Nginx Encryption

nginx(8) has built-in support for encryption with SSL/TLS certificates.

Contents

  1. Nginx Encryption
    1. Configuration
      1. Hardening
    2. certbot

Configuration

Encryption is handled at the server block level. The minimal configuration needed to use a certificate is: 

server {
    listen              443 ssl;
    server_name         www.example.com;
    ssl_certificate     /path/to/www.example.com.crt;
    ssl_certificate_key /path/to/www.example.com.key;
    ...
}

Hardening

By default, nginx(8) uses TLS version 1.0 through 1.2 and nearly any cipher suite apart from unauthenticated Diffie-Hellman (aNULL) or MD5. Best practice is to update these defaults with modern cryptography. 

server {
    ...
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers   ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
    ...
}

Also include the following directives to ensure that server configurations are enforced over client selection. 

server {
    ...
    ssl_prefer_server_ciphers on;
    ssl_session_cache         shared:SSL:10m;
    ...
}

nginx(8) also defers the selection of parameters for Diffie-Hellman key exchanges to the linked SSL library. OpenSSL defaults to 1024-bit keys while the modern standard is to use 2048-bit at least. After generating a parameters file, include the following directives: 

server {
    ...
    ssl_dhparam    /path/to/certs/dhparam.pem;
    ssl_ecdh_curve secp384r1;
    ...
}

certbot

certbot(1) has an automated workflow for configuring nginx(8) with a Let's Encrypt certificate. 

certbot --nginx -d example.com

See here for more details.

CategoryRicottone

Nginx/Encryption (last edited 2023-04-22 20:42:46 by DominicRicottone)