Deutsch | English

[Ach] howto 4x100 with nginx

A. Schulze sca at andreasschulze.de
Sun Nov 16 22:03:54 CET 2014


by request of Aaron Kaplan I like to post my setup for nginx

- 4096 bit private key
- sha256 hash
- signed by StartCom Class 1 Primary Intermediate Server CA (sha256)
- 4096 dhparam file
- latest openssl provided by debian wheezy (Nov 2014: 1.0.1e-2+deb7u13)
- nginx-1.6.2 ( I compile from source )

nginx.conf:

server {
  listen 192.0.2.80:443 ssl spdy;
  server_name www.example.org;
  ssl_session_cache shared:SSL:100k;
  ssl_ciphers ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA;
  ssl_prefer_server_ciphers on;
  ssl_protocols TLSv1.2;
  ssl_stapling on;
  ssl_stapling_verify on;
  ssl_trusted_certificate /path/to/intermediate.pem
  ssl_dhparam /path/to/dh_4096.pem;
  ssl_certificate /path/to/cert+intermediate.pem;
  ssl_certificate_key /path/to/key.pem;
  add_header strict-transport-security "max-age=31536000";
  add_header x-frame-options "sameorigin";
  add_header x-xss-protection "1; mode=block";
  add_header x-content-type-options "nosniff";
  add_header Public-Key-Pins  "max-age=5184000; pin-sha256=\"...\";  
pin-sha256=\"...\";";
  root /path/to/webroot/;
  ... hope I forgot nothing ...
  ... other settings;
}

the hpkp header is generated based on the script  
https://github.com/hannob/hpkp/blob/master/hpkp-gen

if you replace ssl_protocols with "TLSv1 TLSv1.2" you get a server  
that is accessible from
most current/importent clients and still rated as 100/95/100/100.

Andreas




More information about the Ach mailing list
Kontakt
Email: reports@cert.at
Tel.: +43 1 5056416 78
mehr ...
Warnungen
mehr ...
Blog
mehr ...
Jahresbericht 2017
Ein Resumee zur digitalen Sicherheitslage in Österreich

(HTML, PDF).
Letzte Änderung: 2018/5/28 - 15:00:00
Haftungsausschluss / Datenschutzerklärung