In this guide we will show you how to setup an SSL Certificate for a domain on your NGINX VPS or Dedicated Server while putting into place the best security options and configurations including selecting the most secure cipher suite.
We assume you have your SSL Certificate issued and the private key ready to install on your server already. If not you will need to look into how to generate a CSR and Private Key to order and get issued your new SSL Certificate.
First lets copy the SSL Certificate and private key to your server. This is commonly done to to the /etc/ssl folder on CentOS.
You also want to combine all your Intermediate Certificate that may have been supplied by the Certificate Authority with your own ssl certificate. This can be done via:
cat your_domain_name.crt intermediate.crt >> mycert.crt
Or use a program such as nano to generate a .crt file and paste in your certificates.
And also create a.key file for your Private Key. So you should now have the 2 file:
/etc/ssl/mycert.crt
/etc/ssl/mycert.key
The next step is to create a dhparam.pem file. The Diffie-Hellman parameter we will set is to make sure 2048 bits is used. Any less is insecure. So run the following command:
openssl dhparam -out /etc/ssl/dhparam.pem 2048
Now we need to configure our NGINX.
Go to your nginx configuration file for your website. This will most likely be in the folder /etc/nginx/conf.d Or somewhere in the /etc/nginx folder. Usualy named: yourdomain_com_au.conf
cd /etc/nginx/conf.d
once you have found your conf file for the domain you are installing the ssl for, edit it with your favourite editor.
nano yourdomain_com_au.conf
and add the following lines near the top (not in your server block)…
server_tokens off;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
Now in your server block…. server {}
Add these lines
ssl_certificate /etc/ssl/mycert.crt; #the path to your .crt file created above
ssl_certificate_key /etc/ssl/mycert.key; #the path to your .key file created above
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 5m;
ssl_dhparam /etc/ssl/dhparam.pem; #path to the dhparam.pem file created above
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4;
make sure you have your server block listening on port 443 for the ssl and restart nginx, and test your site with https://www.ssllabs.com/ssltest/ and you should see a score of A or more.