Get 100% score on SSLLabs with NGINX and Let's-Encrypt
SSL Labs is a collection of documents, tools and thoughts related to SSL. It's an attempt to better understand how SSL is deployed, and an attempt to make it better. I hope that, in time, SSL Labs will grow into a forum where SSL will be discussed and improved.
SSL Labs is a non-commercial research effort, and we welcome participation from any individual and organization interested in SSL.
-- Ivan Ristić, Qualys
You can test your website now to see its current score:
https://www.ssllabs.com
If you get an A, that is good enough.
But if you are a perfectionist, you may want to work through the points below.
Request a 4096-bit key from Let's Encrypt
Add this parameter to the certbot command:
--rsa-key-size 4096
Use only TLS v1.2
In /etc/nginx/nginx.conf
ssl_protocols TLSv1.2;
Use safe ciphers
ssl_prefer_server_ciphers on;
ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;
Use 4096-bit DH-Parameters
Generate DH-Parameters on your server (openssl expects the bit size after the options, and generating 4096-bit parameters can take several minutes):
sudo openssl dhparam -out /etc/nginx/cert/dhparam.pem 4096
In /etc/nginx/nginx.conf
ssl_dhparam /etc/nginx/cert/dhparam.pem;
Use HTTP Strict Transport Security
In /etc/nginx/nginx.conf
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
Sample nginx.conf (partial)
http {
    ##
    # SSL Settings
    ##
    # 'ssl on' was made obsolete in nginx 1.15.0 and removed in 1.25.1; on current
    # versions use the ssl parameter of the listen directive in each server block instead.
    ssl on;
    ssl_certificate /etc/letsencrypt/live/y2kbug.xyz/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/y2kbug.xyz/privkey.pem;
    ssl_ecdh_curve secp384r1;
    ssl_session_cache shared:TLS:2m;
    ssl_session_timeout 5m;
    ssl_buffer_size 4k;
    ssl_session_tickets off;
    # Only TLS 1.2, server-chosen ciphers, and the 4096-bit DH parameters generated above
    ssl_protocols TLSv1.2;
    ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/cert/dhparam.pem;
    # Hide the nginx version in responses and error pages
    server_tokens off;
    # HSTS plus the usual browser hardening headers; 'always' keeps HSTS on error responses too
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    # ... server blocks ...
}
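As an added check that is not part of the original post: a small Python audit that parses the simple directives of an nginx config fragment and reports which of the points above it misses (TLS 1.2 only, server-preferred ciphers that exclude aNULL, an ssl_dhparam, and a one-year HSTS header with includeSubDomains and always). It assumes a flat config fragment on one context and uses a constructed weak sample; run it on the hardened block above and the list comes back empty.

```python
import re

# Values taken from the post: a one-year HSTS max-age, and nothing older than TLS 1.2.
HSTS_MIN_MAX_AGE = 31536000
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def parse_directives(conf):
    """Yield (name, args) for each simple directive; comments and block openers are skipped."""
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.endswith(";"):
            parts = line[:-1].split(None, 1)
            yield parts[0], (parts[1].strip() if len(parts) > 1 else "")

def audit(conf):
    """Return the hardening points from the post that the config misses; [] means all pass."""
    single, headers = {}, []
    for name, args in parse_directives(conf):
        if name == "add_header":
            headers.append(args)
        else:
            single[name] = args  # later occurrence wins, as within one nginx context
    findings = []
    if not single.get("ssl_protocols") or set(single["ssl_protocols"].split()) & LEGACY_PROTOCOLS:
        findings.append("ssl_protocols allows versions older than TLS 1.2")
    if single.get("ssl_prefer_server_ciphers") != "on":
        findings.append("ssl_prefer_server_ciphers is not on")
    if "!aNULL" not in single.get("ssl_ciphers", ""):
        findings.append("ssl_ciphers does not exclude anonymous (aNULL) suites")
    if "ssl_dhparam" not in single:
        findings.append("no ssl_dhparam, so no custom DH parameters are used")
    hsts = [h for h in headers if h.startswith("Strict-Transport-Security")]
    if not hsts:
        return findings + ["no Strict-Transport-Security header"]
    m = re.search(r"max-age=(\d+)", hsts[-1])
    if not m or int(m.group(1)) < HSTS_MIN_MAX_AGE:
        findings.append("HSTS max-age is below one year")
    if "includeSubDomains" not in hsts[-1]:
        findings.append("HSTS header lacks includeSubDomains")
    if not hsts[-1].endswith("always"):
        findings.append("HSTS add_header lacks 'always', so error responses omit it")
    return findings

# Constructed sample: a config that still allows legacy protocols and a short HSTS lifetime.
WEAK_CONF = """
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
add_header Strict-Transport-Security "max-age=300";
"""
```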
Now it's time to test again.
Remember to restart NGINX first!
https://www.ssllabs.com