
This new site, Cipherli.st, provides configurations for the major web server and proxy software suites so that they serve sensitive content, or anything on port 443, with the most secure SSL/TLS cipher settings.

The configs can be copied and pasted straight into your web server configuration.
Be sure to check there for the latest, most secure configs.

Example for nginx:

ssl_ciphers "AES256+EECDH:AES256+EDH";  
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;  
ssl_prefer_server_ciphers on;  
ssl_session_cache shared:SSL:10m;  
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";  
add_header X-Frame-Options DENY;  
ssl_stapling on; # Requires nginx >= 1.3.7  
ssl_stapling_verify on; # Requires nginx >= 1.3.7  
resolver $DNS-IP-1 $DNS-IP-2 valid=300s;  
resolver_timeout 5s;  
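Before pasting a block like the one above into production it is worth running it through a quick offline sanity check. The following is an added example written for this post, not code from Cipherli.st or the blog: it parses the nginx directives, treats `add_header` lines as response headers, and flags settings a reviewer would want to catch (legacy protocols, stapling without a resolver, a short or missing HSTS max-age). TLS 1.0 and 1.1 have since been deprecated (RFC 8996), so the checker reports them for the snippet above; the `$DNS-IP-1` placeholders are kept as they appear on the page.

```python
import re

# Constructed sample: the nginx block from this post, pasted as-is.
NGINX_SNIPPET = """
ssl_ciphers "AES256+EECDH:AES256+EDH";
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
add_header X-Frame-Options DENY;
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx >= 1.3.7
resolver $DNS-IP-1 $DNS-IP-2 valid=300s;
resolver_timeout 5s;
"""
MIN_HSTS_AGE = 31536000  # one year, the floor most HSTS guidance recommends

def parse_directives(text):
    """Return [(name, args)] per directive; drops '#' comments, quotes and ';'."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";").strip()
        if line:
            name, _, rest = line.partition(" ")
            out.append((name, rest.replace('"', "").strip()))
    return out

def audit(text):
    """Return findings for an nginx TLS block, in check order; [] means clean."""
    d = parse_directives(text)
    conf = {n: a for n, a in d if n != "add_header"}          # last value wins
    headers = dict(a.partition(" ")[::2] for n, a in d if n == "add_header")
    findings = []
    for old in ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1"):
        if old in conf.get("ssl_protocols", "").split():
            findings.append(f"legacy protocol enabled: {old}")
    if conf.get("ssl_prefer_server_ciphers") != "on":
        findings.append("ssl_prefer_server_ciphers is not on")
    if conf.get("ssl_stapling") != "on":
        findings.append("ssl_stapling is off")
    elif "resolver" not in conf:                               # OCSP fetch needs DNS
        findings.append("ssl_stapling on but no resolver for OCSP lookups")
    m = re.search(r"max-age=(\d+)", headers.get("Strict-Transport-Security", ""))
    if not m or int(m.group(1)) < MIN_HSTS_AGE:
        findings.append("HSTS header missing or max-age below one year")
    if headers.get("X-Frame-Options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")
    return findings
```

Running `audit(NGINX_SNIPPET)` reports only the two legacy protocol findings; feed it the `server {}` block you actually deploy to catch drift from the published baseline.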

They even have one for HAProxy (<3):

global  
   ssl-default-bind-options no-sslv3 no-tls-tickets force-tlsv12
   ssl-default-bind-ciphers AES256+EECDH:AES256+EDH

frontend http-in  
      mode http
      option httplog
      option forwardfor
      option http-server-close
      option httpclose
      bind 192.0.2.10:80
      redirect scheme https code 301 if !{ ssl_fc }

frontend https-in  
    mode http
    option httplog
    option forwardfor
    option http-server-close
    option httpclose
    rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains
    rspadd X-Frame-Options:\ DENY
    bind 192.0.2.10:443 ssl crt /etc/haproxy/haproxy.pem ciphers AES256+EECDH:AES256+EDH force-tlsv12 no-sslv3
Mario Loria
./scriptthe.net