Sooooo Nginx and SSL configs

I use Nginx on my Linux servers mostly, but I noticed that to get a reasonable rank out of our friends at ssllabs.com/ssltest, you need to tweak a few things in the ol' config files.

I am not going to go through the process of getting Nginx up and running, as there are loads of good resources out there. Go on, test your google-fu if you are starting from scratch. You will also need to have gone over the basics of Let's Encrypt, since the certificate paths below are the ones it creates.

OK, so here goes. You will see some references to the Linux paths used by Let's Encrypt (under /etc/letsencrypt/live/).

Inside the Nginx server {} block we have the following settings to make that letter from SSL Labs a nice green colour (maybe even an A+).

# the port your site will be served on
# 0.0.0.0 = all IPv4 addresses on the server
listen      0.0.0.0:443  ssl;

# the domain name it will serve for; it must match a name on the certificate
# (Let's Encrypt issues certificates for hostnames, not for IP addresses)
server_name REPLACE_ME_DOMAIN_NAME;

# fullchain.pem = your certificate plus the intermediate, so clients can build the chain
ssl_certificate /etc/letsencrypt/live/YOUR_DOMAIN_OR_SUB_DOMAIN/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/YOUR_DOMAIN_OR_SUB_DOMAIN/privkey.pem;
# session resumption: how long a session stays valid, and a cache shared by all workers
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;

# Tweak as needed
# Available protocols: TLS 1.2 only (add TLSv1.3 if your nginx and OpenSSL support it)
ssl_protocols TLSv1.2;

# Available ciphers: ECDHE only, so every connection has forward secrecy.
# The AES-GCM and CHACHA20 suites come first; the CBC suites at the end are
# there for older clients and can be dropped if you do not need them.
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';

# the server, not the client, picks from the list above
ssl_prefer_server_ciphers on;
# only used by DHE suites (none are in the list above); generate the file first with
# openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
ssl_dhparam /etc/ssl/certs/dhparam.pem;

# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
# "always" sends the header on error responses too; add "; includeSubDomains"
# (in quotes) only once every subdomain is served over HTTPS
add_header Strict-Transport-Security max-age=15768000 always;

# OCSP Stapling
# fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
ssl_stapling_verify on;
# nginx needs a resolver directive (here or in the http {} block) to look up
# the OCSP responder hostname, e.g.  resolver YOUR_DNS_SERVER_IP;

## verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/letsencrypt/live/YOUR_DOMAIN_OR_SUB_DOMAIN/chain.pem;
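If you want to see which of these lines actually move the SSL Labs letter before you go and run the test, here is a small Python checker I have added. It is not from the original post and not an nginx tool; it only reads the config text, so it runs offline. It parses the directives inside a server {} block and flags what the grader penalises: legacy protocols, cipher entries without forward secrecy, missing HSTS or a short max-age, and stapling without its supporting lines. The two config samples are constructed, with example.com standing in for your domain, and the hardened one adds a resolver line (using an RFC 5737 documentation address in place of your DNS server) because nginx needs one to reach the OCSP responder.

```python
"""Audit the TLS directives of an nginx server {} block offline, from the config
text alone. Added example for this page; not an nginx tool and not the post's code."""
import re
import shlex

# Constructed sample: the post's hardened block with example.com filled in, plus a
# resolver line, which nginx needs to look up the OCSP responder when stapling.
HARDENED = """
listen 0.0.0.0:443 ssl;
server_name example.com;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_protocols TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
add_header Strict-Transport-Security max-age=15768000 always;  # 6 months
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
resolver 192.0.2.53;  # RFC 5737 documentation address standing in for your DNS server
"""

# Constructed sample: a block that works but leaves the nginx/OpenSSL defaults in place.
DEFAULTISH = """
listen 443 ssl;
server_name example.com;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
"""

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_MARKERS = ("RC4", "3DES", "DES-CBC", "MD5", "NULL", "EXPORT")
MIN_HSTS_AGE = 15552000  # 180 days, the minimum SSL Labs wants to see for an A+


def parse_directives(block):
    """Split 'name arg arg;' statements into (name, [args]) pairs, in order:
    comments dropped, quotes removed, repeated directives (add_header) kept."""
    lexer = shlex.shlex(block, posix=True)
    lexer.whitespace_split = True
    lexer.commenters = "#"
    stmts, current = [], []
    for tok in lexer:
        if tok in ("{", "}"):            # tolerate a surrounding server { ... }
            current = []
        elif tok.endswith(";"):          # a ';' outside quotes ends a statement
            if tok[:-1]:
                current.append(tok[:-1])
            if current:
                stmts.append((current[0], current[1:]))
            current = []
        else:
            current.append(tok)
    return stmts


def audit(block):
    """Return findings for the block; an empty list means it matches the post's target."""
    by_name = {}
    for name, args in parse_directives(block):
        by_name.setdefault(name, []).append(args)

    def first(name):                     # args of the first occurrence, or []
        return by_name.get(name, [[]])[0]

    findings = []
    protos = first("ssl_protocols")
    if not protos:
        findings.append("ssl_protocols not set; many nginx versions then allow TLSv1/TLSv1.1")
    findings += [f"legacy protocol enabled: {p}" for p in protos if p in LEGACY_PROTOCOLS]

    suites = first("ssl_ciphers")[0].split(":") if first("ssl_ciphers") else []
    for s in suites:
        if s.startswith(("!", "-")):     # exclusions such as !aNULL are fine
            continue
        if not s.startswith(("ECDHE-", "DHE-")):
            findings.append(f"cipher entry without guaranteed forward secrecy: {s}")
        if any(m in s.upper() for m in WEAK_MARKERS):
            findings.append(f"weak cipher entry: {s}")
    if first("ssl_prefer_server_ciphers") != ["on"]:
        findings.append("ssl_prefer_server_ciphers is not on")
    if any(s.startswith("DHE-") for s in suites) and "ssl_dhparam" not in by_name:
        findings.append("DHE suites listed but no ssl_dhparam; older nginx then uses a 1024-bit group")

    hsts = [a for a in by_name.get("add_header", []) if a and a[0].lower() == "strict-transport-security"]
    if not hsts:
        findings.append("no Strict-Transport-Security header")
    else:
        m = re.search(r"max-age=(\d+)", " ".join(hsts[0][1:]))
        if not m or int(m.group(1)) < MIN_HSTS_AGE:
            findings.append(f"HSTS max-age is missing or under {MIN_HSTS_AGE} (180 days)")

    if first("ssl_stapling") != ["on"]:
        findings.append("OCSP stapling is off")
    else:
        if first("ssl_stapling_verify") != ["on"]:
            findings.append("ssl_stapling_verify is not on")
        if "ssl_trusted_certificate" not in by_name:
            findings.append("ssl_stapling on without ssl_trusted_certificate")
        if "resolver" not in by_name:
            findings.append("ssl_stapling on but no resolver in this block (fine only if http {} sets one)")
    return findings


if __name__ == "__main__":
    for label, cfg in (("hardened", HARDENED), ("default-ish", DEFAULTISH)):
        print(f"{label}: {len(audit(cfg))} finding(s)")
        for finding in audit(cfg):
            print("  -", finding)
```

Run it as a script to see both verdicts, or import audit() and hand it the body of your own server {} block. It is a text check only: SSL Labs still has to see the live server, and a resolver set in the enclosing http {} block will be reported as missing here.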

This is not a long explanation of each and every option; that's why there is documentation available and many much better written articles out there on those details.

I posted this here simply to give an example of a better-than-default config that helps secure your site a little more.