[Ach] howto 4x100 with nginx

A. Schulze sca at andreasschulze.de
Sun Nov 16 22:03:54 CET 2014

by request of Aaron Kaplan I like to post my setup for nginx

- 4096 bit private key
- sha256 hash
- signed by StartCom Class 1 Primary Intermediate Server CA (sha256)
- 4096 dhparam file
- latest openssl provided by debian wheezy (Nov 2014: 1.0.1e-2+deb7u13)
- nginx-1.6.2 ( I compile from source )


server {
  listen ssl spdy;
  server_name www.example.org;
  ssl_session_cache shared:SSL:100k;
  ssl_prefer_server_ciphers on;
  ssl_protocols TLSv1.2;
  ssl_stapling on;
  ssl_stapling_verify on;
  ssl_trusted_certificate /path/to/intermediate.pem
  ssl_dhparam /path/to/dh_4096.pem;
  ssl_certificate /path/to/cert+intermediate.pem;
  ssl_certificate_key /path/to/key.pem;
  add_header strict-transport-security "max-age=31536000";
  add_header x-frame-options "sameorigin";
  add_header x-xss-protection "1; mode=block";
  add_header x-content-type-options "nosniff";
  add_header Public-Key-Pins  "max-age=5184000; pin-sha256=\"...\";  
  root /path/to/webroot/;
  ... hope I forgot nothing ...
  ... other settings;

the hpkp header is generated based on the script  

if you replace ssl_protocols with "TLSv1 TLSv1.2" you get a server  
that is accessible from
most current/importent clients and still rated as 100/95/100/100.


More information about the Ach mailing list