0xReki's Adventures

nginx/SSL Configuration for the Slightly Paranoid People

published on 2016-06-24 written by 0xReki
nginx, OpenSSL, Paranoia, Configuration Files

I finally brought myself to move my SSL certificates to Let’s Encrypt and have their renewal automated. So I figured I should update my cipher settings as well. I believe this to be an nginx config suited for the only slightly paranoid people.

ssl_session_timeout 5m;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;

ssl_ciphers kEECDH+aRSA+AESGCM:kEECDH+aRSA+SHA384:kEECDH+aRSA+SHA256:kEECDH+aRSA+AES+SHA:kEDH+aRSA+AESGCM:kEDH+aRSA+SHA384:kEDH+aRSA+SHA256:kEDH+aRSA+AES+SHA;

ssl_prefer_server_ciphers on;

ssl_dhparam /etc/ssl/private/DH.pem;

add_header Strict-Transport-Security "max-age=31557600; includeSubDomains";
add_header X-Content-Type-Options "nosniff";
add_header X-Frame-Options "SAMEORIGIN";
add_header X-Xss-Protection "1";

If Android and/or Safari clients weren’t an issue, I’d simply use this cipher string:

ssl_ciphers kEECDH+aRSA+AESGCM:kEECDH+aRSA+SHA384:kEECDH+aRSA+SHA256;
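As an added example (not part of the original post), the following Python script parses both variants of the nginx TLS snippet above and flags settings a defender would want to tighten today: deprecated protocol versions, cipher groups without a forward-secret key exchange, server cipher preference switched off, and an HSTS max-age under one year. The policy thresholds are my assumptions, and the sample configuration is embedded inline so the script runs offline.

```python
"""Policy check for nginx ssl_* / add_header directives (added example)."""
import re

# Constructed sample: the directives from the post, embedded inline.
SAMPLE_CONF = """
ssl_session_timeout 5m;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_ciphers kEECDH+aRSA+AESGCM:kEECDH+aRSA+SHA384:kEECDH+aRSA+SHA256:kEECDH+aRSA+AES+SHA:kEDH+aRSA+AESGCM:kEDH+aRSA+SHA384:kEDH+aRSA+SHA256:kEDH+aRSA+AES+SHA;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/private/DH.pem;
add_header Strict-Transport-Security "max-age=31557600; includeSubDomains";
add_header X-Content-Type-Options "nosniff";
add_header X-Frame-Options "SAMEORIGIN";
add_header X-Xss-Protection "1";
"""

# One nginx directive per line, terminated by the last ';' on that line.
DIRECTIVE = re.compile(r'^\s*(\S+)\s+(.*?);\s*$', re.M)

def parse(conf):
    """Return {directive: [values]}; add_header values are keyed by header name."""
    out = {}
    for name, args in DIRECTIVE.findall(conf):
        if name == "add_header":
            hdr, _, val = args.partition(" ")
            out.setdefault("add_header", {})[hdr.lower()] = val.strip('"')
        else:
            out[name] = args.split()
    return out

def check(conf):
    """Return a list of findings; an empty list means the snippet meets the policy."""
    d = parse(conf)
    findings = []
    weak = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"} & set(d.get("ssl_protocols", []))
    if weak:
        findings.append("deprecated protocols enabled: " + ", ".join(sorted(weak)))
    # Each ':'-separated group must name an (EC)DHE key exchange to be forward secret.
    for group in ":".join(d.get("ssl_ciphers", [])).split(":"):
        if not set(group.split("+")) & {"kEECDH", "kEDH", "ECDHE", "DHE"}:
            findings.append(f"non-forward-secret cipher group: {group}")
    if d.get("ssl_prefer_server_ciphers") != ["on"]:
        findings.append("ssl_prefer_server_ciphers is not on")
    hsts = d.get("add_header", {}).get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts)
    if not m or int(m.group(1)) < 31536000:
        findings.append("HSTS missing or max-age below one year")
    return findings

if __name__ == "__main__":
    for f in check(SAMPLE_CONF):
        print("FINDING:", f)
```

Run against the post's config it reports only the TLSv1/TLSv1.1 entries; with `ssl_protocols TLSv1.2;` and either cipher string from the post it reports nothing.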