by Devin Yang
(This article was automatically translated.)

Published - 7 years ago ( Updated - 7 years ago )

This article describes how to adjust the ssl settings of nginx so that the website can obtain an SSL report and get an A+ rating.
Here I am using letsencrypt free credentials.
As long as you use the Docker official nginx new version image preset by D-Laravel,
Should be able to achieve the same effect as mine.

The following is the SSL detection URL, which can be used to detect the SSL settings on your host:
https://www.ssllabs.com/ssltest/index.html

There are pictures and the truth, let’s take a look at my results first..:), it is very simple to set up on Nginx.
ssl a plus rating

The following is the complete ssl configuration file I use in D-Laravel , you can download it for reference and adjust it yourself:
Full configuration file : ccc-ssl.conf

It mainly includes the following settings:
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
ssl_certificate /etc/nginx/conf.d/ssl/fullchain.pem;
ssl_certificate_key /etc/nginx/conf.d/ssl/privkey.pem;
ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:HIGH:!aNULL:!eNULL :!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!SEED:!DSS:!CAMELLIA;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_dhparam /etc/nginx/conf.d/ssl/dhp-512.pem;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginx/conf.d/ssl/chain.pem;

Additionally, I generate a set of 512-bit diffie-hellman ( Diffie-Hellman key exchange ) parameters to improve the security of certain types of ciphers.
For example: (4096 will take a long time, you can use 2048 or I use 512.)

You can use the openssl command on the terminal to generate the file
openssl dhparam -out dhp-2048.pem 2048

 

Tags: nginx dlaravel

Devin Yang

Feel free to ask me, if you don't get it.:)

No Comment

Post your comment

Login is required to leave comments

Similar Stories


dlaravel

How to automatically detect and update the certificate issued by let's encrypt through getssl

It's really great that let's encrypt provides free certificates. However, is it a bit troublesome to update the certificate every three months? This article introduces how to generate multi-domain SAN certificate settings through getssl, and schedule automatic certificate renewal. It's very simple, just six steps to get it done.

dlaravel

Use D-Laravel to build your own dedicated php fpm image.

D-Laravel has provided a built php image, if you need to adjust it yourself and build your own dedicated image is quite simple. 1. First, enter dockerfiles/fpm in D-Laravel, and select the PHP version you want to build, such as 7.2. The command is as follows...

dlaravel

D-Laravel v1.5.0 is a new version.

1. Change the image generation method of fpm, optimize dockerfiles/fpm/php7.x/Dockerfiles, and make it easier to set and adjust extension packages. 2. Adjust docker-compose-build.yml, and in the Project directory of D-Laravel, You can quickly build your own image through ./console build. And many more changes....