How to configure HTTPS on nginx to get an SSL A+ score from Qualys

by Devin Yang
(This article was automatically translated.)

Published - 7 years ago ( Updated - 7 years ago )

This article describes how to adjust the ssl settings of nginx so that the website can obtain an SSL report and get an A+ rating.
Here I am using letsencrypt free credentials.
As long as you use the Docker official nginx new version image preset by D-Laravel,
Should be able to achieve the same effect as mine.

The following is the SSL detection URL, which can be used to detect the SSL settings on your host:
https://www.ssllabs.com/ssltest/index.html

There are pictures and the truth, let’s take a look at my results first..:), it is very simple to set up on Nginx.
ssl a plus rating

The following is the complete ssl configuration file I use in D-Laravel , you can download it for reference and adjust it yourself:
Full configuration file : ccc-ssl.conf

It mainly includes the following settings: 
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
ssl_certificate /etc/nginx/conf.d/ssl/fullchain.pem;
ssl_certificate_key /etc/nginx/conf.d/ssl/privkey.pem;
ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:HIGH:!aNULL:!eNULL :!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!SEED:!DSS:!CAMELLIA;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_dhparam /etc/nginx/conf.d/ssl/dhp-512.pem;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginx/conf.d/ssl/chain.pem;
Additionally, I generate a set of 512-bit diffie-hellman ( Diffie-Hellman key exchange ) parameters to improve the security of certain types of ciphers.
For example: (4096 will take a long time, you can use 2048 or I use 512.)

You can use the openssl command on the terminal to generate the file
openssl dhparam -out dhp-2048.pem 2048

 

Tags: nginx dlaravel

Devin Yang

Feel free to ask me, if you don't get it.:)

Follow

No Comment

Post your comment

Login is required to leave comments

Similar Stories


城堡
dlaravel

Use docker in docker to build a D-Laravel test environment.

D-Laravel is an extremely easy-to-use and extremely flexible Laravel development environment. As long as you are a Mac user, even if you don’t know Docker, you can use it to create Laravel projects and develop them. Due to the newly added .env function When it comes to functions, those who are in a hurry push, but there is no complete test, and a bunch of new bugs are created. Therefore, this time, a new dlaravel_test, a bash testing tool, is added to run the test through docker in docker. Make sure that every release of D-Laravel can be a stable version.

城堡
dlaravel,docker

D-Laravel learning three stages

Chat about the three stages of using D-Laravel, why use D-Laravel. Because the configuration files used by D-Laravel are quite simple, it is very suitable for beginners of Docker to learn, And users who do not know how to use Docker can also use the two commands ./console and ./create to create a project.

城堡
dlaravel

How to start supervisor on D-Laravel

Since queue workers are a long-running program, we need a program manager supervisor to monitor whether the process on the Linux system is running continuously. For example, when the queue:work operation fails, the queue:work process can be automatically restarted. Fortunately, D-Laravel has a built-in supervisor, so you don't need to install it yourself to use it. This article briefly introduces how we start the supervisor in the container.