SSL + nginx = A+
If you want to serve several sites from the same IP, the target browsers need SNI support (some legacy browsers do not have it).
For HTTP/2, modern browsers use ALPN instead of NPN, so check that you have OpenSSL 1.0.2+ installed to get ALPN!
I assume you already have certificates; I wrote how to obtain them in a previous post.
Yes, you may think this is yet another SSL configuration for nginx, but this is my result after lengthy research:
server {
    listen 443 ssl http2;
    # certificate chain and key issued by Let's Encrypt (see the previous post)
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    # intermediate chain, needed to verify the stapled OCSP response
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
    # session resumption through a shared server-side cache, no tickets
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_session_tickets off;
    # OCSP stapling; the resolver is used to reach the OCSP responder
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4;
    # server-chosen cipher order, ECDHE first, 3DES/RC4/NULL excluded
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE:+AES256:-3DES:RSA+AES:!NULL:!RC4';
    # HSTS for six months (the "+" in the SSL Labs grade)
    add_header Strict-Transport-Security "max-age=15768000";
    ...
}
Some notes about this configuration:
- you should set ssl_trusted_certificate to enable ssl_stapling
- as resolver you can use your local DNS, such as dnsmasq
- ssl_session_tickets should be off for all server configurations, otherwise you can get strange errors in some browsers, so it’s better to set it in http {}
- the Strict-Transport-Security header should have a max-age of more than six months, which adds the "+" to your grade
- for ssl_ciphers I use ECDHE ciphers instead of DHE, so there is no need to set ssl_dhparam and generate dhparam.pem with 2048 bits
As a result I get an ‘A+’ from the SSL Server Test by SSL Labs.
P.S. You can also check the configuration generator for different web servers with recommendations from Mozilla.
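To verify these points against a running server rather than trusting the config file, here is an added shell script (my own, not from the original post) that wraps openssl s_client and curl; the host name is an argument and the embedded sample outputs are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: check a live server against the
# notes above (ALPN h2, OCSP stapling, session tickets off, HSTS max-age).
# Usage: sh tlscheck.sh example.com  (the host name is an assumption)
# $1 = output of: openssl s_client -connect HOST:443 -servername HOST -alpn h2 -status </dev/null
has_alpn_h2() {
    printf '%s\n' "$1" | grep -q '^ALPN protocol: h2$'
}
# ssl_stapling plus ssl_trusted_certificate should give a stapled OCSP response.
has_ocsp_staple() {
    printf '%s\n' "$1" | grep -q '^OCSP Response Status: successful'
}

# With ssl_session_tickets off, s_client prints no "TLS session ticket:" block (TLS 1.2).
no_session_ticket() {
    ! printf '%s\n' "$1" | grep -q '^ *TLS session ticket:'
}

# $1 = response headers, e.g. from: curl -sI https://HOST/
# The "+" in the SSL Labs grade needs max-age of at least six months (15768000 s).
hsts_ok() {
    age=$(printf '%s\n' "$1" | tr -d '\r' \
        | sed -n 's/^[Ss]trict-[Tt]ransport-[Ss]ecurity:.*max-age=\([0-9][0-9]*\).*/\1/p' | head -n 1)
    [ -n "$age" ] && [ "$age" -ge 15768000 ]
}
# Constructed sample output, trimmed to the lines the checks look at.
SAMPLE_SCLIENT='OCSP Response Status: successful (0x0)
ALPN protocol: h2
Protocol  : TLSv1.2'
SAMPLE_HEADERS='HTTP/2 200
strict-transport-security: max-age=15768000'
# Returns the number of failed checks; 0 means the server matches the post.
run_checks() {
    fails=0
    has_alpn_h2 "$1"       || { echo "FAIL: no h2 via ALPN";          fails=$((fails+1)); }
    has_ocsp_staple "$1"   || { echo "FAIL: no stapled OCSP response"; fails=$((fails+1)); }
    no_session_ticket "$1" || { echo "FAIL: session tickets enabled";  fails=$((fails+1)); }
    hsts_ok "$2"           || { echo "FAIL: HSTS max-age < 6 months";  fails=$((fails+1)); }
    return "$fails"
}

if [ -n "${1:-}" ]; then
    run_checks "$(openssl s_client -connect "$1:443" -servername "$1" -alpn h2 -status </dev/null 2>/dev/null)" \
               "$(curl -sI "https://$1/")"
else
    run_checks "$SAMPLE_SCLIENT" "$SAMPLE_HEADERS"
fi
```

Without an argument the script runs the checks on the constructed samples only; a non-zero exit status is the number of failed checks.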