Due to HeartBleed and the fact I own more domains now, I have gone and generated new certs. In that process, I decided to make my sites even more secure than it used to be. In this post, I will let you know my configuration for Nginx, how I generated certificates, and what Certificate Authority (CA) I have chosen for SSL.
I will start with the CA. I choose StartSSL because they are cheap (I’ll be paying like $2000 a year with other providers), and because they allow unlimited certificate signing. If you just have one site, you can get away with their free option with the limitation that you can’t sell things. If you have multiple domains, you would probably want to go with their validation process to become a Class 2 validated user. I went with personal because this is just for my personal sites, but if I were to have a company they would require for you to spend an extra $60 to get validated for your business as well. Once you’re a class 2 user, you can revoke certs for free and you can generated a cert with unlimited domains/subdomains/wildcards. This is in my opinion the best solution out there.
As for generating a certificate, I highly recommend you use your own computer and you use 2048 bits or higher (I used 2048 bits because it’s better for mobile clients). To generate the best certificate with sha256 as the hash algorithm for a signature, use the following:
openssl req -out server.csr -new -newkey rsa:2048 -sha256 -nodes -keyout server.key
After you have created a certificate, and got the public key signed (note your not sending your private key to StartCom), you should also generate a Diffie-Hellman parameter file:
openssl dhparam -out dh4096.pem -5 4096
And finally for the Nginx config, simply change paths to be correct and you should be secure. Comments notes as to what certain things are.
ssl_certificate /server.ca.pem;#Certificate with CA’s certificate appended
ssl_certificate_key /server.key;#Certificate and key generated with: openssl req -out server.csr -new -newkey rsa:2048 -sha256 -nodes -keyout server.key
ssl_dhparam /dh4096.pem;#Generated using: openssl dhparam -out dh4096.pem -5 4096
ssl_trusted_certificate /sub.class2.server.ca.pem;#Your SSL provider’s certificate with OCSP.
resolver 18.104.22.168 22.214.171.124 valid=300s;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;#Disabled for security reasons: SSLv3 SSLv2
ssl_ciphers “ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-ECDSA-AES128-SHA256 ECDHE-RSA-AES256-SHA ECDHE-ECDSA-AES256-SHA ECDH-RSA-AES256-GCM-SHA384 ECDH-ECDSA-AES256-GCM-SHA384 ECDH-RSA-AES256-SHA384 ECDH-ECDSA-AES256-SHA384 ECDH-RSA-AES256-SHA ECDH-ECDSA-AES256-SHA ECDHE-RSA-DES-CBC3-SHA ECDHE-ECDSA-DES-CBC3-SHA ECDH-RSA-DES-CBC3-SHA ECDH-ECDSA-DES-CBC3-SHA ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-ECDSA-AES128-SHA256 ECDHE-RSA-AES128-SHA ECDHE-ECDSA-AES128-SHA ECDH-RSA-AES128-GCM-SHA256 ECDH-ECDSA-AES128-GCM-SHA256 ECDH-RSA-AES128-SHA256 ECDH-ECDSA-AES128-SHA256 ECDH-RSA-AES128-SHA ECDH-ECDSA-AES128-SHA AES128-GCM-SHA256 AES128-SHA256 AES128-SHA ECDHE-RSA-RC4-SHA ECDHE-ECDSA-RC4-SHA ECDH-RSA-RC4-SHA ECDH-ECDSA-RC4-SHA RC4-SHA RC4-MD5 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS”;
add_header Strict-Transport-Security “max-age=31536000”;#Tells browser to only allow SSL on this site for 1 year. Add “; includeSubdomains;” if you wan to include subdomains.
add_header X-Frame-Options SAMEORIGIN;#Blocks other servers from using frames to act as our site.
Finally, you should test you site with SSL Labs like how I did:
They are a group of people who basically researches SSL and have a test to make sure your site is using the best configuration.
Hope this is useful to some people.