Nginx – Hardening SSL security by protecting from well-known attack vectors

Published on Author gryzli

Recently bunch of SSL attacks pop out, some of which get lot of public attention:

  • Heartbleed
  • Beast attack
  • Crime attack
  • Freak attack
  • Poodle
  • …..and so on ….


Disabling SSLv3 and SSLv2 and Excluding Weak Cipher-Suites


If you want to protect your Nginx from the biggest part of these attacks, you can add the following code snippet to your Nginx config:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;


Check Nginx configuration and restart

/etc/init.d/nginx configtest

/etc/init.d/nginx reload


Protecting from Logjam and Deploying Diffie-Hellman for TLS

1. Generate Strong DH

openssl dhparam -out dhparams.pem 2048

2. Copy to nginx dir

cp dhparams.pem /etc/nginx/conf.d/

3. Configure Nginx to use the new dhparams file

ssl_dhparam /etc/nginx/conf.d/dhparams.pem;


4. Check Nginx configuration and restart

/etc/init.d/nginx configtest

/etc/init.d/nginx reload


External resources and Tools

Detail info on different attacks and how to protect yourself

Check if you are using weak DH and how to fix it:

Checking your overall site security: