User:Rascul.io/ssl

Here I will describe my SSL setup for https://rascul.io.

Basics
https://rascul.io runs on Nginx with a certificate from https://startssl.com. I have received high scores from SSL Labs which can be viewed at https://www.ssllabs.com/ssltest/analyze.html?d=rascul.io.

Nginx Configuration
Below is my SSL/HTTPS related configuration found in the http block of nginx.conf for https://rascul.io. More information about them might be found at http://nginx.org/en/docs/http/ngx_http_ssl_module.html.

http { # Prefer server ciphers over client ciphers, which hopefully will make use of    # the stronger ciphers I've selected over potentially weaker ciphers the # browser might specify. ssl_prefer_server_ciphers on; # This list of ciphers is the strongest available that I've been able to come # up with which support forward secrecy and are compatible with as many clients # as possible. ssl_ciphers kECDHe+AES:EECDH+AESGCM:EECDH+AES256:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DES-CBC3-SHA; # SSLv3 is required in order to support Java6 with this configuration. # But we don't want SSL at all because of poodle. # All other clients should be using TLS. ssl_protocols TLSv1.2 TLSv1.1 TLSv1; # Share the session cache between all worker processes. ssl_session_cache shared:SSL:10m; # Sessions last for 10 minutes (default is five minutes). ssl_session_timeout 10m; # File containing DH Parameters, used for ECHDE ciphers. To create the file: # openssl dhparam -outform pem -out dhparam4096.pem 4096 ssl_dhparam /etc/ssl/dhparam4096.pem; }

Host Specific Configuration
This is the host specific configuration, I keep it in the file /etc/nginx/sites-available/rascul.io and it is symlinked to /etc/nginx/sites-enables/rascul.io. Only the SSL/HTTPS related directives are included here.

server { # Apply these directives to HTTP on port 80. Basically all I'm doing here is    # forcing the connection to HTTPS on port 443. listen 80; # rascul.io will never support a www subdomain. server_name rascul.io; # A 301 redirect to force https. return 301 https://$host$request_uri; } server { # Support connections with SSL and SPDY. listen 443 ssl spdy; # Once again, rascul.io will never support a www subdomain. server_name rascul.io; # Use HSTS to specify rascul.io should be connected to via HTTPS only. add_header Strict-Transport-Security "max-age=31536000"; # Announce SPDY support (check spdy at https://spdycheck.org) add_header Alternate-Protocol 443:npn-spdy/3,443:npn-spdy/2; # Compress SPDY headers spdy_headers_comp 6; # Enable SSL for this server. ssl on; # Certificate chain. The format is described in the nginx documentation: # http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_certificate ssl_certificate /etc/ssl/rascul.io/ssl-unified.crt; # Specify the private key for rascul.io. Remember to ensure permissions and # ownership of the private key are restrictive. ssl_certificate_key /etc/ssl/rascul.io/ssl.key; # Enable stapling of OSCP responses by the server. ssl_stapling on; # Verify OSCP responses. ssl_stapling_verify on; # Trusted CA certificates used for OSCP. Once again, refer to nginx docs: # http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_trusted_certificate ssl_trusted_certificate /etc/ssl/rascul.io/trustchain.crt; }