SSL SSL .conf Configuration

Discussion in 'Nginx, PHP-FPM & MariaDB MySQL' started by BamaStangGuy, Feb 20, 2015.

  1. BamaStangGuy

    BamaStangGuy Active Member

    This is one of the first sites I have setup using SSL and I want to make sure that it is configured as optimally as possible. Here are my current SSL settings:

    Code:
            ssl_certificate      /usr/local/nginx/conf/ssl/aspiescentralcom/ssl-unified.crt;
            ssl_certificate_key  /usr/local/nginx/conf/ssl/aspiescentralcom/www_aspiescentral_com.key;
            #cloudflare
            ssl_protocols   TLSv1 TLSv1.1 TLSv1.2;
            ssl_ciphers     EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:EECDH+RC4:RSA+RC4:!MD5;
            ssl_session_cache      shared:SSL:30m;
            ssl_session_timeout  12h;
            ssl_prefer_server_ciphers   on;
            add_header Alternate-Protocol  443:npn-spdy/3;
            add_header Strict-Transport-Security "max-age=31536000";
            #add_header  X-Content-Type-Options "nosniff";
            #add_header X-Frame-Options DENY;
            # nginx 1.5.9+ or higher
            # http://nginx.org/en/docs/http/ngx_http_spdy_module.html#spdy_headers_comp
            # http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_buffer_size
            spdy_headers_comp 5;
            ssl_buffer_size 4k;
            ssl_session_tickets on;
    
            # enable ocsp stapling
            resolver 8.8.8.8;
            ssl_stapling on;
            ssl_stapling_verify on;
            ssl_trusted_certificate /usr/local/nginx/conf/ssl/aspiescentralcom/ssl-trusted.crt;
    Notice anything that can be improved? SSL Ciphers ok?

     
  2. eva2000

    eva2000 Administrator Staff Member

  3. BamaStangGuy

    BamaStangGuy Active Member

  4. eva2000

    eva2000 Administrator Staff Member

    I see... The English language can be confusing at times, heh.
     
  5. quicksalad

    quicksalad Member

    May I know where I can get the values below, and what they are based on?

    Code:
    ssl_protocols   TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers     EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:EECDH+RC4:RSA+RC4:!MD5;
    Thanks.
     
  6. Jemekite

    Jemekite New Member

    I'm using Cloudflare's SSL cipher list here:
    sslconfig/conf at master · cloudflare/sslconfig · GitHub
    Code:
    ssl_protocols               TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers                 EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
    ssl_prefer_server_ciphers   on;
    Just remove EECDH+CHACHA20 from the list if you're using the OpenSSL version of nginx.
     
  7. quicksalad

    quicksalad Member

    I'm trying to use StartSSL. What would the ssl_ciphers and ssl_protocols be?
     
  8. Jemekite

    Jemekite New Member

    You mean LibreSSL? Here's my current cipher list:

    Code:
    ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
    
    My complete SSL conf for a WP blog:
    Code:
    map $scheme $hsts_header {
        https   max-age=31536000;
    }
    server {
        listen 443 ssl spdy;
        server_name mydomain.com www.mydomain.com;
        access_log /home/nginx/domains/mydomain.com/log/ssl.access.log combined buffer=256k flush=60m;
        error_log /home/nginx/domains/mydomain.com/log/ssl.error.log;
        root /home/nginx/domains/mydomain.com/public;
        keepalive_timeout  30;
    
        ssl on;
        ssl_certificate_key /etc/ssl/certs/mydomain_com.key;
        ssl_certificate /etc/ssl/certs/mydomain_com.crt;
        ssl_trusted_certificate /etc/ssl/certs/PositiveSSL.ca-bundle;
        ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_session_cache shared:SSL:10m;
    
        ssl_stapling on;
        ssl_stapling_verify on;
        resolver 8.8.4.4 8.8.8.8 valid=300s;
        resolver_timeout 10s;
    
        ssl_prefer_server_ciphers on;
        ssl_dhparam /etc/ssl/certs/dhparams.pem;
    
        add_header Strict-Transport-Security $hsts_header;
    
        #include /usr/local/nginx/conf/pagespeed.conf;
        #include /usr/local/nginx/conf/pagespeedhandler.conf;
        #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
        location / {
    
            # block common exploits, sql injections etc
            include /usr/local/nginx/conf/block.conf;
    
            # Enables directory listings when index file not found
            #autoindex  on;
    
            # Shows file listing times as local time
            #autoindex_localtime on;
    
            # Enable for vBulletin usage WITHOUT vbSEO installed
            # More example Nginx vhost configurations at
            # http://centminmod.com/nginx_configure.html
            #try_files        $uri $uri/ /index.php;
            try_files $uri $uri/ /index.php?$args;
    
            include /usr/local/nginx/conf/wpsecure.conf;
            include /usr/local/nginx/conf/wpnocache.conf;
        }
    
        include /usr/local/nginx/conf/staticfiles.conf;
        include /usr/local/nginx/conf/php.conf;
        include /usr/local/nginx/conf/drop.conf;
        #include /usr/local/nginx/conf/errorpage.conf;
        include /usr/local/nginx/conf/vts_server.conf;
    }
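As an added illustration (not code from this thread, from Centmin Mod or from Cloudflare), the following Python audits the ssl_ciphers and ssl_protocols directives posted above, using the OP's and Jemekite's lines as constructed samples. It splits the OpenSSL cipher-string syntax the thread asks about (`EECDH+3DES` is an AND of keywords, `!MD5` a hard exclusion) and reports the keywords and protocol versions that a modern profile such as the Mozilla list cited later in the thread leaves out.

```python
import re

# Constructed samples: the ssl_* directives posted in this thread (OP and Jemekite),
# trimmed to the lines the audit reads.
OP_CONF = """
ssl_protocols   TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers     EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:EECDH+RC4:RSA+RC4:!MD5;
ssl_prefer_server_ciphers   on;
"""
JEMEKITE_CONF = """
ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
"""

# OpenSSL cipher-string keywords that a modern TLS profile excludes outright.
WEAK_COMPONENTS = {"RC4", "3DES", "DES", "MD5", "NULL", "aNULL", "eNULL", "EXPORT", "LOW"}
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

DIRECTIVE_RE = re.compile(r"^\s*(ssl_\w+)\s+(.*?);\s*$", re.M)


def parse_ssl_directives(conf):
    """Map each ssl_* directive in an nginx server block to its value string."""
    return {m.group(1): m.group(2).strip() for m in DIRECTIVE_RE.finditer(conf)}


def cipher_components(cipher_string):
    """Split an OpenSSL cipher string into enabled keywords and removed keywords.
    'EECDH+3DES' selects suites matching both keywords; '!MD5' removes MD5-MAC suites
    such as RC4-MD5 (RC4-SHA stays enabled); '-X' removes too; '+X' only reorders."""
    enabled, excluded = set(), set()
    for entry in (e.strip() for e in cipher_string.split(":")):
        if not entry:
            continue
        if entry[0] in "!-":
            excluded.add(entry[1:])
        else:
            enabled.update(entry.lstrip("+").split("+"))
    return enabled, excluded


def audit(conf):
    """Return weak cipher keywords, legacy protocol versions and server-preference state."""
    d = parse_ssl_directives(conf)
    enabled, _excluded = cipher_components(d.get("ssl_ciphers", ""))
    return {
        "weak_ciphers": sorted(enabled & WEAK_COMPONENTS),
        "legacy_protocols": sorted(set(d.get("ssl_protocols", "").split()) & LEGACY_PROTOCOLS),
        # nginx treats ssl_prefer_server_ciphers as off when the directive is absent
        "prefer_server_ciphers": d.get("ssl_prefer_server_ciphers", "off") == "on",
    }
```

Both sample lists still enable 3DES (and the OP's list RC4 as well) because `!MD5` only strips the MD5-MAC variants; the fix is to drop those keywords from the string rather than rely on the exclusion.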
     
  9. quicksalad

    quicksalad Member

    Thanks @Jemekite.

    Anyone here using StartSSL? Please advise how ssl_ciphers is generated.
     
  10. Jemekite

    Jemekite New Member

  11. quicksalad

    quicksalad Member

  12. eva2000

    eva2000 Administrator Staff Member

    The recommended SSL ciphers are the ones listed at Nginx HTTPS / SSL Google SPDY configuration, which are also the ones listed at Security/Server Side TLS - MozillaWiki for modern compatibility.

    @Jemekite's SSL ciphers also work, and the chacha20 ones are added if you're using Centmin Mod .08 beta03, which now uses LibreSSL and supports chacha20. OpenSSL on .07 stable doesn't support chacha20 ciphers.
    The first 3 ciphers on the ssl_ciphers list are for chacha20. I personally don't use the 3rd one listed, EECDH+CHACHA20, but might try it myself.
    Code:
    ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:EECDH+CHACHA20
     
  13. quicksalad

    quicksalad Member

    @eva2000 thanks, now I know a bit about ciphers. I've read some posts where you talk about StartSSL; do I need to decrypt the ssl.key before I upload it to my server?
     
  14. eva2000

    eva2000 Administrator Staff Member

    StartSSL certificates were mentioned at Nginx HTTPS / SSL Google SPDY configuration, nothing about decrypting ssl.key though. You just need to upload the created CSR and private key, method 2 mentioned in the link, if you created it online.