How to configure HTTPS on nginx to get an SSL A+ score from Qualys

by Devin Yang
(This article was automatically translated.)

Published - 7 years ago ( Updated - 7 years ago )

This article describes how to adjust the ssl settings of nginx so that the website can obtain an SSL report and get an A+ rating.
Here I am using letsencrypt free credentials.
As long as you use the Docker official nginx new version image preset by D-Laravel,
Should be able to achieve the same effect as mine.

The following is the SSL detection URL, which can be used to detect the SSL settings on your host:
https://www.ssllabs.com/ssltest/index.html

There are pictures and the truth, let’s take a look at my results first..:), it is very simple to set up on Nginx.
ssl a plus rating

The following is the complete ssl configuration file I use in D-Laravel , you can download it for reference and adjust it yourself:
Full configuration file : ccc-ssl.conf

It mainly includes the following settings: 
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
ssl_certificate /etc/nginx/conf.d/ssl/fullchain.pem;
ssl_certificate_key /etc/nginx/conf.d/ssl/privkey.pem;
ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:HIGH:!aNULL:!eNULL :!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!SEED:!DSS:!CAMELLIA;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_dhparam /etc/nginx/conf.d/ssl/dhp-512.pem;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginx/conf.d/ssl/chain.pem;
Additionally, I generate a set of 512-bit diffie-hellman ( Diffie-Hellman key exchange ) parameters to improve the security of certain types of ciphers.
For example: (4096 will take a long time, you can use 2048 or I use 512.)

You can use the openssl command on the terminal to generate the file
openssl dhparam -out dhp-2048.pem 2048

 

Tags: nginx dlaravel

Devin Yang

Feel free to ask me, if you don't get it.:)

Follow

No Comment

Post your comment

Login is required to leave comments

Similar Stories


城堡
dlaravel

D-Laravel's sublime plug-in can be installed by Package Control.

Mac or Linux users can now install the D-Laravel alias package from Sublime3's package control. Through D-Laravel alias, we can execute artisan and composer commands in the container in an easier way. In the docker environment, do you want to use composer to install the package? You don’t need to enter the container, or set the ce alias of composer, and you can execute it directly in sublime.

城堡
dlaravel

Use docker in docker to build a D-Laravel test environment.

D-Laravel is an extremely easy-to-use and extremely flexible Laravel development environment. As long as you are a Mac user, even if you don’t know Docker, you can use it to create Laravel projects and develop them. Due to the newly added .env function When it comes to functions, those who are in a hurry push, but there is no complete test, and a bunch of new bugs are created. Therefore, this time, a new dlaravel_test, a bash testing tool, is added to run the test through docker in docker. Make sure that every release of D-Laravel can be a stable version.

城堡
dlaravel,docker

D-Laravel learning three stages

Chat about the three stages of using D-Laravel, why use D-Laravel. Because the configuration files used by D-Laravel are quite simple, it is very suitable for beginners of Docker to learn, And users who do not know how to use Docker can also use the two commands ./console and ./create to create a project.