nginx and Let's Encrypt with strong SSL ciphers

Let's Encrypt

Let's Encrypt is a certificate authority that launched on April 12, 2016 and provides free X.509 certificates for Transport Layer Security (TLS) encryption. Issuance is fully automated, which replaces the complex manual process of creating, validating, signing, installing and renewing certificates for secure websites.

SSL certificate renewal

Let's Encrypt certificates are valid for three months, and certbot renews them automatically. nginx, however, only picks up the renewed certificate after a reload, so automate that reload with a script in /etc/letsencrypt/renewal-hooks/post/:

/etc/letsencrypt/renewal-hooks/post/nginx.sh
#!/bin/sh
# Reload nginx so it picks up the renewed certificate files.
systemctl reload nginx.service

Make it executable:

sudo chmod +x /etc/letsencrypt/renewal-hooks/post/nginx.sh


nginx


SSL cipher suite

Edit the global configuration file:

/etc/nginx/nginx.conf
##
# SSL Settings
##
 
ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers on;


HTTP headers

Create a configuration file:

/etc/nginx/conf.d/headers.conf
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options DENY;


Restart nginx

sudo systemctl restart nginx.service
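After the restart it is worth confirming from the outside that the configuration took effect, for two reasons. First, `ssl_protocols TLSv1.3;` refuses any client that only speaks TLS 1.2, so you want to see the negotiated version. Second, nginx applies `add_header` directives from an enclosing block only when the current block defines none of its own, so a `server` or `location` block with a single `add_header` line of its own silently drops everything in headers.conf for that scope. The following Python script is an added example, not code from the original page: it connects to a host, reports the negotiated TLS version and cipher, and checks the response headers against the values set above. The host name, port and path are placeholders; `parse_hsts` and `check_headers` also work offline on any header mapping, so they can be used to check a captured response.

```python
"""Post-deployment check for the nginx TLS and header configuration on this
page. Added example; the target host, port and path are placeholders."""
import ssl
from http.client import HTTPSConnection

# Values the page's headers.conf sets, used as the expected baseline.
EXPECTED_HSTS_MAX_AGE = 63072000  # two years, as in the add_header line
EXPECTED_HEADERS = {
    "x-content-type-options": "nosniff",
    "x-frame-options": "DENY",
}


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into its directives.

    Returns e.g. {"max-age": 63072000, "includesubdomains": True,
    "preload": True}. Directive names are case-insensitive (RFC 6797), so
    they are lower-cased; a missing or malformed max-age becomes None.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            val = val.strip().strip('"')
            directives["max-age"] = int(val) if val.isdigit() else None
        else:
            directives[name] = True
    return directives


def check_headers(headers):
    """Compare a mapping of response headers (names case-insensitive) with
    the page's configuration. Returns a list of findings; an empty list means
    every expected header is present with the expected value."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = lower.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security header missing")
    else:
        d = parse_hsts(hsts)
        if d.get("max-age") is None or d["max-age"] < EXPECTED_HSTS_MAX_AGE:
            findings.append("HSTS max-age below %d" % EXPECTED_HSTS_MAX_AGE)
        if not d.get("includesubdomains"):
            findings.append("HSTS lacks includeSubDomains")
        if not d.get("preload"):
            findings.append("HSTS lacks preload")
    for name, expected in EXPECTED_HEADERS.items():
        actual = lower.get(name)
        if actual is None:
            findings.append("%s header missing" % name)
        elif actual.strip().lower() != expected.lower():
            findings.append("%s is %r, expected %r" % (name, actual, expected))
    return findings


def check_tls(host, port=443, path="/", timeout=5.0):
    """Connect with the system's default TLS settings (live network call) and
    report the negotiated version and cipher plus the header findings."""
    context = ssl.create_default_context()
    conn = HTTPSConnection(host, port, timeout=timeout, context=context)
    conn.request("HEAD", path, headers={"Host": host})
    resp = conn.getresponse()
    sock = conn.sock  # the SSLSocket http.client wrapped for us
    result = {
        "tls_version": sock.version(),   # expect "TLSv1.3" with this config
        "cipher": sock.cipher()[0],
        "status": resp.status,
        "findings": check_headers(dict(resp.getheaders())),
    }
    conn.close()
    return result


if __name__ == "__main__":
    import sys
    # Placeholder host; pass your own as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "example.invalid"
    print(check_tls(target))
```

Run it once per virtual host and per path that has its own `location` block, since the inheritance rule above means the headers can be present on `/` and absent on `/api/`. An empty `findings` list together with `tls_version == "TLSv1.3"` is the state the page's configuration is meant to produce.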