SlideShare a Scribd company logo

NGINX + HTTPS 101: The basics & getting started

Nick Sullivan
Nick Sullivan

NGINX is a multi-faceted tool, and if you’re just getting your feet wet--or need a buffer--you’ll want to check this presentation out first. One popular use for NGINX is as a HTTPS reverse proxy--enabling services to support encrypted protocols that don’t normally do so. Why should you be an expert on this? Putting NGINX in front of HTTP-based websites and services allows them to be fully HTTPS compliant, taking advantage of NGINX’s state-of-the-art encryption technology. This session will start by introducing the basics of HTTPS and web encryption. Attendees will learn how to get a proper HTTPS certificate from a certificate authority (“CA”) for browser-facing services, and an internal CA for internal services. The session will also cover the ngx_http_ssl_module, and what it takes to configure it to the industry standard. This is your spark notes session for getting that A+ in security.

Technology
1 of 54
Download to read offline
NGINX + HTTPS 101 The Basics & Getting Started Sept 23, 2015 Nick Sullivan (@grittygrease)
#nginx #nginxconf NGINX + HTTPS 101 2 What is HTTPS? Protocol Versions Cipher Suites Configuring nginx Bonus: Configuring HSTS Backend HTTPS Double Bonus: OCSP Stapling Checking your configuration
What is HTTPS? 3
HTTPS = HTTP + Security • Security: SSL or TLS • Provides data encryption and server authentication • Negotiation of keys happens in the “handshake” 4
5
Why set up HTTPS? • User privacy • SEO bump • Put in front of HTTPS-incapable services • General good practice 6 😀 😯
What are the downsides? • Operational complexity • Extra latency (two round-trips for first connection) • CPU cost 7
What you need to set up HTTPS • A set of protocols you support • A set of ciphers you support in order of preference • A certificate and a private key signed by a trusted Certificate Authority 8
Protocol Versions 9
A bit of history • SSL v2.0 released in 1995 by Netscape • SSL v3.0 released in 1996 fixes major issues with v2 • TLS v1.0 released in 1999 by IETF: minor tweaks to SSLv3 • TLS v1.1 released in 2006 with minor tweaks • TLS v1.2 released in 2008 with improved hashes and AEAD mode 10
A bit of history • SSL v2.0 released in 1995 - Broken by design • SSL v3.0 released in 1996 - Broken by POODLE (Nov 2014) • TLS v1.0 released in 1999 - Weakened by BEAST (2011) and Lucky 13 (2013) • TLS v1.1 released in 2006 - Weakened by Lucky 13 (2013) and RC4 (2013, 2015) • TLS v1.2 released in 2008 - Only safe with AEAD mode ciphers 11
Client Compatibility for TLS 1.2 • Chrome >= 30 • Android >= 5.0 • Firefox >= 27 • Internet Explorer/Edge >= 11 • Safari Mac >= 7 • iOS >= 5 • Note: iOS 9 applications require TLS 1.2 support 12 ~75%
Client Compatibility for TLS 1.0 • Basically everything except Windows XP SP2 and earlier 13
Configuration options • High security, low compatibility ssl_protocols TLSv1.2; • Medium security, high compatibility ssl_protocols TLSv1 TLSv1.1 TLSv1.2; • Low security, maximum compatibility ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; 14 Top Grade SSL Labs
Cipher Suites 15
Cipher Suites • Complicated string describing the type of crypto used • Defined by openssl (check your ciphers with $ openssl ciphers) Example: ECDHE-RSA-AES128-GCM-SHA256:
 ECDHE-ECDSA-AES128-GCM-SHA256:
 ECDHE-RSA-AES256-GCM-SHA384:
 ECDHE-ECDSA-AES256-GCM-SHA384:
 DHE-RSA-AES128-GCM-SHA256: 16
Cipher Suites 17 ECDHE-RSA-AES256-GCM-SHA384
 Key Exchange - Certificate Key - Transport Cipher - Integrity
Server Cipher Suites • Client lists supported cipher suites in order of preference • Server takes intersection of client list and server supported cipher list • Server selects preferred cipher of remaining 18
Cipher Suite Negotiation AES256-GCM-SHA384:
 ECDHE-RSA-AES128-GCM-SHA256:
 ECDHE-RSA-AES256-GCM-SHA384:
 
 ECDHE-RSA-AES256-GCM-SHA384: ECDHE-RSA-AES256-SHA:
 ECDHE-RSA-AES128-SHA256:
 AES256-GCM-SHA384: 19 ECDHE-RSA-AES256-GCM-SHA384
 AES256-GCM-SHA384
 ECDHE-RSA-AES256-GCM-SHA384
Recommended Cipher Suites CloudFlare’s suggestions: github.com/cloudflare/sslconfig EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA +AES256:EECDH+3DES:RSA+3DES:!MD5 • Mozilla has their own suggestions: https://mozilla.github.io/server-side-tls/ssl-config-generator/ 20
Certificates 21
What is a certificate? • Organization name • Public key • Issuer name • Rights • Validity period • Hostnames • Digital signature by issuer 22
23
What is a trusted certificate? • When certificate is issued by a Certificate Authority (CA) that browsers trust 24
How do I get a certificate? • Create a key pair • A private key • A certificate signing request (contains your public key) • Get a CA to create a certificate from the CSR • Usually costs $$$ 25
How do create a CSR and private key? • Using CFSSL $ cfssl print-defaults csr > csr.json $ cfssl genkey csr.json | cfssljson -bare • Using OpenSSL $ openssl genrsa -out key.pem 2048 $ openssl req -new -sha256 -key key.pem -out key.csr 26
How to get a free certificate • StartSSL.com: follow the instructions, get a headache 27
Certificate chain • Need to include all certificates in trust
 chain up to the root • If CA did not provide, try `cfssl bundle` 28
Configuring nginx 29
NGINX configurations parameters • Basic features • ssl_certificate, ssl_certificate_key • ssl_protocols • ssl_ciphers 30
NGINX configurations parameters • Before you start: Find out the version of OpenSSL you are using • Recommend at least 1.0.1p $ openssl version OpenSSL 0.9.8zd 8 Jan 2015 31
server { listen 443 ssl; ssl_certificate /path/to/signed_cert_plus_intermediates; ssl_certificate_key /path/to/private_key; ssl_session_timeout 1d; ssl_session_cache shared:SSL:50m; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA +AES256:EECDH+3DES:RSA+3DES:!MD5; ssl_prefer_server_ciphers on; } 32 Certificate Chain Private key
• Session caching — faster connections from existing clients • ssl_session_timeout 1d; • ssl_session_cache shared:SSL:50m; • Session tickets — advanced version • Works with Chrome and Firefox Extra options 33
server { listen 443 ssl; ssl_certificate /path/to/signed_cert_plus_intermediates; ssl_certificate_key /path/to/private_key; ssl_session_timeout 1d; ssl_session_cache shared:SSL:50m; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA +AES256:EECDH+3DES:RSA+3DES:!MD5; ssl_prefer_server_ciphers on; } 34 Protocols Ciphers
• Prefer server cipher preference • ssl_prefer_server_ciphers on; Additional fields 35
Multiple domains, same certificate ssl_certificate multiSAN.crt; ssl_certificate_key multiSAN.key; server { listen 443 ssl; server_name www.example.com; ... } server { listen 443 ssl; server_name www.example.org; ... } 36
Backend HTTPS 37
• Encrypt to the server behind nginx • Need a list of trusted CAs Encryption on the backend 38
http { server { proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2; proxy_ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5; proxy_ssl_trusted_certificate /etc/ssl/certs/trusted_ca_cert.crt; proxy_ssl_verify on; proxy_ssl_verify_depth 2; proxy_ssl_session_reuse on; } } 39 Protocols Ciphers Trusted CAs
• Internal CA • You can create your own certificates for the services behind nginx • Requires managing your own public key infrastructure • Public CA • Need certificate from publicly trusted CA • Root store already present on machine (e.g. Ubuntu: /etc/ssl/certs/ca-certificates.crt) Options for trusted CAs 40
Checking your configuration 41
ssllabs.com 42
cfssl.org/scan 43
Bonus: Configuring HSTS 44
• HTTP header cached by browser • Browser always attempts HTTPS • Maximum age defined in seconds • Preload list for Chrome and Firefox • Requires 6 month HSTS • Requires includeSubdomains What is HSTS? 45
• Prevent hijacking of HTTP Why? 46
• Prevents people from visiting HTTP version of site • If HTTPS config is broken (expired certificate), site is broken Risks 47
server { listen 443 ssl; ssl_certificate /path/to/signed_cert_plus_intermediates; ssl_certificate_key /path/to/private_key; ssl_session_timeout 1d; ssl_session_cache shared:SSL:50m; # intermediate configuration. tweak to your needs. ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5; ssl_prefer_server_ciphers on; # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months) add_header Strict-Transport-Security max-age=15768000; # OCSP Stapling --- # fetch OCSP records from URL in ssl_certificate and cache them ssl_stapling on; ssl_stapling_verify on; ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates; } 48 Max-age: 6 months
Double Bonus: Configuring OCSP Stapling 49
• Certificates can not only expire, they can be revoked • OCSP (Online Certificate Status Protocol) can be queried to check status • Can slow down requests since it requires another connection • OCSP Stapling: server pre-fetches OSCP response • Saves a round-trip by the client What is OCSP Stapling? 50
How much faster? DNS (1334ms) TCP handshake (240ms) SSL handshake (376ms) Follow certificate chain (1011ms) DNS to CA (300ms) TCP to CA (407ms) OCSP to CA #1 (598ms) TCP to CA #2 (317ms) OCSP to CA #2 (444ms) Finish SSL handshake (1270ms) 51 ~30%
server { listen 443 ssl; ssl_certificate /path/to/signed_cert_plus_intermediates; ssl_certificate_key /path/to/private_key; ssl_session_timeout 1d; ssl_session_cache shared:SSL:50m; # intermediate configuration. tweak to your needs. ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5; ssl_prefer_server_ciphers on; # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months) add_header Strict-Transport-Security max-age=15768000; # OCSP Stapling --- # fetch OCSP records from URL in ssl_certificate and cache them ssl_stapling on; ssl_stapling_verify on; ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates; } 52 Get this file from your CA
Questions? 53
NGINX + HTTPS 101 The Basics & Getting Started Nick Sullivan @grittygrease

Recommended

Invited Talk - Cyber Security and Open Source
Invited Talk - Cyber Security and Open SourceInvited Talk - Cyber Security and Open Source
Invited Talk - Cyber Security and Open Sourcehack33
 
Bringing Elliptic Curve Cryptography into the Mainstream
Bringing Elliptic Curve Cryptography into the MainstreamBringing Elliptic Curve Cryptography into the Mainstream
Bringing Elliptic Curve Cryptography into the MainstreamNick Sullivan
 
What's New in Go Crypto - Gotham Go
What's New in Go Crypto - Gotham GoWhat's New in Go Crypto - Gotham Go
What's New in Go Crypto - Gotham GoNick Sullivan
 
Heartache and Heartbleed - 31c3
Heartache and Heartbleed - 31c3Heartache and Heartbleed - 31c3
Heartache and Heartbleed - 31c3Nick Sullivan
 
CFSSL 1.1: The Evolution of a PKI toolkit - DEF CON 23
CFSSL 1.1: The Evolution of a PKI toolkit - DEF CON 23CFSSL 1.1: The Evolution of a PKI toolkit - DEF CON 23
CFSSL 1.1: The Evolution of a PKI toolkit - DEF CON 23Nick Sullivan
 
An analysis of TLS handshake proxying
An analysis of TLS handshake proxyingAn analysis of TLS handshake proxying
An analysis of TLS handshake proxyingNick Sullivan
 
Running Secure Server Software on Insecure Hardware without a Parachute - RSA...
Running Secure Server Software on Insecure Hardware without a Parachute - RSA...Running Secure Server Software on Insecure Hardware without a Parachute - RSA...
Running Secure Server Software on Insecure Hardware without a Parachute - RSA...Nick Sullivan
 
White-box Cryptography -BayThreat 2013
White-box Cryptography -BayThreat 2013White-box Cryptography -BayThreat 2013
White-box Cryptography -BayThreat 2013Nick Sullivan
 

Recommended

Invited Talk - Cyber Security and Open Source
Invited Talk - Cyber Security and Open SourceInvited Talk - Cyber Security and Open Source
Invited Talk - Cyber Security and Open Sourcehack33
 
Bringing Elliptic Curve Cryptography into the Mainstream
Bringing Elliptic Curve Cryptography into the MainstreamBringing Elliptic Curve Cryptography into the Mainstream
Bringing Elliptic Curve Cryptography into the MainstreamNick Sullivan
 
What's New in Go Crypto - Gotham Go
What's New in Go Crypto - Gotham GoWhat's New in Go Crypto - Gotham Go
What's New in Go Crypto - Gotham GoNick Sullivan
 
Heartache and Heartbleed - 31c3
Heartache and Heartbleed - 31c3Heartache and Heartbleed - 31c3
Heartache and Heartbleed - 31c3Nick Sullivan
 
CFSSL 1.1: The Evolution of a PKI toolkit - DEF CON 23
CFSSL 1.1: The Evolution of a PKI toolkit - DEF CON 23CFSSL 1.1: The Evolution of a PKI toolkit - DEF CON 23
CFSSL 1.1: The Evolution of a PKI toolkit - DEF CON 23Nick Sullivan
 
An analysis of TLS handshake proxying
An analysis of TLS handshake proxyingAn analysis of TLS handshake proxying
An analysis of TLS handshake proxyingNick Sullivan
 
Running Secure Server Software on Insecure Hardware without a Parachute - RSA...
Running Secure Server Software on Insecure Hardware without a Parachute - RSA...Running Secure Server Software on Insecure Hardware without a Parachute - RSA...
Running Secure Server Software on Insecure Hardware without a Parachute - RSA...Nick Sullivan
 
White-box Cryptography -BayThreat 2013
White-box Cryptography -BayThreat 2013White-box Cryptography -BayThreat 2013
White-box Cryptography -BayThreat 2013Nick Sullivan
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by HubspotMarius Sescu
 
Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTExpeed Software
 

More Related Content

Recently uploaded

Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 

Recently uploaded (20)

Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 

Featured

2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by HubspotMarius Sescu
 
Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTExpeed Software
 
Product Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsProduct Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsPixeldarts
 
How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthThinkNow
 
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfAI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfmarketingartwork
 
PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024Neil Kimberley
 
Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)contently
 
How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024Albert Qian
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsKurio // The Social Media Age(ncy)
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Search Engine Journal
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summarySpeakerHub
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next Tessa Mero
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentLily Ray
 
Time Management & Productivity - Best Practices
Time Management & Productivity - Best PracticesTime Management & Productivity - Best Practices
Time Management & Productivity - Best PracticesVit Horky
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project managementMindGenius
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...RachelPearson36
 

Featured (20)

2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot
 
Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPT
 
Product Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsProduct Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage Engineerings
 
How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental Health
 
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfAI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
 
Skeleton Culture Code
Skeleton Culture CodeSkeleton Culture Code
Skeleton Culture Code
 
PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024
 
Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)
 
How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie Insights
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search Intent
 
How to have difficult conversations
How to have difficult conversations How to have difficult conversations
How to have difficult conversations
 
Introduction to Data Science
Introduction to Data ScienceIntroduction to Data Science
Introduction to Data Science
 
Time Management & Productivity - Best Practices
Time Management & Productivity - Best PracticesTime Management & Productivity - Best Practices
Time Management & Productivity - Best Practices
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project management
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
 

NGINX + HTTPS 101: The basics & getting started

  • 1. NGINX + HTTPS 101 The Basics & Getting Started Sept 23, 2015 Nick Sullivan (@grittygrease)
  • 2. #nginx #nginxconf NGINX + HTTPS 101 2 What is HTTPS? Protocol Versions Cipher Suites Configuring nginx Bonus: Configuring HSTS Backend HTTPS Double Bonus: OCSP Stapling Checking your configuration
  • 4. HTTPS = HTTP + Security • Security: SSL or TLS • Provides data encryption and server authentication • Negotiation of keys happens in the “handshake” 4
  • 5. 5
  • 6. Why set up HTTPS? • User privacy • SEO bump • Put in front of HTTPS-incapable services • General good practice 6 😀 😯
  • 7. What are the downsides? • Operational complexity • Extra latency (two round-trips for first connection) • CPU cost 7
  • 8. What you need to set up HTTPS • A set of protocols you support • A set of ciphers you support in order of preference • A certificate and a private key signed by a trusted Certificate Authority 8
  • 10. A bit of history • SSL v2.0 released in 1995 by Netscape • SSL v3.0 released in 1996 fixes major issues with v2 • TLS v1.0 released in 1999 by IETF: minor tweaks to SSLv3 • TLS v1.1 released in 2006 with minor tweaks • TLS v1.2 released in 2008 with improved hashes and AEAD mode 10
  • 11. A bit of history • SSL v2.0 released in 1995 - Broken by design • SSL v3.0 released in 1996 - Broken by POODLE (Nov 2014) • TLS v1.0 released in 1999 - Weakened by BEAST (2011) and Lucky 13 (2013) • TLS v1.1 released in 2006 - Weakened by Lucky 13 (2013) and RC4 (2013, 2015) • TLS v1.2 released in 2008 - Only safe with AEAD mode ciphers 11
  • 12. Client Compatibility for TLS 1.2 • Chrome >= 30 • Android >= 5.0 • Firefox >= 27 • Internet Explorer/Edge >= 11 • Safari Mac >= 7 • iOS >= 5 • Note: iOS 9 applications require TLS 1.2 support 12 ~75%
  • 13. Client Compatibility for TLS 1.0 • Basically everything except Windows XP SP2 and earlier 13
  • 14. Configuration options • High security, low compatibility ssl_protocols TLSv1.2; • Medium security, high compatibility ssl_protocols TLSv1 TLSv1.1 TLSv1.2; • Low security, maximum compatibility ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; 14 Top Grade SSL Labs
  • 16. Cipher Suites • Complicated string describing the type of crypto used • Defined by openssl (check your ciphers with $ openssl ciphers) Example: ECDHE-RSA-AES128-GCM-SHA256:
 ECDHE-ECDSA-AES128-GCM-SHA256:
 ECDHE-RSA-AES256-GCM-SHA384:
 ECDHE-ECDSA-AES256-GCM-SHA384:
 DHE-RSA-AES128-GCM-SHA256: 16
  • 17. Cipher Suites 17 ECDHE-RSA-AES256-GCM-SHA384
 Key Exchange - Certificate Key - Transport Cipher - Integrity
  • 18. Server Cipher Suites • Client lists supported cipher suites in order of preference • Server takes intersection of client list and server supported cipher list • Server selects preferred cipher of remaining 18
  • 20. Recommended Cipher Suites CloudFlare’s suggestions: github.com/cloudflare/sslconfig EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA +AES256:EECDH+3DES:RSA+3DES:!MD5 • Mozilla has their own suggestions: https://mozilla.github.io/server-side-tls/ssl-config-generator/ 20
  • 22. What is a certificate? • Organization name • Public key • Issuer name • Rights • Validity period • Hostnames • Digital signature by issuer 22
  • 23. 23
  • 24. What is a trusted certificate? • When certificate is issued by a Certificate Authority (CA) that browsers trust 24
  • 25. How do I get a certificate? • Create a key pair • A private key • A certificate signing request (contains your public key) • Get a CA to create a certificate from the CSR • Usually costs $$$ 25
  • 26. How do create a CSR and private key? • Using CFSSL $ cfssl print-defaults csr > csr.json $ cfssl genkey csr.json | cfssljson -bare • Using OpenSSL $ openssl genrsa -out key.pem 2048 $ openssl req -new -sha256 -key key.pem -out key.csr 26
  • 27. How to get a free certificate • StartSSL.com: follow the instructions, get a headache 27
  • 28. Certificate chain • Need to include all certificates in trust
 chain up to the root • If CA did not provide, try `cfssl bundle` 28
  • 30. NGINX configurations parameters • Basic features • ssl_certificate, ssl_certificate_key • ssl_protocols • ssl_ciphers 30
  • 31. NGINX configurations parameters • Before you start: Find out the version of OpenSSL you are using • Recommend at least 1.0.1p $ openssl version OpenSSL 0.9.8zd 8 Jan 2015 31
  • 32. server { listen 443 ssl; ssl_certificate /path/to/signed_cert_plus_intermediates; ssl_certificate_key /path/to/private_key; ssl_session_timeout 1d; ssl_session_cache shared:SSL:50m; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA +AES256:EECDH+3DES:RSA+3DES:!MD5; ssl_prefer_server_ciphers on; } 32 Certificate Chain Private key
  • 33. • Session caching — faster connections from existing clients • ssl_session_timeout 1d; • ssl_session_cache shared:SSL:50m; • Session tickets — advanced version • Works with Chrome and Firefox Extra options 33
  • 34. server { listen 443 ssl; ssl_certificate /path/to/signed_cert_plus_intermediates; ssl_certificate_key /path/to/private_key; ssl_session_timeout 1d; ssl_session_cache shared:SSL:50m; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA +AES256:EECDH+3DES:RSA+3DES:!MD5; ssl_prefer_server_ciphers on; } 34 Protocols Ciphers
  • 35. • Prefer server cipher preference • ssl_prefer_server_ciphers on; Additional fields 35
  • 36. Multiple domains, same certificate ssl_certificate multiSAN.crt; ssl_certificate_key multiSAN.key; server { listen 443 ssl; server_name www.example.com; ... } server { listen 443 ssl; server_name www.example.org; ... } 36
  • 38. • Encrypt to the server behind nginx • Need a list of trusted CAs Encryption on the backend 38
  • 39. http { server { proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2; proxy_ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5; proxy_ssl_trusted_certificate /etc/ssl/certs/trusted_ca_cert.crt; proxy_ssl_verify on; proxy_ssl_verify_depth 2; proxy_ssl_session_reuse on; } } 39 Protocols Ciphers Trusted CAs
  • 40. • Internal CA • You can create your own certificates for the services behind nginx • Requires managing your own public key infrastructure • Public CA • Need certificate from publicly trusted CA • Root store already present on machine (e.g. Ubuntu: /etc/ssl/certs/ca-certificates.crt) Options for trusted CAs 40
  • 45. • HTTP header cached by browser • Browser always attempts HTTPS • Maximum age defined in seconds • Preload list for Chrome and Firefox • Requires 6 month HSTS • Requires includeSubdomains What is HSTS? 45
  • 46. • Prevent hijacking of HTTP Why? 46
  • 47. • Prevents people from visiting HTTP version of site • If HTTPS config is broken (expired certificate), site is broken Risks 47
  • 48. server { listen 443 ssl; ssl_certificate /path/to/signed_cert_plus_intermediates; ssl_certificate_key /path/to/private_key; ssl_session_timeout 1d; ssl_session_cache shared:SSL:50m; # intermediate configuration. tweak to your needs. ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5; ssl_prefer_server_ciphers on; # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months) add_header Strict-Transport-Security max-age=15768000; # OCSP Stapling --- # fetch OCSP records from URL in ssl_certificate and cache them ssl_stapling on; ssl_stapling_verify on; ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates; } 48 Max-age: 6 months
  • 49. Double Bonus: Configuring OCSP Stapling 49
  • 50. • Certificates can not only expire, they can be revoked • OCSP (Online Certificate Status Protocol) can be queried to check status • Can slow down requests since it requires another connection • OCSP Stapling: server pre-fetches OSCP response • Saves a round-trip by the client What is OCSP Stapling? 50
  • 51. How much faster? DNS (1334ms) TCP handshake (240ms) SSL handshake (376ms) Follow certificate chain (1011ms) DNS to CA (300ms) TCP to CA (407ms) OCSP to CA #1 (598ms) TCP to CA #2 (317ms) OCSP to CA #2 (444ms) Finish SSL handshake (1270ms) 51 ~30%
  • 52. server { listen 443 ssl; ssl_certificate /path/to/signed_cert_plus_intermediates; ssl_certificate_key /path/to/private_key; ssl_session_timeout 1d; ssl_session_cache shared:SSL:50m; # intermediate configuration. tweak to your needs. ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5; ssl_prefer_server_ciphers on; # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months) add_header Strict-Transport-Security max-age=15768000; # OCSP Stapling --- # fetch OCSP records from URL in ssl_certificate and cache them ssl_stapling on; ssl_stapling_verify on; ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates; } 52 Get this file from your CA
  • 54. NGINX + HTTPS 101 The Basics & Getting Started Nick Sullivan @grittygrease