March 28, 2015 · Nginx Qualys

Getting an A+ on SSL Labs using LEMP

When it comes to securing a website in transit encryption is an important part. Secure Socket Layers or SSL is the technology that enables this. If Ivan Ristic was here the first thing he would do is correct me and say TLS. Transport Layer Security (TLS) is the modern iteration of SSL. Although most people think of TLS in the context of e-mail its actually used all over the web. This guide explains how to get a A+ score on SSL Labs when using Nginx based stack.

SSL Labs result

Assumptions (My Setup)

  • I wrote this guide on Ubuntu 14.04 LTS and Nginx 1.6.2
  • I also assume you have a a basic SSL setup in place already
  1. Open the nginx server configuration you want to edit in this example:


  1. Add the following code block

add_header Strict-Transport-Security "max-age=31536000;";

ssl_ciphers 'AES128+EECDH:AES128+EDH:!aNULL';

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

ssl_session_cache shared:SSL:10m;

ssl_stapling on;

ssl_stapling_verify on;

resolver valid=300s;

resolver_timeout 10s;

ssl_prefer_server_ciphers on;

ssl_dhparam /etc/ssl/dp.pem;

add_header Strict-Transport-Security max-age=63072000;

add_header X-Frame-Options DENY;

add_header X-Content-Type-Options nosniff;

In summary this code configures nginx and openSSL to good practice. It disables SSLv2 and SSLv3 it also ensures stapling is used to verify the certificates.

  1. In the code above ssl_dhparam /etc/ssl/dp.pem; is in bold. This is because we need to generate the certiciate. To do this enter the following:

openssl dhparam -out /etc/ssl/dp.pem 4096

This may take a long time however (mine took about 5 minutes).

  1. Finally restart nginx with the following:

sudo service nginx restart

Head over to Qualys SSL Labs Website to test your server at You should get an A+ score like on mine.

  • LinkedIn
  • Tumblr
  • Reddit
  • Google+
  • Pinterest
  • Pocket
Comments powered by Disqus