Skip to main content

How to Harden Nginx with Let's Encrypt SSL Certificate and get A+ Score from Qualys Lab ?

I have written those article previously for CentOS Web Panel for both Nginx + Varnish + Apache + PHP-FPM & Apache server only.
Source Details:
1. Install Letsencrypt SSL Certificate for your Server Hostname/FQDN, 100% Working
2. Install Let'sEncrypt for Admin Panel & User Panel Again, 100% Working
My Certificate Score after SSL hardening:

There are some changes needed for both article that i mentioned above. I will do it later for CentOS Web Panel. Now I have started to like VestaCP which is very lightweight control panel and It has many templates based on nginx for many CMS. I am using Nginx+PHP-FPM on Ubuntu 16.04 L.T.S . I have added 4096 bits Let's Encrypt SSL for VestaCP Admin Panel which is working perfectly and no warning getting from any browser.
Article : How to Configure 4096 bits Let's Encrypt SSL for VestaCP Control (Admin) Panel?

Using a SSL certificate that doesn't mean you are secure. You have to harden(secure) your SSL configuration. My default SSL rating is B.
N.B: I am using the below cipherlist . You can use either mozilla SSL Configuration Generator .
Resource Link:
mozilla SSL Configuration Generator

Before Proceed , Check your nginx and openssl version:
Before doing any changes, Take backup first your nginx configuration file
# cd /etc/nginx/
# cp -a nginx.conf nginx.conf-bak
Generate 4096 bits DH_Param
# openssl dhparam -out /etc/nginx/dhparam.pem 4096

Add the below code to your Nginx Configuration file:
# vi /etc/nginx/nginx.conf

# SSL Settings
#ssl_protocols TLSv1.3;# Requires nginx >= 1.13.0 else use TLSv1.2
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers   on;
ssl_dhparam /etc/nginx/dhparam.pem; # openssl dhparam -out /etc/nginx/dhparam.pem 4096
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0

ssl_session_timeout 10m;
ssl_session_cache   shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
# OCSP stapling
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx => 1.3.7
port_in_redirect off;
resolver valid=300s;
resolver_timeout 5s;
Check Nginx Syntax. If everything is okay, restart your Nginx server.
# nginx -t
# systemctl restart nginx
Visit SSL Labs to check your SSL Score:

What you see? My SSL score is A not A+ !

Just add the below code after # Mime Settings, The entire code will looks like:
# Mime settings
include             /etc/nginx/mime.types;
default_type        application/octet-stream;

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
add_header X-Frame-Options "SAMEORIGIN"  always;
add_header X-Content-Type-Options "nosniff"  always;
add_header X-XSS-Protection "1; mode=block";
add_header Content-Security-Policy "frame-ancestors;";
add_header Referrer-Policy strict-origin-when-cross-origin;
add_header Feature-Policy "accelerometer 'none'; ";
Now Again Check with :

If you want to learn more , Just compare :