SSL Certificate Hardening With NGINX

Jared Selcoe
May 9, 2019 | 3 min read

TLS configuration has never mattered more than it does today. Browsers now mark sites that don’t use HTTPS as “Not Secure”, more confidential information than ever is exchanged through web applications, and traffic interception and data theft continue to grow year over year.

As such, today I am going to walk you through hardening your server’s TLS setup via NGINX configuration. To follow along you will need a server with:

    • Ubuntu 16.04 or later (its nginx package, 1.10, is recent enough for HTTP/2, which needs nginx 1.9.5 or later)
    • OpenSSL 1.0.2 or later (1.0.2 adds ALPN, which browsers require to negotiate HTTP/2; TLSv1.3, used later in this guide, additionally needs OpenSSL 1.1.1 and nginx 1.13.0 or later)
    • A certificate and its private key already installed on the server

Okay – let’s begin!

Basic Setup

Though you are likely already doing this, first let’s make sure you are:

    • Redirecting (HTTP 301) every plain-HTTP request on port 80 to HTTPS on port 443
    • Using HTTP/2
    • Serving your certificate, together with its intermediate chain, on port 443

To redirect all port-80 traffic to port 443, modify your /etc/nginx/sites-available/default file so that it reads:

Because /etc/nginx/nginx.conf includes everything under /etc/nginx/sites-enabled, this catch-all block applies to plain-HTTP requests for every domain your server handles, as long as the file is symlinked into /etc/nginx/sites-enabled and no other enabled file has a port-80 server block claiming those hostnames (a named server block always wins over the default_server).

To use HTTP/2 and your certificate for a specific domain, modify your /etc/nginx/sites-available/YOUR_FILE (this could be default if you’ve kept things simple) so that it reads:
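As an added example (not the configuration from the original post), here are the two server blocks the steps above describe: the port-80 redirect and the HTTPS/HTTP/2 server. The domain example.com, the document root and the certificate paths under /etc/ssl/ are assumptions to replace with your own.

```nginx
# Added example, not the post's own configuration. Assumed: domain example.com,
# certificate chain and key under /etc/ssl/ (substitute your real paths).

# --- /etc/nginx/sites-available/default (symlinked into sites-enabled) ---
# Catch-all plain-HTTP listener: every request for every hostname receives a
# permanent redirect to the same path over HTTPS. Nothing is served on port 80.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 301 https://$host$request_uri;
}

# --- /etc/nginx/sites-available/example.com (also symlinked) ---
server {
    listen 443 ssl http2;        # HTTP/2 is negotiated through TLS ALPN
    listen [::]:443 ssl http2;
    server_name example.com www.example.com;

    # Leaf certificate followed by the intermediate chain, in one file; sending
    # the full chain is what lets clients build a path to a trusted root.
    ssl_certificate     /etc/ssl/certs/example.com.fullchain.pem;
    # Private key: root-owned, mode 0600, never under the document root.
    ssl_certificate_key /etc/ssl/private/example.com.key;

    root  /var/www/example.com;
    index index.html;
}
```

The redirect uses $host, the hostname the client asked for, so the one block covers every domain the server handles; nginx answers the 301 itself without touching any application code. The HTTPS block needs `ssl` on the listen line for `http2` to have any effect, since browsers only speak HTTP/2 over TLS.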

Enable HTTP Strict Transport Security (HSTS)

When a modern browser receives a Strict-Transport-Security header over HTTPS, it remembers the host and, for the max-age given in the header, rewrites every http:// URL for that host to https:// before any request leaves the machine; it also refuses to let the user click through certificate errors for that host. This complements the port-80 redirect we just configured: the redirect catches a visitor’s very first plain-HTTP request, and HSTS removes every later one, so an attacker on the path has no plaintext request left to intercept or downgrade (the sslstrip attack). Note that browsers ignore the header when it arrives over plain HTTP, so it only takes effect on HTTPS responses.

Update /etc/nginx/nginx.conf’s http {} block (or, better, the server block that listens on 443: RFC 6797 says the header must not be sent over plain HTTP, and nginx only inherits add_header from http {} into a server or location block that declares no add_header of its own) to contain:
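An added example of the header (not from the original post), placed in the HTTPS server block from the basic setup rather than in http {} so that it is only ever sent over TLS; the hostnames and paths are assumptions.

```nginx
# Added example, not the post's own configuration. Assumed: the HTTPS server
# block for example.com from the basic setup; certificate directives elided.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.com www.example.com;
    # ssl_certificate / ssl_certificate_key as configured earlier

    # max-age is in seconds: 63072000 = two years. After the first HTTPS visit
    # the browser rewrites http:// to https:// for this host until it expires.
    # includeSubDomains extends that to every subdomain, so only keep it if all
    # of them are served over HTTPS. "preload" is deliberately omitted: it asks
    # for inclusion in browsers' built-in HSTS lists, which is very hard to undo.
    # "always" (nginx >= 1.7.5) sends the header on 4xx/5xx responses as well;
    # without it add_header only applies to 2xx and 3xx responses.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;

    root  /var/www/example.com;
    index index.html;
}
```

One pitfall worth checking after you add this: add_header is inherited only into blocks that have no add_header of their own, so a location block that adds, say, a Cache-Control header silently drops the HSTS header for those responses unless it repeats the directive.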

Restrict Protocols and Ciphers

Now, let’s make sure you are:

    • Enabling only TLSv1.2 and TLSv1.3 and rejecting everything older (the client and server negotiate the highest version both support, so 1.3 is used whenever the client offers it and 1.2 is the fallback)
    • Restricting the permitted TLS 1.2 cipher suites

The following changes all go in the http {} block of /etc/nginx/nginx.conf because we want them to apply to every server this instance hosts, not just one (an individual server block can still override them):

Create A Stronger Diffie-Hellman

Diffie-Hellman parameters (a large prime and a generator) define the group used for the key exchange in DHE cipher suites; the actual keys are generated fresh for each handshake. Before nginx 1.11.0 a built-in 1024-bit group was used by default; from 1.11.0 on, DHE suites are disabled entirely unless you supply parameters with ssl_dhparam. Either way, we do not want a 2048-bit or larger certificate key paired with a 1024-bit group during the key exchange, so let’s generate stronger parameters. (ECDHE suites and TLS 1.3 use their own elliptic-curve groups and are unaffected by this file.)

In the terminal, enter openssl dhparam -out /etc/ssl/dhparam.pem 4096 – this will take a while, possibly more than an hour on a small VM! 2048 bits is the usual recommended minimum and is much faster both to generate and per handshake; 4096 buys extra margin at that cost. The parameters are not secret (they are sent in the clear during the handshake), so the file does not need the permissions of a private key.

Then add the following lines to the /etc/nginx/nginx.conf file’s http {} block:
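Here is one added example (not the original post’s configuration) of the http {} fragment for /etc/nginx/nginx.conf, covering both this step and the protocol and cipher restriction above. The cipher list is the TLS 1.2 subset of Mozilla’s “intermediate” recommendation, and the dhparam path is the one generated above; both are choices, not something the post prescribes.

```nginx
# Added example, not the post's own configuration. Fragment for the http {}
# block of /etc/nginx/nginx.conf; every server block inherits these directives
# unless it sets its own.
http {
    # Accept only TLS 1.2 and 1.3; SSLv3, TLS 1.0 and TLS 1.1 handshakes are
    # refused. Client and server negotiate the highest version both support,
    # so 1.3 is used whenever the client offers it. TLSv1.3 only takes effect
    # with nginx >= 1.13.0 linked against OpenSSL >= 1.1.1; with an older
    # OpenSSL the value has no effect and 1.2 is the ceiling.
    ssl_protocols TLSv1.2 TLSv1.3;

    # TLS 1.2 suites: ephemeral key exchange (ECDHE/DHE, forward secrecy) and
    # AEAD ciphers (AES-GCM, ChaCha20-Poly1305) only. No RSA key transport,
    # no CBC modes, no RC4 or 3DES. TLS 1.3 suites are not governed by
    # ssl_ciphers with OpenSSL; they are all AEAD with forward secrecy anyway.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;

    # Honour the server's order above rather than the client's preference.
    ssl_prefer_server_ciphers on;

    # Group parameters for the DHE-* suites, generated with:
    #   openssl dhparam -out /etc/ssl/dhparam.pem 4096
    # Only the DHE suites use this file; ECDHE and TLS 1.3 use their own curves.
    # If you drop the DHE-* suites from ssl_ciphers, this line becomes unused.
    ssl_dhparam /etc/ssl/dhparam.pem;

    include /etc/nginx/sites-enabled/*;
}
```

A quick way to see the effect is to run sudo nginx -t after adding this: nginx loads the dhparam file and validates the cipher string at configuration time, so a typo in either is reported immediately rather than at the first handshake.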

Confirm Everything Works

First, let’s check the configuration for syntax errors. This also confirms that nginx can open the certificate, key and dhparam files and that the cipher string is valid:

sudo nginx -t

(sudo /etc/init.d/nginx configtest runs exactly the same check, so there is no need to do both.)

Then tell the running NGINX to pick up the new configuration. A reload swaps in the new settings and lets existing connections finish, whereas a restart drops them:

sudo systemctl reload nginx

(sudo service nginx restart also works, at the cost of closing in-flight connections.)

Now that everything is configured, run the Qualys SSL Labs or Comodo test against your domain and look at your fancy A+ score! Note that SSL Labs only awards the A+ when the HSTS header is present with a long max-age, so don’t skip that step.

At Moove It we work to stay on top of the latest developments in online security to ensure that our clients and their data are kept safe in an increasingly complex and dynamic digital environment. I hope that this guide helps you to bring some of that same sense of security to your next application!
