nginx and Let's Encrypt with strong SSL ciphers
Let's Encrypt
Let's Encrypt is a certificate authority that launched on April 12, 2016 that provides free X.509 certificates for Transport Layer Security (TLS) encryption via an automated process designed to eliminate the current complex process of manual creation, validation, signing, installation, and renewal of certificates for secure websites.
By default, certbot generates 2048 bit certificates, but 4096 bit should be preferred. This can be changed in the configuration:
- /etc/letsencrypt/cli.ini
# Use a 4096 bit RSA key instead of 2048 rsa-key-size = 4096
Then renew your certificate by requesting a new one for all your (sub)domains:
sudo certbot --nginx certonly -d quietlife.nl -d www.quietlife.nl -d wiki.quietlife.nl
And select 2: Renew & replace the cert (limit ~5 per 7 days)
.
SSL certificate renewal
Let's Encrypt certificates expire every three months, and certbot automatically renews them. After renewing the certificates, you have to reload nginx. This can be automated with a script you put in /etc/letsencrypt/renewal-hooks/post/
:
- /etc/letsencrypt/renewal-hooks/post/nginx.sh
#!/bin/sh systemctl reload nginx.service
Make it executable:
sudo chmod +x /etc/letsencrypt/renewal-hooks/post/nginx.sh
nginx
Diffie-Hellman Ephemeral Parameters
Diffie–Hellman key exchange (D–H) is a method of securely exchanging cryptographic keys over a public channel and was one of the first public-key protocols as originally conceptualized by Ralph Merkle and named after Whitfield Diffie and Martin Hellman.
Generate dhparams.pem
:
openssl dhparam -out dhparams.pem 4096 sudo mv dhparams.pem /etc/ssl/ sudo chown root:ssl-cert /etc/ssl/dhparams.pem sudo chmod 640 /etc/ssl/dhparams.pem
SSL cipher suite
Edit the global configuration file:
- /etc/nginx/nginx.conf
## # SSL Settings ## ssl_protocols TLSv1.3 TLSv1.2; ssl_prefer_server_ciphers on; ssl_dhparam /etc/ssl/dhparams.pem; ssl_ciphers EECDH+AESGCM:EDH+AESGCM; ssl_ecdh_curve secp521r1:secp384r1; ssl_session_timeout 10m; ssl_session_cache shared:SSL:10m; ssl_session_tickets off; ssl_stapling on;
HTTP headers
Create a configuration file:
- /etc/nginx/conf.d/headers.conf
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; add_header X-Content-Type-Options nosniff; add_header X-Frame-Options DENY;
Restart nginx
sudo systemctl restart nginx.service