Configuring your server for SSL can be a little overwhelming. To help with this I am writing three posts (one for Nginx, Apache and IIS) with example configurations that (to the extent possible) result in the same configuration regardless of what server you are using.
Let’s start with Nginx. For this site:
- Running nginx/1.4.1 and openssl 1.0.1e
- All static content is handled by Nginx.
- All dynamic content is handled by Node.js and Express.
- We use the X-Frame-Options header to help protect against clickjacking.
- We use the X-Content-Security-Policy header to help protect against cross-site scripting (XSS). This is the older prefixed name; browsers that implement the standard use the unprefixed Content-Security-Policy header, so send that one as well.
- All requests for content received over http are redirected to https.
- Once the user has visited the site over https, the Strict-Transport-Security header tells the browser to use https for all later requests to the site, without first trying http.
- We have chosen SSL cipher suites to offer a blend of performance and security.
- We have disabled SSL v2 and v3 and enabled all versions of TLS (TLS 1.0 through 1.2 with this OpenSSL build; on a current deployment restrict this to TLS 1.2 and 1.3, as 1.0 and 1.1 are deprecated).
- We have enabled OCSP stapling.
- We have enabled SSL session caching.
- We have put all certificates and keys into their own folder (certs.d/).
- We have set the owner of the certs.d folder to the user that the server runs as.
- We have restricted the certs.d folder and the key files so that only the owner can read and write them: mode 700 on the folder (a directory needs the execute bit to be entered, so 600 would lock out the owner too) and mode 600 on the key files.
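The last three points are easy to get subtly wrong (a 600 directory, a key left world-readable by a copy, a file owned by root after editing as root), so here is a small audit script for the certs.d layout. It is an added example and not part of the original post or its configuration; it assumes the folder is named certs.d and that private keys end in `.key`, and it uses only `ls`, `cut` and `awk` so that it runs the same on GNU and BSD userlands.

```bash
#!/bin/sh
# Audit an nginx certs.d directory: the directory must be mode 700, every
# private key (*.key) mode 600, and everything owned by the expected user.
# Added example; the certs.d name and the *.key suffix are assumptions.

# mode_of PATH -> prints the 10-character permission string, e.g. drwx------
mode_of() {
  ls -ld "$1" | cut -c1-10
}

# owner_of PATH -> prints the owning user name
owner_of() {
  ls -ld "$1" | awk '{print $3}'
}

# check_certs_dir DIR [USER]
# Returns 0 when DIR is drwx------ and owned by USER (default: the current
# user) and every *.key inside DIR is -rw------- and owned by USER.
# Prints one line per violation so the result is readable in a deploy log.
check_certs_dir() {
  dir="$1"
  user="${2:-$(id -un)}"
  rc=0
  if [ ! -d "$dir" ]; then
    echo "FAIL: $dir is not a directory"
    return 1
  fi
  # A directory needs the execute bit to be traversed, so 700, not 600.
  if [ "$(mode_of "$dir")" != "drwx------" ]; then
    echo "FAIL: $dir mode is $(mode_of "$dir"), expected drwx------ (chmod 700)"
    rc=1
  fi
  if [ "$(owner_of "$dir")" != "$user" ]; then
    echo "FAIL: $dir owned by $(owner_of "$dir"), expected $user"
    rc=1
  fi
  for key in "$dir"/*.key; do
    [ -e "$key" ] || continue   # glob did not expand: no keys present
    if [ "$(mode_of "$key")" != "-rw-------" ]; then
      echo "FAIL: $key mode is $(mode_of "$key"), expected -rw------- (chmod 600)"
      rc=1
    fi
    if [ "$(owner_of "$key")" != "$user" ]; then
      echo "FAIL: $key owned by $(owner_of "$key"), expected $user"
      rc=1
    fi
  done
  [ "$rc" -eq 0 ] && echo "OK: $dir"
  return "$rc"
}

# Usage (hypothetical paths and user):
#   check_certs_dir /etc/nginx/certs.d www-data
```

Run it as part of the deploy step that copies certificates into place; a non-zero exit stops the deploy before nginx is reloaded with a key that another local user could read.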
Here is the configuration file: