Hello World! Welcome to this blog. I am @ Palo Alto Networks by day and author of this blog by night.
Most of the posts highlight what I am focused on and express work and personal experience. Reason I put them here - recall later or help someone else with similar challenge.
This awesome thing made my blog moved to https with A+ rating. There are few steps to patch nginx.
The very first thing is to install certbot for your system, check this. I did this with flag «--manual».
certbot certonly --manual
I also created secure Diffie-Hellman group with the following:
openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
Finally added few strings to my nginx site.
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name example.com
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx => 1.3.7
resolver 77.88.55.80 5.255.255.80 valid=300s;
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
}
By reloading nginx we can go ahead and check out https. 301 redirects HTTP → HTTPS are the rest to polish overall configuration! That's it!
Check it out here.
