Skip to main content

Forward Secrecy for nginx

In today's world, data encryption is not just a whim, but a direct necessity. In particular, encrypting http traffic is of great importance for all sites where any personal data is processed. And also to protect against mitm attacks.

Thus, the use of Forward Secrecy on web servers becomes mandatory for each site that works using the https protocol and allows you to improve the strength of information encryption.

Forward secrecy can be properly configured in nginx.

Suppose you have a site that needs to support https work. First of all you need to create a Diffie-Hellman key.

  # openssl dhparam -out /etc/nginx/ssl/dh-2048.pem 2048 

And set the appropriate access rights for it.

  # chmod 0600 /etc/nginx/ssl/dh-2048.pem 

Next you need to configure nginx. Here is an example configuration for a site running ssl.

 server {server_name;  listen 80;  listen 443 ssl;  ssl_certificate /etc/nginx/ssl/example.com_crt.pem;  ssl_certificate_key /etc/nginx/ssl/example.com_key.pem;  ssl_dhparam ssl / dh-2048.pem;  ssl_ciphers ECDH: DH:! ADH:! AECDH:! SEED:! DES:! 3DES:! RC4:! NULL;  ...} 

Consider each variable.

ssl_dhparam - the path to the file with the Diffie-Hellman key. You can specify the path relative to the directory with the nginx configuration files.

ssl_ciphers - ciphers to be used for ssl connections. I have ciphers selected for prosody . The minimum key length is 128 bits. All support forward secrecy.

After configuring nginx, restart with the service nginx restart command.

To test the settings, use the service. In the test results, in the paragraph “Protocol Details”, there should be such a result:

Результаты теста ssl

How do you rate the article?
Звёзд: 1Звёзд: 2Звёзд: 3Звёзд: 4Звёзд: 5 ( 1 rating, average: 5.00 out of 5)

” Commentary “ Forward Secrecy for nginx

  1. What about backward compatibility?

    I recommend this set: ECDH: DH: EECDH: + AES256: -3DES: RSA + AES: RSA + 3DES:! NULL:! RC4;

Add a comment

Your email will not be published.