Nginx: Difference between revisions
From SchnallIchNet
Cbs (talk | contribs) (Created page with: „some nginx hints == hardening SSL == post snowden ssl-hardening: ssl_prefer_server_ciphers On; ssl_protocols TLSv1 TLSv1.1 TLSv1.2 SSLv3; ssl_ciphers EC…“)
Cbs (talk | contribs)
Zeile 2: | Zeile 2: | ||
− | == hardening SSL == | + | == SSL stuff == |
+ | |||
+ | |||
+ | === hardening SSL === | ||
post snowden ssl-hardening: | post snowden ssl-hardening: | ||
Zeile 11: | Zeile 14: | ||
− | == PFS == | + | === PFS === |
cd /path/to/your/certs/ | cd /path/to/your/certs/ | ||
Zeile 19: | Zeile 22: | ||
ssl_dhparam /path/to/your/certs/dhparam.pem; | ssl_dhparam /path/to/your/certs/dhparam.pem; | ||
+ | |||
+ | |||
+ | === HSTS === | ||
+ | |||
+ | HTTP Strict Transport Security. <br/> | ||
+ | if possible run https ONLY pages... <br/> | ||
+ | in post-snowden age this should be done... so add to your port-80-vhost: | ||
+ | |||
+ | server { | ||
+ | [...] | ||
+ | add_header Strict-Transport-Security max-age=15768000; | ||
+ | return 301 https://www.traumartig.de$request_uri; | ||
+ | [...] | ||
+ | } | ||
+ | |||
+ | |||
+ | === SSL test === | ||
+ | |||
+ | test you ssl-implementation here: | ||
+ | |||
+ | # [https://www.ssllabs.com/ssltest/ SSL-Server-Test] | ||
+ | # [https://www.ssllabs.com/ssltest/viewMyClient.html SSL-Client/Browser-Test] |
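Review bot: the `add_header Strict-Transport-Security max-age=15768000;` line in this hunk sits in the port-80 vhost next to the `return 301 https://...$request_uri;` redirect, but browsers only honour HSTS on responses received over HTTPS (RFC 6797, section 8.1), so as written the header is never applied. Keep the redirect on port 80 and move the add_header line into the listen-443 server block; consider `includeSubDomains` there as well if every subdomain is served over TLS.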
Revision as of 9 May 2014, 09:24
some nginx hints
SSL stuff
hardening SSL
post-Snowden ssl-hardening:

    ssl_prefer_server_ciphers On;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 SSLv3;
    ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
PFS
    cd /path/to/your/certs/
    openssl dhparam -out dhparam.pem 2048
and edit nginx config:
    ssl_dhparam /path/to/your/certs/dhparam.pem;
HSTS
HTTP Strict Transport Security.
If possible, run https-ONLY pages...
In the post-Snowden age this should be done... so add to your port-80 vhost:

    server {
        [...]
        add_header Strict-Transport-Security max-age=15768000;
        return 301 https://www.traumartig.de$request_uri;
        [...]
    }
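The three groups of settings on this page (protocols and ciphers, the dhparam file, and the HSTS header) can be checked mechanically before a reload. The following is an added example, not code from the wiki page: a small Python linter that splits an nginx config into its server blocks, parses the directives, and reports the points a reviewer would raise. One of them is that a Strict-Transport-Security header sent from the port-80 vhost is ignored by browsers (RFC 6797, section 8.1) and therefore belongs in the 443 vhost. The sample config, the host name `www.example.invalid` and the dhparam path are constructed for this example; the nginx-before-1.11.0 fallback to a built-in 1024-bit DH group is stated from the nginx changelog.

```python
"""Lint the nginx SSL settings discussed on this page (added example, not the page's code)."""
import re
from typing import Dict, List, Tuple

# Constructed sample: the page's snippets arranged into a port-80 vhost (redirect plus HSTS,
# as the page shows it) and a port-443 vhost (hardening plus dhparam). Host name is a placeholder.
SAMPLE_CONFIG = """
server {
    listen 80;
    server_name www.example.invalid;
    add_header Strict-Transport-Security max-age=15768000;
    return 301 https://www.example.invalid$request_uri;
}
server {
    listen 443 ssl;
    server_name www.example.invalid;
    ssl_prefer_server_ciphers On;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 SSLv3;
    ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
    ssl_dhparam /path/to/your/certs/dhparam.pem;
}
"""

Directive = Tuple[str, List[str]]
Finding = Tuple[str, str]


def split_server_blocks(text: str) -> List[str]:
    """Return the body of every top-level `server { ... }` block, matching braces by depth."""
    blocks, pos = [], 0
    while True:
        m = re.search(r"\bserver\s*\{", text[pos:])
        if not m:
            return blocks
        start = pos + m.end()
        depth, i = 1, start
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        blocks.append(text[start:i - 1])  # i is one past the closing brace
        pos = i


def directives(block: str) -> List[Directive]:
    """Tokenise a block body into (name, args) pairs; quoted args may contain ';'.
    Nested blocks such as `location / { ... }` are skipped rather than inspected."""
    tokens = re.findall(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};"\']+', block)
    out, cur, depth = [], [], 0
    for tok in tokens:
        if tok == "{":
            depth, cur = depth + 1, []  # drop the nested block's header words
        elif tok == "}":
            depth -= 1
        elif depth:
            continue
        elif tok == ";":
            if cur:
                out.append((cur[0], cur[1:]))
            cur = []
        else:
            cur.append(tok.strip("\"'"))
    return out


def check_vhost(block: str) -> List[Finding]:
    """Apply the checks to one server block and return (code, message) findings."""
    by_name: Dict[str, List[List[str]]] = {}
    for name, args in directives(block):
        by_name.setdefault(name, []).append(args)
    is_tls = any("ssl" in args for args in by_name.get("listen", [])) or "ssl_certificate" in by_name
    hsts = [args[1:] for args in by_name.get("add_header", [])
            if args and args[0].lower() == "strict-transport-security"]
    findings: List[Finding] = []
    if hsts and not is_tls:
        findings.append(("hsts-over-http", "Strict-Transport-Security is only honoured on HTTPS "
                         "responses (RFC 6797 s.8.1); move add_header into the listen 443 vhost"))
    if is_tls and not hsts:
        findings.append(("hsts-missing", "TLS vhost sends no Strict-Transport-Security header"))
    for value in hsts:
        if not re.search(r"max-age=(\d+)", " ".join(value)):
            findings.append(("hsts-no-max-age", "HSTS header lacks the mandatory max-age directive"))
    protocols = {p for args in by_name.get("ssl_protocols", []) for p in args}
    legacy = protocols & {"SSLv2", "SSLv3"}
    if legacy:
        findings.append(("sslv3-enabled", f"ssl_protocols still offers {', '.join(sorted(legacy))}"))
    ciphers = ":".join(a for args in by_name.get("ssl_ciphers", []) for a in args)
    if is_tls and "DH" in ciphers and "ssl_dhparam" not in by_name:
        findings.append(("dhparam-missing", "DHE suites enabled but no ssl_dhparam; nginx before "
                         "1.11.0 falls back to a built-in 1024-bit group"))
    prefer = by_name.get("ssl_prefer_server_ciphers", [[]])[0]
    if is_tls and (not prefer or prefer[0].lower() != "on"):
        findings.append(("server-ciphers-off", "ssl_prefer_server_ciphers should be on"))
    return findings


def lint(text: str) -> List[List[Finding]]:
    """Lint every server block in an nginx config string (comments are stripped first)."""
    text = re.sub(r"#[^\n]*", "", text)
    return [check_vhost(b) for b in split_server_blocks(text)]


if __name__ == "__main__":
    for i, block_findings in enumerate(lint(SAMPLE_CONFIG)):
        for code, msg in block_findings:
            print(f"server[{i}] {code}: {msg}")
```

Run against the sample, the port-80 block reports `hsts-over-http` and the port-443 block reports `hsts-missing` and `sslv3-enabled`; a 443 vhost with the header moved in and SSLv3 dropped comes back clean. The parser only looks at top-level directives of each server block, so a header set inside a `location` would need the checks extended.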
SSL test
test your ssl-implementation here:

1. SSL-Server-Test: https://www.ssllabs.com/ssltest/
2. SSL-Client/Browser-Test: https://www.ssllabs.com/ssltest/viewMyClient.html