How to Configure NGINX to get an A+ SSL Labs Rating
SSL Labs provide a free tool that lets you check the security of your web server's SSL configuration. The tool scans your server and generates a graded report, with A+ being the best. This tutorial will show you the steps involved in getting an A+ for an NGINX server.

Prerequisites
Before we begin, you will need access to a public-facing Ubuntu 18.04 server, and you will need to have assigned its public IP address in your public DNS service so that your domain is resolvable.
You will also need to have generated SSL certificates and copied them to the /etc/ssl/certs directory on the server. Read this tutorial to learn how to generate Let’s Encrypt certificates on your local machine using Ansible.
The following steps have been tested on Ubuntu 18.04 running on a DigitalOcean droplet. (If you don’t have a DigitalOcean account, use my affiliate link to get $100 free credit.)
Step 1: Install NGINX
Connect to the Ubuntu server with SSH and then install NGINX with the following command:
sudo apt install nginx ssl-cert
Step 2: Create Virtual Host
Create a virtual host conf file inside the /etc/nginx/sites-enabled folder with the name of the domain you want NGINX to serve. In the following example I will use test.graspingtech.com; replace this with your own domain.
sudo vim /etc/nginx/sites-enabled/test.graspingtech.com
Add the following config to the file, replacing test.graspingtech.com with your domain.
server {
    listen 80;
    listen [::]:80;
    server_name test.graspingtech.com;
    return 301 https://test.graspingtech.com$request_uri;
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name test.graspingtech.com;
    root /var/www/test.graspingtech.com;
    ssl_certificate /etc/ssl/certs/test.graspingtech.com-fullchain.crt;
    ssl_certificate_key /etc/ssl/private/test.graspingtech.com.pem;
    ssl_dhparam /etc/ssl/certs/test.graspingtech.com-dhparam.pem;
    # SSL Settings
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/ssl/certs/test.graspingtech.com-intermediate.crt;
    resolver 1.1.1.1 208.67.222.222;
    add_header Strict-Transport-Security "max-age=63072000" always;
    location / {
        try_files $uri $uri/ =404;
    }
}
Reload the NGINX config:
sudo nginx -s reload
Browse to the domain and check to see if the website loads and SSL is enabled.
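To catch regressions when this server block is edited later, the following added example (not part of the original tutorial) audits a config for the TLS settings used above: protocol list, ssl_dhparam alongside DHE ciphers, OCSP stapling, and the HSTS header. The function names, the 180-day HSTS minimum and the sample config are assumptions made for illustration, and the parser is flat, so it does not track which block a directive sits in.

```python
import re

# Constructed sample: the tutorial's HTTPS server block with three deliberate
# regressions (TLSv1.1 enabled, ssl_dhparam removed, short HSTS max-age).
WEAKENED = """
server {
    listen 443 ssl http2;
    ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;  # legacy protocol re-enabled
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256;
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security "max-age=3600";
}
"""
MIN_HSTS_AGE = 15552000  # 180 days: assumed minimum, adjust to your own policy

def directives(conf):
    """Map directive name -> list of argument strings (flat, ignores nesting)."""
    found = {}
    stripped = re.sub(r"#.*", "", conf)  # drop comments before matching
    for name, args in re.findall(r"^\s*([a-z_]+)\s+([^;{}]+);", stripped, re.M):
        found.setdefault(name, []).append(args.strip())
    return found

def audit(conf):
    """Return a list of findings; an empty list means every check passed."""
    d, findings = directives(conf), []
    protocols = set(" ".join(d.get("ssl_protocols", [])).split())
    legacy = sorted(protocols - {"TLSv1.2", "TLSv1.3"})
    if not protocols:
        findings.append("ssl_protocols is not set (NGINX version default applies)")
    elif legacy:
        findings.append("legacy protocols enabled: " + " ".join(legacy))
    # NGINX does not offer DHE suites unless ssl_dhparam points at a parameter file.
    ciphers = ":".join(d.get("ssl_ciphers", [])).split(":")
    if any(c.startswith("DHE-") for c in ciphers) and "ssl_dhparam" not in d:
        findings.append("DHE ciphers listed but ssl_dhparam is missing")
    for name in ("ssl_stapling", "ssl_stapling_verify"):
        if d.get(name) != ["on"]:
            findings.append(name + " is not on")
    hsts = [a for a in d.get("add_header", [])
            if a.lower().startswith("strict-transport-security")]
    age = re.search(r"max-age=(\d+)", hsts[0]) if hsts else None
    if not age or int(age.group(1)) < MIN_HSTS_AGE:
        findings.append("HSTS header missing or max-age below %d" % MIN_HSTS_AGE)
    elif not hsts[0].endswith("always"):
        findings.append("HSTS header lacks 'always' (not sent on error responses)")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(WEAKENED)) or "all checks passed")
```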

Step 3: Run SSL Labs Report
Head over to the SSL Labs Test page, enter your domain, click Submit and wait for the test to complete.

You should have an A+.

Conclusion
In this post we saw how easy it is to configure NGINX so that it gets an A+ rating from SSL Labs. You should run the report every so often and make tweaks, as things may change in the future. A good way to get the latest config is to use the Mozilla SSL Configuration Generator.