Skip to content

Commit

Permalink
Merge pull request meteorhacks#11 from edmundkwok/master
Browse files Browse the repository at this point in the history 
Implement stronger Diffie-Hellman key for nginx
  • Loading branch information
@arunoda
arunoda committed Feb 11, 2016
2 parents 0ac6ee6 + 6be8393 commit ac609e7
Show file tree
Hide file tree
Showing 2 changed files with 8 additions and 4 deletions.
7 changes: 5 additions & 2 deletions lib/install-nginx.sh
View file
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@ useradd $NGINX_USER || :

# install dependencies
apt-get update
apt-get -y install libpcre3-dev libssl-dev build-essential wget
apt-get -y install libpcre3-dev libssl-dev openssl build-essential wget

# start building process

Expand All @@ -34,4 +34,7 @@ make install

# remove build specific libraries
apt-get -y remove build-essential wget
apt-get -y autoremove
apt-get -y autoremove

# generate new Diffie-Hellman group
openssl dhparam -out /dhparams.pem 2048
5 changes: 3 additions & 2 deletions lib/nginx.conf
View file
Original file line number Diff line number Diff line change
Expand Up @@ -29,11 +29,12 @@ http {
ssl_certificate /bundle.crt;
ssl_certificate_key /private.key;

# As recommended by Mozilla: https://wiki.mozilla.org/Security/Server_Side_TLS
# As recommended by https://weakdh.org/sysadmin.html to deploy a strong Diffie-Hellman key.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
add_header Strict-Transport-Security max-age=15768000;
ssl_prefer_server_ciphers on;
ssl_dhparam /dhparams.pem;

# OCSP Stapling
# fetch OCSP records from URL in ssl_certificate and cache them
Expand Down

0 comments on commit ac609e7

Please sign in to comment.