You can help support this website by buying me a coffee!
3 minutes reading time
(610 words)
Get an SSL Labs A+ Rating for your Nginx Website
How to get an SSL Labs A+ rating for your Nginx website on Debian 11
The SSL Labs report shows that OCSP stapling is not enabled, and TLS 1.0 and 1.1 protocols are available, which means our website gets a B rating.
In the following steps, we'll make some changes to improve SSL security on Nginx to get an A+ rating.Qualys SSL Labs
https://www.ssllabs.com
Backup Nginx configuration files
Make a backup copy of your Nginx configuration files before making any changes.
Main Nginx config filecp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.26092022.bak
Website config filecp /etc/nginx/sites-available/ctrlf.cloud.conf /etc/nginx/sites-available/ctrlf.cloud.conf.26092022.bak
Nginx SSL settings for an A+ rating
Edit the main Nginx configuration file and make the following changesnano /etc/nginx/nginx.conf
| ssl_session_timeout 1d | Set ssl_session_timeout to 1 day. This improves performance by reusing cached sessions, which reduces the number of SSL handshakes |
| ssl_session_cache shared:SSL:1m | Share SSL session cache among all Nginx worker processes. This speeds up connections because the connection setup information is already cached. 1 MB shared cache can hold approximately 4,000 sessions. |
| ssl_session_tickets off | Turn off SSL session tickets. Session tickets are used to store session information on the client side. Session tickets are an alternative to session cache. |
| ssl_protocols TLSv1.2 TLSv1.3 | Allow connections using TLS 1.2 and TLS 1.3 |
| ssl_ciphers | Allow the specified SSL ciphers |
| ssl_prefer_server_ciphers off | Turn off preferred server ciphers. Allow the client to choose the encryption method. ssl_prefer_server_ciphers on is not needed because we are not allowing old protocols (TLS 1.0, TLS 1.1) with weak SSL ciphers. |
| ssl_stapling on | Use OCSP stapling to check if SSL certificates have been revoked. For SSL certificate verification to work, the root certificate and all intermediate certificates need to be configured using the ssl_trusted_certificate directive in the website Nginx config. |
| ssl_stapling_verify on | Enable OCSP responses using stapling. Stapling is a time-stamped OCSP response signed by the Certificate Authority. The certificate holder queries the OCSP server at regular intervals and gets a signed, time-stamped response. Stapling eliminates the need for clients to contact the CA. |
| resolver 1.1.1.1 1.0.0.1 | Use Cloudflare OCSP DNS resolvers. |
Example nginx.conf SSL settings
# SSL Settings
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:1m;
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;
# Cloudflare OCSP DNS resolvers
resolver 1.1.1.1 1.0.0.1;
Enable HTTP Strict Transport Security (HSTS)
Edit website configuration file and enable OCSP stapling
nano /etc/nginx/sites-available/yourdomain.confadd_header Strict-Transport-Security "max-age=63072000" always;
Enabling HSTS means that your website can only be accessed using HTTPS. Web browsers will upgrade all connections to HTTPS
max-age=31536000. The domain must be accessed using HTTPS for one year
The path to all three certificate files needs to be included in the website conf file.
fullchain.pem, privkey.pem, chain.pem
fullchain.pem, privkey.pem, chain.pem
Example Website configuration SSL settings
# https server block
server {
listen 443 ssl http2;
server_name yourdomain.com;
root /var/www/yourdomain.com/html;
index index.html index.php;
# ssl certificates
ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/yourdomain.com/chain.pem;
# Strict Transport Security (HSTS)
add_header Strict-Transport-Security "max-age=63072000" always;
}
Test config and reload Nginx
# Test Nginx config nginx -t # Reload Nginx service nginx reload
Nginx website now has an SSL Labs A+ rating
Comments