Before you configure your Nginx server for Forward Secrecy, your web server and SSL/TLS library should support Elliptic Curve cryptography (ECC).
Minimum Required Versions
-
OpenSSL 1.0.1c+
-
Nginx 1.0.6+ and 1.1.0+
Note: Because of the Heartbleed bug and OpenSSL vulnerabilities, you should update to the most recent versions (i.e. OpenSSL version 1.0.1h).
How to Configure Nginx for Forward Secrecy
To configure Nginx for Forward Secrecy, you configure the server to actively choose cipher suites and then activate the right OpenSSL cipher suite configuration string.
-
Locate your SSL Protocol Configuration on your Nginx server.
For example,
-
Type the following command:
grep -r ssl_protocol /etc/nginxIn this example, /etc/nginx is the base directory for the Nginx installation.
-
The command will out put the available Server Blocks.
-
Open the Server Block for which you are enabling Forward Secrecy.
-
-
Add the following lines to your configuration:
-
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
-
ssl_prefer_server_ciphers on;
-
For ssl_ciphers, use one of the following configurations:
-
Configure with RC4
Use this configuration if you have a preference for GCM (Galois Counter Mode) suites (these suites are resistant to timing attacks) and RC4 (RC4 is resistant to BEAST). To improve performance, use the faster ECDHE suites whenever possible.
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"; -
Configure without RC4
Use this configuration if you have a preference for GCM (Galois Counter Mode) suites (these suites are resistant to timing attacks) and you prefer not to use RC4. To improve performance, use the faster ECDHE suites whenever possible.
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"; -
Configure with RC4 as a last resort to support wide range and older browsers
Use this configuration if you have a preference for GCM (Galois Counter Mode) suites (these suites are resistant to timing attacks) and you want to use RC4 only as a last resort in order to support a wide range of browsers and/or older browsers. To improve performance, use the faster ECDHE suites whenever possible.
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS +RC4 RC4";
-
-
-
Restart Nginx.
For example, type the following command:
sudo service nginx restart -
To verify that you have enabled Forward Secrecy, use the Qualys SSL Labs to test your configuration.
-
You have successfully configured Nginx for Forward Secrecy.
