Strong Ciphers for NGINX

By: John Belthoff - Thu, October 3, 2019

A particularly good config setting for NGINX and SSL/TLS.

ssl_protocols TLSv1.3;# Requires nginx >= 1.13.0 else use TLSv1.2
ssl_prefer_server_ciphers on; 
ssl_dhparam /etc/nginx/dhparam.pem; # openssl dhparam -out /etc/nginx/dhparam.pem 4096
ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_timeout  10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx => 1.3.7
resolver $DNS-IP-1 $DNS-IP-2 valid=300s;
resolver_timeout 5s; 
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";

To create the dhparams.pem file run the following command:

openssl dhparam -out dhparams.pem 4096

I hope you find this information useful!

I am announcing the Yi Jing Blog, a place where you can learn about the I Ching.

Search

---

Recent Posts

• Rockaway Billiards
• A New Website for Music Production
• Strong Ciphers for NGINX
• Photon OS
• A little HD Video

---

Archives

• May 2023
• January 2020
• October 2019
• July 2019
• June 2019