= Nginx Encryption =

'''`nginx(8)`''' has built-in support for '''encryption''' with [[Encryption/SSL|SSL]]/[[Encryption/TLS|TLS]] certificates.

----

== Configuration ==

Encryption is handled at the server block level. The minimal configuration needed to use a certificate is:

{{{
server {
    listen 443 ssl;
    server_name www.example.com;
    ssl_certificate /path/to/www.example.com.crt;
    ssl_certificate_key /path/to/www.example.com.key;
    ...
}
}}}

=== Hardening ===

By default, `nginx(8)` enables [[Encryption/TLS|TLS]] versions 1.0 through 1.2 and nearly any cipher suite apart from unauthenticated Diffie-Hellman (`aNULL`) and `MD5`. Best practice is to override these defaults with modern protocol versions and cipher suites.

{{{
server {
    ...
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
    ...
}
}}}

Also include the following directives so that the server's cipher preference is enforced over the client's selection.

{{{
server {
    ...
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ...
}
}}}

`nginx(8)` also defers the selection of parameters for Diffie-Hellman key exchanges to the linked SSL library. [[Encryption/OpenSSL|OpenSSL]] defaults to 1024-bit keys, while the modern standard is at least 2048 bits. After [[Encryption/OpenSSL#Diffie-Hellman_Parameters|generating a parameters file]], include the following directives:

{{{
server {
    ...
    ssl_dhparam /path/to/certs/dhparam.pem;
    ssl_ecdh_curve secp384r1;
    ...
}
}}}

----

== certbot ==

'''`certbot(1)`''' has an automated workflow for configuring `nginx(8)` with a Let's Encrypt certificate.

{{{
certbot --nginx -d example.com
}}}

See [[Encryption/Certbot|here]] for more details.

----

CategoryRicottone
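As an added example (not part of this wiki page or of nginx itself), the following script audits a server block against the hardening points in the Configuration section: legacy `ssl_protocols`, non-(EC)DHE entries in `ssl_ciphers`, `ssl_prefer_server_ciphers`, and a missing `ssl_dhparam`. The two sample blocks and the `dhparam.pem` path are constructed; the parser assumes one directive per line, as in the blocks above.

```python
import re

# Constructed sample blocks, modelled on the page's minimal and hardened examples.
MINIMAL = """
server {
    listen 443 ssl;
    server_name www.example.com;
    ssl_certificate /path/to/www.example.com.crt;
    ssl_certificate_key /path/to/www.example.com.key;
}
"""
HARDENED = MINIMAL.rstrip().rstrip("}") + """
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /path/to/certs/dhparam.pem;   # hypothetical path
}
"""
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def parse_ssl_directives(config):
    """Map each ssl_* directive to its arguments; one directive per line, '#' comments dropped."""
    directives = {}
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()
        match = re.match(r"^(ssl_\w+)\s+(.+?)\s*;$", line)
        if match:
            directives[match.group(1)] = match.group(2).split()
    return directives

def audit(config):
    """Return findings against the hardening points above; an empty list means none."""
    d = parse_ssl_directives(config)
    findings = []
    protocols = d.get("ssl_protocols")
    if protocols is None:
        findings.append("ssl_protocols unset: nginx default still enables TLSv1 and TLSv1.1")
    findings += [f"legacy protocol enabled: {p}" for p in protocols or [] if p in LEGACY_PROTOCOLS]
    ciphers = d.get("ssl_ciphers")
    if ciphers is None:
        findings.append("ssl_ciphers unset: default HIGH:!aNULL:!MD5 permits non-forward-secret suites")
    else:
        for entry in ciphers[0].split(":"):
            if not entry.startswith(("ECDHE-", "DHE-", "!")):  # only (EC)DHE gives forward secrecy
                findings.append(f"cipher entry without forward secrecy: {entry}")
    if d.get("ssl_prefer_server_ciphers") != ["on"]:
        findings.append("ssl_prefer_server_ciphers is not on: client cipher preference wins")
    if "ssl_dhparam" not in d:
        findings.append("ssl_dhparam unset: DH parameters fall back to the SSL library default")
    return findings
```

Run `audit()` over a server block copied from `nginx.conf`; the minimal block above yields four findings and the hardened block none.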