prefer_server_ciphers on;
+  # disables all weak ciphers and prefers AESGCM but fall back to other
+  # elliptic curve ciphers if necessary
+  ssl_ciphers "ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!aNULL:!eNULL:!EXPORT:!MEDIUM:!LOW:!DES:!MD5:!SHA1:!PSK:!RC4";
+</code>
+===== TLS/SSL tips and tricks =====
 TLS/SSL Server Test: https://www.ssllabs.com/ssltest/index.html