nginx and stronger SSL
After reading Jeff Moser’s excellent article on “The First Few Milliseconds of an HTTPS Connection”, I thought I would share my SSL setup for nginx.
By default, the ciphers used tend to be comparatively weak (for instance, you should disable SSLv2 if at all possible to meet PCI Compliance). For a list of recommended ciphersuites to use, check out this post.
You can test your current site configuration with Benjamin Black’s excellent TLS Report site. It will test a given site and assign a score based on a variety of parameters. For example, Amazon scores a D.
When I was looking at this last year, nginx did not have support for ephemeral keys but Igor Sysoev was able to quickly add this.
server {
    # port to listen on. Can also be set to an IP:PORT
    listen 443;
    # Turn SSL on. Also disable weaker SSL schemes (SSLv2 is not listed).
    ssl on;
    ssl_certificate /usr/nginx/conf/certs/dot.com.crt;
    ssl_certificate_key /usr/nginx/conf/certs/dot.com.key;
    # DH parameters for the ephemeral (DHE) suites listed below
    ssl_dhparam /usr/nginx/conf/certs/dot.com.dh1024.pem;
    # let the server, not the client, pick the cipher from the list
    ssl_prefer_server_ciphers on;
    ssl_protocols SSLv3 TLSv1;
    ssl_session_cache shared:SSL:2m;
    # Set the ciphers to use. An nginx directive value runs up to the
    # terminating semicolon, so the OpenSSL cipher string is one
    # colon-separated value with no backslash line continuation.
    ssl_ciphers DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5;
    # Alternative using OpenSSL cipher-string keywords instead of an explicit list:
    # ssl_ciphers HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3:!ADH:!aNULL:!eNULL:!NULL;
    # set keepalive for ssl connection
    keepalive_timeout 70;
    # Set the charset
    charset utf-8;
    # Set the max size for file uploads to 10Mb
    client_max_body_size 10M;
    # sets the domain[s] this vhost serves requests for
    server_name dot.com;
    # doc root
    root /var/www/dot.com;
    # vhost specific access log
    access_log /var/log/nginx_access.log main;
}
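As an added example (my own code, not from the original post or from nginx), here is a small Python checker that reads the ssl_* directives out of a server block the way nginx tokenises them (a value runs until the semicolon and may span lines, '#' starts a comment) and reports the three points the post makes: whether SSLv2 is off (the PCI requirement; SSLv3 is flagged too, since RFC 7568 later prohibited it), whether the server enforces its own cipher order, and whether the ephemeral DHE suites come first so forward secrecy is actually negotiated. The sample block, the weak-suite markers and the function names are my own assumptions; the cipher list itself is the one from the post.

```python
import re
from typing import Dict, List

# Constructed sample (not a real vhost): the ssl_* directives from the post's
# server block, written the way nginx reads them - a value runs until the
# terminating ';' and may span lines; '#' starts a comment.
SAMPLE_CONFIG = """
server {
    listen 443;
    ssl on;
    ssl_prefer_server_ciphers on;
    ssl_protocols SSLv3 TLSv1;
    # ssl_ciphers HIGH:MEDIUM:+TLSv1:!SSLv2;   (commented out: must be ignored)
    ssl_ciphers DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:
                EDH-RSA-DES-CBC3-SHA:AES256-SHA:DES-CBC3-SHA:
                AES128-SHA:RC4-SHA:RC4-MD5;
}
"""

# Protocols a defender does not want enabled: SSLv2 (the post's PCI point)
# and SSLv3 (prohibited by RFC 7568).
WEAK_PROTOCOLS = {"SSLv2", "SSLv3"}
# Substrings of OpenSSL suite names worth flagging: RC4 and 3DES are
# deprecated; MD5 MACs and NULL/export/anonymous suites give no real protection.
WEAK_CIPHER_MARKERS = ("RC4", "DES-CBC3", "MD5", "NULL", "EXP", "ADH")
# Key-exchange prefixes in OpenSSL names that provide forward secrecy.
EPHEMERAL_PREFIXES = ("DHE-", "EDH-", "ECDHE-", "EECDH-")

# directive name, whitespace, value up to the first ';' (braces end a block)
DIRECTIVE_RE = re.compile(r"\b(ssl_\w+)\s+([^;{}]*);")


def strip_comments(text: str) -> str:
    """Drop everything after '#' on each line (assumes no '#' inside quoted values)."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def parse_ssl_directives(config: str) -> Dict[str, str]:
    """Map each ssl_* directive to its value with whitespace collapsed.
    A later duplicate overrides an earlier one (simple last-wins reading)."""
    directives: Dict[str, str] = {}
    for match in DIRECTIVE_RE.finditer(strip_comments(config)):
        name, raw_value = match.group(1), match.group(2)
        directives[name] = " ".join(raw_value.split())
    return directives


def split_cipher_list(value: str) -> List[str]:
    """An OpenSSL cipher string is ':'-separated; whitespace from line wraps is noise."""
    return [c for c in value.replace(" ", "").split(":") if c]


def audit(config: str) -> dict:
    """Check no SSLv2/SSLv3, server-chosen cipher order, and ephemeral suites
    ahead of static-RSA ones; returns the findings as a plain dict."""
    d = parse_ssl_directives(config)
    protocols = d.get("ssl_protocols", "").split()
    ciphers = split_cipher_list(d.get("ssl_ciphers", ""))
    return {
        "protocols": protocols,
        "weak_protocols": [p for p in protocols if p in WEAK_PROTOCOLS],
        "ciphers": ciphers,
        "weak_ciphers": [c for c in ciphers if any(m in c for m in WEAK_CIPHER_MARKERS)],
        "server_order": d.get("ssl_prefer_server_ciphers") == "on",
        "ephemeral_first": bool(ciphers) and ciphers[0].startswith(EPHEMERAL_PREFIXES),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(f"{key:16} {value}")
```

Run against the post's own list it confirms SSLv2 is off and the DHE suites lead, but still flags SSLv3 and the four 3DES/RC4/MD5 suites, which is the kind of drift a config check should catch each time the cipher string is edited rather than once at deployment.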