
Nginx SSL improvements
Closed, Resolved, Public

Description

Some improvements include:

  • SSL enforcement
  • Enabling HTTPS credential caching
  • Enabling HSTS
  • Avoiding old cipher suites

A tutorial to do all this is here.

Event Timeline

reed created this task. Sep 28 2017, 9:41 AM
reed lowered the priority of this task from High to Normal. Sep 29 2017, 8:04 AM

Priority lowered; we should figure out what’s going on with T6 first.

reed raised the priority of this task from Normal to High. Oct 5 2017, 10:41 AM

Priority reset; T6 is resolved.

reed added a comment. Oct 11 2017, 9:11 AM

Avoiding old cipher suites

This is enabled by:

ssl_prefer_server_ciphers on;
ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;

reed added a comment. Oct 23 2017, 12:00 AM

In T7#121, @reed wrote:

Avoiding old cipher suites

This is enabled by:

ssl_prefer_server_ciphers on;
ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;

reed@plusreed:/etc/nginx$ sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Pushed to production!

reed added a comment. Oct 23 2017, 12:10 AM

SSL enforcement

Pushed to production!

reed added a comment. Oct 23 2017, 12:12 AM

Enabling HTTPS credential caching

This has been set to 1MB, and is cached for 1 hour.

Pushed to production.

reed added a comment. Oct 23 2017, 12:15 AM

Enabling HSTS

Pushed to production.

Running SSL test now.

reed closed this task as Resolved. Oct 23 2017, 12:18 AM

We now have an A+ for SSL thanks to these changes.

Looks like a success, closing.
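
The four changes tracked in this task, sketched as one nginx configuration. This is an added example, not the site's actual configuration: `example.com`, the certificate paths and the HSTS `max-age` are placeholders or assumptions, and reading "HTTPS credential caching" as the TLS session cache is also an assumption; only the two cipher lines come from the comments above.

```nginx
# Added example: placeholder host name and certificate paths throughout.

# SSL enforcement: plain HTTP is answered only with a redirect to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name example.com;                      # placeholder
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com;                      # placeholder

    ssl_certificate     /etc/nginx/ssl/example.com.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/ssl/example.com.key;   # placeholder path

    # Avoiding old cipher suites: the two lines quoted in the task.
    # The server's order wins over the client's, so the stronger suites
    # listed first are chosen whenever the client supports them.
    # The trailing 3DES entries are kept as written in the task; 3DES is a
    # 64-bit block cipher (Sweet32), so drop them if no legacy client needs them.
    ssl_prefer_server_ciphers on;
    ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;

    # Session caching (assumed to be what the task calls "HTTPS credential
    # caching"): a 1 MB cache shared by all workers, sessions reusable for 1 hour.
    ssl_session_cache   shared:SSL:1m;
    ssl_session_timeout 1h;

    # HSTS: the max-age value (one year) is an assumption, the task does not
    # state one. "always" sends the header on error responses too.
    # An add_header inside a location block replaces server-level add_header
    # lines for that location, so repeat this line there if you add others.
    add_header Strict-Transport-Security "max-age=31536000" always;
}
```

Validate with `sudo nginx -t` before reloading, as in the comment above.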