Getting an A+ grade on the SSL test with nginx

In this post we're going to configure a secure and fast SSL-protected website for the Sluggard app. We will be using nginx and a certificate issued by Let's Encrypt.

Let's assume that we have already generated an SSL certificate. So, we only need to edit our server config:

server {  
    listen 80;
    listen [::]:80;
    server_name sluggardapp.com www.sluggardapp.com;

    root /var/www/sluggardapp/public;

    location ~ /.well-known {
        allow all;
    }

    location / {
        return 301 https://sluggardapp.com$request_uri;
    }
}

server {  
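    listen 443 ssl;
    listen [::]:443 ssl;
    server_name sluggardapp.com www.sluggardapp.com;

    access_log /var/log/nginx/sluggardapp.access.log;
    error_log /var/log/nginx/sluggardapp.error.log;

    # TLS is enabled by the "ssl" parameter on the listen lines above;
    # the standalone "ssl on;" directive is deprecated and gone from current nginx releases.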
    ssl_certificate /etc/letsencrypt/live/sluggardapp.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/sluggardapp.com/privkey.pem;

    ssl_dhparam /etc/ssl/private/dhparams.pem;

    # TLSv1 and TLSv1.1 were deprecated by RFC 8996; keep them only if legacy clients require them.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_ecdh_curve secp384r1;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;

    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;

    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    add_header X-Content-Type-Options nosniff;

    root /var/www/sluggardapp/public;

    location / {
        expires max;
    }

    location ~ /.well-known {
        allow all;
    }
}
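
As an added example (not code from the original post), the Python script below lints the hardening directives of the HTTPS server block before the site is submitted to the online test. The function names, finding strings and embedded sample are assumptions made for the illustration; the one-year minimum is the max-age the HSTS preload list requires.

```python
import re
import shlex

# Constructed sample: hardening directives copied from the HTTPS server block above.
SAMPLE = """
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_session_tickets off;
ssl_stapling on;
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
"""

LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # TLS 1.0/1.1 deprecated by RFC 8996
ONE_YEAR = 31536000  # minimum max-age accepted by the HSTS preload list

def directives(conf):
    """Map directive name -> list of argument strings (one-line directives only)."""
    found = {}
    for line in conf.splitlines():
        # Lazy match up to the final ';' so semicolons inside quoted values survive.
        m = re.match(r"\s*([a-z_]+)\s+([^#]*?)\s*;\s*(#.*)?$", line)
        if m:
            found.setdefault(m.group(1), []).append(m.group(2))
    return found

def hsts_problems(value):
    """Check one HSTS header value against the preload-list requirements."""
    parts = [p.strip().lower() for p in value.split(";") if p.strip()]
    age = next((p[8:] for p in parts if p.startswith("max-age=")), "")
    problems = [] if age.isdigit() and int(age) >= ONE_YEAR else ["HSTS max-age below one year"]
    problems += ["HSTS missing " + t for t in ("includesubdomains", "preload") if t not in parts]
    return problems

def audit(conf):
    """Return a list of findings for the directives the post relies on."""
    d, findings = directives(conf), []
    legacy = set(" ".join(d.get("ssl_protocols", [])).split()) & LEGACY
    if legacy:
        findings.append("legacy protocols: " + " ".join(sorted(legacy)))
    for name, wanted in (("ssl_session_tickets", "off"), ("ssl_stapling", "on")):
        if d.get(name) != [wanted]:
            findings.append(f"{name} not {wanted}")
    headers = [shlex.split(a) for a in d.get("add_header", [])]
    hsts = [h[1] for h in headers if len(h) > 1 and h[0].lower() == "strict-transport-security"]
    if not hsts:
        findings.append("no Strict-Transport-Security header")
    for value in hsts:
        findings += hsts_problems(value)
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "no findings")
```

On the sample it reports only the legacy protocol versions; the session ticket, stapling and HSTS settings from the post pass.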

Now let's run a quick test at https://www.ssllabs.com/ssltest/

Michael Samoylov

Python, JavaScript and Swift Expert with 12+ years of experience.

Vilnius, Lithuania https://monmar.tech
