Getting an A+ on SSL Labs using LEMP
When it comes to securing a website in transit encryption is an important part. Secure Socket Layers or SSL is the technology that enables this. If Ivan Ristic was here the first thing he would do is correct me and say TLS. Transport Layer Security (TLS) is the modern iteration of SSL. Although most people think of TLS in the context of e-mail its actually used all over the web. This guide explains how to get a A+ score on SSL Labs when using Nginx based stack.
Assumptions (My Setup)
- I wrote this guide on Ubuntu 14.04 LTS and Nginx 1.6.2
- I also assume you have a a basic SSL setup in place already
- Open the nginx server configuration you want to edit in this example:
- Add the following code block
add_header Strict-Transport-Security "max-age=31536000;";
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
resolver 22.214.171.124 126.96.36.199 valid=300s;
add_header Strict-Transport-Security max-age=63072000;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
In summary this code configures nginx and openSSL to good practice. It disables SSLv2 and SSLv3 it also ensures stapling is used to verify the certificates.
- In the code above
ssl_dhparam /etc/ssl/dp.pem;is in bold. This is because we need to generate the certiciate. To do this enter the following:
openssl dhparam -out /etc/ssl/dp.pem 4096
This may take a long time however (mine took about 5 minutes).
- Finally restart nginx with the following:
sudo service nginx restart
Head over to Qualys SSL Labs Website to test your server at ssllabs.com. You should get an A+ score like on mine.