NGINX SSL
nginx(8) has built-in support for encryption with SSL/TLS certificates.
Configuration
Encryption is handled at the server block level. The minimal configuration needed to use a certificate is:
server {
    listen 443 ssl;
    server_name www.example.com;
    ssl_certificate /path/to/www.example.com.crt;
    ssl_certificate_key /path/to/www.example.com.key;
    ...
}
Hardening
By default, nginx(8) uses TLS version 1.0 through 1.2 and nearly any cipher suite apart from unauthenticated Diffie-Hellman (aNULL) or MD5. Best practice is to update these defaults with modern cryptography.
server {
    ...
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
    ...
}
Also include the following directives so that the server's cipher preference order takes precedence over the client's, and negotiated TLS sessions are cached for reuse across worker processes.
server {
    ...
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ...
}
nginx(8) also defers the selection of parameters for Diffie-Hellman key exchanges to the linked SSL library. OpenSSL defaults to 1024-bit keys while the modern standard is to use 2048-bit at least. After generating a parameters file, include the following directives:
server {
    ...
    ssl_dhparam /path/to/certs/dhparam.pem;
    ssl_ecdh_curve secp384r1;
    ...
}
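As an added example (not part of the wiki page), the following script audits a server block against the hardening guidance above: it flags a missing or weak ssl_protocols setting, a missing ssl_prefer_server_ciphers on, and absent ssl_session_cache, ssl_dhparam and ssl_ecdh_curve directives. The two sample configurations are constructed from the blocks on this page, and the parser assumes a single flat server block with one directive per line.

```python
import re

# Constructed sample: the page's minimal server block, with no hardening directives.
MINIMAL_CONF = """
server {
    listen 443 ssl;
    server_name www.example.com;
    ssl_certificate /path/to/www.example.com.crt;
    ssl_certificate_key /path/to/www.example.com.key;
}
"""

# Constructed sample: the same block with every directive the page recommends.
HARDENED_CONF = MINIMAL_CONF.replace("}", """    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_dhparam /path/to/certs/dhparam.pem;
    ssl_ecdh_curve secp384r1;
}""")

# Protocol names nginx accepts that the page's guidance leaves disabled.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def parse_directives(conf):
    """Map each simple 'name arg ...;' directive to its argument list (block headers are skipped)."""
    return {m.group(1): m.group(2).split()
            for m in re.finditer(r"^\s*([a-z_]+)\s+([^;{}]+);", conf, re.M)}

def audit(conf):
    """Return the list of deviations from the hardening guidance; an empty list means compliant."""
    d = parse_directives(conf)
    findings = []
    protos = d.get("ssl_protocols")
    if protos is None:
        findings.append("ssl_protocols unset: default allows TLSv1 and TLSv1.1")
    elif WEAK_PROTOCOLS & set(protos):
        findings.append("weak protocols enabled: " + " ".join(sorted(WEAK_PROTOCOLS & set(protos))))
    if d.get("ssl_prefer_server_ciphers", ["off"]) != ["on"]:
        findings.append("ssl_prefer_server_ciphers off: client cipher preference wins")
    if "ssl_session_cache" not in d:
        findings.append("ssl_session_cache unset")
    if "ssl_dhparam" not in d:
        findings.append("ssl_dhparam unset: DH parameters fall back to the SSL library default")
    if "ssl_ecdh_curve" not in d:
        findings.append("ssl_ecdh_curve unset")
    return findings

if __name__ == "__main__":
    for name, conf in (("minimal", MINIMAL_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or "OK")
```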
certbot
certbot(1) has an automated workflow for configuring nginx(8) with a Let's Encrypt certificate.
certbot --nginx -d example.com
See here for more details.
