Skip to main content

How to Harden Vesta Nginx with Let's Encrypt SSL Certificate ?

Nginx 1.17.10 working as a reverse proxy for Vesta Admin Control Panel where it is installed as nginx-vesta. You can check the vesta-nginx version:
# /usr/local/vesta/nginx/sbin/vesta-nginx -v
nginx version: nginx/1.12.2
Vesta Nginx Location
# cd /usr/local/vesta/nginx
Take Backup vesta-nginx configuration file
# cd /usr/local/vesta/nginx/conf
# cp -a nginx.conf nginx.conf-bak
1. Replace the below code 
# vi /usr/local/vesta/nginx/conf/nginx.conf

# SSL PCI Compliance
ssl_protocols               TLSv1.2 TLSv1.1 TLSv1;
ssl_ciphers                 EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
ssl_session_cache           shared:SSL:10m;
ssl_prefer_server_ciphers   on;
With
# SSL Settings
#ssl_protocols TLSv1.3;# Requires nginx >= 1.13.0 else use TLSv1.2
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers   on;
ssl_dhparam /etc/nginx/dhparam.pem; # openssl dhparam -out /etc/nginx/dhparam.pem 4096
#ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0

ssl_session_timeout 10m;
ssl_session_cache   shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
  
# OCSP stapling
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx => 1.3.7
  
port_in_redirect off;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
2. Replace the below code 
ssl                  on;
ssl_certificate      /usr/local/vesta/ssl/certificate.crt;
ssl_certificate_key  /usr/local/vesta/ssl/certificate.key;

ssl_session_cache    shared:SSL:10m;
ssl_session_timeout  10m;
With
ssl                  on;
ssl_certificate      /usr/local/vesta/ssl/certificate.crt;
ssl_certificate_key  /usr/local/vesta/ssl/certificate.key;

# SSL Settings
#ssl_protocols TLSv1.3;# Requires nginx >= 1.13.0 else use TLSv1.2
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers   on;
ssl_dhparam /etc/nginx/dhparam.pem; # openssl dhparam -out /etc/nginx/dhparam.pem 4096
#ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0

ssl_session_timeout 10m;
ssl_session_cache   shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
  
# OCSP stapling
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx => 1.3.7
  
port_in_redirect off;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
Check Vesta-Nginx syntax and Restart
# /usr/local/vesta/nginx/sbin/vesta-nginx -t
Labels:
Reactions:

Comments

Post a Comment