Recently I embarked on finding the optimal NGINX SSL security settings and stumbled across this post: https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html

It recommends disabling SSLv3 (because it is insecure), setting AES256 as the standard cipher, and a couple of other things that can prevent attacks. Good stuff to tighten up security on an NGINX SSL implementation.

Here is an example config used in the original post:


server {
    listen [::]:443 default_server;

    ssl on;
    ssl_certificate_key /etc/ssl/cert/raymii_org.pem;
    ssl_certificate /etc/ssl/cert/ca-bundle.pem;

    ssl_ciphers 'AES256+EECDH:AES256+EDH:!aNULL';

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_session_cache shared:SSL:10m;

    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.4.4 8.8.8.8 valid=300s;
    resolver_timeout 10s;

    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    add_header Strict-Transport-Security max-age=63072000;
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;

    root /var/www/;
    index index.html index.htm;
    server_name raymii.org;
}
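An added example, not from the original post: a small Python check that reads an nginx config and reports where it departs from the settings recommended above (no SSLv3, AES256-only ciphers, server cipher preference, DH parameters, HSTS). The function names, the finding messages and the WEAK sample are assumptions constructed for this illustration.

```python
import re

# Constructed input: a deliberately weak server block for the demonstration.
WEAK = """
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.2;
    ssl_ciphers ‘AES256+EECDH:AES256+EDH:RC4:!aNULL’;
}
"""

def directives(conf):
    """Map each simple 'name args;' directive to the list of its argument strings."""
    conf = re.sub(r"#[^\n]*", "", conf)  # drop comments
    found = {}
    for name, args in re.findall(r"^\s*([a-z_]+)\s+([^;{}]+);", conf, re.M):
        found.setdefault(name, []).append(args.strip())
    return found

def audit(conf):
    """Return findings where conf departs from the settings the post recommends."""
    d, findings = directives(conf), []
    protocols = " ".join(d.get("ssl_protocols", [])).split()
    if not protocols:
        findings.append("ssl_protocols not set explicitly")
    findings += [f"{p} enabled in ssl_protocols" for p in protocols if p in ("SSLv2", "SSLv3")]
    ciphers = " ".join(d.get("ssl_ciphers", []))
    if re.search("[‘’“”]", ciphers):  # pasted "smart" quotes end up inside the cipher string
        findings.append("typographic quotes in ssl_ciphers")
    tokens = [t for t in ciphers.strip("'\"‘’“”").split(":") if t]
    if not tokens:
        findings.append("ssl_ciphers not set explicitly")
    findings += [f"cipher '{t}' is outside the AES256 policy"
                 for t in tokens if not t.startswith("!") and "AES256" not in t]
    if tokens and "!aNULL" not in tokens:
        findings.append("ssl_ciphers does not exclude aNULL")
    if any("EDH" in t for t in tokens) and "ssl_dhparam" not in d:
        findings.append("EDH ciphers listed but ssl_dhparam is not set")
    if d.get("ssl_prefer_server_ciphers") != ["on"]:
        findings.append("ssl_prefer_server_ciphers is not on")
    if not any(a.startswith("Strict-Transport-Security") for a in d.get("add_header", [])):
        findings.append("Strict-Transport-Security header missing")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(WEAK)))
```

Run against the config above with straight quotes, `audit` returns an empty list; the same config with typographic quotes around the cipher string yields a single finding.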