Perfect forward secrecy and HSTS with nginx

Today, I enabled perfect forward secrecy on my nginx installation. I’m writing down the config so I can easily find it later.

I just put the below config lines in a file called /etc/nginx/conf.d/ssl.conf and now SSLlabs show PFS is enabled.

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_session_cache builtin:1000 shared:SSL:10m;
ssl_dhparam /etc/ssl/certs/dhparam.pem;

The SSL cipher suite has been borrowed from this Mozilla wiki.

You need to create dhparam.pem by doing this in a root shell:

# openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096

Enable HTTP Strict Transport Security (HSTS) by putting this in the relevant site configs:

add_header Strict-Transport-Security max-age=63072000;

To add OSCP stapling, also add these lines:

ssl_trusted_certificate /path/to/intermediates/plus/ca/root/certificate;
ssl_stapling on;
ssl_stapling_verify on;

To prevent attacks with <iframe> tags, add:

add_header X-Frame-Options DENY; # or SAMEORIGIN

To stop browsers from sniffing the MIME response type:

add_header X-Content-Type-Options nosniff;

Don’t forget to restart nginx after making this change.

Thom Wiggers
PhD candidate