[Ach] howto 4x100 with nginx
A. Schulze
sca at andreasschulze.de
Sun Nov 16 22:03:54 CET 2014
By request of Aaron Kaplan, I'd like to post my setup for nginx:
- 4096 bit private key
- sha256 hash
- signed by StartCom Class 1 Primary Intermediate Server CA (sha256)
- 4096 dhparam file
- latest openssl provided by debian wheezy (Nov 2014: 1.0.1e-2+deb7u13)
- nginx-1.6.2 (I compile from source)
nginx.conf:

    server {
        listen 192.0.2.80:443 ssl spdy;
        server_name www.example.org;
        ssl_session_cache shared:SSL:100k;
        ssl_ciphers ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA;
        ssl_prefer_server_ciphers on;
        ssl_protocols TLSv1.2;
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /path/to/intermediate.pem;
        ssl_dhparam /path/to/dh_4096.pem;
        ssl_certificate /path/to/cert+intermediate.pem;
        ssl_certificate_key /path/to/key.pem;
        add_header strict-transport-security "max-age=31536000";
        add_header x-frame-options "sameorigin";
        add_header x-xss-protection "1; mode=block";
        add_header x-content-type-options "nosniff";
        add_header Public-Key-Pins "max-age=5184000; pin-sha256=\"...\"; pin-sha256=\"...\";";
        root /path/to/webroot/;
        # ... hope I forgot nothing ...
        # ... other settings;
    }
The HPKP header is generated based on the script
https://github.com/hannob/hpkp/blob/master/hpkp-gen
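As an added example (not from the post and not the linked hpkp-gen script), this is the computation behind the two pin-sha256 values: SHA-256 over the certificate's DER-encoded SubjectPublicKeyInfo, base64-encoded, as RFC 7469 specifies, plus the check that a backup pin is present. SAMPLE_CERT is a constructed X.509-shaped skeleton, not a real certificate; for a real one, pass the DER bytes of cert.pem to spki_from_cert_der.

```python
import base64
import hashlib

def der_tlv(tag, body):
    """Encode one DER TLV; short-form length only (enough for the constructed sample)."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

# Constructed sample, NOT a real certificate: an X.509-shaped DER skeleton whose
# subjectPublicKeyInfo is SEQ{ SEQ{ OID rsaEncryption, NULL }, BIT STRING <dummy> }.
SAMPLE_SPKI = der_tlv(0x30, der_tlv(0x30, bytes.fromhex("06092A864886F70D010101") + b"\x05\x00")
                      + der_tlv(0x03, b"\x00\xab\xcd"))
SAMPLE_CERT = der_tlv(0x30, der_tlv(0x30, b"\xa0\x03\x02\x01\x02" + b"\x02\x01\x01"  # [0] version, serial
                                    + b"\x30\x00" * 4 + SAMPLE_SPKI)            # sigalg, issuer, validity, subject, SPKI
                      + b"\x30\x00" + der_tlv(0x03, b"\x00\xff"))                # signatureAlgorithm, signatureValue

def _tlv(buf, pos):
    """Return (tag, body_start, tlv_end) for the DER TLV at buf[pos]; handles long-form lengths."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, pos, pos + ln

def der_children(tlv):
    """Split a constructed DER value into its child TLVs (each with tag and length)."""
    _, i, end = _tlv(tlv, 0)
    out = []
    while i < end:
        _, _, nxt = _tlv(tlv, i)
        out.append(tlv[i:nxt])
        i = nxt
    return out

def spki_from_cert_der(cert_der):
    """tbsCertificate = [0] version OPTIONAL, serialNumber, signature, issuer,
    validity, subject, subjectPublicKeyInfo, ...  -> return the SPKI TLV."""
    fields = der_children(der_children(cert_der)[0])
    return fields[6 if fields[0][0] == 0xA0 else 5]

def pin_sha256(spki_der):
    """RFC 7469 pin: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def hpkp_header(pins, max_age=5184000):
    """Public-Key-Pins value; RFC 7469 requires a backup pin beside the live key's pin."""
    if len(pins) < 2:
        raise ValueError("HPKP needs at least two pins (live key + backup key)")
    return f"max-age={max_age}; " + "; ".join(f'pin-sha256="{p}"' for p in pins)
```

The returned string goes into the add_header directive above with the inner double quotes escaped as \" for nginx.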
If you replace ssl_protocols with "TLSv1 TLSv1.2" you get a server that is accessible from most current/important clients and still rated as 100/95/100/100.
Andreas