[Ach] howto 4x100 with nginx
L. Aaron Kaplan
aaron at lo-res.org
Tue Nov 18 09:54:45 CET 2014
Thanks Andreas,
This allows us to compare against our recommendations.
On Nov 16, 2014, at 10:03 PM, A. Schulze <sca at andreasschulze.de> wrote:
> At the request of Aaron Kaplan I would like to post my setup for nginx:
>
> - 4096 bit private key
> - sha256 hash
> - signed by StartCom Class 1 Primary Intermediate Server CA (sha256)
> - 4096 dhparam file
> - latest openssl provided by debian wheezy (Nov 2014: 1.0.1e-2+deb7u13)
> - nginx-1.6.2 (I compile from source)
>
> nginx.conf:
>
> server {
> listen 192.0.2.80:443 ssl spdy;
> server_name www.example.org;
> ssl_session_cache shared:SSL:100k;
> ssl_ciphers ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA;
> ssl_prefer_server_ciphers on;
> ssl_protocols TLSv1.2;
> ssl_stapling on;
> ssl_stapling_verify on;
> ssl_trusted_certificate /path/to/intermediate.pem;
> ssl_dhparam /path/to/dh_4096.pem;
> ssl_certificate /path/to/cert+intermediate.pem;
> ssl_certificate_key /path/to/key.pem;
> add_header strict-transport-security "max-age=31536000";
> add_header x-frame-options "sameorigin";
> add_header x-xss-protection "1; mode=block";
> add_header x-content-type-options "nosniff";
> add_header Public-Key-Pins "max-age=5184000; pin-sha256=\"...\"; pin-sha256=\"...\";";
> root /path/to/webroot/;
> ... hope I forgot nothing ...
> ... other settings;
> }
>
> The HPKP header is generated with the script https://github.com/hannob/hpkp/blob/master/hpkp-gen
>
> If you replace ssl_protocols with "TLSv1 TLSv1.2" you get a server that is accessible from
> most current/important clients and still rated as 100/95/100/100.
>
> Andreas
>
> _______________________________________________
> Ach mailing list
> Ach at lists.cert.at
> http://lists.cert.at/cgi-bin/mailman/listinfo/ach
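As an added example (not code from either mail, and not the ACH project's own tooling): a small Python linter that parses a server block like the one Andreas posted and checks it against the points the thread relies on: only TLSv1.2 in ssl_protocols, server cipher preference, a dhparam file, stapling with verification plus a trusted-certificate file, an HSTS header, and at least two pins in the Public-Key-Pins header (RFC 7469 requires a backup pin). It also catches a directive that is not terminated by ';', which nginx rejects at startup. The embedded config is a constructed copy of the posted block with the '>' quoting and placeholder lines removed; the pin values are made-up placeholders, and the 180-day HSTS threshold is this example's own choice.

```python
import re
import shlex

# Constructed sample: the server block from the thread, with the ">" quoting
# and the "..." placeholder lines dropped. The ";" after ssl_trusted_certificate
# is left out on purpose so the linter can flag it. Pin values are placeholders.
SAMPLE_CONF = """\
server {
    listen 192.0.2.80:443 ssl spdy;
    server_name www.example.org;
    ssl_session_cache shared:SSL:100k;
    ssl_ciphers ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA;
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1.2;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /path/to/intermediate.pem
    ssl_dhparam /path/to/dh_4096.pem;
    ssl_certificate /path/to/cert+intermediate.pem;
    ssl_certificate_key /path/to/key.pem;
    add_header strict-transport-security "max-age=31536000";
    add_header x-frame-options "sameorigin";
    add_header x-xss-protection "1; mode=block";
    add_header x-content-type-options "nosniff";
    add_header Public-Key-Pins "max-age=5184000; pin-sha256=\\"PLACEHOLDERPIN1=\\"; pin-sha256=\\"PLACEHOLDERPIN2=\\";";
    root /path/to/webroot/;
}
"""

WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
MIN_HSTS_AGE = 15552000  # 180 days; a threshold chosen for this example


def parse_directives(text):
    """Return (directives, problems). directives maps a directive name to the
    list of argument lists seen for it (add_header appears several times).
    problems lists lines nginx would reject, i.e. directives missing their ';'."""
    directives = {}
    problems = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line.endswith("{") or line == "}":
            continue  # blank, comment, block opener or block closer
        if line.endswith(";"):
            body = line[:-1]  # strip only the terminating ';', not ones inside quotes
        else:
            problems.append(f"line {lineno}: missing ';' after '{line}'")
            body = line
        parts = shlex.split(body)  # honours "..." and \" inside header values
        if parts:
            directives.setdefault(parts[0], []).append(parts[1:])
    return directives, problems


def response_headers(directives):
    """Lower-cased header name -> value, taken from add_header directives."""
    return {a[0].lower(): a[1] for a in directives.get("add_header", []) if len(a) >= 2}


def check_tls_settings(directives):
    findings = []
    protos = directives.get("ssl_protocols")
    if not protos:
        findings.append("ssl_protocols not set; nginx's built-in default applies")
    else:
        weak = sorted(WEAK_PROTOCOLS & set(protos[0]))
        if weak:
            findings.append("ssl_protocols enables legacy versions: " + " ".join(weak))
    if directives.get("ssl_prefer_server_ciphers", [["off"]])[0] != ["on"]:
        findings.append("ssl_prefer_server_ciphers is not on; the client picks the cipher")
    if "ssl_dhparam" not in directives:
        findings.append("ssl_dhparam not set; DHE suites use nginx's built-in group")
    if directives.get("ssl_stapling", [["off"]])[0] == ["on"]:
        if directives.get("ssl_stapling_verify", [["off"]])[0] != ["on"]:
            findings.append("ssl_stapling is on but ssl_stapling_verify is off")
        if "ssl_trusted_certificate" not in directives:
            findings.append("ssl_stapling_verify needs ssl_trusted_certificate")
    return findings


def check_headers(directives):
    findings = []
    hdrs = response_headers(directives)
    hsts = hdrs.get("strict-transport-security")
    if hsts is None:
        findings.append("no Strict-Transport-Security header")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < MIN_HSTS_AGE:
            findings.append(f"HSTS max-age below {MIN_HSTS_AGE}: {hsts}")
    hpkp = hdrs.get("public-key-pins")
    if hpkp is not None:
        pins = re.findall(r'pin-sha256="([^"]+)"', hpkp)
        if len(pins) < 2:
            findings.append("Public-Key-Pins carries fewer than two pins; RFC 7469 requires a backup pin")
    return findings


def lint(text):
    """Parse problems first (nginx will not even start), then policy findings."""
    directives, problems = parse_directives(text)
    return problems + check_tls_settings(directives) + check_headers(directives)


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF) or ["no findings"]:
        print(finding)
```

Run as-is it reports only the missing ';' on the ssl_trusted_certificate line; with that fixed the posted block is clean, and swapping in "TLSv1 TLSv1.2" as Andreas suggests for wider client reach produces exactly one finding naming TLSv1, which is the trade-off the 100/95/100/100 rating reflects.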