Differences between revisions 1 and 5 (spanning 4 versions)
Revision 1 as of 2021-11-18 16:45:49
Size: 1688
Comment:
Revision 5 as of 2023-04-22 20:20:41
Size: 2014
Comment:
Deletions are marked with `-`, additions with `+` (the highlighting of the original comparison view is lost here).
Line 1: Line 1:
- = NGINX =
+ ## page was renamed from NGINX/SSL
+ = NGINX SSL =

`nginx(8)` has built-in support for encryption with [[Encryption/SSL|SSL]]/[[Encryption/TLS|TLS]] certificates.
Line 11: Line 14:
Encryption is handled at the server block level. The minimal configuration needed to use a certificate is:
Line 15: Line 20:
-     ssl_certificate www.example.com.crt;
-     ssl_certificate_key www.example.com.key;
+     ssl_certificate /path/to/www.example.com.crt;
+     ssl_certificate_key /path/to/www.example.com.key;
Line 23: Line 28:
- By default, `nginx(8)` uses TLS v1.0-v1.2 and nearly any cipher suite apart from unauthenticated Diffie-Hellman (`aNULL`) or `MD5`. Best practice is to update these defaults with modern cryptography.
+ By default, `nginx(8)` uses [[Encryption/TLS|TLS]] version 1.0 through 1.2 and nearly any cipher suite apart from unauthenticated Diffie-Hellman (`aNULL`) or `MD5`. Best practice is to update these defaults with modern cryptography.
Line 45: Line 50:
- `nginx(8)` also defers the selection of parameters for Diffie-Hellman key exchanges to the linked SSL library. `openssl(1)` defaults to 1024-bit keys while the modern standard is to use 2048-bit at least. After [[Encryption/OpenSSL#Diffie-Hellman_Parameters|generating a parameters file]], include the following directives:
+ `nginx(8)` also defers the selection of parameters for Diffie-Hellman key exchanges to the linked SSL library. [[Encryption/OpenSSL|OpenSSL]] defaults to 1024-bit keys while the modern standard is to use 2048-bit at least. After [[Encryption/OpenSSL#Diffie-Hellman_Parameters|generating a parameters file]], include the following directives:
Line 62: Line 67:
- '''`certbot(1)`''' has an automated workflow for configuring `nginx(8)` with a Let's Encrypt SSL/TLS certificate.
+ '''`certbot(1)`''' has an automated workflow for configuring `nginx(8)` with a Let's Encrypt certificate.

NGINX SSL

nginx(8) has built-in support for encryption with SSL/TLS certificates.


Configuration

Encryption is handled at the server block level. The minimal configuration needed to use a certificate is:

server {
    listen              443 ssl;
    server_name         www.example.com;
    ssl_certificate     /path/to/www.example.com.crt;
    ssl_certificate_key /path/to/www.example.com.key;
    ...
}

Hardening

By default, nginx(8) uses TLS version 1.0 through 1.2 and nearly any cipher suite apart from unauthenticated Diffie-Hellman (aNULL) or MD5. Best practice is to update these defaults with modern cryptography.

server {
    ...
    ssl_protocols TLSv1.2 TLSv1.3;
    # Note: the "...-AES256-GCM-SHA512" names found in many copied examples do not exist in OpenSSL;
    # nginx silently ignores unknown names, so only the suites below actually take effect.
    ssl_ciphers   ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
    ...
}

Also include the following directives so that the server's cipher ordering is enforced over the client's preference, and so that negotiated sessions can be resumed from a shared cache.

server {
    ...
    ssl_prefer_server_ciphers on;
    ssl_session_cache         shared:SSL:10m;
    ...
}

nginx(8) also defers the selection of parameters for Diffie-Hellman key exchanges to the linked SSL library. OpenSSL defaults to 1024-bit parameters, while the modern standard is to use at least 2048-bit. After generating a parameters file, include the following directives:

server {
    ...
    ssl_dhparam    /path/to/certs/dhparam.pem;
    ssl_ecdh_curve secp384r1;
    ...
}
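To make the hardening checklist above (protocols, cipher list, server preference, DH parameters) mechanically checkable, here is an added example that is not part of the wiki page: a small Python auditor that parses nginx `server { ... }` blocks of the one-directive-per-line shape shown on this page and reports which hardening directives are missing or weak. It also runs each name in `ssl_ciphers` through Python's `ssl` module (as a stand-in for the OpenSSL nginx links against) to catch cipher names that OpenSSL cannot resolve, which nginx would silently drop. The parser, the findings wording and the sample configuration at the bottom are all constructed for this example.

```python
"""Audit the TLS directives of nginx server blocks (added example, not from the wiki).

Assumptions: configuration is written one `name value...;` directive per line inside
`server { ... }`, as in the wiki snippets; nested blocks (location, if) are skipped.
"""
import re
import ssl

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def parse_server_blocks(text):
    """Return a list of server blocks, each a dict mapping directive -> list of args."""
    blocks, current, depth = [], None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and whitespace
        if not line or line == "...":                # "..." is the wiki's elision marker
            continue
        if re.match(r"^server\s*\{$", line):
            current, depth = {}, 1
            continue
        if current is None:
            continue
        if line.endswith("{"):                       # nested block: track depth only
            depth += 1
            continue
        if line == "}":
            depth -= 1
            if depth == 0:
                blocks.append(current)
                current = None
            continue
        if depth == 1 and line.endswith(";"):
            parts = line[:-1].split()
            current.setdefault(parts[0], []).extend(parts[1:])
    return blocks


def unknown_cipher_names(cipher_string):
    """Return the names in an OpenSSL cipher string that the local OpenSSL cannot resolve.

    nginx ignores unknown names, so a typo leaves a weaker list than intended.
    Modifier tokens (!aNULL, -MD5, +HIGH, @STRENGTH) are skipped since they are
    not resolvable on their own.
    """
    unknown = []
    for name in cipher_string.split(":"):
        if not name or name[0] in "!-+@":
            continue
        try:
            ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT).set_ciphers(name)
        except ssl.SSLError:
            unknown.append(name)
    return unknown


def audit_tls(block):
    """Return a list of findings for one server block; an empty list means hardened."""
    findings = []
    if "ssl" not in block.get("listen", []):
        return findings                              # plain-HTTP block, nothing to audit
    for directive in ("ssl_certificate", "ssl_certificate_key"):
        if directive not in block:
            findings.append(f"missing {directive}")
    protocols = set(block.get("ssl_protocols", []))
    if not protocols:
        findings.append("ssl_protocols not set: the default (per this page) still permits TLSv1.0/1.1")
    elif protocols & LEGACY_PROTOCOLS:
        findings.append("legacy protocols enabled: " + ", ".join(sorted(protocols & LEGACY_PROTOCOLS)))
    if "ssl_ciphers" not in block:
        findings.append("ssl_ciphers not set: the default list is very broad")
    else:
        bad = unknown_cipher_names(block["ssl_ciphers"][0])
        if bad:
            findings.append("cipher names unknown to OpenSSL (nginx ignores them): " + ", ".join(bad))
    if block.get("ssl_prefer_server_ciphers") != ["on"]:
        findings.append("ssl_prefer_server_ciphers is not on: client cipher preference wins")
    if "ssl_dhparam" not in block:
        findings.append("ssl_dhparam not set: DH parameters fall back to the OpenSSL default")
    return findings


def audit_config(text):
    """Audit every server block in a configuration text; returns one findings list per block."""
    return [audit_tls(block) for block in parse_server_blocks(text)]


# Constructed sample: the page's minimal block, then a hardened block that carries
# a cipher name (the "...-SHA512" GCM suite) that OpenSSL does not know.
SAMPLE_CONF = """
server {
    listen              443 ssl;
    server_name         www.example.com;
    ssl_certificate     /path/to/www.example.com.crt;
    ssl_certificate_key /path/to/www.example.com.key;
}
server {
    listen              443 ssl;
    server_name         hardened.example.com;
    ssl_certificate     /path/to/hardened.crt;
    ssl_certificate_key /path/to/hardened.key;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_ciphers         ECDHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers on;
    ssl_session_cache   shared:SSL:10m;
    ssl_dhparam         /path/to/certs/dhparam.pem;
    ssl_ecdh_curve      secp384r1;
}
"""

if __name__ == "__main__":
    for block, findings in zip(parse_server_blocks(SAMPLE_CONF), audit_config(SAMPLE_CONF)):
        print(block.get("server_name", ["?"])[0], "->", findings or "OK")
```

Run it against a real file with `audit_config(open("/etc/nginx/sites-enabled/example").read())`. The minimal block trips the protocol, cipher, server-preference and dhparam checks; the hardened block passes everything except the unknown cipher name, which is exactly the kind of silent weakening this check exists to surface.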


certbot

certbot(1) has an automated workflow for configuring nginx(8) with a Let's Encrypt certificate.

certbot --nginx -d example.com

See here for more details.



Nginx/Encryption (last edited 2023-04-22 20:42:46 by DominicRicottone)