How to configure HTTPS on nginx to get an SSL A+ score from Qualys

by Devin Yang
(This article was automatically translated.)

Published - 8 years ago ( Updated - 8 years ago )

This article describes how to adjust the ssl settings of nginx so that the website can obtain an SSL report and get an A+ rating.
Here I am using letsencrypt free credentials.
As long as you use the Docker official nginx new version image preset by D-Laravel,
Should be able to achieve the same effect as mine.

The following is the SSL detection URL, which can be used to detect the SSL settings on your host:
https://www.ssllabs.com/ssltest/index.html

There are pictures and the truth, let’s take a look at my results first..:), it is very simple to set up on Nginx.
ssl a plus rating

The following is the complete ssl configuration file I use in D-Laravel , you can download it for reference and adjust it yourself:
Full configuration file : ccc-ssl.conf

It mainly includes the following settings:

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
ssl_certificate /etc/nginx/conf.d/ssl/fullchain.pem;
ssl_certificate_key /etc/nginx/conf.d/ssl/privkey.pem;
ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:HIGH:!aNULL:!eNULL :!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!SEED:!DSS:!CAMELLIA;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_dhparam /etc/nginx/conf.d/ssl/dhp-512.pem;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginx/conf.d/ssl/chain.pem;

Additionally, I generate a set of 512-bit diffie-hellman ( Diffie-Hellman key exchange ) parameters to improve the security of certain types of ciphers.
For example: (4096 will take a long time, you can use 2048 or I use 512.)

You can use the openssl command on the terminal to generate the file
openssl dhparam -out dhp-2048.pem 2048

Tags: nginx dlaravel

Devin Yang

Feel free to ask me, if you don't get it.:)

No Comment

Post your comment

Login is required to leave comments

dlaravel

Safe Update D-Laravel

How to upgrade the current D-Laravel. If your current use environment is very smooth and you have not encountered any problems, you don't need to update it. If you want to use the latest version, and bug fixes, etc., please read this article carefully, In order to ensure a smooth upgrade, the following is the recommended way to upgrade D-Laravel.

dlaravel

Use docker in docker to build a D-Laravel test environment.

D-Laravel is an extremely easy-to-use and extremely flexible Laravel development environment. As long as you are a Mac user, even if you don’t know Docker, you can use it to create Laravel projects and develop them. Due to the newly added .env function When it comes to functions, those who are in a hurry push, but there is no complete test, and a bunch of new bugs are created. Therefore, this time, a new dlaravel_test, a bash testing tool, is added to run the test through docker in docker. Make sure that every release of D-Laravel can be a stable version.

php,docker,dlaravel

A brief introduction to the phpenv container environment I built

I don't have time to shoot an introduction video, so I'll just grab some pictures and introduce the container environment deviny/phpenv I use. https://github.com/DevinY/phpenvphpenv can be regarded as an evolutionary version of my previous D-Laravel open source project, conceptually extending the use of many Dlaravel operation methods. The update of the container tends to be controlled by the user to build his own image, so I am not very good at changing the version number. In fact, the php version number of D-Laravel seems to have not been changed for a long time:p