StartSSL and NGINX (equals awesome)

StartSSL is one of the best things I have ever used in my life. It has really helped me kickstart many of my projects, this blog being just one of them. StartSSL is an amazing idea/company. Giving out free SSL certificates? Ones that browsers actually trust? Sweet! Getting started is pretty easy. You get a client certificate from StartSSL to install into your browser; that certificate is how you log in. Please make sure you put a backup of it in your Google Drive, Dropbox, MEGA etc. If you lose this certificate, you cannot access your account again to retrieve your certificates and things. Basically, you verify your domain by sending an email to whatever email address is registered on that domain (e.g. [email protected]). You enter the verification code and voilà! Your domain is verified. The next step is to create your key, either by following the on-screen steps or by running

openssl genrsa -out domain.com.key 2048

EDIT: use "openssl genrsa -out domain.com.key 4096" for a stronger key.

Then the CSR…

openssl req -new -sha256 -key domain.com.key -out domain.com.csr

You’ll then have a certificate, way hey! Really, really simple stuff and absolutely free! Next time you’re going to buy an SSL certificate, please, I implore you to buy from StartSSL to keep this amazing service going. It may be a tad more expensive than using an SSL reseller, but it’ll be supporting a god-damn good cause: making the internet more secure for free.

Now onto the NGINX part of this thing. Pretty simple to install, just a bit more to do with NGINX than with Apache. All it really is is chucking 3 certificates into one file: your own certificate, StartSSL’s intermediate (sub.class1.server.ca.pem) and StartSSL’s root (ca.pem).

wget http://www.startssl.com/certs/ca.pem
wget http://www.startssl.com/certs/sub.class1.server.ca.pem
# order matters: your own certificate first, then the intermediate, then the root
cat domain.crt sub.class1.server.ca.pem ca.pem > domaincombined.crt
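The chain assembly above, as an added example that is not from the original post: a small POSIX shell script that builds domaincombined.crt leaf-first and checks it with openssl before you point NGINX at it (an out-of-order chain or a key that does not match the certificate are the two things that usually go wrong here). The file names are the ones used on this page; the function names are my own.

```shell
#!/bin/sh
# Added example: build the NGINX chain file in the order TLS clients expect
# and sanity-check it with openssl. Function names are assumptions, not
# anything StartSSL or NGINX ship.

# build_chain LEAF INTERMEDIATE ROOT OUT
# NGINX serves the first certificate in ssl_certificate as the server cert
# and the rest, in file order, as the chain; so: yours, then the
# intermediate, then the root (the root is optional but harmless).
build_chain() {
  cat "$1" "$2" "$3" > "$4"
}

# first_is_leaf BUNDLE LEAF: true when the bundle starts with the server cert.
# openssl x509 only reads the first PEM block of a file, which is what we want.
first_is_leaf() {
  a=$(openssl x509 -noout -fingerprint -sha256 -in "$1")
  b=$(openssl x509 -noout -fingerprint -sha256 -in "$2")
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# verify_chain BUNDLE ROOT: true when the leaf at the top of BUNDLE chains to
# ROOT using only the intermediates found inside BUNDLE itself.
verify_chain() {
  openssl verify -CAfile "$2" -untrusted "$1" "$1" >/dev/null 2>&1
}

# key_matches_cert CERT KEY: true when KEY is the private key for CERT
# (a mismatch is the classic "key values mismatch" error at nginx start-up).
key_matches_cert() {
  c=$(openssl x509 -noout -pubkey -in "$1")
  k=$(openssl pkey -in "$2" -pubout)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# check_chain LEAF INTERMEDIATE ROOT KEY OUT: build OUT and run every check.
check_chain() {
  build_chain "$1" "$2" "$3" "$5" &&
    first_is_leaf "$5" "$1" &&
    verify_chain "$5" "$3" &&
    key_matches_cert "$5" "$4"
}

# Usage with the file names from this post:
# check_chain domain.crt sub.class1.server.ca.pem ca.pem domain.com.key domaincombined.crt
```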

Then to update your NGINX configuration files…

ssl_certificate {PATH_TO_CERTS}/domaincombined.crt;
ssl_certificate_key {PATH_TO_CERTS}/domain.key;
# these settings and ciphers get an A+ rating at ssllabs.com
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains"; # HSTS for two years, including subdomains
add_header X-Frame-Options DENY; # never let this site be framed (clickjacking)
add_header X-Content-Type-Options nosniff; # stop browsers MIME-sniffing responses
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # verifying the stapled OCSP response also needs the CA chain in ssl_trusted_certificate

Either reload or restart NGINX and you’re done! Let me know if I have made any mistakes or typos!

A+ score on SSL labs

A very worthy edit: if you want to know why I've used those ciphers, have a look at the godsend that is cipherli.st. Best ciphers for all common protocols.