quick notes on hardening nginx ssl

The ssl test is a useful tool for determining the strength of your server's ssl configuration. Here is my result. There are a few simple steps you can take with nginx to get a higher score. first, the highlights from my nginx.conf:

gist

• enable a ssl session cache
• only use recent protocols
• only use high-strength ciphers
• prefer ciphers that allow for perfect forward secrecy
• use HSTS

I've removed a lot from the standard nginx ssl deployment: sslv2/sslv3 support and weak ciphers. If your audience is mostly using modern browsers, none of these changes will impact them.

I also provide a chained cert. A chained cert includes the authority's intermediate information in your site cert so it does not have to be fetched.

For nginx, you create a chained cert as

cat your_cert.crt authority_cert.crt > your_bundle_cert.crt

and then use your_bundle_cert.crt as your site cert.

These changes should get you an "A" score on the test.

last update 2013-06-25