Nginx: Unterschied zwischen den Versionen

Version vom 9. Mai 2014, 09:24 Uhr

some nginx hints

Inhaltsverzeichnis

1 SSL stuff

SSL stuff

hardening SSL

post snowden ssl-hardening:

ssl_prefer_server_ciphers On;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 SSLv3;
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;

PFS

cd /path/to/your/certs/
openssl dhparam -out dhparam.pem 2048

and edit nginx config:

ssl_dhparam /path/to/your/certs/dhparam.pem;

HSTS

HTTP Strict Transport Security.
if possible run https ONLY pages...
in post-snowden age this should be done... so add to your port-80-vhost:

server {
   [...]
   add_header Strict-Transport-Security max-age=15768000;
   return 301 https://www.traumartig.de$request_uri;
   [...]
}

SSL test

test you ssl-implementation here:

@@ Zeile 2: / Zeile 2: @@
-== hardening SSL ==
+== SSL stuff ==
+=== hardening SSL ===
 post snowden ssl-hardening:
@@ Zeile 11: / Zeile 14: @@
-== PFS ==
+=== PFS ===
   cd /path/to/your/certs/
@@ Zeile 19: / Zeile 22: @@
   ssl_dhparam /path/to/your/certs/dhparam.pem;
+=== HSTS ===
+HTTP Strict Transport Security. <br/>
+if possible run https ONLY pages... <br/>
+in post-snowden age this should be done... so add to your port-80-vhost:
+ server {
+    [...]
+    add_header Strict-Transport-Security max-age=15768000;
+    return 301 https://www.traumartig.de$request_uri;
+    [...]
+ }
+=== SSL test ===
+test you ssl-implementation here:
+# [https://www.ssllabs.com/ssltest/ SSL-Server-Test]
+# [https://www.ssllabs.com/ssltest/viewMyClient.html SSL-Client/Browser-Test]

Nginx: Unterschied zwischen den Versionen

Version vom 9. Mai 2014, 09:24 Uhr

Inhaltsverzeichnis

SSL stuff

hardening SSL

PFS

HSTS

SSL test

Navigationsmenü

Ansichten

Meine Werkzeuge

Navigation

Suche

Werkzeuge