10to7-ITDog-Handbook

Be a pro, man!

Get a 100% score on SSL Labs with NGINX and Let's Encrypt

SSL Labs is a collection of documents, tools and thoughts related to SSL. It's an attempt to better understand how SSL is deployed, and an attempt to make it better. I hope that, in time, SSL Labs will grow into a forum where SSL will be discussed and improved.

SSL Labs is a non-commercial research effort, and we welcome participation from any individual and organization interested in SSL.

-- Ivan Ristić, Qualys

You may test your website now to see the current score:
https://www.ssllabs.com

If you get an A, that is good enough for most sites.
But if you are a perfectionist and want 100 in every one of the four categories (plus the A+), read the points below.

Request a 4096-bit key from Let's Encrypt

The "Key Exchange" category scores 90 for a 2048-bit RSA key and reaches 100 only from 4096 bits up. Add this parameter when you run certbot; it applies to certificates obtained from then on, so an existing 2048-bit certificate must be obtained again with the flag set. On certbot 2.0 and later the default key type is ECDSA, so pass --key-type rsa alongside it.

--rsa-key-size 4096

Use only TLS v1.2

"Protocol Support" drops below 100 as soon as TLS 1.0 or 1.1 is offered. In /etc/nginx/nginx.conf

ssl_protocols TLSv1.2;

TLS 1.3 (nginx 1.13.0 or later built against OpenSSL 1.1.1 or later) may be listed alongside it without lowering the score. Be aware that a TLS 1.2-only server locks out old clients such as Android 4.3 and earlier or IE 10 with default settings; the "Handshake Simulation" section of the report shows exactly who can no longer connect.

Use only strong ciphers

"Cipher Strength" scores 100 only when every offered suite uses 256-bit keys, so the list below allows nothing but AES-256 with ECDHE or DHE key exchange (forward secrecy) and drops the anonymous (aNULL) suites:

ssl_prefer_server_ciphers on;
ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;

Server-side ordering makes the server's list win over the client's preference. Two caveats: the list still contains the CBC-mode suites, which the report labels WEAK without affecting the grade, and the EDH entries are only ever offered once the DH parameters below are configured.

Use 4096-bit DH parameters

The same rule as for the certificate key applies to the DH parameters used by the DHE (EDH) suites: below 4096 bits the key exchange score is 90. Generate them on your server. The options must come before the size (the reversed order is rejected by current OpenSSL), the directory /etc/nginx/cert/ must already exist, and expect the command to run for a good while on a small machine:

sudo openssl dhparam -out /etc/nginx/cert/dhparam.pem 4096

In /etc/nginx/nginx.conf

ssl_dhparam /etc/nginx/cert/dhparam.pem;

Use HTTP Strict Transport Security

A+ (rather than A) requires HSTS with a max-age of at least six months (15768000 seconds; one year is used here). In /etc/nginx/nginx.conf

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

"always" sends the header on error responses too, not only on success and redirect responses. Check two things before enabling it: includeSubDomains commits every subdomain to HTTPS for the whole max-age, so any HTTP-only subdomain breaks for returning visitors, and nginx does not inherit add_header into a server or location block that has any add_header of its own, so repeat the line in such blocks. Browsers honour the header only when it arrives over HTTPS.

Sample nginx.conf (partial)

http {
    ##
    # SSL Settings
    ##

    # "ssl on;" used to go here. It is deprecated since nginx 1.15.0 and was
    # removed in 1.25.1; enable TLS per listener with "listen 443 ssl;" in the
    # server block instead.
    ssl_certificate /etc/letsencrypt/live/y2kbug.xyz/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/y2kbug.xyz/privkey.pem;
    # P-384 only: SSL Labs rates P-256 and X25519 as 3072-bit RSA equivalents
    # (key exchange 90) and P-384 as 7680-bit (100).
    ssl_ecdh_curve secp384r1;
    ssl_session_cache shared:TLS:2m;
    ssl_session_timeout 5m;
    ssl_buffer_size 4k;
    ssl_session_tickets off;
    ssl_protocols TLSv1.2;
    ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/cert/dhparam.pem;

    server_tokens off;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    # Legacy header that current browsers ignore; harmless, but not part of the SSL Labs score.
    add_header X-XSS-Protection "1; mode=block";

    # ... server blocks (each with "listen 443 ssl;") follow ...
}

And it's time to test again now.
Remember to validate the configuration (nginx -t) and reload NGINX first; none of the settings above are live until you do.
https://www.ssllabs.com
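Before spending an SSL Labs run, it helps to audit the configuration file offline. The script below is an added example written for this page, not part of the handbook, NGINX or certbot. It checks a configuration against the points above (protocol list, server cipher order, dhparam, HSTS lifetime and the deprecated "ssl on") and measures the prime in a dhparam.pem so a file generated with the default size is caught. The sample configs, the audit rules and the thresholds (15768000 s for HSTS, the TLSv1.2/TLSv1.3 allow-list) are this example's own assumptions; the DH PARAMETERS fixture is constructed, deliberately non-prime, and exists only to exercise the parser.

```python
import base64
import re

# Assumed thresholds: SSL Labs gives A+ only with HSTS max-age >= six months, and
# "Protocol Support" stays at 100 only while nothing older than TLS 1.2 is offered.
HSTS_MIN_MAX_AGE = 15768000
STRONG_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
_TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|[;{}]|[^\s;{}"\']+')  # quoted string | ; { } | bare word

def directives(conf):
    """Yield (name, args) per directive; comments stripped (even inside quotes), nesting ignored."""
    current = []
    for tok in _TOKEN.findall(re.sub(r"#[^\n]*", "", conf)):
        if tok in (";", "{", "}"):
            if current:
                yield current[0], [t.strip("\"'") for t in current[1:]]
            current = []
        else:
            current.append(tok)

def audit(conf):
    """Return the checklist violations found in conf; an empty list means it passes."""
    seen = {}
    for name, args in directives(conf):
        seen.setdefault(name, []).append(args)
    last = lambda name: seen.get(name, [[]])[-1]  # a later directive overrides an earlier one
    findings = []
    if "ssl" in seen:
        findings.append('"ssl on" is deprecated since nginx 1.15.0 and gone in 1.25.1; use "listen 443 ssl"')
    weak = set(last("ssl_protocols")) - STRONG_PROTOCOLS
    if weak or not last("ssl_protocols"):
        findings.append(f"ssl_protocols must allow only TLSv1.2/TLSv1.3 (found {sorted(weak) or 'nothing'})")
    if last("ssl_prefer_server_ciphers") != ["on"]:
        findings.append("ssl_prefer_server_ciphers should be on so the server's cipher order wins")
    if "ssl_dhparam" not in seen:
        findings.append("ssl_dhparam is unset: nginx offers no DHE suites, so AES256+EDH never applies")
    hsts = [a for a in seen.get("add_header", []) if a and a[0].lower() == "strict-transport-security"]
    if not hsts:
        findings.append("no Strict-Transport-Security header: A+ needs HSTS")
    else:
        args = hsts[-1]
        match = re.search(r"max-age=(\d+)", args[1] if len(args) > 1 else "")
        if not match or int(match.group(1)) < HSTS_MIN_MAX_AGE:
            findings.append(f"HSTS max-age is below the {HSTS_MIN_MAX_AGE} s needed for A+")
        if args[-1] != "always":
            findings.append("HSTS add_header lacks 'always': the header is omitted on error responses")
    return findings

def _der_len(der, i):
    """Decode the DER length at der[i]; return (length, index of the first content byte)."""
    if der[i] & 0x80:
        n = der[i] & 0x7F
        return int.from_bytes(der[i + 1:i + 1 + n], "big"), i + 1 + n
    return der[i], i + 1

def dhparam_bits(pem):
    """Bit size of p in a PKCS#3 'DH PARAMETERS' PEM, i.e. DER SEQUENCE { INTEGER p, INTEGER g }."""
    der = base64.b64decode("".join(line for line in pem.splitlines() if not line.startswith("-----")))
    _, i = _der_len(der, 1)  # step over the SEQUENCE header to its first element
    if der[0] != 0x30 or der[i] != 0x02:
        raise ValueError("not SEQUENCE { INTEGER, ... }")
    length, i = _der_len(der, i + 1)
    return int.from_bytes(der[i:i + length], "big").bit_length()

def _der_len_enc(n):
    width = (n.bit_length() + 7) // 8
    return bytes([n]) if n < 128 else bytes([0x80 | width]) + n.to_bytes(width, "big")

def constructed_dhparam_pem(bits):
    """Constructed fixture only: p has the requested size but is NOT prime. Never use it on a server."""
    def der_int(n):
        raw = n.to_bytes(n.bit_length() // 8 + 1, "big")  # spare byte keeps the sign bit clear
        return b"\x02" + _der_len_enc(len(raw)) + raw
    body = der_int((1 << (bits - 1)) | 1) + der_int(2)
    b64 = base64.b64encode(b"\x30" + _der_len_enc(len(body)) + body).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + "\n-----END DH PARAMETERS-----\n"

# Constructed samples: one with old protocols, "ssl on", no dhparam and a six-week HSTS,
# one with the settings this page recommends.
WEAK_CONF = """http {
    ssl on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    add_header Strict-Transport-Security "max-age=3628800";
}"""
HARDENED_CONF = """http {
    ssl_protocols TLSv1.2;
    ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/cert/dhparam.pem;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
}"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {audit(conf) or 'OK'}")
    print("dhparam bits:", dhparam_bits(constructed_dhparam_pem(4096)))
```

Run it as-is to see the findings for the two embedded configs, or point it at your own files with audit(open("/etc/nginx/nginx.conf").read()) and dhparam_bits(open("/etc/nginx/cert/dhparam.pem").read()). The tokenizer is deliberately simple and does not follow include directives, so run it on the file that actually holds the SSL settings; the dhparam check reads only the size of p, which is all the score depends on.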