When setting up nginx to use HTTPS we checked the site with the Qualys SSL Server Test.
The result page showed several hints for improving the TLS configuration; the changes below address them.

SSL Configuration


Key Exchange / DHE (Ephemeral Diffie-Hellman) parameters

Older nginx releases fall back to a built-in 1024-bit Diffie-Hellman group when ssl_dhparam is not set, which the Qualys test flags as weak; recent releases ship no built-in group at all and simply leave the DHE cipher suites disabled. Either way, generate your own parameters of at least 2048 bits (this takes a while, minutes for 4096 bits):

    sudo openssl dhparam -out /etc/ssl/private/dhparams.pem 2048

This creates the file /etc/ssl/private/dhparams.pem containing the new DH parameters. They are public values, not a secret key, so the file needs no special protection, but the nginx master process must be able to read it at startup.
The file is referenced in the nginx configuration with the ssl_dhparam directive.
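To automate the generation and to verify the result before pointing ssl_dhparam at it, here is an added shell script (not part of the original post). It creates the file if it is missing and checks the parameter size that openssl reports. The paths are the ones used above; the DH_RUN guard and the helper names are my additions, and openssl is assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the original post: generate DH parameters for nginx
# and verify their size before referencing them with ssl_dhparam.
# Assumptions: openssl is installed; the paths match the ones used in the post.
set -eu

DH_FILE="${DH_FILE:-/etc/ssl/private/dhparams.pem}"
DH_BITS="${DH_BITS:-2048}"

# Extract the bit length from `openssl dhparam -text` output, e.g. the line
# "    DH Parameters: (2048 bit)" yields 2048. Pure text parsing, no openssl call,
# so it can be checked on a constructed sample.
dh_bits_from_text() {
    printf '%s\n' "$1" | sed -n 's/.*DH Parameters: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Return 0 if the given bit length meets the minimum (default 2048), else 1.
# An empty length (nothing parsed) is treated as a failure.
dh_bits_ok() {
    bits="$1"; min="${2:-2048}"
    if [ -n "$bits" ] && [ "$bits" -ge "$min" ]; then
        return 0
    fi
    return 1
}

# Generate the parameters only if the file is absent or empty.
generate_dh() {
    if [ ! -s "$DH_FILE" ]; then
        openssl dhparam -out "$DH_FILE" "$DH_BITS"
    fi
}

# Verify the file: -check validates the group, -text reports its size.
verify_dh() {
    text=$(openssl dhparam -in "$DH_FILE" -check -text -noout)
    bits=$(dh_bits_from_text "$text")
    if dh_bits_ok "$bits" 2048; then
        echo "OK: $DH_FILE has $bits-bit DH parameters"
    else
        echo "WEAK: $DH_FILE has ${bits:-unknown}-bit DH parameters (want >= 2048)" >&2
        return 1
    fi
}

# The openssl steps run only when DH_RUN=1 is set, so the helper functions
# can be sourced and checked without touching /etc/ssl/private.
if [ "${DH_RUN:-0}" = "1" ]; then
    generate_dh
    verify_dh
fi
```

Run it as `sudo DH_RUN=1 sh gen-dhparams.sh`; a non-zero exit means the file is missing, corrupt, or smaller than 2048 bits and should not be referenced from nginx.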

Common SSL Configuration for all virtual hosts

Usually the SSL configuration is placed inside every server block (virtual host).
With more than one virtual host that means repeating the same directives in every server block, and a later change (for example dropping a protocol version) has to be made in every copy. As software developers we do not like repetition (don't repeat yourself...).
Include files save us from configuring SSL multiple times.
We use (at least) two kinds of include files for the SSL configuration:

  • an include file for the generic SSL settings like SSL protocols, used ciphers, etc.
  • one include file for every SSL certificate in use

The following steps assume that the SSL certificate files (the certificate bundle and the private key) are already prepared and stored in the directory /usr/local/nginx/conf/current/.

  • Change into the nginx configuration directory:
    cd /etc/nginx/
  • Create a new sub-directory `defaultsslconf`:
    sudo mkdir -p defaultsslconf/
  • Put the generic settings into a new file defaultsslconf/defaultssl.conf:
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/private/dhparams.pem;
    The `ssl on;` directive is not needed when the server block uses `listen 443 ssl`; it has been deprecated since nginx 1.15.0 and breaks plain-HTTP listeners in the same block. Note also that TLS 1.0 and 1.1 are deprecated by RFC 8996 and are marked down by the Qualys test, so on a current deployment restrict the protocol list to TLS 1.2 and 1.3.
  • Create a new file for every SSL certificate you are using, e.g. for the certificate of "example.com" create defaultsslconf/example.ssl.conf with the following content (the bundle file holds the server certificate first, followed by the intermediate certificates):
    ssl_certificate      /usr/local/nginx/conf/current/example.com.bundle.crt;
    ssl_certificate_key  /usr/local/nginx/conf/current/example.com.key;
  • When defining a new server/virtual host, reference both include files:
    server {
        listen 443 ssl;
        server_name example.com;
        include defaultsslconf/defaultssl.conf;
        include defaultsslconf/example.ssl.conf;
    }
  • Check the configuration for syntax errors (nginx -t) and restart nginx:
    sudo service nginx restart

With this configuration setup a change in the SSL configuration has only to be done once for all virtual hosts.
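As an added example (not the post's own configuration files), here is the complete include layout with the generic file updated to what a current Qualys scan expects: TLS 1.0/1.1 dropped, an explicit forward-secret cipher list, and the DH parameters generated above. The cipher list, the sites-enabled path and the document root are my assumptions, not values from the post.

```nginx
# --- /etc/nginx/defaultsslconf/defaultssl.conf ---------------------------
# Generic TLS settings shared by every virtual host (added example, not the
# post's own file). Protocol and cipher choices are assumptions for a
# current nginx/OpenSSL build.

# TLS 1.0 and 1.1 are deprecated (RFC 8996); leaving them enabled caps the grade.
ssl_protocols TLSv1.2 TLSv1.3;

# TLS 1.2 suites: forward-secret ECDHE with AEAD only. TLS 1.3 suites are not
# listed here; OpenSSL negotiates them on its own.
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers on;

# Parameters generated with `openssl dhparam ... 2048`; without this directive
# DHE suites are either weak (old nginx) or unavailable (recent nginx).
ssl_dhparam /etc/ssl/private/dhparams.pem;

# --- /etc/nginx/defaultsslconf/example.ssl.conf --------------------------
# One file per certificate. The bundle must contain the server certificate
# first, followed by the intermediates, or clients fail chain validation.
ssl_certificate      /usr/local/nginx/conf/current/example.com.bundle.crt;
ssl_certificate_key  /usr/local/nginx/conf/current/example.com.key;

# --- /etc/nginx/sites-enabled/example.com.conf (assumed path) ------------
server {
    listen 443 ssl;
    server_name example.com;

    include defaultsslconf/defaultssl.conf;   # shared hardening
    include defaultsslconf/example.ssl.conf;  # this host's certificate

    location / {
        root /var/www/example.com;            # assumed document root
    }
}
```

Adding a second host means one new certificate file and one new server block with the same two include lines; a later protocol or cipher change touches only defaultssl.conf. Run `sudo nginx -t` before reloading, then re-run the Qualys test to confirm the weak-DH and TLS 1.0/1.1 findings are gone.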

Hide server and version

Create a new file disableservertokens.conf in /etc/nginx/conf.d with the following content (the stock nginx.conf of the Debian/Ubuntu packages includes /etc/nginx/conf.d/*.conf inside the http block; if yours does not, put the directive into the http block directly):

    server_tokens off;

This stops nginx from emitting its version in its own error pages and in the "Server" response header, so a scanner no longer learns the exact release (e.g. nginx/1.x.y) and cannot match it against known vulnerabilities. Note that the header still reads "Server: nginx"; stock nginx cannot remove or rewrite the product name, which requires a third-party module such as headers-more-nginx-module.
More information on nginx and ssl security: https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html