Get an A+ on the Qualys SSL Labs test

[ 2015-03-12 13:31:14 | Author: zhenhua ]
For that you’ll need to do the following:

1 Don’t support older protocols. A lot of servers still support old and obsolete protocols. If you run a web app, your users will very likely not need them.
2 Don’t support flawed SSL ciphers. There’s a bunch of these and you can avoid using them. Browsers support many different ciphers, so dropping the flawed ones is not a problem.
3 Cache SSL sessions. This will improve performance.
4 Turn on HTTP Strict Transport Security (HSTS). This is a special header that tells browsers to never connect to the server over plain HTTP again.
server {
    # deferred allows for faster connections if there's
    # no other server on port 443 defined
    listen 443 ssl spdy deferred;

    # redundant with "ssl" on the listen line above, but harmless
    ssl on;
    ssl_certificate /etc/nginx/your-certificate.crt;
    ssl_certificate_key /etc/nginx/your-private-key.key;

    # point 1: no SSLv2/SSLv3, only TLS
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # point 2: let the server, not the client, pick the cipher;
    # ssl_ciphers is not set here, so OpenSSL's default list applies
    ssl_prefer_server_ciphers on;
    # point 3: session cache shared across worker processes
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_stapling on;

    # tell any upstream things like unicorns that we're on https
    proxy_set_header X-Forwarded-Proto 'https';
    underscores_in_headers on;

    location / {
        # point 4: HSTS for one year, including subdomains
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
        # ...
    }

    # ...
}
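The four points are easy to forget when a config is edited later, so here is a small static check for them. This is an added example, not code from the post; it is a minimal directive scanner (it ignores block nesting), the six-month HSTS threshold and the weak-cipher keyword list are assumptions, and the two sample server blocks are constructed from the post’s config (one as published with SSLv3, one hardened).

```python
"""Static check of an nginx server block against the four points above.

Added example, not the post's own code. The six-month HSTS threshold and
the weak-cipher keyword list are assumptions, not taken from the post.
"""
import re
from typing import Dict, List, Optional, Tuple

# Only the directives relevant to the four checks are collected.
_DIRECTIVE_RE = re.compile(
    r"^\s*(ssl_protocols|ssl_ciphers|ssl_prefer_server_ciphers|"
    r"ssl_session_cache|add_header)\s+(.*?);\s*$",
    re.M,
)
OBSOLETE_PROTOCOLS = {"SSLv2", "SSLv3"}
WEAK_CIPHER_KEYWORDS = ("RC4", "DES", "MD5", "EXPORT", "NULL")  # assumed list
MIN_HSTS_MAX_AGE = 15768000  # six months; assumed threshold


def parse_directives(config: str) -> Tuple[Dict[str, str], List[str]]:
    """Collect the relevant directives (and all add_header lines) after stripping # comments."""
    stripped = "\n".join(line.split("#", 1)[0] for line in config.splitlines())
    directives: Dict[str, str] = {}
    headers: List[str] = []
    for name, args in _DIRECTIVE_RE.findall(stripped):
        if name == "add_header":
            headers.append(args)
        else:
            directives[name] = args
    return directives, headers


def hsts_max_age(headers: List[str]) -> Optional[int]:
    """max-age from an add_header Strict-Transport-Security line, or None if absent."""
    for h in headers:
        m = re.match(r'Strict-Transport-Security\s+"?([^"]*)"?', h, re.I)
        if not m:
            continue
        for part in m.group(1).split(";"):
            key, _, value = part.strip().partition("=")
            if key.lower() == "max-age" and value.strip().isdigit():
                return int(value)
    return None


def enabled_weak_ciphers(cipher_string: str) -> List[str]:
    """Tokens of an OpenSSL cipher string that enable (rather than exclude) weak families."""
    weak = []
    for token in cipher_string.split(":"):
        if token.startswith(("!", "-")):
            continue  # explicitly removed, e.g. !RC4
        if any(k in token.upper() for k in WEAK_CIPHER_KEYWORDS):
            weak.append(token)
    return weak


def audit(config: str) -> List[str]:
    """One finding per violated point; an empty list means all four are met."""
    directives, headers = parse_directives(config)
    findings: List[str] = []
    # 1. obsolete protocols
    protocols = set(directives.get("ssl_protocols", "").split())
    if not protocols:
        findings.append("ssl_protocols not set; the nginx default applies")
    elif protocols & OBSOLETE_PROTOCOLS:
        findings.append("obsolete protocols enabled: "
                        + ", ".join(sorted(protocols & OBSOLETE_PROTOCOLS)))
    # 2. flawed ciphers
    if "ssl_ciphers" not in directives:
        findings.append("ssl_ciphers not set; the OpenSSL default list applies")
    else:
        weak = enabled_weak_ciphers(directives["ssl_ciphers"])
        if weak:
            findings.append("weak cipher families enabled: " + ", ".join(weak))
    if directives.get("ssl_prefer_server_ciphers") != "on":
        findings.append("ssl_prefer_server_ciphers is not on")
    # 3. session cache
    if "ssl_session_cache" not in directives:
        findings.append("ssl_session_cache not set")
    # 4. HSTS
    age = hsts_max_age(headers)
    if age is None:
        findings.append("Strict-Transport-Security header not added")
    elif age < MIN_HSTS_MAX_AGE:
        findings.append(f"HSTS max-age {age} is below {MIN_HSTS_MAX_AGE}")
    return findings


# Constructed sample: the post's block as published (SSLv3 listed, no ssl_ciphers).
POSTED = """
server {
    listen 443 ssl spdy deferred;
    ssl_prefer_server_ciphers on;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_session_cache shared:SSL:10m;
    location / {
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
    }
}
"""

# Constructed sample: the same block with points 1 and 2 actually applied.
HARDENED = POSTED.replace("SSLv3 ", "").replace(
    "ssl_session_cache", "ssl_ciphers HIGH:!aNULL:!MD5:!RC4;\n    ssl_session_cache")

if __name__ == "__main__":
    for name, cfg in (("posted", POSTED), ("hardened", HARDENED)):
        print(name, "->", audit(cfg) or ["no findings"])
```

Run it on the file you actually deploy (read it in and pass the text to audit()); an empty list means nothing from the four points is missing, which is a sanity check before you spend a scan on SSL Labs, not a replacement for it.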
