Ankan Saha
How to securely configure nginx for production step by step

1) Use a strong cipher suite (these are OpenSSL cipher names; nginx applies ssl_ciphers to TLS 1.2 and earlier, while the TLS 1.3 suites are fixed by the library). Names that OpenSSL does not recognise are silently dropped, so the misspelt entries from the original list have been corrected here; the last four suites use static RSA key exchange and give no forward secrecy, so drop them unless you must support legacy clients:

ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:AES256-GCM-SHA384:AES256-SHA256:AES128-GCM-SHA256:AES128-SHA256;

2) Allow only modern TLS protocol versions (SSLv3, TLS 1.0 and TLS 1.1 stay disabled):

ssl_protocols TLSv1.2 TLSv1.3;

3) Use strong Diffie-Hellman parameters for the DHE suites (generate the file with at least 2048 bits, for example with openssl dhparam -out dhparam.pem 2048):

ssl_dhparam dhparam.pem;

4) Prefer the server's cipher order over the client's (this directive does not choose a MAC; it makes nginx pick from the list in step 1 in the order given, so put the strongest suites first):

ssl_prefer_server_ciphers on;

5) Cache TLS sessions with a bounded lifetime, so resumption is fast but stale session keys do not live long:

ssl_session_cache shared:SSL:10m;

ssl_session_timeout 5m;

6) Use strong elliptic curves for ECDHE key exchange:

ssl_ecdh_curve prime256v1:secp384r1;

7) Enable OCSP stapling and verify the stapled response (verification needs the issuer chain, supplied with ssl_trusted_certificate, and nginx needs a resolver directive to reach the OCSP responder):

ssl_stapling on;

ssl_stapling_verify on;

8) Tell browsers to use HTTPS only with HSTS (the preload token commits the domain to the browser preload list, so include it only once every subdomain is served over HTTPS):

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";

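To check an nginx config against the steps above before deploying it, here is a small audit script. It is an added example, not part of the original post or of nginx; the two sample configs are constructed, and the weak-algorithm markers and the one-year HSTS threshold are this script's own choices.

```python
import re

WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXP")  # also catches 3DES/aNULL/eNULL
MIN_HSTS_MAX_AGE = 31536000  # one year, the value the post uses

def directives(config):
    """Map directive name -> value for single-line directives, comments stripped."""
    found = {}
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";").strip()
        if line and not line.endswith("{") and line != "}":
            name, _, value = line.partition(" ")
            found[name] = value.strip()
    return found

def audit_tls(config):
    """Return findings for the directives the post covers; an empty list means clean."""
    d = directives(config)
    findings = []
    legacy = sorted(set(d.get("ssl_protocols", "").split()) & WEAK_PROTOCOLS)
    if legacy:
        findings.append(f"ssl_protocols enables legacy versions: {legacy}")
    # Only positive entries count; "!aNULL"-style exclusions are good, not weak.
    entries = [c for c in d.get("ssl_ciphers", "").split(":") if c and c[0] not in "!-"]
    weak = [c for c in entries if any(m in c.upper() for m in WEAK_CIPHER_MARKERS)]
    if weak:
        findings.append(f"ssl_ciphers contains weak algorithms: {weak}")
    if d.get("ssl_prefer_server_ciphers", "off") != "on":
        findings.append("ssl_prefer_server_ciphers is not on")
    if d.get("ssl_stapling") == "on" and d.get("ssl_stapling_verify") != "on":
        findings.append("ssl_stapling on without ssl_stapling_verify on")
    hsts = re.search(r'Strict-Transport-Security\s+"max-age=(\d+)', config)
    if not hsts or int(hsts.group(1)) < MIN_HSTS_MAX_AGE:
        findings.append("HSTS header missing or max-age shorter than one year")
    return findings

# Constructed sample configs for demonstration, not real deployments.
WEAK_CONFIG = """ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:RC4-SHA:DES-CBC3-SHA;
ssl_prefer_server_ciphers off;
ssl_stapling on;"""
HARDENED_CONFIG = """ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";"""
```

Run audit_tls on the text of your real server block; the weak sample produces five findings and the hardened one none.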
