Chrome, Firefox and Safari will at least check whether a website is in the HSTS preload list. Here is the right Nginx configuration for HSTS preload. We talked about what the HTTP Strict Transport Security (HSTS) Preload List is in a previously published article. Here is a working Nginx configuration that passes the HSTS Preload test.
Nginx Configuration for HSTS Preload: Before We Begin
This configuration is for Rackspace Cloud and uses the fully default settings of Nginx. You should read the previous guide, SSL Grade Optimization Tweak For Rackspace Cloud Server. Basically, 90% of the work has been done in the older guides; only a small tweak is required to get what we want. It is very easy.
Nginx Configuration for HSTS Preload
```nginx
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples
server {
    listen 80;
    listen [::]:80 ipv6only=on;
    # rest of the all stuffs will be here
    # we skipped to HTTPS
    # Includes HSTS Preload
}

# HTTPS server
#
server {
    listen 443 ssl spdy default;
    keepalive_timeout 70;
    server_name thecustomizewindows.com;
    server_tokens off;
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    root /usr/share/nginx/html;
    index index.php index.html index.htm;
    ssl on;
    access_log off;
    spdy_headers_comp 0;
    ssl_certificate /etc/nginx/ssl/thecustomizewindows.com.crt;
    ssl_certificate_key /etc/nginx/ssl/thecustomizewindows.com.key;
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    ssl_session_timeout 10m;
    ssl_session_cache shared:NginxCache123:50m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK';
    ssl_prefer_server_ciphers on;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/ssl/signed_cert_plus_intermediate.crt;
    resolver 8.8.8.8 8.8.4.4 valid=86400;
    # HSTS header with the three things the preload list looks for:
    # a max-age of one year, includeSubDomains and the preload token
    add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';

    location ~ \.php$ {
        # fastcgi_split_path_info ^(.+\.php)(/.+)$;
        #
        # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
        #
        # # With php5-cgi alone:
        # fastcgi_pass 127.0.0.1:9000;
        # # With php5-fpm:
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_param PHP_VALUE "upload_max_filesize = 100M \n post_max_size=101M";
        fastcgi_index index.php;
        fastcgi_buffer_size 128k;
        fastcgi_buffers 256 16k;
        fastcgi_busy_buffers_size 256k;
        fastcgi_temp_file_write_size 256k;
        include fastcgi_params;
        # BEGIN W3TC stuffs
        ## W3C stuffs here
        # END W3TC stuffs
    }

    location / {
        try_files $uri $uri/ /index.php;
    }
}
# if more thing exits will go here
```
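Before submitting a domain to the preload list it is worth verifying that the header the server actually sends carries everything the list requires. The small checker below is an added example, not code from this article: it parses a Strict-Transport-Security value and reports which preload requirements (a max-age of at least one year, includeSubDomains, preload) are missing. The sample header values are constructed; the first one is exactly what the add_header line above emits.

```python
# Added example (not from the original article): validate an HSTS header
# value against the preload list requirements.
import re

ONE_YEAR = 31536000  # seconds; the minimum max-age the preload list expects


def parse_hsts(header_value):
    """Parse an HSTS header value into a dict of lower-cased directives.

    Valueless directives (includeSubDomains, preload) map to None.
    """
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"') if sep else None
        # RFC 6797: a directive must not appear more than once
        if name in directives:
            raise ValueError("duplicate directive: %s" % name)
        directives[name] = value
    return directives


def check_preload(header_value):
    """Return a list of problems; an empty list means preload-eligible."""
    problems = []
    d = parse_hsts(header_value)
    max_age = d.get("max-age")
    if max_age is None or not re.fullmatch(r"\d+", max_age):
        problems.append("max-age missing or not an integer")
    elif int(max_age) < ONE_YEAR:
        problems.append("max-age %s is below one year (%d)" % (max_age, ONE_YEAR))
    if "includesubdomains" not in d:
        problems.append("includeSubDomains directive missing")
    if "preload" not in d:
        problems.append("preload directive missing")
    return problems


# Constructed sample: the value the article's add_header line sends
ARTICLE_HEADER = "max-age=31536000; includeSubDomains; preload"

if __name__ == "__main__":
    for value in (ARTICLE_HEADER, "max-age=300", "max-age=63072000; preload"):
        print(repr(value), "->", check_preload(value) or "OK for preload")
```

To check a live server, feed it the value printed by `curl -sI https://example.com | grep -i strict-transport-security` (hostname is a placeholder).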
All of these directives were discussed in the earlier guides. This is enough to get an A+ on the SSL Labs test:
---
```text
https://www.ssllabs.com/ssltest/analyze.html?d=thecustomizewindows.com
# this will give you
# our result, which is
Certificate 100
Protocol Support 95
Key Exchange 90
Cipher Strength 90
```
To generate the dhparam.pem file, you will run:
```bash
openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
# /etc/nginx/ssl/ is my path
```
Yes, the security or grade can be increased further, but Windows and Internet Explorer will create problems:
```text
https://www.ssllabs.com/ssltest/viewClient.html?name=IE&version=6&platform=XP
```