Nginx Config Snippet to Give You A+ on SSLLabs

This is what I currently use in nginx; it gives me an A+ on http://ssllabs.com. Hat tip to kyhwana, who linked me to his config. It doesn’t support IE on XP, but I don’t care. https://www.ssllabs.com/ssltest/analyze.html?d=blog.chesterton.id.au Here’s some docs for nginx https.

        listen   443 ssl;

        # Redundant with "listen ... ssl" above; the "ssl" directive is deprecated since nginx 1.15.0.
        ssl                  on;
        ssl_certificate ssl.crt;
        ssl_certificate_key ssl.key;
        ssl_session_cache   shared:SSL:10m;
        ssl_session_timeout 10m;
        keepalive_timeout   300;

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_stapling on;
        ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA;
        add_header Strict-Transport-Security max-age=31536000;
        add_header X-Frame-Options DENY;

I added DHE-RSA-AES256-SHA to the ssl_ciphers so older versions of openssl would work, as a planet I’m on couldn’t connect to my feed.

I think one problem with specifying ciphers like I did above is that over the months/years, it’s going to rot: newer, more secure ciphers will come along, and they won’t be included until you edit the config. Or worse, some flaws might be found in the ciphers specified, and they won’t be removed. Specifying:

    ssl_ciphers         HIGH:!aNULL:!MD5:!3DES;

is a little weaker today, but you can set and forget, and use the same config file with newer OpenSSL libraries and nginx software, and benefit from any changes automatically.
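To see what the two cipher strings actually mean on a given machine, the following added example (not part of the original post) expands both against the OpenSSL that Python is linked to and lists what only the generic string enables, split by key exchange. The function names are illustrative, and it assumes nginx on the same host is built against the same OpenSSL.

```python
import re
import ssl

# Both cipher strings are copied from the post.
PINNED = ("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
          "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:"
          "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
          "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:"
          "ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA")
GENERIC = "HIGH:!aNULL:!MD5:!3DES"

# Kx= values OpenSSL prints for ephemeral (EC)DH key exchange.
EPHEMERAL_KX = {"ECDH", "DH", "ECDHEPSK", "DHEPSK"}


def expand(cipher_string):
    """Return {suite name: OpenSSL description} for the TLS <= 1.2 suites
    the local OpenSSL enables for this string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    # TLS 1.3 suites are not controlled by this string, so leave them out.
    return {c["name"]: c["description"] for c in ctx.get_ciphers()
            if c["protocol"] != "TLSv1.3"}


def key_exchange(description):
    """Pull the Kx= field out of an OpenSSL cipher description line."""
    match = re.search(r"Kx=(\S+)", description)
    return match.group(1) if match else "unknown"


def is_ephemeral(description):
    return key_exchange(description) in EPHEMERAL_KX


def compare(pinned=PINNED, generic=GENERIC):
    """Suites only the generic string enables, split by key exchange."""
    p, g = expand(pinned), expand(generic)
    extra = {n: d for n, d in g.items() if n not in p}
    return {
        "pinned_unavailable": [n for n in pinned.split(":") if n not in p],
        "extra_ephemeral": sorted(n for n, d in extra.items() if is_ephemeral(d)),
        "extra_other_kx": sorted(n for n, d in extra.items() if not is_ephemeral(d)),
    }


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION)
    for label, names in compare().items():
        print(f"{label} ({len(names)}): {', '.join(names) or '-'}")
```

Re-running it after an OpenSSL upgrade shows both effects the post describes: pinned names the library no longer offers, and suites the generic string has picked up or dropped.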