====== Configure NGINX web server to use SSL ======

  - You need an installed [[linux:install:webserver|NGINX web server]].
  - You also need an [[linux:openssl|SSL key and certificate]]; [[linux:nginx:letsencrypt|Let's Encrypt]] gives you a CA-signed certificate instead of a self-signed one.
  - Copy the certificate to ''/etc/ssl/certs/cert.pem'' and the private key to ''/etc/ssl/private/cert.key'' (these are the paths the configuration below expects). The key must be readable by root only: ''sudo chmod 600 /etc/ssl/private/cert.key''.
  - Generate the Diffie-Hellman parameters referenced by ''ssl_dhparam''. 4096 bits takes several minutes, and it must exist before NGINX is reloaded or the reload fails on the missing file.
  - Configure the server to serve an SSL site. The block below terminates TLS on port 443 and proxies to the plain HTTP site on port 80 of the same host:

<code bash>
sudo tee /etc/nginx/sites-available/ssl > /dev/null <<'EOF'
server {
    listen 443 ssl http2;

    ssl_certificate     /etc/ssl/certs/cert.pem;
    ssl_certificate_key /etc/ssl/private/cert.key;
    ssl_dhparam         /etc/ssl/certs/dhparam.pem;

    # TLS 1.0 and 1.1 are obsolete; ssl_ciphers applies to TLS 1.2 and older only
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 +SHA !aNULL !eNULL !LOW !MD5 !EXP !DSS !PSK !SRP !kECDH !CAMELLIA !RC4 !SEED';
    ssl_prefer_server_ciphers on;
    ssl_session_timeout 5m;
    ssl_session_cache shared:SSL:10m;

    # OCSP stapling only works with a CA-issued certificate (see the notes below)
    ssl_stapling on;
    ssl_stapling_verify on;

    add_header Strict-Transport-Security max-age=63072000;
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;

    keepalive_timeout 90;

    location / {
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host              $host;
        proxy_pass http://127.0.0.1:80;
    }
}
EOF
sudo ln -s /etc/nginx/sites-available/ssl /etc/nginx/sites-enabled/ssl
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
sudo nginx -t && sudo service nginx reload
</code>

Notes on the configuration:

  * The heredoc delimiter is quoted (''<<'EOF'''), so the ''$remote_addr'' and similar variables need no backslash escaping.
  * ''ssl on;'' is not used: the ''ssl'' parameter of ''listen'' already enables TLS, and the separate directive has been deprecated since NGINX 1.15.0. Similarly, NGINX 1.25.1 and later prefer a separate ''http2 on;'' directive over the ''http2'' parameter of ''listen''.
  * ''ssl_protocols'' allows TLS 1.2 and 1.3 only. TLS 1.0 and 1.1 are obsolete and browsers no longer negotiate them. Note that ''ssl_ciphers'' and ''ssl_prefer_server_ciphers'' do not affect TLS 1.3 cipher suites.
  * ''ssl_stapling'' needs an OCSP responder NGINX can reach, so it only makes sense with a CA-issued certificate; with a self-signed certificate remove the two stapling lines, or NGINX logs a warning at every start. With a CA-issued certificate also add the issuer chain via ''ssl_trusted_certificate'' (required by ''ssl_stapling_verify'') and a ''resolver'' directive so NGINX can look up the responder's hostname.
  * ''add_header'' directives are inherited by a ''location'' only if that ''location'' defines none of its own. If you later add an ''add_header'' inside ''location /'', repeat the three security headers there.
  * The HSTS header (''max-age=63072000'' is two years) makes browsers refuse plain HTTP for the host once they have seen it over HTTPS. Enable it only once HTTPS works reliably: while it is in effect, a broken certificate locks visitors out instead of letting them fall back to HTTP.
  * ''X-Forwarded-For'' uses ''$proxy_add_x_forwarded_for'' so that an address set by an upstream proxy is appended to rather than overwritten, and ''X-Forwarded-Proto'' tells the backend on port 80 that the client connected over HTTPS (needed for correct redirects and secure cookies).
  * ''nginx -t'' validates the configuration before the reload, so a typo does not take the running server down.
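The following script is an added example and not part of the original page or of NGINX: an offline lint that flags the settings the configuration above had to change (''ssl on;'', obsolete protocol versions, stapling without a resolver or trusted chain, a missing HSTS header). It assumes one server block per file with one directive per line, and the two sample configurations it checks are constructed inline; the ''chain.pem'' path and the ''127.0.0.53'' resolver in the hardened sample are placeholders. Run it against ''/etc/nginx/sites-available/ssl'' before ''nginx -t''.

```shell
#!/bin/sh
# Offline lint for the TLS settings of an NGINX server block.
# Added example; not code from the original page or from NGINX.
# Assumption: one server block per file, one directive per line.

# audit_tls_config FILE: print one finding per line (nothing when clean)
audit_tls_config() {
    f="$1"

    # 'ssl on;' is deprecated since NGINX 1.15.0; the ssl parameter of listen replaces it
    if grep -Eq '^[[:space:]]*ssl[[:space:]]+on[[:space:]]*;' "$f"; then
        echo "deprecated: 'ssl on;' (use the ssl parameter of listen)"
    fi

    # SSLv2/3, TLS 1.0 and TLS 1.1 are obsolete
    if grep -E '^[[:space:]]*ssl_protocols' "$f" \
        | grep -Eq '(^|[[:space:]])(SSLv[23]|TLSv1(\.1)?)([[:space:]]|;)'; then
        echo "weak: ssl_protocols allows SSLv2/3, TLSv1 or TLSv1.1"
    fi

    # OCSP stapling needs a resolver to look up the responder hostname ...
    if grep -Eq '^[[:space:]]*ssl_stapling[[:space:]]+on' "$f" \
        && ! grep -Eq '^[[:space:]]*resolver[[:space:]]' "$f"; then
        echo "broken: ssl_stapling on without a resolver directive"
    fi

    # ... and ssl_stapling_verify needs the issuer chain to verify the response
    if grep -Eq '^[[:space:]]*ssl_stapling_verify[[:space:]]+on' "$f" \
        && ! grep -Eq '^[[:space:]]*ssl_trusted_certificate[[:space:]]' "$f"; then
        echo "broken: ssl_stapling_verify on without ssl_trusted_certificate"
    fi

    # without HSTS, browsers still fall back to plain HTTP for the host
    if ! grep -q 'Strict-Transport-Security' "$f"; then
        echo "missing: Strict-Transport-Security header"
    fi
}

# tls_finding_count FILE: number of findings, as a bare integer
tls_finding_count() {
    audit_tls_config "$1" | wc -l | tr -d ' '
}

# tls_config_is_hardened FILE: exit 0 when the audit is clean
tls_config_is_hardened() {
    [ "$(tls_finding_count "$1")" -eq 0 ]
}

# Constructed sample inputs (not real server files): the page's original
# settings and the corrected ones. Paths and resolver are placeholders.
WEAK_CONF=$(mktemp)
HARDENED_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$HARDENED_CONF"' EXIT

cat > "$WEAK_CONF" <<'EOF'
server {
    listen 443 ssl http2;
    ssl on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security max-age=63072000;
}
EOF

cat > "$HARDENED_CONF" <<'EOF'
server {
    listen 443 ssl http2;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/ssl/certs/chain.pem;
    resolver 127.0.0.53;
    add_header Strict-Transport-Security max-age=63072000;
}
EOF

echo "== weak sample =="
audit_tls_config "$WEAK_CONF"
echo "== hardened sample =="
audit_tls_config "$HARDENED_CONF"
```

The weak sample produces four findings and the hardened sample none. The checks are deliberately line-based greps rather than a full NGINX config parser, so they are only meaningful for simple single-server files like the one on this page.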