Claudio Borges

Hi Folks, in this post I’ll show you how to configure your SSL Virtual Host to get an A+ on SSL Labs.

SSL and security issues, in general, are complicated subjects and I won’t describe all SSL aspects, just a few configurations to have the perfect environment with NginX.

The pre-requisites to get an A+ on SSL Labs is to have OpenSSL 1.0 or later. It’s necessary because you need to use TLS 1.2 and your NginX package must be built with it. If you are running the latest version of Debian, Ubuntu or CentOS, you’re already using OpenSSL 1.0.

PS: If you want to use the latest NginX build (1.9.3) for CentOS or Debian, click here.

Continuing with the article, let’s talk about protocols. SSLv2 and SSLv3 are insecure protocols, as every System Administrator knows (or at least should know). SSLv2 doesn’t provide a sufficiently high level of security and it’s deprecated in RFC 6176. On the other hand, SSLv3 was killed by the POODLE attack and it’s deprecated in RFC 7568. Probably, these two arguments are enough for you disable both of them completely.

PS: Disabling SSLv2 and SSLv3 won’t let old browsers like IE6 running on Windows XP access your website, because they don’t support TLS.

Within your SSL virtual host, change the ssl_protocols line to enable the TLS protocols as follows:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

With ssl_protocols configured properly, you will configure the ssl_ciphers. The default ciphers suites used by default by the NginX installation (1.0.5 or later), are enough for an excellent compatibility and security:

ssl_ciphers "HIGH:!aNULL:!MD5";

Or if you want to use a custom line with better performance (it will reduce CPU usage) but with less compatibility:

ssl_ciphers "HIGH:!aNULL:!MD5:!DHE-RSA-AES128-SHA256:!DHE-RSA-AES128-SHA:!DHE-RSA-AES128-GCM-SHA256:!DHE-RSA-AES256-GCM-SHA384:!DHE-RSA-AES256-SHA256:!DHE-RSA-AES256-SHA:!DHE-RSA-CAMELLIA256-SHA:!DHE-RSA-DES-CBC3-SHA:!DHE-RSA-CAMELLIA128-SHA";

PS: To see the complete ciphers suites list, click here.

For the configs above to work properly, I mean, for the server ciphers to be preferred over client ciphers, when using the TLS protocols, enable the following option:

ssl_prefer_server_ciphers on;

In addition, you need to configure a few extra steps. They aren’t related with security directly, but with HTTPS performance.

The ssl_session_cache will configure a cache shared between all worker processes. The cache size is specified in bytes and one megabyte can store about 4000 sessions. The ssl_session_timeout specifies a time during which a client may reuse the session parameters stored in cache. To minimize the TTFB (Time To First Byte), it’s beneficial to set a smaller value for ssl_buffer_size .

To configure them, add or modify the lines (if you already have them) as follows:

ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_buffer_size 4k;

It’s time to talk about certificates. Invalid certificates can cause the browser to display warning messages and stop talking with the website. Using a valid certificate is an essential step and sometimes, even using it, you can get warning messages because the certificate signature algorithm is SHA-1. To fix this problem, basically, you need to replace SHA-1 with SHA-2 certificates. To do that, you need to generate a new CSR and request the Certificate Authorities to sign a new certificate with SHA256. SSL Labs or this website can check if your website is using SHA-1.

PS: Don’t forget, you need to get the intermediate CA certificates signed with SHA256 as well.

With the new certificates (if you aren’t using them yet), sometimes it’s necessary to configure the ssl_verify_depth. It sets the verification depth in the client certificates chain.

ssl_verify_depth 3;

Diffie-Hellman is an asymmetric algorithm used by a lot of protocols, including IPSec, SSL, SSH, PGP and other PKI systems. It provides the capability for two communicating parties to agree upon a shared secret key between them. Also, it is an algorithm created to address the issue of secure encrypted keys from being attacked over the internet when in transmission.

The NginX relies on OpenSSL and uses the default Diffie-Hellman DHE key, which includes a 1024-bit key. The problem is, if you are using a Diffie-Hellman primes smaller than 1024-bit, your system is vulnerable to the Logjam Attack. To fix this problem, you need to generate a stronger DHE parameter. I recommend at least a 2048-bit key. The way to generate it is:

mkdir /etc/nginx/ssl
openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048

And configure the NginX to use it:

ssl_dhparam /etc/nginx/ssl/dhparam.pem;

HSTS (HTTP Strict Transport Security) is an IETF standards tracking protocol and it is specified in RFC 6797. It is a web security policy mechanism, which is necessary to protect secure HTTPS websites against downgrade attacks, and it greatly simplifies protection against cookie hijacking. Basically, it tells the browser that the website should only be accessed through a secure connection (SSL), instead of using HTTP.

If you access the HTTPS version of the site, the HSTS header will remember this option when trying to access the same site using HTTP and it will automatically switch to HTTPS, provided that the max-age parameter has not expired.

The HSTS Policy is communicated by the server to the user agent via an HTTP response header field named “Strict-Transport-Security”.

To configure HSTS, add the line below to your SSL Virtual Host as follows:

add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";

The option above tells the web browser to always use SSL to access this website for the next 365 days. More information about HSTS, can be found here.

And now (finally) add the Mod SPDY. SPDY (pronounced speedy) isn’t a security protocol, but an open network protocol developed primarily at Google for transporting web content. It works over SSL/TLS and it manipulates HTTPS traffic with the particular goals of reducing web page load latency and improving web security. It’s the precursor of HTTP2.

PS: The NginX team plans to release new versions of both NginX and NginX Plus by the end of 2015 and they will include support for HTTP/2.

To verify if your NginX package has SPDY support enabled, try this:

# nginx -V 2>&1 | sed -e 's/_module /_module\n/g' | grep spdy

If the command above shows the output “–with-http_spdy_module”, your NginX is ok. If not, you need to install a NginX build with SPDY support. If you are running the latest versions of Debian, Ubuntu or CentOS, you already have SPDY support.

With the SPDY module enabled, let’s configure the SSL virtual host to use it. You just need to change your virtual host from:

listen 443 ssl;

to:

listen 443 ssl spdy;
spdy_headers_comp 3;
add_header Alternate-Protocol 443:npn-spdy/3;

and reload your NginX:

# /etc/init.d/nginx reload

Now with SPDY working correctly, modern browsers will get your site content over SPDY and old browsers will use normal SSL. If you want to check if your site is using SPDY, use the SPDYCheck.org. If you are using Google Chrome, there is an extension that checks if the website your are visiting has the SPDY protocol enabled.

Another good practice is to redirect all HTTP traffic through your SSL virtual host. I mean, accessing this website via HTTP will automatically redirect the user to access the website via SSL/TLS and SPDY. To do that, modify your HTTP virtual host as follows:

server {
    listen 80;
    server_name yodaime.claudioborges.org;
    return 301 https://$server_name$request_uri;

    access_log /var/log/nginx/access.log main;
    error_log /var/log/nginx/error.log notice;
}

My HTTPS virtual host is:

server {
    listen 443 ssl spdy;

    root /srv/default/www;
    index index.php index.html;

    spdy_headers_comp 3;
    add_header Alternate-Protocol 443:npn-spdy/3;

    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";

    server_name yodaime.claudioborges.org;

    access_log /var/log/nginx/access.log main;
    error_log /var/log/nginx/error.log notice;

    ssl on;
    ssl_certificate /etc/nginx/ssl/claudioborges_org.pem;
    ssl_certificate_key /etc/nginx/ssl/claudioborges_org.key;
    ssl_verify_depth 3;

    ssl_dhparam /etc/nginx/ssl/dhparam.pem;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    ssl_ciphers "HIGH:!aNULL:!MD5";

    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_buffer_size 4k;

    location / {
        try_files $uri $uri/ =404;
    }

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_intercept_errors on;
    }

    location = /favicon.ico {
        access_log off;
        log_not_found off;
    }
}

That is all for now folks. If you have any questions about this article, feel free to ask me.