Revision 1 as of 2021-11-18 16:45:49
NGINX SSL
nginx(8) has built-in support for encryption with SSL/TLS certificates.
Configuration
Encryption is handled at the server block level. The minimal configuration to use SSL/TLS certificates is:

server {
    listen 443 ssl;
    server_name www.example.com;
    ssl_certificate www.example.com.crt;
    ssl_certificate_key www.example.com.key;
    ...
}
Hardening
By default, nginx(8) accepts TLS v1.0 through v1.2 and nearly any cipher suite apart from unauthenticated Diffie-Hellman (aNULL) or MD5-based suites. Best practice is to replace these defaults with modern cryptography: restrict the protocol versions and name the permitted cipher suites explicitly.

server {
    ...
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
    ...
}
Also include the following directives so that the server's cipher preference order takes precedence over the client's, and so that TLS sessions can be resumed from a cache shared between worker processes.

server {
    ...
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ...
}
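The following script is an added example (it is not part of this wiki page or of nginx) that audits a server block for the hardening directives above: protocol versions, an explicit cipher list, server cipher preference and a shared session cache. It uses a small directive parser that is enough for a flat server{} block, not a full nginx config parser, and the three sample configurations are constructed for the demonstration. The cipher allowlist holds the names from this page that OpenSSL actually recognises; the two names ending in SHA512 are not OpenSSL cipher-suite names (the AES-256-GCM suites pair with SHA384), and because OpenSSL skips unrecognised entries in a cipher string rather than rejecting it, such entries silently contribute nothing, so the script reports them for confirmation with openssl ciphers -v.

```python
"""Audit an nginx server{} block for the TLS hardening directives discussed above.

Added example, not from the wiki page or the nginx project. The parser only handles
simple `name args;` directives inside a single server block (constructed samples below).
"""
import re

# Protocol versions that should no longer be offered (TLS 1.0/1.1 are deprecated by RFC 8996).
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Allowlist of cipher-suite names this audit accepts. Anything else is reported so the
# operator can confirm it with `openssl ciphers -v`; OpenSSL silently skips unknown names.
KNOWN_CIPHERS = {
    "ECDHE-RSA-AES256-GCM-SHA384",
    "DHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
}

# `name arg arg;` at the start of a line; block openers (`server {`) have no `;` and are skipped.
DIRECTIVE_RE = re.compile(r"^[ \t]*([a-z_]+)[ \t]+([^;{}]*);", re.M)


def parse_directives(config: str) -> dict:
    """Return {directive: [args, ...]} for the simple directives in a server block."""
    directives = {}
    for m in DIRECTIVE_RE.finditer(config):
        directives[m.group(1)] = [a.strip("'\"") for a in m.group(2).split()]
    return directives


def audit(config: str) -> list:
    """Return a list of findings; an empty list means every check passed."""
    d = parse_directives(config)
    findings = []

    protocols = set(d.get("ssl_protocols", []))
    if not protocols:
        findings.append("ssl_protocols not set: the nginx default still offers TLS 1.0 and 1.1")
    else:
        deprecated = sorted(protocols & DEPRECATED_PROTOCOLS)
        if deprecated:
            findings.append("ssl_protocols offers deprecated versions: " + ", ".join(deprecated))

    if "ssl_ciphers" not in d:
        findings.append("ssl_ciphers not set: the nginx default (HIGH:!aNULL:!MD5) is broader than needed")
    else:
        entries = ":".join(d["ssl_ciphers"]).split(":")
        unknown = [c for c in entries if c not in KNOWN_CIPHERS]
        if unknown:
            findings.append("ssl_ciphers entries not in the allowlist (confirm with `openssl ciphers -v`): "
                            + ", ".join(unknown))

    if d.get("ssl_prefer_server_ciphers", ["off"]) != ["on"]:
        findings.append("ssl_prefer_server_ciphers is not on: the client's preference order wins")

    cache = d.get("ssl_session_cache", [])
    if not cache or not cache[0].startswith("shared:"):
        findings.append("ssl_session_cache is not a shared cache")

    return findings


# Constructed samples: the page's minimal block, a hardened block, and the page's own cipher list.
WEAK_CONFIG = """
server {
    listen 443 ssl;
    server_name www.example.com;
    ssl_certificate www.example.com.crt;
    ssl_certificate_key www.example.com.key;
}
"""

HARDENED_CONFIG = """
server {
    listen 443 ssl;
    server_name www.example.com;
    ssl_certificate www.example.com.crt;
    ssl_certificate_key www.example.com.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
}
"""

PAGE_CIPHER_CONFIG = HARDENED_CONFIG.replace(
    "ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:",
    "ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:",
)

if __name__ == "__main__":
    for name, cfg in [("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG), ("page", PAGE_CIPHER_CONFIG)]:
        print(f"[{name}]", "OK" if not audit(cfg) else "")
        for finding in audit(cfg):
            print("  -", finding)
```

To run it against a live configuration, read the relevant server block from nginx -T output into a string and pass it to audit(); the allowlist is deliberately short and should be extended with whatever suites your policy permits.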
nginx(8) also defers the selection of parameters for Diffie-Hellman key exchanges to the linked SSL library. openssl(1) defaults to 1024-bit parameters, while the modern standard is at least 2048-bit. After generating a parameters file, include the following directives:

server {
    ...
    ssl_dhparam /path/to/certs/dhparam.pem;
    ssl_ecdh_curve secp384r1;
    ...
}
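Because the ssl_dhparam directive only points at a file, the size of the parameters nginx actually loads is worth checking rather than assumed. The following pure-Python check is an added example (not from the page or from nginx or OpenSSL): it decodes just enough of the PEM/DER structure of a DH PARAMETERS file to measure the modulus p and compares it with the 2048-bit minimum stated above. The make_dhparam_pem helper exists only so the demo runs offline; it encodes a synthetic, non-prime modulus and must not be used to produce real parameters, which come from openssl dhparam.

```python
"""Report the modulus size of an nginx ssl_dhparam file.

Added example, not from the wiki page. A 'DH PARAMETERS' PEM block wraps DER for
SEQUENCE { INTEGER p, INTEGER g [, INTEGER privateValueLength] }; only enough ASN.1
is decoded here to locate p and measure its bit length.
"""
import base64
import sys

MINIMUM_BITS = 2048  # the modern minimum stated on the page


def _der_length(data: bytes, i: int):
    """Decode the DER length field at data[i]; return (length, index of the content)."""
    first = data[i]
    if first < 0x80:                      # short form: the byte is the length
        return first, i + 1
    n = first & 0x7F                      # long form: the next n bytes hold the length
    return int.from_bytes(data[i + 1:i + 1 + n], "big"), i + 1 + n


def dhparam_bits(pem: str) -> int:
    """Return the bit length of the prime modulus p in a PEM 'DH PARAMETERS' block."""
    body = "".join(line.strip() for line in pem.splitlines()
                   if line.strip() and not line.startswith("-----"))
    der = base64.b64decode(body)
    if not der or der[0] != 0x30:
        raise ValueError("expected a DER SEQUENCE")
    _, i = _der_length(der, 1)            # skip the SEQUENCE header
    if der[i] != 0x02:
        raise ValueError("expected INTEGER p as the first element")
    length, i = _der_length(der, i + 1)
    p = int.from_bytes(der[i:i + length], "big", signed=True)  # DER INTEGER is two's complement
    return p.bit_length()


def dhparam_ok(pem: str, minimum: int = MINIMUM_BITS) -> bool:
    """True when the parameters file meets the minimum modulus size."""
    return dhparam_bits(pem) >= minimum


# --- helpers that build constructed sample files (demo only; real files come from openssl) ---

def _der_length_bytes(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def _der_integer(value: int) -> bytes:
    raw = value.to_bytes(value.bit_length() // 8 + 1, "big")  # spare byte keeps the sign bit clear
    return b"\x02" + _der_length_bytes(len(raw)) + raw


def make_dhparam_pem(p: int, g: int = 2) -> str:
    """Wrap (p, g) as a PEM DH PARAMETERS block. p is synthetic here, NOT a safe prime."""
    inner = _der_integer(p) + _der_integer(g)
    der = b"\x30" + _der_length_bytes(len(inner)) + inner
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + "\n-----END DH PARAMETERS-----\n"


# Constructed samples: a 1024-bit modulus (the openssl default the page warns about) and a 2048-bit one.
SAMPLE_1024_PEM = make_dhparam_pem((1 << 1023) | 1)
SAMPLE_2048_PEM = make_dhparam_pem((1 << 2047) | 1)

if __name__ == "__main__":
    # Usage: python dhparam_check.py /path/to/certs/dhparam.pem   (no argument: check the samples)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            sources = [(sys.argv[1], fh.read())]
    else:
        sources = [("sample-1024", SAMPLE_1024_PEM), ("sample-2048", SAMPLE_2048_PEM)]
    for name, text in sources:
        bits = dhparam_bits(text)
        print(f"{name}: {bits}-bit modulus -> {'OK' if bits >= MINIMUM_BITS else 'TOO SMALL'}")
```

Point the script at the file named in ssl_dhparam after generating it; a result below 2048 bits means the file was produced with the library default and should be regenerated.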
certbot
certbot(1) has an automated workflow for configuring nginx(8) with a Let's Encrypt SSL/TLS certificate.
certbot --nginx -d example.com
See here for more details.