Here are the tweaks for SSL Grade Optimization for Rackspace Cloud Server for a typical Nginx web server. We have also explained the terms. We are writing as SSL Grade Optimization Tweak For Rackspace Cloud Server but actually it is TLS Grade Optimization Tweak For Rackspace Cloud Server because we now use TLS not SSL. If you are not sure about SSL/TLS things, first read our guide to determine which SSL certificate you need. Any Quick SSL will work fine for developmental purpose, but without better certificate, Grade can get decreased in some third party test.
The Need For SSL Grade Optimization Tweak For Rackspace Cloud Server
So we are going to follow this guide Install WordPress with Nginx on Rackspace Cloud Server or something closer you read somewhere, it really does not matter. We can easily add this server as a node behind a load balancer and server HTTPS pages, right? But this trick will fail to get A+ Grade or kind of same on most SSL/TLS cert testing tools. Thats for internal usage. For external and public usage you need another server working as loadbalancer in front or the server in front. Later is least costly and requires lesser technical expatriation.
SSL Grade Optimization Tweak For Rackspace Cloud Server
This is valid for 2 GB (minimum) instance on Rackspace Cloud only. You can use the settings for other plain web hosts but you might need real tweaks. First, keep the load balancer (if you have any) and serve HTTPS pages in the way we commonly do – by adding the certs on loadbalancer. We will debug by using the load balancer – you will add the same server’s port 443 and set port 80 to disabled to test. Else you can check with bare IP. As there will be nothing at the end (you will remove the loadbalancer) you must take care of your server.
---
We recommend to use a dev setup to test. Just for example, on this Test we scored A+ :
1 | https://www.ssllabs.com/ssltest/analyze.html?d=thecustomizewindows.com |
This is absolutely like our page speed optimization. By the way, all cache plugins, CDN should be off. Otherwise it will become difficult to debug. WordPress throw lot of Errors with SSL and Nginx. You can not apply these tricks for another web host. They might not solve Rackspace specific settings.
SSL Grade Optimization Tweak For Rackspace Cloud Server : After SSH
Our need to work is with only this file :
1 | /etc/nginx/sites-available/default |
We have a way to do a config test for Nginx instead of directly reloading the wrong settings :
1 2 | nginx -t # test all files and return errors and warnings locations |
There are lot terminologies on that test page :
Server Key and Certificate : We will do here.
Additional Certificates (if supplied) : We will do here.
Certification Paths : We will do here.
Protocols : We will do here.
Cipher Suites : We will do here.
Handshake Simulation : All are clickable hyperlinks, you can click to optimize more.
Protocol Details : We will do here.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 | # HTTPS server # server { listen 443 ssl spdy; keepalive_timeout 70; # change server_name thecustomizewindows.com; root /usr/share/nginx/html; index index.php index.html index.htm; ssl off; access_log off; # certs sent to the client are concatenated in ssl_certificate # change ssl_certificate /etc/nginx/ssl/thecustomizewindows.com.crt; # change ssl_certificate_key /etc/nginx/ssl/thecustomizewindows.com.key; # Diffie-Hellman parameter for DHE cipher suites ssl_dhparam /etc/nginx/ssl/dhparam.pem; ssl_session_timeout 5m; ssl_session_cache shared:NginxCache123:50m; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK'; ssl_prefer_server_ciphers on; # Enable for HSTS add_header Strict-Transport-Security max-age=15768000; # OCSP Stapling # fetch OCSP records from URL in ssl_certificate and cache them ssl_stapling on; ssl_stapling_verify on; # verify chain of trust # change ssl_trusted_certificate /etc/nginx/ssl/signed_cert_plus_intermediate.crt; resolver 8.8.8.8 8.8.4.4; location ~ \.php$ { fastcgi_pass unix:/var/run/php5-fpm.sock; fastcgi_param PHP_VALUE "upload_max_filesize = 100M \n post_max_size=101M"; fastcgi_index index.php; include fastcgi_params; } location / { try_files $uri $uri/ /index.php; } |
First create a directory at /etc/nginx/ssl/ by :
1 | mkdir -p /etc/nginx/ssl/ && cd /etc/nginx/ssl/ |
You can read this post for details :
1 | https://jve.linuxwall.info/blog/index.php?post/2013/10/12/A-grade-SSL/TLS-with-Nginx-and-StartSSL |
But, basically you will not build but install Nginx with apt get install command. Concatenated files are described on your cert provider’s help page – simple copy pasting two certs. Diffie-Hellman parameter should be generated by this command :
1 | openssl dhparam -rand “ 2048 |
You can read details here :
1 | http://h71000.www7.hp.com/doc/83final/ba554_90007/ch06s06.html |
After you run config test, dhparam can through error. You should uncomment it and again test. Then reload the config and restart :
1 2 3 4 | service nginx reload # [ OK ] output expected service nginx restart # [ OK ] output expected |
As said, this is specifically for WordPress with permalinks on Rackspace using Nginx. Do not blindly copy and first take a backup of your working file via FTP if its comfortable to you. It does not matter whether port 80 is default or port 443. That is of theoretical importance.
