A+ SSLLabs with NGINX with HTTP/2 in January 2018


So, there isn’t a good post for this right now. I’ve spent a little time on this server rebuild looking at the options. I have some base assumptions

  • Only TLS 1.2 because all other protocols are considered weak at this time.
  • Maximum key strength possible – prefer 256 bit ciphers and fall back to 128 bit for software that doesn’t support that.
  • Support only the latest OS/Library implementations. That means old version of Java, Android, Windows, OpenSSL etc are not supported.
  • Support HTTP/2 You can see the result of my configuration here.
listen [::]:443 ssl http2 default_server;

ssl_protocols       TLSv1.2;
ssl_ecdh_curve      secp384r1;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/dhparam.pem;
ssl_session_cache shared:SSL:40m;
ssl_session_timeout 21h;
ssl_session_tickets off;
ssl_buffer_size 4k;
ssl_stapling on;
ssl_stapling_verify on;

add_header Strict-Transport-Security "max-age=31536000; preload" always;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Frame-Options SAMEORIGIN;

This will give you an A+ with 100% in everything except Cipher Strength. The reason for this is HTTP/2. If you decide you can live without HTTP/2, then remove ECDHE-RSA-AES128-GCM-SHA256 and you will get 100% across everything, but you’ll also break Java8 clients. Which you may not care about.

Letsencrypt certificates should be generated with --rsa-key-size 4096.

dhparam.pem should be generated with 4096 bits also.

Another year, another reboot

I seem to go through these every year or so. I don’t know why. I think I just like rebuilding servers.

Apologies for the awful theme. I try to find something that speaks to me but often all I find is trash.

I’m not a designer.

I kind of feel that WordPress has jumped the shark, but haven’t found anything better. I’ve considered writing something in Go but that seems like a well invented wheel.

edit: Wow, I really like this theme.