Improve Your Website Security: A Quick Guide for Nginx
Are you concerned about your website’s security? Do you want to make it more difficult for hackers to intercept your users’ data? Enabling HTTPS by default on all your websites is a great way to do just that. In this article, we will show you how to improve your Nginx SSL configuration using some simple commands.
Step 1: Redirect all HTTP traffic to HTTPS
To enable HTTPS by default, we need to redirect all HTTP traffic to HTTPS. We can do this using the following command:
server {
listen 80;
server_name <my_server_name>;
return 301 https://$host$request_uri;
}
Note that once you enable HTTPS, it’s impossible to downgrade HTTPS visitors to HTTP without the proper certificates.
Also, If you are using Letsencrypt to generate certificates, pass ` — rsa-key-size 4096` to certbot, otherwise it defaults to key size 2048
sudo certbot --nginx -d example.com --rsa-key-size 4096
Similarly if you are renewing it,
sudo certbot renew --rsa-key-size 4096 --force-renewal
Step 2: Enable HSTS
HSTS (HTTP Strict Transport Security) is a security feature that forces web browsers to only use HTTPS when communicating with your website. To enable HSTS, add the following command to your Nginx configuration file:
add_header Strict-Transport-Security max-age=63072000;
Step 3: Use strong SSL ciphers
SSL ciphers are algorithms that are used to encrypt data sent between a web server and a web browser. Some SSL ciphers, like RC4, are vulnerable, and SSL 3 is broken. To use strong SSL ciphers, we can use the Mozilla SSL Configuration Generator to generate a list of recommended ciphers:
ssl_prefer_server_ciphers on;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
Step 4: Use strong Diffie-Hellman keys
Diffie-Hellman key exchange is a protocol that provides secure communication between a web server and a web browser. To use strong Diffie-Hellman keys, we can generate new parameters using OpenSSL:
cd /etc/ssl/certs
openssl dhparam -out dhparam.pem 4096
Note: It will take a lot of time to generate this, It took around 45 mins for me.
Then, add the following command to your Nginx configuration file:
ssl_dhparam /etc/ssl/certs/dhparam.pem;
Step 5: Enable OCSP stapling
OCSP stapling is a feature that allows web servers to provide a digitally signed response from the CA (Certificate Authority) about the validity of an SSL certificate. To enable OCSP stapling, add the following command to your Nginx configuration file:
ssl_stapling on;
ssl_stapling_verify on
In conclusion, securing your website with HTTPS is crucial in today’s digital landscape, and Nginx provides a variety of options for improving your SSL configuration. By following the steps outlined in this quick guide, you can ensure that your website is protected against interception and unauthorized access. Redirecting all HTTP traffic to HTTPS, enabling HSTS, using strong SSL ciphers and Diffie-Hellman keys, and enabling OCSP stapling are all important measures that can significantly enhance your website’s security. With these simple commands, you can take a proactive approach to protecting your users’ data and improving their trust in your website.