How to configure HTTPS on nginx to get an SSL A+ score from Qualys

by Devin Yang
(This article was automatically translated.)

Published - 8 years ago ( Updated - 8 years ago )

This article describes how to adjust the ssl settings of nginx so that the website can obtain an SSL report and get an A+ rating.
Here I am using letsencrypt free credentials.
As long as you use the Docker official nginx new version image preset by D-Laravel,
Should be able to achieve the same effect as mine.

The following is the SSL detection URL, which can be used to detect the SSL settings on your host:
https://www.ssllabs.com/ssltest/index.html

There are pictures and the truth, let’s take a look at my results first..:), it is very simple to set up on Nginx.
ssl a plus rating

The following is the complete ssl configuration file I use in D-Laravel , you can download it for reference and adjust it yourself:
Full configuration file : ccc-ssl.conf

It mainly includes the following settings: 
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
ssl_certificate /etc/nginx/conf.d/ssl/fullchain.pem;
ssl_certificate_key /etc/nginx/conf.d/ssl/privkey.pem;
ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:HIGH:!aNULL:!eNULL :!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!SEED:!DSS:!CAMELLIA;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_dhparam /etc/nginx/conf.d/ssl/dhp-512.pem;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginx/conf.d/ssl/chain.pem;
Additionally, I generate a set of 512-bit diffie-hellman ( Diffie-Hellman key exchange ) parameters to improve the security of certain types of ciphers.
For example: (4096 will take a long time, you can use 2048 or I use 512.)

You can use the openssl command on the terminal to generate the file
openssl dhparam -out dhp-2048.pem 2048

 

Tags: nginx dlaravel

Devin Yang

Feel free to ask me, if you don't get it.:)

Follow

No Comment

Post your comment

Login is required to leave comments

Similar Stories


城堡
dlaravel

How to automatically detect and update the certificate issued by let's encrypt through getssl

It's really great that let's encrypt provides free certificates. However, is it a bit troublesome to update the certificate every three months? This article introduces how to generate multi-domain SAN certificate settings through getssl, and schedule automatic certificate renewal. It's very simple, just six steps to get it done.

城堡
dlaravel

How to set the external network IP to the Project on D-Laravel?

This video introduces how we assign Public Ip (public IP) to a specific Project in the D-Laravel environment. Whether it is the setting of the external production environment or the demo of your own project on the intranet, you can refer to the setting method of this video. In the video, although I used the external network IP of PPPoE dial-up to illustrate, we can also use the local network IP on our own computer if we change it. In this way, colleagues can connect to our D-Laravel Project.

城堡
php,docker,dlaravel

A brief introduction to the phpenv container environment I built

I don't have time to shoot an introduction video, so I'll just grab some pictures and introduce the container environment deviny/phpenv I use. https://github.com/DevinY/phpenvphpenv can be regarded as an evolutionary version of my previous D-Laravel open source project, conceptually extending the use of many Dlaravel operation methods. The update of the container tends to be controlled by the user to build his own image, so I am not very good at changing the version number. In fact, the php version number of D-Laravel seems to have not been changed for a long time:p