Category Archives: SSL

How to get an A+ Rating with 100% score on the SSLLabs Test with NGINX

It can be a challange to get an A+ rating on a SSLLabs test, but i have done a configuration below that you are welcome to steal.

listen   443;


        ssl    on;
        ssl_prefer_server_ciphers on;
        ssl_session_cache    shared:SSL:50m;
        ssl_session_timeout  10m;
        ssl_dhparam /etc/nginx/ssl/dhparam.pem;
        add_header Strict-Transport-Security "max-age=31536000";
        ssl_certificate    /etc/nginx/ssl/pvangsgaard.com.pem;
        ssl_protocols       TLSv1.1 TLSv1.2;
        ssl_ciphers TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA:TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA:AES256+EECDH:AES256+EDH:TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256:!aNULL;
        ssl_ecdh_curve secp384r1;
        ssl_certificate_key    /etc/nginx/ssl/pvangsgaard.com.key;

My pem file is just a text file containing the signed certificate and a SSL bundle.

To generate your dhparam.pem file, run in the terminal

openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048

apache | redirect from http to https

I found this guide to how to redirect http to https on the apache wiki

https://wiki.apache.org/httpd/RewriteHTTPToHTTPS

I use it within the virtualhost container like this

<VirtualHost *:80>
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]

ServerAdmin webmaster@somesite.tld
ServerName somesite.tld
ServerAlias www.somesite.tld
DocumentRoot /home/somesite/public_html

ErrorLog /var/log/apache2/somesite.tld-error.log
CustomLog /var/log/apache2/somesite.tld-access.log combined

DocumentRoot /home/somesite/public_html

ErrorLog /var/log/apache2/somesite.tld-error.log
CustomLog /var/log/apache2/somesite.tld-access.log combined
</virtualhost>

Then you can have your ssl <virtualhost *:443> section

That ensure that if another application like wordpress wan’t to write something to .htacces then it will not we overwritten.

SSL | Generate self-signed certificate and key in one line

If you need a quick self-signed certificate, you can create a key/pair, sign it in just one line.

openssl req -subj '/O=Company Name/CN=domain.com/C=US' -new -newkey rsa:2048 -days 1095 -nodes -x509 -keyout server.key -out server.crt

Replace Company Name, Domain with your own.

I would also recommend calling the server keys something like domain.tld.key/crt

This certificate will expire after 3 years (1095 days)