
In this guide we show you how to set up an SSL certificate for a domain on your NGINX VPS or dedicated server, while putting in place the best security options and configurations, including selecting the most secure cipher suite.

We assume you already have your SSL certificate issued and the private key ready to install on your server. If not, you will first need to generate a CSR and private key in order to order your new SSL certificate and have it issued.

First, let's copy the SSL certificate and private key to your server. On CentOS this is commonly done into the /etc/ssl folder.
You also want to combine any intermediate certificates supplied by the Certificate Authority with your own SSL certificate, your certificate first and the intermediates after it. This can be done via:

cat your_domain_name.crt intermediate.crt > mycert.crt

Or use an editor such as nano to create a .crt file and paste in your certificates.

Also create a .key file for your private key. You should now have these two files:

/etc/ssl/mycert.crt
/etc/ssl/mycert.key

The next step is to create a dhparam.pem file. We set the Diffie-Hellman parameter size to 2048 bits; anything less is insecure. Run the following command:

openssl dhparam -out /etc/ssl/dhparam.pem 2048

Now we need to configure NGINX.
Go to the nginx configuration file for your website. This will most likely be in the folder /etc/nginx/conf.d, or somewhere else under /etc/nginx, and is usually named something like yourdomain_com_au.conf:

cd /etc/nginx/conf.d

Once you have found the conf file for the domain you are installing the SSL certificate for, edit it with your favourite editor:

nano yourdomain_com_au.conf

and add the following lines near the top of the file, outside your server {} block:

server_tokens off;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";

Now add these lines inside your server block (server { ... }):

ssl_certificate /etc/ssl/mycert.crt;      # the path to your .crt file created above
ssl_certificate_key /etc/ssl/mycert.key;  # the path to your .key file created above
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 5m;
ssl_dhparam /etc/ssl/dhparam.pem;         # the path to the dhparam.pem file created above

ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4;

Make sure your server block is listening on port 443 for SSL, restart nginx, then test your site at https://www.ssllabs.com/ssltest/. You should see a score of A or higher.
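Before restarting nginx it is worth checking the server block for the things an SSL Labs scan will penalise. The script below is an added example, not part of the original guide: it parses the directives used above from a constructed config snippet (stdlib only, line-based, so it does not handle nginx's full syntax) and reports missing directives, the absence of a port 443 listener, the three add_header lines, deprecated protocol versions and weak cipher suite entries. Run against the guide's own values it flags TLSv1 and TLSv1.1 (deprecated by RFC 8996) and the 3DES suites in the cipher list; the hardened variant, with TLSv1.2/TLSv1.3 and the 3DES entries removed (TLSv1.3 assumes nginx built against OpenSSL 1.1.1 or later), comes back clean.

```python
"""Audit an nginx TLS server block before restarting nginx.

Added example for the guide above (not the guide's own code). Uses only the
Python standard library and a constructed config snippet as input.
"""

# Constructed sample: the guide's http-level headers plus its server block.
SAMPLE_CONF = """
server_tokens off;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";

server {
    listen 443 ssl;
    server_name yourdomain.com.au;
    ssl_certificate /etc/ssl/mycert.crt;      # the path to your .crt file
    ssl_certificate_key /etc/ssl/mycert.key;  # the path to your .key file
    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 5m;
    ssl_dhparam /etc/ssl/dhparam.pem;
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4;
}
"""

# Same snippet with only TLS 1.2/1.3 enabled and the 3DES entries dropped.
HARDENED_CONF = SAMPLE_CONF.replace(
    "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;", "ssl_protocols TLSv1.2 TLSv1.3;"
).replace(":ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA", "")

DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Substrings that identify weak primitives in an OpenSSL cipher suite name.
# "!" exclusions in the cipher string are skipped, so only enabled entries match.
WEAK_CIPHER_MARKERS = ("DES-CBC3", "3DES", "RC4", "MD5", "NULL", "EXPORT")
EXPECTED_HEADERS = {"X-Frame-Options", "X-Content-Type-Options", "X-XSS-Protection"}


def parse_directives(conf):
    """Return [(name, [args])] for each 'name args;' line, comments stripped.

    A list rather than a dict so repeated directives such as add_header survive.
    Block openers ('server {') and closers ('}') carry no ';' and are skipped.
    """
    out = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.endswith(";"):
            continue
        parts = [p.strip("\"'") for p in line[:-1].split()]
        if parts:
            out.append((parts[0], parts[1:]))
    return out


def args_of(directives, name):
    """Arguments of the first occurrence of `name`, or None if it is absent."""
    for n, a in directives:
        if n == name:
            return a
    return None


def audit(conf):
    """Return a list of findings; an empty list means nothing was flagged."""
    directives = parse_directives(conf)
    findings = []
    for required in ("ssl_certificate", "ssl_certificate_key", "ssl_dhparam"):
        if args_of(directives, required) is None:
            findings.append(f"missing {required}")
    listen = args_of(directives, "listen") or []
    if not any(a == "443" or a.endswith(":443") for a in listen):
        findings.append("server block does not listen on port 443")
    if args_of(directives, "server_tokens") != ["off"]:
        findings.append("server_tokens is not off")
    if args_of(directives, "ssl_prefer_server_ciphers") != ["on"]:
        findings.append("ssl_prefer_server_ciphers is not on")
    protocols = args_of(directives, "ssl_protocols") or []
    deprecated = [p for p in protocols if p in DEPRECATED_PROTOCOLS]
    if deprecated:
        findings.append("deprecated protocol(s) enabled: " + " ".join(deprecated))
    cipher_spec = (args_of(directives, "ssl_ciphers") or [""])[0]
    for entry in cipher_spec.split(":"):
        if entry and not entry.startswith("!") and any(
            m in entry.upper() for m in WEAK_CIPHER_MARKERS
        ):
            findings.append(f"weak cipher suite allowed: {entry}")
    present = {a[0] for n, a in directives if n == "add_header" and a}
    for header in sorted(EXPECTED_HEADERS - present):
        findings.append(f"security header not set: {header}")
    return findings


if __name__ == "__main__":
    for label, conf in (("guide config", SAMPLE_CONF), ("hardened config", HARDENED_CONF)):
        result = audit(conf)
        print(f"{label}: {'OK' if not result else str(len(result)) + ' finding(s)'}")
        for finding in result:
            print("  -", finding)
```

To audit a real file, read it into a string and pass it to audit(); the checks are deliberately conservative (a missing or renamed directive is reported rather than guessed at), so a clean result still wants confirming with the SSL Labs scan mentioned above.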


Author: Paul Baka
