
How to Configure NGINX to get an A+ SSL Labs Rating


SSL Labs provides a free tool that lets you check the security of your web server's SSL configuration. The tool scans your server and generates a graded report, with A+ being the best grade. This tutorial will show you the steps involved in getting an A+ for an NGINX server.

SSL Labs Report

Prerequisites

Before we begin, you will need access to a public-facing Ubuntu 18.04 server, and you will need to have pointed a record in your public DNS service at its public IP address so that your domain resolves.

You will also need to have generated SSL certificates and copied them to the /etc/ssl/certs directory on the server. Read this tutorial to learn how to generate Let’s Encrypt certificates on your local machine using Ansible.

The following steps have been tested on Ubuntu 18.04 running on a DigitalOcean* droplet. If you don't have a DigitalOcean account, use my affiliate link* to get $100 of free credit.

Step 1: Install NGINX

Connect to the Ubuntu server with SSH and then install NGINX with the following command:

sudo apt install nginx ssl-cert

Step 2: Create Virtual Host

Create a virtual host conf file inside the /etc/nginx/sites-enabled folder, named after the domain you want NGINX to serve. In the following example I will use test.graspingtech.com; replace this with your own.

sudo vim /etc/nginx/sites-enabled/test.graspingtech.com

Add the following config to the file, replacing test.graspingtech.com with your domain.

# Redirect every plain-HTTP request to the HTTPS site
server {
  listen 80;
  listen [::]:80;
  server_name test.graspingtech.com;
  return 301 https://test.graspingtech.com$request_uri;
}

server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  server_name test.graspingtech.com;
  root /var/www/test.graspingtech.com;

  ssl_certificate     /etc/ssl/certs/test.graspingtech.com-fullchain.crt;
  ssl_certificate_key /etc/ssl/private/test.graspingtech.com.pem;
  ssl_dhparam         /etc/ssl/certs/test.graspingtech.com-dhparam.pem;

  # SSL Settings: TLS 1.2/1.3 only, forward-secret AEAD suites, client picks the order
  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
  ssl_prefer_server_ciphers off;

  # Session resumption from the server-side cache only; tickets off because NGINX
  # does not rotate the ticket key, which would weaken forward secrecy
  ssl_session_timeout 1d;
  ssl_session_cache   shared:SSL:10m;
  ssl_session_tickets off;

  # OCSP stapling, with the stapled response verified against the intermediate CA
  ssl_stapling on;
  ssl_stapling_verify on;
  ssl_trusted_certificate /etc/ssl/certs/test.graspingtech.com-intermediate.crt;
  resolver 1.1.1.1 208.67.222.222;

  # HSTS for two years; "always" sends the header on error responses too
  add_header Strict-Transport-Security "max-age=63072000" always;

  location / {
    try_files $uri $uri/ =404;
  }
}
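Before reloading, it is worth checking the vhost for the settings above that the grade depends on, since a later edit can silently undo them. The checker below is an added example, not part of this tutorial or of NGINX: it parses a constructed copy of the config (with two regressions slipped in, TLS 1.1 re-enabled and a short HSTS max-age) and flags a protocol list beyond TLS 1.2/1.3, a missing 301 redirect, an HSTS max-age under the six months SSL Labs requires for A+, incomplete OCSP stapling, DHE suites without ssl_dhparam, and session tickets left on.

```python
import re

# Constructed sample (not from the tutorial): the tutorial's layout with
# two regressions, TLSv1.1 re-enabled and a short HSTS max-age.
SAMPLE_CONF = """
server { listen 80; return 301 https://test.graspingtech.com$request_uri; }
server {
  listen 443 ssl http2;
  ssl_dhparam /etc/ssl/certs/test.graspingtech.com-dhparam.pem;
  ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;  # regression
  ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256;
  ssl_session_tickets off;
  ssl_stapling on;
  ssl_stapling_verify on;
  ssl_trusted_certificate /etc/ssl/certs/test.graspingtech.com-intermediate.crt;
  add_header Strict-Transport-Security "max-age=300" always;  # regression
}
"""

def parse_directives(conf):
    """Flatten the config into (name, [args]) pairs; braces and comments are ignored."""
    text = " ".join(l.split("#", 1)[0] for l in conf.splitlines())
    parts = [s.split() for s in re.split(r"[;{}]", text.replace('"', ""))]
    return [(p[0], p[1:]) for p in parts if p]

def check(conf):
    """Return findings against the tutorial's A+ settings; [] means all passed."""
    d = parse_directives(conf)
    def args(name): return [a for n, a in d if n == name]
    findings = []
    protos = set(sum(args("ssl_protocols"), []))
    if not protos or protos - {"TLSv1.2", "TLSv1.3"}:
        findings.append("ssl_protocols must be only TLSv1.2 and/or TLSv1.3")
    if not any(len(a) > 1 and a[0] == "301" and a[1].startswith("https://") for a in args("return")):
        findings.append("no 301 redirect from HTTP to HTTPS")
    hsts = [a for a in args("add_header") if a and a[0].lower() == "strict-transport-security"]
    m = re.search(r"max-age=(\d+)", " ".join(hsts[0])) if hsts else None
    if not m or int(m.group(1)) < 15768000 or "always" not in hsts[0]:  # 6 months, the A+ minimum
        findings.append("HSTS missing, max-age under 6 months, or not sent with 'always'")
    if args("ssl_stapling") != [["on"]] or args("ssl_stapling_verify") != [["on"]] or not args("ssl_trusted_certificate"):
        findings.append("OCSP stapling not fully enabled")
    ciphers = ":".join(sum(args("ssl_ciphers"), [])).split(":")
    if any(c.startswith("DHE-") for c in ciphers) and not args("ssl_dhparam"):
        findings.append("DHE ciphers listed but ssl_dhparam not set")
    if args("ssl_session_tickets") != [["off"]]:
        findings.append("ssl_session_tickets should be off unless ticket keys are rotated")
    return findings

if __name__ == "__main__":
    print("\n".join(check(SAMPLE_CONF)) or "all checks passed")
```

Point `check` at the contents of your real sites-enabled file to run the same checks against the live vhost.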

Reload the NGINX config:

sudo nginx -s reload

Browse to the domain and check that the website loads over HTTPS.

Let's Encrypt NGINX SSL

Step 3: Run SSL Labs Report

Head over to the SSL Labs Test page, enter your domain, click Submit and wait for the test to complete.

SSL Labs Tool

You should have an A+.

SSL Labs Report

Conclusion

In this post we saw how easy it is to configure NGINX so that it gets an A+ rating from SSL Labs. You should run the report every so often and make tweaks, as the grading may change in the future. A good way to get the latest config is to use the Mozilla SSL Configuration Generator.

Written by: Tony Mackay

* GraspingTech participates in various affiliate marketing programs, which means we may earn a small commission at no additional cost to you, should you click on a link to a product and make a purchase.