Configure nginx for PFS and ssllabs.com A Rating

2013/07/16

Here is a quick nginx configuration that scores an 'A' on ssllabs.com. The example is from Debian Wheezy with OpenSSL 1.0.1e and nginx 1.2.1. It also enables Perfect Forward Secrecy (PFS) by preferring the ECDHE suites: every session derives its keys from an ephemeral Diffie-Hellman exchange rather than from the server's RSA key, so someone who records the traffic today (the NSA or anyone else) cannot decrypt it later by obtaining the server's private key. The two RC4 suites and the TLSv1/TLSv1.1 protocols are there only for compatibility with old clients as of 2013; RC4 has since been prohibited in TLS (RFC 7465) and TLS 1.0/1.1 deprecated (RFC 8996), so a configuration that still offers them no longer earns an A today.


server
{
    listen 443;
…
    # 'ssl on;' is the nginx 1.2 form; later releases use 'listen 443 ssl;' instead.
    ssl on;
    ssl_certificate     /etc/ssl/example.com.crt;
    ssl_certificate_key /etc/ssl/example.com.key;

    # No SSLv3. TLSv1/TLSv1.1 kept only for old clients.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    # Enforce our order so capable clients land on the ECDHE (forward-secret) suites first.
    ssl_prefer_server_ciphers on;

    # ECDHE-* suites provide PFS; AES128-SHA and RC4-SHA (plain RSA key exchange) do not.
    # The RC4 suites were included for compatibility in 2013 and are now considered broken.
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:AES128-SHA:RC4-SHA;

    # Shared session cache across workers (10 MB holds roughly 40,000 sessions).
    ssl_session_cache shared:SSL:10m;

    # HSTS: 43200 seconds is only 12 hours; raise it once you are sure every subdomain serves HTTPS.
    add_header Strict-Transport-Security max-age=43200;
…

}


[Screenshot: ssllabs.com report for the nginx configuration above]

If you are stuck with Apache 2.2, one option is to put nginx in front of Apache as a TLS-terminating reverse proxy: the ECDHE suites that provide PFS are available in nginx with OpenSSL 1.0.1, whereas Apache 2.2's mod_ssl did not support them at the time of writing.
