Nginx – Hardening SSL security by protecting from well-known attack vectors

Author: gryzli

Recently a bunch of SSL attacks have come out, some of which got a lot of public attention:

  • Heartbleed
  • BEAST attack
  • CRIME attack
  • FREAK attack
  • POODLE
  • … and so on

 

Disabling SSLv3 and SSLv2 and Excluding Weak Cipher-Suites

 

If you want to protect your Nginx from most of these attacks, you can add the following code snippet to your Nginx config:

 

Check Nginx configuration and restart

 

Protecting from Logjam and Deploying Diffie-Hellman for TLS

1. Generate Strong DH

2. Copy to nginx dir

3. Configure Nginx to use the new dhparams file

 

4. Check Nginx configuration and restart
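
A configuration covering both sections above (protocol and cipher hardening, then the Logjam steps 1 to 4), as an added example that is not the author's original snippet. The server name, certificate paths, the `/etc/nginx/dhparams.pem` location, the systemd restart command and the exact protocol and cipher choices are assumptions to adapt to your host.

```nginx
# Added example: hardened TLS settings for one server block.
# server_name, certificate paths and the dhparams location are placeholders.
#
# Steps 1-2, run once on the server (2048-bit group, as weakdh.org advises):
#   openssl dhparam -out dhparams.pem 2048
#   cp dhparams.pem /etc/nginx/dhparams.pem
# Step 4, after editing this file (systemd host assumed):
#   nginx -t && systemctl restart nginx

server {
    listen 443 ssl;
    server_name example.com;                              # placeholder

    ssl_certificate     /etc/nginx/ssl/example.com.crt;   # placeholder
    ssl_certificate_key /etc/nginx/ssl/example.com.key;   # placeholder

    # Weak: lists SSLv3 (POODLE); SSLv2 must never be enabled either.
    # ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    # Hardened: only the protocols named here are negotiated.
    # TLSv1.3 needs nginx 1.13.0+ with OpenSSL 1.1.1+; drop it otherwise.
    ssl_protocols TLSv1.2 TLSv1.3;

    # Let the server's cipher ordering win over the client's.
    ssl_prefer_server_ciphers on;

    # Forward-secret AEAD suites only. The "!" entries explicitly exclude
    # anonymous, NULL, export-grade (FREAK, Logjam), DES/3DES, RC4 and MD5.
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5';

    # Step 3: use the freshly generated group for DHE suites instead of a
    # shared or default one (Logjam).
    ssl_dhparam /etc/nginx/dhparams.pem;
}
```

Heartbleed is an OpenSSL bug rather than a configuration issue, so it is addressed by upgrading OpenSSL, not by these directives.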

 

External resources and Tools

Detailed info on different attacks and how to protect yourself

Check if you are using weak DH and how to fix it: https://weakdh.org/sysadmin.html

Checking your overall site security: https://www.ssllabs.com/ssltest/analyze.html
