From IndieWeb

Here I will describe my SSL setup for

Basics

runs on Nginx with a certificate from. I have received high scores from SSL Labs, which can be viewed at


Nginx Configuration

Below is my SSL/HTTPS-related configuration, found in the http block of nginx.conf for. More information about these directives can be found at

http {
    # Prefer server ciphers over client ciphers, so that the stronger ciphers I've
    # selected are used in preference to potentially weaker ciphers the browser
    # might propose.
    ssl_prefer_server_ciphers on;
    # This list of ciphers is the strongest available that I've been able to come
    # up with which supports forward secrecy and is compatible with as many clients
    # as possible.
    # SSLv3 would be required to support Java 6 with this configuration, but SSLv3
    # is left out entirely because of POODLE. All other clients should be using TLS.
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    # Share the session cache between all worker processes.
    ssl_session_cache shared:SSL:10m;
    # Sessions last for 10 minutes (default is five minutes).
    ssl_session_timeout 10m;
    # File containing DH parameters, used for DHE ciphers (ECDHE ciphers use named
    # curves and do not need this file). To create the file:
    # openssl dhparam -outform pem -out dhparam4096.pem 4096
    ssl_dhparam /etc/ssl/dhparam4096.pem;
}

Host Specific Configuration

This is the host-specific configuration. I keep it in the file /etc/nginx/sites-available/ and it is symlinked to /etc/nginx/sites-enabled/. Only the SSL/HTTPS-related directives are included here.

server {
    # Apply these directives to HTTP on port 80. Basically all I'm doing here is
    # forcing the connection to HTTPS on port 443.
    listen 80;
    # will never support a www subdomain.
    # A 301 redirect to force https.
    return 301 https://$host$request_uri;
}

server {
    # Support connections with SSL and SPDY. (SPDY support was later removed from
    # nginx in favour of HTTP/2.)
    listen 443 ssl spdy;
    # Once again, will never support a www subdomain.
    # Use HSTS to specify should be connected to via HTTPS only.
    add_header Strict-Transport-Security "max-age=31536000";
    # Announce SPDY support (check spdy at
    add_header Alternate-Protocol 443:npn-spdy/3,443:npn-spdy/2;
    # Compress SPDY headers.
    spdy_headers_comp 6;
    # Enable SSL for this server (redundant with the ssl parameter on the listen
    # directive above, which later nginx versions prefer).
    ssl on;
    # Certificate chain. The format is described in the nginx documentation:
    ssl_certificate /etc/ssl/;
    # Specify the private key for Remember to ensure permissions and
    # ownership of the private key are restrictive.
    ssl_certificate_key /etc/ssl/;
    # Enable stapling of OCSP responses by the server.
    ssl_stapling on;
    # Verify OCSP responses.
    ssl_stapling_verify on;
    # Trusted CA certificates used for OCSP. Once again, refer to nginx docs:
    ssl_trusted_certificate /etc/ssl/;
}
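To confirm that a configuration really has the properties described on this page (no SSLv3, HSTS with a one-year max-age, OCSP stapling enabled and verified, and a 301 redirect from port 80 to https), here is a small audit script. It is an added example, not part of this page or of nginx; it assumes a simplified view of the config grammar (no `#` or `;` inside quoted values, `include` not followed) and runs on a constructed fragment condensed from the directives above.

```python
import re
# Constructed sample (not the page's real nginx.conf): its TLS directives condensed into one fragment.
SAMPLE_CONF = """
http {
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;   # no SSLv3 because of POODLE
    server { listen 80; return 301 https://$host$request_uri; }
    server {
        listen 443 ssl; add_header Strict-Transport-Security "max-age=31536000";
        ssl_stapling on; ssl_stapling_verify on;
    }
}
"""

def parse(text):
    """Flatten a config into (server_index, name, args); index is None outside server blocks.
    Comments are dropped and double quotes stripped (assumes no '#' or ';' inside quotes)."""
    tokens = re.findall(r'"[^"]*"|[;{}]|[^\s;{}]+', re.sub(r"#[^\n]*", "", text))
    stack, cur, out, nserver, sid = [], [], [], 0, None
    for tok in tokens:
        if tok == "{":                          # block opens: number each server block
            if cur and cur[0] == "server":
                nserver = sid = nserver + 1
            stack.append(sid); cur = []
        elif tok == "}":                        # block closes: back to the enclosing server
            stack.pop(); sid = stack[-1] if stack else None
        elif tok == ";":                        # a simple directive is complete
            out.append((sid, cur[0], [a.strip('"') for a in cur[1:]])); cur = []
        else:
            cur.append(tok)
    return out

def audit(text):
    """Return findings for the hardening points above; an empty list means all pass."""
    d, f = parse(text), []
    first = lambda name, s="any": next((a for sv, n, a in d if n == name and s in ("any", sv)), None)
    if any(p.startswith("SSLv") for p in first("ssl_protocols") or ["SSLv3"]):
        f.append("ssl_protocols must be set and exclude SSLv3 (POODLE)")  # unset treated as SSLv3
    for s in sorted({sv for sv, _, _ in d if sv is not None}):
        if any("ssl" in a for sv, n, a in d if sv == s and n == "listen"):   # TLS server
            hsts = next((a[1] for sv, n, a in d if sv == s and a[:1] == ["Strict-Transport-Security"]), "")
            m = re.search(r"max-age=(\d+)", hsts)
            if not m or int(m.group(1)) < 31536000:
                f.append(f"server {s}: HSTS header missing or max-age under one year")
            f += [f"server {s}: {n} is not on" for n in ("ssl_stapling", "ssl_stapling_verify")
                  if first(n, s) != ["on"]]
        else:                                                                # plain-HTTP server
            ret = first("return", s) or []
            if len(ret) < 2 or ret[0] != "301" or not ret[1].startswith("https://"):
                f.append(f"server {s}: port-80 server does not 301 to https://")
    return f
```

Run it as `audit(open("/etc/nginx/nginx.conf").read())` on a file with the includes pasted in; each finding names the server block (in order of appearance) it applies to.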