How to Properly Configure SSL on nginx


With news of the latest security bug — this week in SSLv3, I went into the SSL configuration for and found the following:

ssl_protocols include SSLv3 — no good. Removed it and restarted nginx. In the spirit of good configurations, here is the full outline of the ssl configuration for nginx:

listen 443 ssl; // nginx needs to listen on 443 for ssl connections.
server_name; // server name. this should match your cert.
ssl_certificate /etc/nginx/ssl/bundle.crt; // location of your trusted cert path
ssl_certificate_key /etc/nginx/ssl/www.key; // location of your private key
ssl_session_cache shared:SSL:20m; // the slowest part of SSL is the start-up so lets cache it for 20 minutes.
ssl_session_timeout 10m; // same as previous, timeout after 10 minutes.
ssl_prefer_server_ciphers On; // in ssl_ciphers below, we’re going to give our preferred order of ciphers
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; // notice here, we only allow TLS. SSLv3 is removed.
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS; // this is our preferred order of SSL ciphers. this is a generous list. you may want to shorten.
ssl_stapling on; // turn on SSL Stapling. A more efficient way to check if our cert has been revoked.
ssl_stapling_verify on; // same as previous
resolver valid=300s; // we have to give SSL stapling a DNS server to lookup. I prefer google’s servers.
resolver_timeout 10s;
add_header Strict-Transport-Security “max-age=31536000”; // This says: once we’re HTTPS, don’t go back to HTTP (for a while).

Not only should that give you a secure SSL connection with nginx, it should also make it pretty fast.