HTTPS is not only important for your Google ranking; it also protects you, your websites and therefore your visitors. With the following configuration you can make the HTTPS setup of your nginx web server as secure as possible.
Before you add these lines to the server block of your nginx configuration, make sure you already have an SSL certificate and adjust the path to it. You should also create a Diffie-Hellman key and adjust the path to it as well.
A Diffie-Hellman key is created with the following commands (this can take a long time):
> cd /etc/ssl/private
> openssl dhparam -out dhparams.pem 2048
> chmod 600 dhparams.pem
If you now have an SSL certificate and your own DH key, make sure to adjust the paths in the following snippet; then you can use it in your nginx server block:
# "ssl" on the listen line enables TLS; the separate "ssl on;" directive is obsolete (removed in nginx 1.25.1)
listen 443 ssl http2;
# HSTS: browsers use HTTPS only for two years (63072000 s), subdomains included
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4';
# Use the server's cipher order rather than the client's
ssl_prefer_server_ciphers on;
# Session cache shared between worker processes (10 MB)
ssl_session_cache shared:SSL:10m;
# DH key created with the openssl command above
ssl_dhparam /etc/ssl/private/dhparams.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_certificate /etc/letsencrypt/live/hilfreiche-server.tips/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/hilfreiche-server.tips/privkey.pem;
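
Because the `ssl_ciphers` value names most suites explicitly, it can be audited mechanically. The following is an added example (not part of the original post) that parses the directive and labels each named suite by key exchange and cipher mode. The labels are derived from the OpenSSL suite name alone, which is a heuristic assumption, and the function names are hypothetical.

```python
import re

# The ssl_ciphers directive exactly as it appears in the snippet above.
PAGE_CONFIG = """
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4';
"""

def cipher_tokens(config_text):
    """Return the colon-separated tokens of the first ssl_ciphers directive."""
    m = re.search(r"^\s*ssl_ciphers\s+['\"]?([^'\";]+)['\"]?\s*;", config_text, re.M)
    if not m:
        raise ValueError("no ssl_ciphers directive found")
    return [t for t in m.group(1).split(":") if t]

def classify(suite):
    """Label one TLS 1.2 suite from its OpenSSL name (heuristic, assumption)."""
    labels = set()
    if not suite.startswith(("ECDHE-", "DHE-", "EDH-")):
        labels.add("no-forward-secrecy")  # static RSA key exchange
    if "DES-CBC3" in suite:
        labels.add("3des")                # 64-bit block cipher
    if not any(aead in suite for aead in ("GCM", "CHACHA20", "CCM")):
        labels.add("cbc")                 # non-AEAD mode
    return labels

def audit(config_text):
    """Map each explicitly named suite to its labels; an empty set means none."""
    findings = {}
    for tok in cipher_tokens(config_text):
        # Skip exclusions/operators ('!aNULL') and group keywords ('HIGH'),
        # which expand to whatever the local OpenSSL build defines.
        if tok[0] in "!-+" or "-" not in tok:
            continue
        findings[tok] = classify(tok)
    return findings

def strict_list(config_text):
    """Named suites that offer forward secrecy and an AEAD mode, in order."""
    return ":".join(s for s, labels in audit(config_text).items() if not labels)

if __name__ == "__main__":
    for suite, labels in audit(PAGE_CONFIG).items():
        print(f"{suite:32} {', '.join(sorted(labels)) or 'ok'}")
    print("strict:", strict_list(PAGE_CONFIG))
```

The `ssl_ciphers` directive only governs TLS 1.2 and older; TLS 1.3 suites are negotiated separately, so the audit says nothing about them.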